Overview

overview

10

Static

static

3

106445763c...34.exe

windows10-2004-x64

10

Resubmissions

23-11-2024 19:36

241123-ybkpeasndx 10

13-07-2024 16:26

240713-txqqbsybmj 3

13-07-2024 15:27

240713-sv4czawfkl 3

08-04-2024 13:45

240408-q2dpsaae25 10

21-11-2023 22:21

231121-196ewagh72 10

21-11-2023 22:20

231121-183ycshf5y 10

21-11-2023 22:06

231121-1z2c6sgh38 10

27-08-2023 18:38

230827-w98ssaee5z 10

01-06-2023 22:35

230601-2h4yeagg74 10

21-04-2023 17:56

230421-whz2kahb76 10

Analysis

  • max time kernel
    1798s
  • max time network
    1805s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2023 22:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe

  • Size

    1.2MB

  • MD5

    5b3b6822964b4151c6200ecd89722a86

  • SHA1

    ce7a11dae532b2ade1c96619bbdc8a8325582049

  • SHA256

    106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

  • SHA512

    2f0d99af35c326cf46810c7421325deb55ae7ca36a8edc2716a3d32d9e6769e0d374581a98912e22fceeb6973e972463ed8b2fa4d4399043c443fa100dfd17b0

  • SSDEEP

    24576:5yY4YriuQJ5X4SuIcmuBLahxwUzN1YyqoVKucvTNLF9:sY4FuIahGxRMoobNLF

Score
10/10
healerredlineronurdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ronur

C2

193.233.20.20:4134

Attributes
  • auth_value

    f88f86755a528d4b25f6f3628c460965

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe
    "C:\Users\Admin\AppData\Local\Temp\106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4084
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:864
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1504
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:3068
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4824
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of AdjustPrivilegeToken
              PID:3608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe
    Filesize

    1010KB

    MD5

    f8d3a0a73fbee1e94dcd0fedf9a31c4e

    SHA1

    71ef31102516e25e3b3aa347b5c697a85d237b16

    SHA256

    ad974386b5f8a42a0ff8d77d4f6e1919f2bfbe3f4008320acb1bc327e6f4947c

    SHA512

    81337186639f964ed048b288be37575ffaa989d9d6c6a91a27db8d6bfe5c4fb42f11d63ab32008e485f921bcb774304a6f96cb4e17778dcc38f1e4b072deca28

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe
    Filesize

    1010KB

    MD5

    f8d3a0a73fbee1e94dcd0fedf9a31c4e

    SHA1

    71ef31102516e25e3b3aa347b5c697a85d237b16

    SHA256

    ad974386b5f8a42a0ff8d77d4f6e1919f2bfbe3f4008320acb1bc327e6f4947c

    SHA512

    81337186639f964ed048b288be37575ffaa989d9d6c6a91a27db8d6bfe5c4fb42f11d63ab32008e485f921bcb774304a6f96cb4e17778dcc38f1e4b072deca28

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe
    Filesize

    869KB

    MD5

    5739bc2cafd62977daa950a317be8d14

    SHA1

    f7f582e1863642c4d5a8341e2005c06c0f3d9e74

    SHA256

    b3cad94dc96473ea46e9af91de2a2126ee2345d47a2d1a926182db447de2ecc9

    SHA512

    f55320fdf0383e3c7f8a9841c3444b58f9551d879d89ad1ee44388e9621b4b5f0f7e504915012e3acf24b3aa45a3d0f1e692ddee89a38d3987f95fe97d5bae8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe
    Filesize

    869KB

    MD5

    5739bc2cafd62977daa950a317be8d14

    SHA1

    f7f582e1863642c4d5a8341e2005c06c0f3d9e74

    SHA256

    b3cad94dc96473ea46e9af91de2a2126ee2345d47a2d1a926182db447de2ecc9

    SHA512

    f55320fdf0383e3c7f8a9841c3444b58f9551d879d89ad1ee44388e9621b4b5f0f7e504915012e3acf24b3aa45a3d0f1e692ddee89a38d3987f95fe97d5bae8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe
    Filesize

    651KB

    MD5

    e12e7b53183d3b1c6cd53ef42aa815f8

    SHA1

    9dedb739590a02e37c82e54cc8eb3e0ce57248ee

    SHA256

    63ac9bdbd61a661f5bc96825ad4408df1312b18f455472b63c66f6e5efb05e63

    SHA512

    5e4a61453476d524cf3b96743e2f5163c01f3ae1d8f05653d9ed3ffd0614b43afa013554e6c0b0294763e80beca5081fc088ad6e595a2af67115a62f4cce410c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe
    Filesize

    651KB

    MD5

    e12e7b53183d3b1c6cd53ef42aa815f8

    SHA1

    9dedb739590a02e37c82e54cc8eb3e0ce57248ee

    SHA256

    63ac9bdbd61a661f5bc96825ad4408df1312b18f455472b63c66f6e5efb05e63

    SHA512

    5e4a61453476d524cf3b96743e2f5163c01f3ae1d8f05653d9ed3ffd0614b43afa013554e6c0b0294763e80beca5081fc088ad6e595a2af67115a62f4cce410c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe
    Filesize

    383KB

    MD5

    7c29db2ac66b846cc00ca802838c116b

    SHA1

    23f9d79f7cf7d5fb41111bf4896645d3989b4f11

    SHA256

    e4519665ce98d8426aceadad26a6bbe92b455f59f6261a8240dcba5b40e6a51b

    SHA512

    a46c3d3a3e7ff2ae24cf67eed51367cd5b422cc793911d59de19d2ba0c763c29f569b9876ef41ad74ec3e9977ab280100c09755abdc6908e269bce4a1b761cb7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe
    Filesize

    383KB

    MD5

    7c29db2ac66b846cc00ca802838c116b

    SHA1

    23f9d79f7cf7d5fb41111bf4896645d3989b4f11

    SHA256

    e4519665ce98d8426aceadad26a6bbe92b455f59f6261a8240dcba5b40e6a51b

    SHA512

    a46c3d3a3e7ff2ae24cf67eed51367cd5b422cc793911d59de19d2ba0c763c29f569b9876ef41ad74ec3e9977ab280100c09755abdc6908e269bce4a1b761cb7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
    Filesize

    275KB

    MD5

    ef9dd5707f37f0e2f802b3d7856e7bbc

    SHA1

    e9cbeca90f2edece7174b0fcffe65f311b5b3689

    SHA256

    de4cdd6ab46f28034be20c1a3231035ac3dc1aafbb443e0ccaaadd3ccdf0fadf

    SHA512

    24d042eb4715e4a9ed98609fe264bbd1aded094c2efa410e59a3bd800fc36561242c1433e8573de9581bea6e38b9f269dcd6b2eba20e4548e5cdd893c9334b44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
    Filesize

    275KB

    MD5

    ef9dd5707f37f0e2f802b3d7856e7bbc

    SHA1

    e9cbeca90f2edece7174b0fcffe65f311b5b3689

    SHA256

    de4cdd6ab46f28034be20c1a3231035ac3dc1aafbb443e0ccaaadd3ccdf0fadf

    SHA512

    24d042eb4715e4a9ed98609fe264bbd1aded094c2efa410e59a3bd800fc36561242c1433e8573de9581bea6e38b9f269dcd6b2eba20e4548e5cdd893c9334b44

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
    Filesize

    275KB

    MD5

    ef9dd5707f37f0e2f802b3d7856e7bbc

    SHA1

    e9cbeca90f2edece7174b0fcffe65f311b5b3689

    SHA256

    de4cdd6ab46f28034be20c1a3231035ac3dc1aafbb443e0ccaaadd3ccdf0fadf

    SHA512

    24d042eb4715e4a9ed98609fe264bbd1aded094c2efa410e59a3bd800fc36561242c1433e8573de9581bea6e38b9f269dcd6b2eba20e4548e5cdd893c9334b44

    Download Submit

  • memory/3608-43-0x0000000000660000-0x0000000000760000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3608-44-0x0000000000590000-0x00000000005DB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3608-45-0x0000000000400000-0x000000000058C000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3608-46-0x0000000073FD0000-0x0000000074780000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3608-47-0x0000000002500000-0x0000000002510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3608-48-0x00000000026F0000-0x0000000002736000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3608-49-0x0000000002500000-0x0000000002510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3608-50-0x0000000004D20000-0x00000000052C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3608-51-0x0000000002770000-0x00000000027B4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3608-52-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-53-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-55-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-57-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-59-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-61-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-63-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-65-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-67-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-69-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-71-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-73-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-75-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-77-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-79-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-81-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-83-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-85-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-87-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-89-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-91-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-93-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-95-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-97-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-99-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-101-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-103-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-105-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-107-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-109-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-111-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-113-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-115-0x0000000002770000-0x00000000027AE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3608-958-0x0000000005300000-0x0000000005918000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3608-959-0x00000000059A0000-0x0000000005AAA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3608-960-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3608-961-0x0000000002500000-0x0000000002510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3608-962-0x0000000005B00000-0x0000000005B3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3608-963-0x0000000005C50000-0x0000000005C9C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3608-964-0x0000000000660000-0x0000000000760000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3608-966-0x0000000000590000-0x00000000005DB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3608-967-0x0000000000400000-0x000000000058C000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3608-968-0x0000000073FD0000-0x0000000074780000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3608-970-0x0000000002500000-0x0000000002510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3608-971-0x0000000002500000-0x0000000002510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3608-972-0x0000000002500000-0x0000000002510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3608-974-0x0000000002500000-0x0000000002510000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4824-35-0x0000000000E80000-0x0000000000E8A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4824-36-0x00007FFBD6350000-0x00007FFBD6E11000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4824-38-0x00007FFBD6350000-0x00007FFBD6E11000-memory.dmp

    Filesize

    10.8MB

    Download