Overview

overview

10

Static

static

3

winprofile

windows7-x64

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    290s
  • max time network
    304s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-09-2023 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x5610254.exe

  • Size

    506KB

  • MD5

    6358555534d3ecf9384103b3f2228bb1

  • SHA1

    2274736eb3b60d8eb594a42179213c8f67d158ff

  • SHA256

    8ae95d092646486753b97dbdfc6acf17a3c9f6f18a79d58ae599a7925f964f69

  • SHA512

    03dda4d938425bed1cb3b004fbfce2714e5b38ddc01aa54b9d543d4824ea44bbac69e12a0859a3bc7dc20d853ab0a7b6cbb7c22268b5e034d5182a8ca70519bb

  • SSDEEP

    12288:bMrsy90T5DT7798BrhDk1CvzAjgX9jfPztwqxn:3yU18tyEvzUe9jln

Score
10/10
healerredlinevashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

vasha

C2

77.91.124.82:19071

Attributes
  • auth_value

    42fc61786274daca54d589b85a2c1954

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x5610254.exe
    "C:\Users\Admin\AppData\Local\Temp\x5610254.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8731362.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8731362.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7935047.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7935047.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:592
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3636
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3626941.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3626941.exe
        3⤵
        • Executes dropped EXE
        PID:4140

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8731362.exe
    Filesize

    320KB

    MD5

    faa8635b24a3c8c194ea66f37770732e

    SHA1

    7a45390809e3fb5a228396d3b5ff05b3a99bc9be

    SHA256

    0fdbc770ea66f062af959235a3a6559123d5408a322c111592ef584215ef81c4

    SHA512

    e269067cd43197b7d6c6901cb3ab55cec1a7e8aeb80f9a1b938bfcb3b4d0cb847a90766fc22ac393f7c035022911fe5ace8ce56c3268fdc3503f60b266789db3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8731362.exe
    Filesize

    320KB

    MD5

    faa8635b24a3c8c194ea66f37770732e

    SHA1

    7a45390809e3fb5a228396d3b5ff05b3a99bc9be

    SHA256

    0fdbc770ea66f062af959235a3a6559123d5408a322c111592ef584215ef81c4

    SHA512

    e269067cd43197b7d6c6901cb3ab55cec1a7e8aeb80f9a1b938bfcb3b4d0cb847a90766fc22ac393f7c035022911fe5ace8ce56c3268fdc3503f60b266789db3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7935047.exe
    Filesize

    236KB

    MD5

    ae3c2011e6b28a83ed5ec20506e2e3eb

    SHA1

    34bcdb009271f3301b37346648ade33ceecf9556

    SHA256

    797cfa22728210b5dfc1b746fda10be7684798629c168664d754440882c5dbcf

    SHA512

    8c8f8a783cd2fa9de0a23735c958dab8563b7f100e77c3e821287a7a07d05db398dd2a3a00b447c11b34d89b0c48ef497a869003582159e7e6c134bba6cd3138

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g7935047.exe
    Filesize

    236KB

    MD5

    ae3c2011e6b28a83ed5ec20506e2e3eb

    SHA1

    34bcdb009271f3301b37346648ade33ceecf9556

    SHA256

    797cfa22728210b5dfc1b746fda10be7684798629c168664d754440882c5dbcf

    SHA512

    8c8f8a783cd2fa9de0a23735c958dab8563b7f100e77c3e821287a7a07d05db398dd2a3a00b447c11b34d89b0c48ef497a869003582159e7e6c134bba6cd3138

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3626941.exe
    Filesize

    174KB

    MD5

    43acc3d174d9c2da4013def25ed93107

    SHA1

    c0e91ed2ab5c607fc0b22c8f4209db792c26fa5f

    SHA256

    745e358e9b0eefe2efe8d14cdbf17a194b81a80f929df4514cc3fed696d259ee

    SHA512

    6ddecd71a2e5f9d6670f297513fe3db5e2ed4e859857d8a25a42dbcfe03e6d5f70762af836061a0ebfdfc05be6ca102d6b9116fe6e627a989811da07c59b9614

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h3626941.exe
    Filesize

    174KB

    MD5

    43acc3d174d9c2da4013def25ed93107

    SHA1

    c0e91ed2ab5c607fc0b22c8f4209db792c26fa5f

    SHA256

    745e358e9b0eefe2efe8d14cdbf17a194b81a80f929df4514cc3fed696d259ee

    SHA512

    6ddecd71a2e5f9d6670f297513fe3db5e2ed4e859857d8a25a42dbcfe03e6d5f70762af836061a0ebfdfc05be6ca102d6b9116fe6e627a989811da07c59b9614

    Download Submit

  • memory/3636-24-0x00000000730C0000-0x00000000737AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3636-14-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3636-54-0x00000000730C0000-0x00000000737AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3636-39-0x00000000730C0000-0x00000000737AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4140-22-0x00000000730C0000-0x00000000737AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4140-25-0x000000000AC00000-0x000000000B206000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4140-26-0x000000000A700000-0x000000000A80A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4140-27-0x000000000A5F0000-0x000000000A602000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4140-32-0x000000000A650000-0x000000000A68E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4140-33-0x000000000A6A0000-0x000000000A6EB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4140-38-0x00000000730C0000-0x00000000737AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4140-23-0x0000000001180000-0x0000000001186000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4140-21-0x00000000008B0000-0x00000000008E0000-memory.dmp

    Filesize

    192KB

    Download