Overview

overview

10

Static

static

3

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/07/2023, 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a0fde39fbadc5301e63aab1c8eaaba286ca43e70464eb1097968f54db95cfeec.exe

  • Size

    389KB

  • MD5

    9cd4244f9b8ce974992c42d4c264585f

  • SHA1

    fccd922df7ec49540ad65f182b9f87d6d42ec932

  • SHA256

    a0fde39fbadc5301e63aab1c8eaaba286ca43e70464eb1097968f54db95cfeec

  • SHA512

    d5acf94a20d101989e8cb2afda2f4fa4971e5ba6f72750b6482aca1098f255c6b97ed2a74d2df6d04ec21081a1ecacc0c64b0d109d28c3425d51b26294b91d54

  • SSDEEP

    6144:Kny+bnr+Hp0yN90QEzhahaoar8ObWHqrdRphUlNbbMcztzkqp:hMrDy90ga6yCqrdRphstyqp

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a0fde39fbadc5301e63aab1c8eaaba286ca43e70464eb1097968f54db95cfeec.exe
    "C:\Users\Admin\AppData\Local\Temp\a0fde39fbadc5301e63aab1c8eaaba286ca43e70464eb1097968f54db95cfeec.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6901441.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6901441.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5974387.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5974387.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2594359.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2594359.exe
        3⤵
        • Executes dropped EXE
        PID:1048

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6901441.exe
    Filesize

    206KB

    MD5

    844a248373e61342b75b9ca781357df0

    SHA1

    fa8dea3f70c3453b8f8a23cac3cfc28ef6035b2a

    SHA256

    8f5ad9960030538e5112e632b35baa6396397b0c24bc92be9781c265fe77e805

    SHA512

    be270fdb57cdaebc0000b558df3b0bf7f252545876f420d1bc46165be4650fec846b0111c1314fbdfc8a5bab35af369f91b59af2ecefa2c28bc41d16e5df786a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6901441.exe
    Filesize

    206KB

    MD5

    844a248373e61342b75b9ca781357df0

    SHA1

    fa8dea3f70c3453b8f8a23cac3cfc28ef6035b2a

    SHA256

    8f5ad9960030538e5112e632b35baa6396397b0c24bc92be9781c265fe77e805

    SHA512

    be270fdb57cdaebc0000b558df3b0bf7f252545876f420d1bc46165be4650fec846b0111c1314fbdfc8a5bab35af369f91b59af2ecefa2c28bc41d16e5df786a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5974387.exe
    Filesize

    14KB

    MD5

    42a9b33fd1fa1535a8902fcd4a33289e

    SHA1

    e73b75058840463c1b69aa5da8a5ebb2245ca474

    SHA256

    bfb2c117a2be5a3f899d6919624304e4f958894facd73cc594c0b1f095848e41

    SHA512

    cab7a2014b1eabd8d8ecb1f797dac7ad42a2e6b52bb9699bfdd5198773622d7db3b44f8bb58f4d95a0b9048b2be701d6d42e9457452e827305fd05d67227a01e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5974387.exe
    Filesize

    14KB

    MD5

    42a9b33fd1fa1535a8902fcd4a33289e

    SHA1

    e73b75058840463c1b69aa5da8a5ebb2245ca474

    SHA256

    bfb2c117a2be5a3f899d6919624304e4f958894facd73cc594c0b1f095848e41

    SHA512

    cab7a2014b1eabd8d8ecb1f797dac7ad42a2e6b52bb9699bfdd5198773622d7db3b44f8bb58f4d95a0b9048b2be701d6d42e9457452e827305fd05d67227a01e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2594359.exe
    Filesize

    172KB

    MD5

    aa1de16d53c1e816efa48af0d9f513d0

    SHA1

    83d446afd2203cfffb40e7f623a09b74cd7bcb6f

    SHA256

    0ac70f66b4b96dda119bd588f6cd886599319ce158b3780a6ef651de9f386f36

    SHA512

    8cf882980babded6b54feaedc808bd7cdf00ff11d57f348cde05b4b38c3400ebc2b7f2f8529d82f668b32be2dc3035b11a5a7523697b0753f9427eb86bf793bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2594359.exe
    Filesize

    172KB

    MD5

    aa1de16d53c1e816efa48af0d9f513d0

    SHA1

    83d446afd2203cfffb40e7f623a09b74cd7bcb6f

    SHA256

    0ac70f66b4b96dda119bd588f6cd886599319ce158b3780a6ef651de9f386f36

    SHA512

    8cf882980babded6b54feaedc808bd7cdf00ff11d57f348cde05b4b38c3400ebc2b7f2f8529d82f668b32be2dc3035b11a5a7523697b0753f9427eb86bf793bb

    Download Submit

  • memory/1048-157-0x0000000005390000-0x000000000549A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1048-154-0x0000000000800000-0x0000000000830000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1048-155-0x00000000745F0000-0x0000000074DA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1048-156-0x00000000058A0000-0x0000000005EB8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1048-159-0x0000000005170000-0x0000000005180000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1048-158-0x00000000052D0000-0x00000000052E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1048-160-0x0000000005330000-0x000000000536C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1048-161-0x00000000745F0000-0x0000000074DA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1048-162-0x0000000005170000-0x0000000005180000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4576-150-0x00007FF8B8030000-0x00007FF8B8AF1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4576-148-0x00007FF8B8030000-0x00007FF8B8AF1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4576-147-0x0000000000A30000-0x0000000000A3A000-memory.dmp

    Filesize

    40KB

    Download