Overview

overview

10

Static

static

3

aabd5ae087...80.exe

windows7-x64

5

aabd5ae087...80.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    206s
  • max time network
    224s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2023 03:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aabd5ae087211d2a787688d403cd2cb88455d4dd374daefed2d9de2631885880.exe

  • Size

    929KB

  • MD5

    967bae478b6f71fa77af48c2cd440fd1

  • SHA1

    dcc8f4f9bbe28d4dc092f4d75f1e290aec782305

  • SHA256

    aabd5ae087211d2a787688d403cd2cb88455d4dd374daefed2d9de2631885880

  • SHA512

    f7d82075423c173c11574d862eac5ff15d0e9cb2974ce3c32290244e4b057205f07f736daa84a8bfd4ddc9540963c2e42b98696d6bdd62b604b03243bc96a0b1

  • SSDEEP

    12288:qJ//yfYb5BIQZVtyHnvGZIPLBY2LlG+eaqGb7hV9lnG8fs3K9Q2UOiPT6Kt/F9:uiuBtZcGZIPLphG+eH2b9c8E3Qi7D

Score
10/10
healerredlinemonerdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes
  • auth_value

    a94cd9e01643e1945b296c28a2f28707

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aabd5ae087211d2a787688d403cd2cb88455d4dd374daefed2d9de2631885880.exe
    "C:\Users\Admin\AppData\Local\Temp\aabd5ae087211d2a787688d403cd2cb88455d4dd374daefed2d9de2631885880.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4192
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3953730.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3953730.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5036
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6730037.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6730037.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3964
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8264898.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8264898.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2484
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1148
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4044919.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4044919.exe
            5⤵
            • Executes dropped EXE
            PID:4092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3953730.exe
    Filesize

    472KB

    MD5

    3f6a3c3611d53ceb7203a87e469ce9e8

    SHA1

    5120d55006567309dbe6ac37ab7044524fb84546

    SHA256

    82e2f011bd54da5cb8062152e77d936687b1ee99d747e63eb804818cbeb37787

    SHA512

    571e70edb09efe43f7ac5cfd0a7b42147f14da0be21fb512792e2fa89a74a7710dcfaaafb809ce97bbbca98e167c60b22297924eaf32d274781f3fdfe798c431

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3953730.exe
    Filesize

    472KB

    MD5

    3f6a3c3611d53ceb7203a87e469ce9e8

    SHA1

    5120d55006567309dbe6ac37ab7044524fb84546

    SHA256

    82e2f011bd54da5cb8062152e77d936687b1ee99d747e63eb804818cbeb37787

    SHA512

    571e70edb09efe43f7ac5cfd0a7b42147f14da0be21fb512792e2fa89a74a7710dcfaaafb809ce97bbbca98e167c60b22297924eaf32d274781f3fdfe798c431

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6730037.exe
    Filesize

    306KB

    MD5

    b3b1c741d1a4309c826bcc71f5c819b4

    SHA1

    ab27c794603374fc0b327e1e942fbfea4f9ee537

    SHA256

    d27815def1746142a6c62cbfad679bae0743c2de9544ae0bae89d47c9bf0fc1b

    SHA512

    cd1f59ad3d4b861b477b287bc97e0607d720144088bd5c8c31f5bee39dc1d2649a3a86e6e0728a59991dd0663a1f39faff5222caaca7fe9416870dbe341049d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6730037.exe
    Filesize

    306KB

    MD5

    b3b1c741d1a4309c826bcc71f5c819b4

    SHA1

    ab27c794603374fc0b327e1e942fbfea4f9ee537

    SHA256

    d27815def1746142a6c62cbfad679bae0743c2de9544ae0bae89d47c9bf0fc1b

    SHA512

    cd1f59ad3d4b861b477b287bc97e0607d720144088bd5c8c31f5bee39dc1d2649a3a86e6e0728a59991dd0663a1f39faff5222caaca7fe9416870dbe341049d4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8264898.exe
    Filesize

    213KB

    MD5

    fc44bbf4777b03126ab93c2a9d5d4011

    SHA1

    3d3783a05f8f6c6792ab1e6a398f39679c127bd2

    SHA256

    1fa5780d9cac113ad08a95b702d9ac3518e73822186819e2de6395b04826692c

    SHA512

    5ae53a3fe60d342d0722bb5cbe14dcbb7e6bb1e449932498cea4fd00667513d568ff55af4bb1f204bf26bf5f72e73318424f1e984460729af4c08c55628b2a27

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8264898.exe
    Filesize

    213KB

    MD5

    fc44bbf4777b03126ab93c2a9d5d4011

    SHA1

    3d3783a05f8f6c6792ab1e6a398f39679c127bd2

    SHA256

    1fa5780d9cac113ad08a95b702d9ac3518e73822186819e2de6395b04826692c

    SHA512

    5ae53a3fe60d342d0722bb5cbe14dcbb7e6bb1e449932498cea4fd00667513d568ff55af4bb1f204bf26bf5f72e73318424f1e984460729af4c08c55628b2a27

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4044919.exe
    Filesize

    174KB

    MD5

    655012b9205cc9f9de6cb2dec1e9d6ea

    SHA1

    a71243b189da821d2f799dfb3716209210f35dea

    SHA256

    0696e16145fba260db5032cbb53528e62dfa9d666f9719fcc27f92b149f6c062

    SHA512

    84f04982f08bdf9ee28da64acba14986aa07fef1c53a5f1d1ee30cf3cf98c51ceb9a3d50884082f38cc5317c202736b7d97022e4dd8488afa79b96e6f0e2dc5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4044919.exe
    Filesize

    174KB

    MD5

    655012b9205cc9f9de6cb2dec1e9d6ea

    SHA1

    a71243b189da821d2f799dfb3716209210f35dea

    SHA256

    0696e16145fba260db5032cbb53528e62dfa9d666f9719fcc27f92b149f6c062

    SHA512

    84f04982f08bdf9ee28da64acba14986aa07fef1c53a5f1d1ee30cf3cf98c51ceb9a3d50884082f38cc5317c202736b7d97022e4dd8488afa79b96e6f0e2dc5e

    Download Submit

  • memory/1148-34-0x0000000074120000-0x00000000748D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1148-25-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1148-31-0x0000000074120000-0x00000000748D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1148-44-0x0000000074120000-0x00000000748D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2724-3-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2724-2-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2724-1-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2724-26-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/2724-0-0x0000000000400000-0x00000000004BB000-memory.dmp

    Filesize

    748KB

    Download

  • memory/4092-30-0x0000000000620000-0x0000000000650000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4092-33-0x00000000029B0000-0x00000000029B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4092-35-0x0000000074120000-0x00000000748D0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4092-36-0x00000000057F0000-0x0000000005E08000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4092-37-0x0000000005330000-0x000000000543A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4092-38-0x0000000004F80000-0x0000000004F90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4092-39-0x0000000005270000-0x0000000005282000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4092-40-0x00000000052D0000-0x000000000530C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4092-41-0x0000000005440000-0x000000000548C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4092-42-0x0000000004F80000-0x0000000004F90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4092-32-0x0000000074120000-0x00000000748D0000-memory.dmp

    Filesize

    7.7MB

    Download