Overview

overview

10

Static

static

3

0a973a7562...06.exe

windows7-x64

5

0a973a7562...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    157s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2023, 03:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0a973a7562ae29b1d139982a51f23b68670764fd92a29cb131ef0aa10f19d106.exe

  • Size

    930KB

  • MD5

    8e45781a495c31858ee36eaa7756da0f

  • SHA1

    7db5ec48ac923aea0781241dd8c8c6deedf8291a

  • SHA256

    0a973a7562ae29b1d139982a51f23b68670764fd92a29cb131ef0aa10f19d106

  • SHA512

    68230ef47598fc6186a5083c72064f5c2a1fcf6c5005d5bd8142223f5c23fa9d5539a297da8f06ec3ab571a66e89415013266ed063dd3bb8dfad345dce9d658d

  • SSDEEP

    24576:oiuBtZRIXaM6NUeI1p/VXksfsF1wR3XFo:fuBfRIKhUeIL/RkOsF1wR3C

Score
10/10
healerredlinemonerdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes
  • auth_value

    a94cd9e01643e1945b296c28a2f28707

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0a973a7562ae29b1d139982a51f23b68670764fd92a29cb131ef0aa10f19d106.exe
    "C:\Users\Admin\AppData\Local\Temp\0a973a7562ae29b1d139982a51f23b68670764fd92a29cb131ef0aa10f19d106.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2165888.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2165888.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3648
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4042046.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4042046.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:776
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4491373.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4491373.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:5108
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
                PID:5104
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                6⤵
                • Modifies Windows Defender Real-time Protection settings
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4896
            • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6164498.exe
              C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6164498.exe
              5⤵
              • Executes dropped EXE
              PID:2164

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2165888.exe
      Filesize

      472KB

      MD5

      16492699e2e2f82596baf425b2483f9c

      SHA1

      9144aa448a5e38468cde19ec9f6fb14c8a765734

      SHA256

      44c39e0e75d124f07a51717310bcdf8617c2ffdfde587b0e20ad7f911f025cda

      SHA512

      c1fb50d3bd06a60bcd4f0c7f5c3d41f0c21dcbfecb6d0599222fadfb47ad47e083876fa0efca027470c387d6f099c9e87c786ef605a0934a66c1f477f2204bc0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2165888.exe
      Filesize

      472KB

      MD5

      16492699e2e2f82596baf425b2483f9c

      SHA1

      9144aa448a5e38468cde19ec9f6fb14c8a765734

      SHA256

      44c39e0e75d124f07a51717310bcdf8617c2ffdfde587b0e20ad7f911f025cda

      SHA512

      c1fb50d3bd06a60bcd4f0c7f5c3d41f0c21dcbfecb6d0599222fadfb47ad47e083876fa0efca027470c387d6f099c9e87c786ef605a0934a66c1f477f2204bc0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4042046.exe
      Filesize

      306KB

      MD5

      37b202ab4cd74a5819cc5c669c49d3ec

      SHA1

      7d2d66d69cec52f0ef9b11e9de1c712970505f7c

      SHA256

      beb1dadeec16ab3d79410a5d3691391b95357040770b24386dc30786fef52953

      SHA512

      4c8091002ef561f4e07b5c35eead9a666439bd675acda68fde56c2e75141a3dbafc67f3f732096fb29bea967219417526b379d3d01b558438c0173baf02a523f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4042046.exe
      Filesize

      306KB

      MD5

      37b202ab4cd74a5819cc5c669c49d3ec

      SHA1

      7d2d66d69cec52f0ef9b11e9de1c712970505f7c

      SHA256

      beb1dadeec16ab3d79410a5d3691391b95357040770b24386dc30786fef52953

      SHA512

      4c8091002ef561f4e07b5c35eead9a666439bd675acda68fde56c2e75141a3dbafc67f3f732096fb29bea967219417526b379d3d01b558438c0173baf02a523f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4491373.exe
      Filesize

      213KB

      MD5

      d463db7a8d451e70961a5b93a0629e0b

      SHA1

      8e5c32077faf87e750b3bbfbaa51869d2418be05

      SHA256

      fade796f4ca83ce2bd9e22e7ca73a08618280aa65580ef726b46ecf175554f09

      SHA512

      00915c145d58bb57f8c01ac362c9666e1415b919f919b1b8cb8f21a8c464ae5b7f6bc920cb842fa8af5be80ee56651bb0aba6438af094c64994135b1b7ab46ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4491373.exe
      Filesize

      213KB

      MD5

      d463db7a8d451e70961a5b93a0629e0b

      SHA1

      8e5c32077faf87e750b3bbfbaa51869d2418be05

      SHA256

      fade796f4ca83ce2bd9e22e7ca73a08618280aa65580ef726b46ecf175554f09

      SHA512

      00915c145d58bb57f8c01ac362c9666e1415b919f919b1b8cb8f21a8c464ae5b7f6bc920cb842fa8af5be80ee56651bb0aba6438af094c64994135b1b7ab46ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6164498.exe
      Filesize

      174KB

      MD5

      6552ea4c6ae4aa85da043aec3cb5de02

      SHA1

      55aaa012196d5cdee4830a2b9246f47bf9c31eef

      SHA256

      18626cc630807b5338e00f34c9db745cca986017361d238d247f46b541607cdb

      SHA512

      fdaa5a22987a2b3155d0038733b84179f32bda40d223e46f79a99d3a4f2ab39fe0474fafe9fd516601247e88afedaca5842008be7e2c9c0a0bf558812a62231e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6164498.exe
      Filesize

      174KB

      MD5

      6552ea4c6ae4aa85da043aec3cb5de02

      SHA1

      55aaa012196d5cdee4830a2b9246f47bf9c31eef

      SHA256

      18626cc630807b5338e00f34c9db745cca986017361d238d247f46b541607cdb

      SHA512

      fdaa5a22987a2b3155d0038733b84179f32bda40d223e46f79a99d3a4f2ab39fe0474fafe9fd516601247e88afedaca5842008be7e2c9c0a0bf558812a62231e

      Download Submit

    • memory/2164-38-0x0000000005830000-0x0000000005E48000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2164-35-0x0000000074010000-0x00000000747C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2164-44-0x0000000005100000-0x0000000005110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-43-0x0000000004FB0000-0x0000000004FFC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2164-42-0x0000000005450000-0x000000000548C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2164-41-0x00000000050C0000-0x00000000050D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2164-40-0x0000000005100000-0x0000000005110000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2164-31-0x0000000074010000-0x00000000747C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2164-32-0x0000000000680000-0x00000000006B0000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2164-33-0x0000000001040000-0x0000000001046000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2164-39-0x0000000005520000-0x000000000562A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2704-1-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

      Download

    • memory/2704-0-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

      Download

    • memory/2704-11-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

      Download

    • memory/2704-2-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

      Download

    • memory/2704-3-0x0000000000400000-0x00000000004BB000-memory.dmp

      Filesize

      748KB

      Download

    • memory/4896-37-0x0000000074010000-0x00000000747C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4896-34-0x0000000074010000-0x00000000747C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4896-30-0x0000000074010000-0x00000000747C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4896-26-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download