Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    297s
  • max time network
    306s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-09-2023 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x8002878.exe

  • Size

    326KB

  • MD5

    d450a74effe247298e76be251e9d20b6

  • SHA1

    2ec5fbbbd9ea9125beb84d456fac275f9dc42adc

  • SHA256

    c22b6ac1147733913380ba7c0f23d9e8802bb8f91b681e416aa5c5a0f942d105

  • SHA512

    1d4d264d1e20603a5d9dccac06c5055b5ec2555f3d6d390b4bd066a45ff23ede0ea15df9eec5154ac3601c7f28537b4096d703ea294295973e99fbf2b149d678

  • SSDEEP

    6144:K1y+bnr+Fp0yN90QEmnL5C8HqZiuNf0OSbCAVmEDus9CFst:HMr5y90A5OZiuN7oVcsGst

Score
10/10
healerredlineblackdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

black

C2

77.91.124.82:19071

Attributes
  • auth_value

    c5887216cebc5a219113738140bc3047

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x8002878.exe
    "C:\Users\Admin\AppData\Local\Temp\x8002878.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g3089245.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g3089245.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4856
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4060
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8345542.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8345542.exe
      2⤵
      • Executes dropped EXE
      PID:4040

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g3089245.exe
    Filesize

    242KB

    MD5

    d1139a672dbbf2080d65e428ab2a5e89

    SHA1

    ba26ec755852555edba81f15f9937884666845c5

    SHA256

    2f587191e89b78e30307e3d1c06e7fc8abcda40f2bbea21bb522c5c9dd07a8f6

    SHA512

    5d9b0361549f6cc589dd9de63ed7af83b1a434524ff66cec60d6414d2fe3153f879f7a43d364e71fce933da89617d550d4b3858d48c2f19418f1db74809d52ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g3089245.exe
    Filesize

    242KB

    MD5

    d1139a672dbbf2080d65e428ab2a5e89

    SHA1

    ba26ec755852555edba81f15f9937884666845c5

    SHA256

    2f587191e89b78e30307e3d1c06e7fc8abcda40f2bbea21bb522c5c9dd07a8f6

    SHA512

    5d9b0361549f6cc589dd9de63ed7af83b1a434524ff66cec60d6414d2fe3153f879f7a43d364e71fce933da89617d550d4b3858d48c2f19418f1db74809d52ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8345542.exe
    Filesize

    174KB

    MD5

    24a7f85e7aba85d56e39eabf594afb44

    SHA1

    33e1f059adfe93d5bdf2a7880a0193c88a7ad1c4

    SHA256

    179783183da481296e77d35b9a3a73c8247ad2420d49a4e7fd35ae12efadd467

    SHA512

    a19c25638b6209e447bd2ef8eabf7377188f4bf89d12333ca25c17fff91e5b0c52d2e0504df3c465b781d6e0b75776c02752492f8e24e54a0e19385c1f326c67

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h8345542.exe
    Filesize

    174KB

    MD5

    24a7f85e7aba85d56e39eabf594afb44

    SHA1

    33e1f059adfe93d5bdf2a7880a0193c88a7ad1c4

    SHA256

    179783183da481296e77d35b9a3a73c8247ad2420d49a4e7fd35ae12efadd467

    SHA512

    a19c25638b6209e447bd2ef8eabf7377188f4bf89d12333ca25c17fff91e5b0c52d2e0504df3c465b781d6e0b75776c02752492f8e24e54a0e19385c1f326c67

    Download Submit

  • memory/4040-17-0x0000000004C80000-0x0000000004C86000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4040-14-0x0000000000500000-0x0000000000530000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4040-15-0x00000000738B0000-0x0000000073F9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4040-18-0x000000000A790000-0x000000000AD96000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/4040-19-0x000000000A310000-0x000000000A41A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4040-20-0x000000000A240000-0x000000000A252000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4040-21-0x000000000A2A0000-0x000000000A2DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4040-26-0x000000000A420000-0x000000000A46B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4040-31-0x00000000738B0000-0x0000000073F9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4060-16-0x00000000738B0000-0x0000000073F9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4060-7-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4060-32-0x00000000738B0000-0x0000000073F9E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4060-47-0x00000000738B0000-0x0000000073F9E000-memory.dmp

    Filesize

    6.9MB

    Download