Overview

overview

10

Static

static

3

106445763c...34.exe

windows10-2004-x64

10

Resubmissions

08-04-2024 13:45

240408-q2dpsaae25 10

21-11-2023 22:21

231121-196ewagh72 10

21-11-2023 22:20

231121-183ycshf5y 10

21-11-2023 22:06

231121-1z2c6sgh38 10

27-08-2023 18:38

230827-w98ssaee5z 10

01-06-2023 22:35

230601-2h4yeagg74 10

21-04-2023 17:56

230421-whz2kahb76 10

16-04-2023 14:28

230416-rtht7sad45 10

16-04-2023 14:28

230416-rs4qaaca91 1

16-04-2023 14:22

230416-rpvyzaad38 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

  • Size

    1.2MB

  • Sample

    240408-q2dpsaae25

  • MD5

    5b3b6822964b4151c6200ecd89722a86

  • SHA1

    ce7a11dae532b2ade1c96619bbdc8a8325582049

  • SHA256

    106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

  • SHA512

    2f0d99af35c326cf46810c7421325deb55ae7ca36a8edc2716a3d32d9e6769e0d374581a98912e22fceeb6973e972463ed8b2fa4d4399043c443fa100dfd17b0

  • SSDEEP

    24576:5yY4YriuQJ5X4SuIcmuBLahxwUzN1YyqoVKucvTNLF9:sY4FuIahGxRMoobNLF

Score
10/10
healerredlineronurbootkitdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ronur

C2

193.233.20.20:4134

Attributes
  • auth_value

    f88f86755a528d4b25f6f3628c460965

Targets

    • Target

      106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

    • Size

      1.2MB

    • MD5

      5b3b6822964b4151c6200ecd89722a86

    • SHA1

      ce7a11dae532b2ade1c96619bbdc8a8325582049

    • SHA256

      106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

    • SHA512

      2f0d99af35c326cf46810c7421325deb55ae7ca36a8edc2716a3d32d9e6769e0d374581a98912e22fceeb6973e972463ed8b2fa4d4399043c443fa100dfd17b0

    • SSDEEP

      24576:5yY4YriuQJ5X4SuIcmuBLahxwUzN1YyqoVKucvTNLF9:sY4FuIahGxRMoobNLF

    Score
    10/10
    healerredlineronurbootkitdropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Executes dropped EXE

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Writes to the Master Boot Record (MBR)

      Bootkits write to the MBR to gain persistence at a level below the operating system.

      bootkitpersistence

    • Drops file in System32 directory

    behavioral1

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

2
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Tasks