Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    291s
  • max time network
    300s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19/09/2023, 06:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    x8862234.exe

  • Size

    506KB

  • MD5

    7ce4a4d37e57732e82dc56cfbec9f3d8

  • SHA1

    712076cff059236cf258ab0a00e07aafe80edb2e

  • SHA256

    aef1462b31efd6b91d06ad783582629e29df05f6ef223b0d9141663a297cae2a

  • SHA512

    f5a5314a51f86be5e6f51ff8bc545e2aca82501ddd03536802b193d8c14fca700d5a1ed2f975f28b834cc7d92b5ef51252c17250f3572341193142e32d856667

  • SSDEEP

    12288:fMrOy90uXH+DMdwWH04gBZ4QMCkp0J5y1:ly3brJAZ4xp03w

Score
10/10
healerredlinevashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

vasha

C2

77.91.124.82:19071

Attributes
  • auth_value

    42fc61786274daca54d589b85a2c1954

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x8862234.exe
    "C:\Users\Admin\AppData\Local\Temp\x8862234.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9238151.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9238151.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4248
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0103104.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0103104.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4100
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1936
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6181295.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6181295.exe
        3⤵
        • Executes dropped EXE
        PID:4384

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9238151.exe
          Filesize

          321KB

          MD5

          808640ae624237f7fd9570914eb37e65

          SHA1

          6f180654cd9a781cfd87b809aaa87d01232fefbc

          SHA256

          c4891e45aab4b1ee36312da596e9bb8e57babff786f38b4a884ce59226101281

          SHA512

          62de383f1c7d199dc8dae2dd3b1fdd2907755cbd634ad818a3d02660388a8338bc9bcc7bd6ae0b4456e43d6d165908bcd8cc794c076a1735998ac560e8e337c1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9238151.exe
          Filesize

          321KB

          MD5

          808640ae624237f7fd9570914eb37e65

          SHA1

          6f180654cd9a781cfd87b809aaa87d01232fefbc

          SHA256

          c4891e45aab4b1ee36312da596e9bb8e57babff786f38b4a884ce59226101281

          SHA512

          62de383f1c7d199dc8dae2dd3b1fdd2907755cbd634ad818a3d02660388a8338bc9bcc7bd6ae0b4456e43d6d165908bcd8cc794c076a1735998ac560e8e337c1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0103104.exe
          Filesize

          236KB

          MD5

          4453360a4d31d743e99701fe4bd7e4a7

          SHA1

          02af3df690da8cf02ca9e54b1f038976f7063938

          SHA256

          621e67654ebba1a6562be4cda0bcf6491b6da1b97385169609ce51d745389689

          SHA512

          d9e26e972d829a24fbf3e825520ae2655b0d09aeb17c1a6155168e57206c9cc6af3500e6f1407ef782ce358fd82711b384714244cfa07b69116ead2015a9a2b9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0103104.exe
          Filesize

          236KB

          MD5

          4453360a4d31d743e99701fe4bd7e4a7

          SHA1

          02af3df690da8cf02ca9e54b1f038976f7063938

          SHA256

          621e67654ebba1a6562be4cda0bcf6491b6da1b97385169609ce51d745389689

          SHA512

          d9e26e972d829a24fbf3e825520ae2655b0d09aeb17c1a6155168e57206c9cc6af3500e6f1407ef782ce358fd82711b384714244cfa07b69116ead2015a9a2b9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6181295.exe
          Filesize

          174KB

          MD5

          40772cc213017bd4e62a098c76e5cd46

          SHA1

          0f2bcac1e880547a11bb53281056c8194f04ebc0

          SHA256

          1fd72f634d0f537f6594b635f8d9ab0b1042011d632c70e6d4841b0002a0086c

          SHA512

          bbca4fb5854b3402d2ff22e76068ef70d6e0ff43e729a40289c09c2fc9188da5debe70663299d5f4f0dedaaf029af0ac0db0438a5be8cd6e1aa7aff5f08b7cef

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h6181295.exe
          Filesize

          174KB

          MD5

          40772cc213017bd4e62a098c76e5cd46

          SHA1

          0f2bcac1e880547a11bb53281056c8194f04ebc0

          SHA256

          1fd72f634d0f537f6594b635f8d9ab0b1042011d632c70e6d4841b0002a0086c

          SHA512

          bbca4fb5854b3402d2ff22e76068ef70d6e0ff43e729a40289c09c2fc9188da5debe70663299d5f4f0dedaaf029af0ac0db0438a5be8cd6e1aa7aff5f08b7cef

          Download Submit

        • memory/1936-39-0x0000000072CD0000-0x00000000733BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1936-14-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1936-54-0x0000000072CD0000-0x00000000733BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1936-24-0x0000000072CD0000-0x00000000733BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4384-22-0x0000000072CD0000-0x00000000733BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4384-25-0x0000000005EA0000-0x00000000064A6000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/4384-26-0x00000000059A0000-0x0000000005AAA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4384-27-0x00000000056A0000-0x00000000056B2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/4384-28-0x0000000005700000-0x000000000573E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4384-29-0x0000000005890000-0x00000000058DB000-memory.dmp

          Filesize

          300KB

          Download

        • memory/4384-38-0x0000000072CD0000-0x00000000733BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4384-23-0x0000000001680000-0x0000000001686000-memory.dmp

          Filesize

          24KB

          Download

        • memory/4384-21-0x0000000000E90000-0x0000000000EC0000-memory.dmp

          Filesize

          192KB

          Download