Overview

overview

10

Static

static

3

f65b1aaf1d...2b.exe

windows7-x64

5

f65b1aaf1d...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/10/2023, 04:47

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    f65b1aaf1d79d150fdb771dbf6b74d1ed2a67f85b4e55f8e67978ee668c68f2b.exe

  • Size

    1.2MB

  • MD5

    c10d1ee33f424c73ab622259843092b0

  • SHA1

    63c465be3c48852fb8e56abcb925c95ce590b8a6

  • SHA256

    f65b1aaf1d79d150fdb771dbf6b74d1ed2a67f85b4e55f8e67978ee668c68f2b

  • SHA512

    fd91480c388e6124048f70c40697beae63093dd3791789455ccda4464a7e71cefb03db99bcd2fa9f48f491de6e67d2eb9452b1754e2450f3e44f6f2833173f02

  • SSDEEP

    24576:l74crlsVawwIpNBpv5PwDKCtK6dU5z7iOliUWjyoxMt2olgloG:54crIpN7RKtK7TkLGREolgloG

Score
10/10
healerredlinepetindropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

petin

C2

77.91.124.82:19071

Attributes
  • auth_value

    f6cf7a48c0291d1ef5a3440429827d6d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f65b1aaf1d79d150fdb771dbf6b74d1ed2a67f85b4e55f8e67978ee668c68f2b.exe
    "C:\Users\Admin\AppData\Local\Temp\f65b1aaf1d79d150fdb771dbf6b74d1ed2a67f85b4e55f8e67978ee668c68f2b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1676
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6795783.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6795783.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5609678.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5609678.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4012
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7499313.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7499313.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3352
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8531326.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8531326.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:4264
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                7⤵
                • Modifies Windows Defender Real-time Protection settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1164
            • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1057155.exe
              C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1057155.exe
              6⤵
              • Executes dropped EXE
              PID:3248

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6795783.exe
          Filesize

          744KB

          MD5

          1dd7c4f6ec2cea6f28a61be0164486a6

          SHA1

          04cde20d9f02559af78a426ad51e79230c97bd36

          SHA256

          52414d13b5fe27a67172158f66b1ff9ff28d53f6badf8fab53f07f06a720b60b

          SHA512

          ba48aa7db81e7d6ad13e779415eb71105f37d9e96d1200bbb4990223401748f524e519440e797558db1ddde0a2a2ee55aa0e06ebe39170342225f7f12b9deaac

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6795783.exe
          Filesize

          744KB

          MD5

          1dd7c4f6ec2cea6f28a61be0164486a6

          SHA1

          04cde20d9f02559af78a426ad51e79230c97bd36

          SHA256

          52414d13b5fe27a67172158f66b1ff9ff28d53f6badf8fab53f07f06a720b60b

          SHA512

          ba48aa7db81e7d6ad13e779415eb71105f37d9e96d1200bbb4990223401748f524e519440e797558db1ddde0a2a2ee55aa0e06ebe39170342225f7f12b9deaac

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5609678.exe
          Filesize

          481KB

          MD5

          fe62473584db28be98432979679c1002

          SHA1

          f42beff00704ba4d57b50d6604c64c6e4b96f41a

          SHA256

          2c76626bfee5490640da39fe0b538d65c6aa98981c3fafbedadb91417e8cad5e

          SHA512

          4a9ba6ce7bbba71b1a195a2481ba4623147423af06d2ced214deba175928b7d0376583c280019145d6f27fda417bc0b887737705525a68b16512581b6beb1197

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5609678.exe
          Filesize

          481KB

          MD5

          fe62473584db28be98432979679c1002

          SHA1

          f42beff00704ba4d57b50d6604c64c6e4b96f41a

          SHA256

          2c76626bfee5490640da39fe0b538d65c6aa98981c3fafbedadb91417e8cad5e

          SHA512

          4a9ba6ce7bbba71b1a195a2481ba4623147423af06d2ced214deba175928b7d0376583c280019145d6f27fda417bc0b887737705525a68b16512581b6beb1197

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7499313.exe
          Filesize

          315KB

          MD5

          11c8c8f83775ed34b700256de4ba9dd7

          SHA1

          5e1008f52d83bba8b68d9319588654edfc177103

          SHA256

          886347f0756ccd2530e4f7ef7efce4db39a58517ea8348315ea62d949369a52e

          SHA512

          74e54d9f14ddf9b929e4b09d72c2a6f1cd04f1ca9d688b3f92b0d59400be1db3c4825f574086193ca376ab0cf929ce04eeb987fd708387187e933063291ec761

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7499313.exe
          Filesize

          315KB

          MD5

          11c8c8f83775ed34b700256de4ba9dd7

          SHA1

          5e1008f52d83bba8b68d9319588654edfc177103

          SHA256

          886347f0756ccd2530e4f7ef7efce4db39a58517ea8348315ea62d949369a52e

          SHA512

          74e54d9f14ddf9b929e4b09d72c2a6f1cd04f1ca9d688b3f92b0d59400be1db3c4825f574086193ca376ab0cf929ce04eeb987fd708387187e933063291ec761

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8531326.exe
          Filesize

          229KB

          MD5

          47dbee08b66e015eeeaf558a8945330f

          SHA1

          e16449f252e3817ee5c313cf985111e5a48f6764

          SHA256

          301e985ac95014a16d3d6d30c96e6caf56b4129ca9e32b2d30215c0e004877c4

          SHA512

          a3d08a2aa77e559297f7a4f5c4582814659a2cbc103f9cc0e3f1947be8704e8767a1f3f6975654cd67a9d403e7c0a6ac4785f514c8ffea8acb3b1a5f03000084

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8531326.exe
          Filesize

          229KB

          MD5

          47dbee08b66e015eeeaf558a8945330f

          SHA1

          e16449f252e3817ee5c313cf985111e5a48f6764

          SHA256

          301e985ac95014a16d3d6d30c96e6caf56b4129ca9e32b2d30215c0e004877c4

          SHA512

          a3d08a2aa77e559297f7a4f5c4582814659a2cbc103f9cc0e3f1947be8704e8767a1f3f6975654cd67a9d403e7c0a6ac4785f514c8ffea8acb3b1a5f03000084

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1057155.exe
          Filesize

          174KB

          MD5

          e3d003fa911a70d59cd67a6018aa93f3

          SHA1

          4bed1faa114cedd63b83fb4519c3390e9d2e6b58

          SHA256

          a87fa0754a8b1c56583db0cec1a481357fd7b3bce7f6fe5f5610deb119b9991a

          SHA512

          39b8f274e0fd7ddd30f5b6240f85b5fb12115ec96e37f7f544a2dca76dc9ad0d60ea348894ef618d1a057fc796d76795ea59685b57f28897e5a30021d4e00c97

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1057155.exe
          Filesize

          174KB

          MD5

          e3d003fa911a70d59cd67a6018aa93f3

          SHA1

          4bed1faa114cedd63b83fb4519c3390e9d2e6b58

          SHA256

          a87fa0754a8b1c56583db0cec1a481357fd7b3bce7f6fe5f5610deb119b9991a

          SHA512

          39b8f274e0fd7ddd30f5b6240f85b5fb12115ec96e37f7f544a2dca76dc9ad0d60ea348894ef618d1a057fc796d76795ea59685b57f28897e5a30021d4e00c97

          Download Submit

        • memory/1164-33-0x0000000000400000-0x000000000040A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1164-50-0x0000000074000000-0x00000000747B0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1164-48-0x0000000074000000-0x00000000747B0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1164-40-0x0000000074000000-0x00000000747B0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1676-22-0x0000000000400000-0x0000000000505000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1676-3-0x0000000000400000-0x0000000000505000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1676-2-0x0000000000400000-0x0000000000505000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1676-1-0x0000000000400000-0x0000000000505000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/1676-0-0x0000000000400000-0x0000000000505000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3248-39-0x0000000005620000-0x0000000005626000-memory.dmp

          Filesize

          24KB

          Download

        • memory/3248-41-0x0000000005DF0000-0x0000000006408000-memory.dmp

          Filesize

          6.1MB

          Download

        • memory/3248-42-0x00000000058E0000-0x00000000059EA000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/3248-43-0x00000000056C0000-0x00000000056D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3248-44-0x0000000005680000-0x0000000005692000-memory.dmp

          Filesize

          72KB

          Download

        • memory/3248-45-0x0000000005810000-0x000000000584C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3248-46-0x0000000005850000-0x000000000589C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/3248-47-0x0000000074000000-0x00000000747B0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3248-38-0x0000000074000000-0x00000000747B0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3248-37-0x0000000000E00000-0x0000000000E30000-memory.dmp

          Filesize

          192KB

          Download

        • memory/3248-51-0x00000000056C0000-0x00000000056D0000-memory.dmp

          Filesize

          64KB

          Download