Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    298s
  • max time network
    303s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    18-09-2023 01:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x8920106.exe

  • Size

    326KB

  • MD5

    ae46fad877029d53bc9f3b23e3e6b68c

  • SHA1

    52cd7b7916103201e20321342006504d2c1e471b

  • SHA256

    7f56bc86d4d13d64838414f3f302407487ffaca278d243cf4243112ee09a3298

  • SHA512

    e237e8b2d5eac7c51024b72292281e73f4a1c1d7ad38de50102f8c2b243826587233e3d803e3fc1238a76078d9e781d9bc1707a9106d58305bcdc711aa17d83d

  • SSDEEP

    6144:KAy+bnr+4Xp0yN90QEGYiLAu3BwwGlBG8vyvaISdv6C9e7h:8Mrzyy90iJ36VlB3aveXA

Score
10/10
healerredlineblackdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

black

C2

77.91.124.82:19071

Attributes
  • auth_value

    c5887216cebc5a219113738140bc3047

Signatures

  • Detects Healer an antivirus disabler dropper 5 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x8920106.exe
    "C:\Users\Admin\AppData\Local\Temp\x8920106.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8562867.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8562867.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2680
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h6894059.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h6894059.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8562867.exe
    Filesize

    242KB

    MD5

    186f93453bdaa681aa6717b3949eb702

    SHA1

    27d14781353f02746f0b913134781a43c0e44a7e

    SHA256

    dac6002381627581d7bc28442c6b8ad56d8e35467e0449f835f2adf4928d9017

    SHA512

    f10ea330c46975e5e56afc7abc009729fdc42803bb1fbf8ba81c85b0700506b9a9f145209e571c94745f216d344e394b5ec894099102e152dbe7ef1a1a332e67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8562867.exe
    Filesize

    242KB

    MD5

    186f93453bdaa681aa6717b3949eb702

    SHA1

    27d14781353f02746f0b913134781a43c0e44a7e

    SHA256

    dac6002381627581d7bc28442c6b8ad56d8e35467e0449f835f2adf4928d9017

    SHA512

    f10ea330c46975e5e56afc7abc009729fdc42803bb1fbf8ba81c85b0700506b9a9f145209e571c94745f216d344e394b5ec894099102e152dbe7ef1a1a332e67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8562867.exe
    Filesize

    242KB

    MD5

    186f93453bdaa681aa6717b3949eb702

    SHA1

    27d14781353f02746f0b913134781a43c0e44a7e

    SHA256

    dac6002381627581d7bc28442c6b8ad56d8e35467e0449f835f2adf4928d9017

    SHA512

    f10ea330c46975e5e56afc7abc009729fdc42803bb1fbf8ba81c85b0700506b9a9f145209e571c94745f216d344e394b5ec894099102e152dbe7ef1a1a332e67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h6894059.exe
    Filesize

    174KB

    MD5

    dfccdf22631c4491b6b466b3364f5569

    SHA1

    884b8e8f38af29cd46b7eb5580f69cb523181994

    SHA256

    da5da12ca0fdff6f5d3a06d6de10f146a96fb84318d64953d37dc174933db211

    SHA512

    be17f2695d55d3407ed290c8d30b19cccde41e223d3001c3130605dd14dd6f7ba91441914aaec1e18d48367b5fc2cdadf1484d478cbaa1e904eb3d6c8d2f62b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h6894059.exe
    Filesize

    174KB

    MD5

    dfccdf22631c4491b6b466b3364f5569

    SHA1

    884b8e8f38af29cd46b7eb5580f69cb523181994

    SHA256

    da5da12ca0fdff6f5d3a06d6de10f146a96fb84318d64953d37dc174933db211

    SHA512

    be17f2695d55d3407ed290c8d30b19cccde41e223d3001c3130605dd14dd6f7ba91441914aaec1e18d48367b5fc2cdadf1484d478cbaa1e904eb3d6c8d2f62b2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\g8562867.exe
    Filesize

    242KB

    MD5

    186f93453bdaa681aa6717b3949eb702

    SHA1

    27d14781353f02746f0b913134781a43c0e44a7e

    SHA256

    dac6002381627581d7bc28442c6b8ad56d8e35467e0449f835f2adf4928d9017

    SHA512

    f10ea330c46975e5e56afc7abc009729fdc42803bb1fbf8ba81c85b0700506b9a9f145209e571c94745f216d344e394b5ec894099102e152dbe7ef1a1a332e67

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\g8562867.exe
    Filesize

    242KB

    MD5

    186f93453bdaa681aa6717b3949eb702

    SHA1

    27d14781353f02746f0b913134781a43c0e44a7e

    SHA256

    dac6002381627581d7bc28442c6b8ad56d8e35467e0449f835f2adf4928d9017

    SHA512

    f10ea330c46975e5e56afc7abc009729fdc42803bb1fbf8ba81c85b0700506b9a9f145209e571c94745f216d344e394b5ec894099102e152dbe7ef1a1a332e67

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\g8562867.exe
    Filesize

    242KB

    MD5

    186f93453bdaa681aa6717b3949eb702

    SHA1

    27d14781353f02746f0b913134781a43c0e44a7e

    SHA256

    dac6002381627581d7bc28442c6b8ad56d8e35467e0449f835f2adf4928d9017

    SHA512

    f10ea330c46975e5e56afc7abc009729fdc42803bb1fbf8ba81c85b0700506b9a9f145209e571c94745f216d344e394b5ec894099102e152dbe7ef1a1a332e67

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\h6894059.exe
    Filesize

    174KB

    MD5

    dfccdf22631c4491b6b466b3364f5569

    SHA1

    884b8e8f38af29cd46b7eb5580f69cb523181994

    SHA256

    da5da12ca0fdff6f5d3a06d6de10f146a96fb84318d64953d37dc174933db211

    SHA512

    be17f2695d55d3407ed290c8d30b19cccde41e223d3001c3130605dd14dd6f7ba91441914aaec1e18d48367b5fc2cdadf1484d478cbaa1e904eb3d6c8d2f62b2

    Download Submit

  • \Users\Admin\AppData\Local\Temp\IXP000.TMP\h6894059.exe
    Filesize

    174KB

    MD5

    dfccdf22631c4491b6b466b3364f5569

    SHA1

    884b8e8f38af29cd46b7eb5580f69cb523181994

    SHA256

    da5da12ca0fdff6f5d3a06d6de10f146a96fb84318d64953d37dc174933db211

    SHA512

    be17f2695d55d3407ed290c8d30b19cccde41e223d3001c3130605dd14dd6f7ba91441914aaec1e18d48367b5fc2cdadf1484d478cbaa1e904eb3d6c8d2f62b2

    Download Submit

  • memory/2640-30-0x00000000003B0000-0x00000000003B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2640-29-0x00000000003D0000-0x0000000000400000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2680-15-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2680-22-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2680-20-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2680-18-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2680-17-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2680-16-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2680-14-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2680-13-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download