Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-01-2024 20:11

General

  • Target

    bdc94c688a45edd35d57b114679ba844194daf1026f3abf5b8f1223c8d6ff47c.exe

  • Size

    497KB

  • MD5

    b86c688c83ea1a7fd4f3c0030ea16dd0

  • SHA1

    f3f0c529bff95b9d8eab4b3b34255d056cac6952

  • SHA256

    bdc94c688a45edd35d57b114679ba844194daf1026f3abf5b8f1223c8d6ff47c

  • SHA512

    a140ce40462f355d721543e02a44cc759c9ae095b6b2f002046633dfa9fdeb48373d0cf945049379f5bcfe3df5ae04e2acd1ed36d68f6a28db3c66713fe79a30

  • SSDEEP

    12288:3MrZy90oLn5mW+xggEhkbXsbF8QqVUbx3KE:+yL5mRxgGzKynVex3B

Malware Config

Extracted

Family

redline

Botnet

stas

C2

77.91.124.82:19071

Attributes
  • auth_value

    db6d96c4eade05afc28c31d9ad73a73c

Signatures

  • Detects Healer, an antivirus disabler dropper 1 IoCs
  • Healer

    Healer is an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Executes dropped EXE 5 IoCs
  • Windows security modification 2 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bdc94c688a45edd35d57b114679ba844194daf1026f3abf5b8f1223c8d6ff47c.exe
    "C:\Users\Admin\AppData\Local\Temp\bdc94c688a45edd35d57b114679ba844194daf1026f3abf5b8f1223c8d6ff47c.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8044467.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8044467.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4256
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5027616.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5027616.exe
        3⤵
        • Executes dropped EXE
        PID:2968
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7991102.exe
    C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7991102.exe
    1⤵
    • Modifies Windows Defender Real-time Protection settings
    • Executes dropped EXE
    • Windows security modification
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:60
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3607374.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3607374.exe
    1⤵
    • Executes dropped EXE
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3824
    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4104776.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4104776.exe
      2⤵
      • Executes dropped EXE
      PID:1088

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8044467.exe

    Filesize

    94KB

    MD5

    17c2f820a972f4edd7539a4bb4103890

    SHA1

    447ce1338d38b683c888aa8936b97fda2007504d

    SHA256

    2e5f843876c345bd16f7351861063263304e66836ce861b64fd1b09d4a779ebc

    SHA512

    b76a846452c41cd368bd6b63af7afee45393847d9ca109aaf2457a4449b9aeb9efc5a0278fddff7f74be95bec241a4a8c19f4bc741f402895931292f2b13659e

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8044467.exe

    Filesize

    92KB

    MD5

    d665a46be32e3056f777d87ff0c7f7f9

    SHA1

    9b5e95b1d3cfca69dca6a10da6f3e26b06093915

    SHA256

    2106b7a74a7d6b18f40d1de764bdf3e0939afa68f51505cb9e3e4583924fa801

    SHA512

    8e3db4632a18ff2bf2ed3f47f43fd3cd8d2a658b2b2e7793bf40586c10e333c458d009715dd35eca13243e3f9d13e01d5af9a61b25efb93e2639accd3ea62f4c

  • memory/60-21-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

    Filesize

    40KB

  • memory/60-22-0x00007FFBE8E90000-0x00007FFBE9951000-memory.dmp

    Filesize

    10.8MB

  • memory/60-24-0x00007FFBE8E90000-0x00007FFBE9951000-memory.dmp

    Filesize

    10.8MB

  • memory/2968-35-0x0000000005430000-0x000000000553A000-memory.dmp

    Filesize

    1.0MB

  • memory/2968-32-0x0000000074360000-0x0000000074B10000-memory.dmp

    Filesize

    7.7MB

  • memory/2968-33-0x0000000002B60000-0x0000000002B66000-memory.dmp

    Filesize

    24KB

  • memory/2968-37-0x0000000005310000-0x0000000005320000-memory.dmp

    Filesize

    64KB

  • memory/2968-38-0x00000000053A0000-0x00000000053DC000-memory.dmp

    Filesize

    240KB

  • memory/2968-39-0x00000000053E0000-0x000000000542C000-memory.dmp

    Filesize

    304KB

  • memory/2968-36-0x0000000005340000-0x0000000005352000-memory.dmp

    Filesize

    72KB

  • memory/2968-34-0x0000000005940000-0x0000000005F58000-memory.dmp

    Filesize

    6.1MB

  • memory/2968-31-0x0000000000870000-0x00000000008A0000-memory.dmp

    Filesize

    192KB

  • memory/2968-40-0x0000000074360000-0x0000000074B10000-memory.dmp

    Filesize

    7.7MB

  • memory/2968-41-0x0000000005310000-0x0000000005320000-memory.dmp

    Filesize

    64KB