Overview

overview

10

Static

static

3

d38551fe88...4b.exe

windows7-x64

10

d38551fe88...4b.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d38551fe889202c6c7b67008daaa2c8d684104e1ebedcfce2003be7d31b1034b

  • Size

    723KB

  • Sample

    230912-q8cq3afg53

  • MD5

    38945825dd7a1c4709863a2b533cef16

  • SHA1

    94a8f7710d9d195444dc025ba68eb3cd11c0521c

  • SHA256

    41b72d6062975c186656bc87f21d4d20d610c283df8148d887fb94c687864a2f

  • SHA512

    92e0b2d5d6f15f12a652f210c92e527533c7325569e6e37f16071b28315699a328d11fd4c9a8e17ec4055325024874492d9eaeee8f5201fc479cc3ae648b90ea

  • SSDEEP

    12288:R46Qy90Ex3wzFug+r6CoFPjh06ia85r+z37z0v3AqVH8uMn003ZVdK6PLZ:ayBgzpqtUPjh0638a3fSQqlSfjTZ

Score
10/10
healerredlineviraddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Targets

    • Target

      d38551fe889202c6c7b67008daaa2c8d684104e1ebedcfce2003be7d31b1034b

    • Size

      767KB

    • MD5

      87d2a3a38d3aec0a0ed2430271d0ab2e

    • SHA1

      affc34187e24801769bef3405de97d9ca1d93e11

    • SHA256

      d38551fe889202c6c7b67008daaa2c8d684104e1ebedcfce2003be7d31b1034b

    • SHA512

      7f2abb2ed672eb266c152a275970b8aa8d167a4f6ee42f6c8efc94b1c5a63375aaf3c85c99c410f60012e7ec94837b275000036ffa4e6ae3724df53b47ebc66d

    • SSDEEP

      12288:1MrZy90rSwzJug+rN1em3Hjh04qg85rCzx1zSv3ACVB88MnS037VP/O3yszF:oyK1ztqN7Hjh04D8axdQQCna7PAn

    Score
    10/10
    healerredlineviraddropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks