Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    291s
  • max time network
    303s
  • platform
    windows10-1703_x64
  • resource
    win10-20230915-en
  • resource tags

    arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
  • submitted
    19-09-2023 06:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x6103409.exe

  • Size

    506KB

  • MD5

    0161d5878fc9f3e1441c6d07fa80d8b6

  • SHA1

    aafaee6eb2797c94d5b62a3a671f9bfe4b683022

  • SHA256

    a637ad2cf121eafebf568f99bbe320aafe238f05fa722bd8d47f16b25d229696

  • SHA512

    2547bf0a2f0f49de2ec04d075e8d8783663bfe8477cea2e494a8be1d113f94951679156e1661e0ac9c76f0c55ed65acb79a735a65e953a47354e73a2f539e71e

  • SSDEEP

    12288:QMrey90E+G98plf4Yb+LKvaQdSOXwpQ4:eyDXyplffTBwj3

Score
10/10
healerredlinevashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

vasha

C2

77.91.124.82:19071

Attributes
  • auth_value

    42fc61786274daca54d589b85a2c1954

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x6103409.exe
    "C:\Users\Admin\AppData\Local\Temp\x6103409.exe"
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3716465.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3716465.exe
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1480
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4780743.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4780743.exe
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:3284
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3536
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2391710.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2391710.exe
        • Executes dropped EXE
        PID:964

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3716465.exe
    Filesize

    320KB

    MD5

    bd8aac74df67f6fde61f5f9a924ed6d4

    SHA1

    836e6a69bbef277e18383abe776abc058b9c5341

    SHA256

    4e82ae18daf05be90f7731212b8b696a52e48d1a771d434e99c7705bf6e5486b

    SHA512

    da1c41e43d9ef43eb78b39cd7a1aa1d443181d189385065e8380c188d981436cac43cc33d3d72c251739ce2719472c4bb5706d44adda540e2b50213c2722c727

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3716465.exe
    Filesize

    320KB

    MD5

    bd8aac74df67f6fde61f5f9a924ed6d4

    SHA1

    836e6a69bbef277e18383abe776abc058b9c5341

    SHA256

    4e82ae18daf05be90f7731212b8b696a52e48d1a771d434e99c7705bf6e5486b

    SHA512

    da1c41e43d9ef43eb78b39cd7a1aa1d443181d189385065e8380c188d981436cac43cc33d3d72c251739ce2719472c4bb5706d44adda540e2b50213c2722c727

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4780743.exe
    Filesize

    236KB

    MD5

    35e9af813fed242aacb760b30ef4bc9b

    SHA1

    463fedc2556f79351422a4f35d5504ed05738f59

    SHA256

    27884f346de6e135ffc7559cc22ad9075e643996665dde4f6ad9b85d3bf049c7

    SHA512

    4c8538e180830b57e500f32e5d4416c4e5ae4c6442389c3578c60341a11df0bf61ef6499f0a9a473210f338c72101a285fa2c6b79b7c999944d26b970c3f7523

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4780743.exe
    Filesize

    236KB

    MD5

    35e9af813fed242aacb760b30ef4bc9b

    SHA1

    463fedc2556f79351422a4f35d5504ed05738f59

    SHA256

    27884f346de6e135ffc7559cc22ad9075e643996665dde4f6ad9b85d3bf049c7

    SHA512

    4c8538e180830b57e500f32e5d4416c4e5ae4c6442389c3578c60341a11df0bf61ef6499f0a9a473210f338c72101a285fa2c6b79b7c999944d26b970c3f7523

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2391710.exe
    Filesize

    174KB

    MD5

    2f1b9cdf5437829d0b5dfc330aa68a46

    SHA1

    2b7e1d147bc90dc655275566f77343006e5aed83

    SHA256

    46e347c5529f632394301cfa26bca532887f4e375d1e16438366ab9afed77015

    SHA512

    ce9f8b5bf205734915b538f1a0d0c39e34e85e33694fbb255274fe990dbf7c9238b1a87f2407f31c02f0ddbef20fe152cbd6017fbbc4dbbfb677b11afa84df9a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h2391710.exe
    Filesize

    174KB

    MD5

    2f1b9cdf5437829d0b5dfc330aa68a46

    SHA1

    2b7e1d147bc90dc655275566f77343006e5aed83

    SHA256

    46e347c5529f632394301cfa26bca532887f4e375d1e16438366ab9afed77015

    SHA512

    ce9f8b5bf205734915b538f1a0d0c39e34e85e33694fbb255274fe990dbf7c9238b1a87f2407f31c02f0ddbef20fe152cbd6017fbbc4dbbfb677b11afa84df9a

    Download Submit
  • memory/964-33-0x0000000005690000-0x00000000056DB000-memory.dmp
    Filesize

    300KB

    Download
  • memory/964-21-0x0000000000CB0000-0x0000000000CE0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/964-39-0x00000000737B0000-0x0000000073E9E000-memory.dmp
    Filesize

    6MB

    Download
  • memory/964-23-0x00000000737B0000-0x0000000073E9E000-memory.dmp
    Filesize

    6MB

    Download
  • memory/964-24-0x00000000015D0000-0x00000000015D6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/964-25-0x0000000005CA0000-0x00000000062A6000-memory.dmp
    Filesize

    6MB

    Download
  • memory/964-26-0x00000000057A0000-0x00000000058AA000-memory.dmp
    Filesize

    1MB

    Download
  • memory/964-27-0x00000000054C0000-0x00000000054D2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/964-32-0x0000000005520000-0x000000000555E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/3536-14-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3536-38-0x00000000737B0000-0x0000000073E9E000-memory.dmp
    Filesize

    6MB

    Download
  • memory/3536-22-0x00000000737B0000-0x0000000073E9E000-memory.dmp
    Filesize

    6MB

    Download
  • memory/3536-54-0x00000000737B0000-0x0000000073E9E000-memory.dmp
    Filesize

    6MB

    Download