Overview

overview

10

Static

static

3

be20e8d108...d4.exe

windows7-x64

10

be20e8d108...d4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-07-2023 10:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be20e8d108cf9e94319678c0f61393d4.exe

  • Size

    389KB

  • MD5

    be20e8d108cf9e94319678c0f61393d4

  • SHA1

    9ca7da9916d071095a2985ecb2408f24f9978453

  • SHA256

    277f52adcffdae3b95ac4c1b928de6c4a507600023471054f5c9d34f3b852f94

  • SHA512

    4a60a1bb61a320deabeeebb508685a024c2b6c1d065221bc5a2682a90193300899d49e355675b84293875486cd08e94d582c95df886ca3330bef74cb0921afca

  • SSDEEP

    6144:KPy+bnr+Lp0yN90QE9dx9l253NzJGHDRezddZ5ULvrGEf51/HmbTME:FMr7y90P25uFEnwrGEr/YT5

Score
10/10
healerredlinenasadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes
  • auth_value

    6da71218d8a9738ea3a9a78b5677589b

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be20e8d108cf9e94319678c0f61393d4.exe
    "C:\Users\Admin\AppData\Local\Temp\be20e8d108cf9e94319678c0f61393d4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3328
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1369519.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1369519.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3758178.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3758178.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3144
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2710542.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2710542.exe
        3⤵
        • Executes dropped EXE
        PID:1520

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1369519.exe
    Filesize

    206KB

    MD5

    f34c885bc0878d18d10ff2a2bcab37bf

    SHA1

    183ec4b6099090f5e12f2977855a5b8a47434b11

    SHA256

    bc0bd82e116a9895ebc746eb946211813684173fb091a3b5beb68d633d8f8ed7

    SHA512

    ac17cb90087c25fec2966c8ef59192b88d9ae2752d235af76a9b7e73900319750aef27becf5877f89560046b0c0cb43d2901cd501a032295f354fb2f7b27495d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1369519.exe
    Filesize

    206KB

    MD5

    f34c885bc0878d18d10ff2a2bcab37bf

    SHA1

    183ec4b6099090f5e12f2977855a5b8a47434b11

    SHA256

    bc0bd82e116a9895ebc746eb946211813684173fb091a3b5beb68d633d8f8ed7

    SHA512

    ac17cb90087c25fec2966c8ef59192b88d9ae2752d235af76a9b7e73900319750aef27becf5877f89560046b0c0cb43d2901cd501a032295f354fb2f7b27495d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3758178.exe
    Filesize

    14KB

    MD5

    452bb0fa072d8b5b84e96b8135b88a33

    SHA1

    958d7ebe07651e7de76fa57dad744174a6948840

    SHA256

    e4864ebb7779217e5e02467385f0e1b64b27e1eda7c6ce12c81fa2ba5886d6af

    SHA512

    1f7f6066b5b8c076894aed53d85f46a9c643d41a5faebc84400437bcb797a9b220c70b75be4139c9213121c841e868f2677096bbd167f3f151d7b3152cbdad9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3758178.exe
    Filesize

    14KB

    MD5

    452bb0fa072d8b5b84e96b8135b88a33

    SHA1

    958d7ebe07651e7de76fa57dad744174a6948840

    SHA256

    e4864ebb7779217e5e02467385f0e1b64b27e1eda7c6ce12c81fa2ba5886d6af

    SHA512

    1f7f6066b5b8c076894aed53d85f46a9c643d41a5faebc84400437bcb797a9b220c70b75be4139c9213121c841e868f2677096bbd167f3f151d7b3152cbdad9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2710542.exe
    Filesize

    174KB

    MD5

    29d290bc7cf52245c18068dd18a2b56b

    SHA1

    80834b85700772615c39a38757267968e32f3240

    SHA256

    f66d99d19231a0f6abba5374f8916cdcb478e715c50f29d6e436e54ee0e2db44

    SHA512

    86e90ae7c792bbae7bba8f0ee029c71233e540d74f9786aa3c5f381d2394ce7aa72c5cd6045eb9410821e59ba201558da773fc14e267cff0ca09ccc4a5314bed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2710542.exe
    Filesize

    174KB

    MD5

    29d290bc7cf52245c18068dd18a2b56b

    SHA1

    80834b85700772615c39a38757267968e32f3240

    SHA256

    f66d99d19231a0f6abba5374f8916cdcb478e715c50f29d6e436e54ee0e2db44

    SHA512

    86e90ae7c792bbae7bba8f0ee029c71233e540d74f9786aa3c5f381d2394ce7aa72c5cd6045eb9410821e59ba201558da773fc14e267cff0ca09ccc4a5314bed

    Download Submit

  • memory/1520-157-0x0000000004DD0000-0x0000000004EDA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1520-154-0x00000000001D0000-0x0000000000200000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1520-155-0x0000000074B20000-0x00000000752D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1520-156-0x00000000052E0000-0x00000000058F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1520-159-0x0000000004A90000-0x0000000004AA2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1520-158-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1520-160-0x0000000004D00000-0x0000000004D3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1520-161-0x0000000074B20000-0x00000000752D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1520-162-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3144-150-0x00007FF919C60000-0x00007FF91A721000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3144-148-0x00007FF919C60000-0x00007FF91A721000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3144-147-0x00000000005F0000-0x00000000005FA000-memory.dmp

    Filesize

    40KB

    Download