Overview

overview

10

Static

static

3

8d83b744ad...JC.exe

windows7-x64

10

8d83b744ad...JC.exe

windows10-1703-x64

10

8d83b744ad...JC.exe

windows10-2004-x64

10

8d83b744ad...JC.exe

windows11-21h2-x64

10

Resubmissions

09-04-2024 13:51

240409-q52wsagf78 10

09-04-2024 13:51

240409-q5199agf77 10

09-04-2024 13:51

240409-q5zfnaca3y 10

09-04-2024 13:51

240409-q5y5wsca3x 10

02-09-2023 11:46

230902-nxm2jscg99 10

Analysis

  • max time kernel
    1194s
  • max time network
    1210s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240221-en
  • resource tags

    arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    09-04-2024 13:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe

  • Size

    820KB

  • MD5

    865c99ae19817cac9d40b35202f6f453

  • SHA1

    980d4e8229c3d7a6bf02596047a015c32d9210e3

  • SHA256

    8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b

  • SHA512

    091016e9888850d673d096090ad87563eb721cbcc311ca0fb4f0948f78f6679363795463081ae335b43061a1b1793c36b2bd1a0f7fe797cf6380303b98648458

  • SSDEEP

    12288:KMrWy90uxp7VpGrXpmKepnfpz4Ahwpkb7cCUOE1RZyYrB8MB1xZhxH0:Qyhp2pm9FBz4AhwpksCHGYYdd7U

Score
10/10
healermysticredlinesrutadropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sruta

C2

77.91.124.82:19071

Attributes
  • auth_value

    c556edcd49703319eca74247de20c236

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1174701.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1174701.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6302603.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6302603.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3304
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5756523.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5756523.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1204
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5896929.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5896929.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:2256
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7341166.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7341166.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:3288
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7297316.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7297316.exe
              6⤵
              • Executes dropped EXE
              PID:1440
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3956936.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3956936.exe
            5⤵
            • Executes dropped EXE
            PID:5036

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1174701.exe
    Filesize

    723KB

    MD5

    4d28a06bc7d389a286f2324caddf1e8c

    SHA1

    59af85cf36a459027b9292d8b73aec4f429ea328

    SHA256

    ac7fefffe24659c5db14a2bb4cc432004020acc268884bc518c6a142f0d8f5c2

    SHA512

    0538c7e09c9253b48d2c503e2dc58c55662d28284aad9c485cfd68582cc9eafa84850b28a517b0b3b5a19b67bddd5b69edc54112889fda881da50fb7b310e45c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6302603.exe
    Filesize

    497KB

    MD5

    1e0e32b87a93e15353432ccc538eab1f

    SHA1

    0d3e5f322b3595400fd5587e9e30dee9c01cf6f4

    SHA256

    3b754180b1912716d9cf97762322f660fc3b5a599c41f09287a63ed2db764702

    SHA512

    f8b75ddbb5d5b7956d975e3e8052c62d866b0c07de63c93fbc1f064d27f737de92d2b05f104910f0522c874afb0655770e67b3504dcde641be5b3085ed1446b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5756523.exe
    Filesize

    372KB

    MD5

    cc451ca9b12129e2af20c19f8c0b462d

    SHA1

    657c7c98063b2937e6fb7516f73a31beaeaa8a82

    SHA256

    e464ba3d27af55732f7be815fb3899287c808b69dd5221adbe20f945a78b0455

    SHA512

    159d56c233d25321117a3179d894161ce2bc7b3cb2979c0884e726d2ed89899999c423d83e4f6278f9fea77c621bef2544b02ce54c41d5eba81f4a8ab7604af4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3956936.exe
    Filesize

    175KB

    MD5

    b63224b9575d147711fa843872a4b52f

    SHA1

    bcbd067ca7570fa86276639a51f83acb871ba0a9

    SHA256

    6f5abaf57c657b33940a7564e780e4708227921f95ae46ca3c48c8ef9de12932

    SHA512

    97335a1a366b00e5df40dddbb25d91981b69f8fffdf90a55b95fb1bb978ed06ec4ca92334a45dfc276a88f0102e88f7d3c9c246160dd2925576505c24f3ced26

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5896929.exe
    Filesize

    217KB

    MD5

    a6c0a7109e1a0ea3364630b92deeda95

    SHA1

    1fe78c74047f279afca45340c6dfd9fc307b4361

    SHA256

    992d938558305206821d24cf8180ce06ff290309b4c4ef8eab13a6ec3a910c97

    SHA512

    20165dac6c17fbc51ce5b05969b318aaee1cf8dd83ab5133775fc14e404448a2ac633d0dad3ea9421cb8b72dda1f65e798db5610de6d12891217a15bb481a640

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7341166.exe
    Filesize

    18KB

    MD5

    952034a560be61e4d921f508df8a162b

    SHA1

    1b559a970c6b61dbdf0fbd13d38b150e015a5719

    SHA256

    028936f58c1e1504c9481a7c3da88c682e3d860ae96576305100ab0ccb954b70

    SHA512

    3708633775200299ce1da7402f5530afade06012092d986a0989fc2c1f4fa0f6b47f16a3bcdcaefa6b2ccc8ec0df8246a1faf56c688de006883485b5b65897f8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7297316.exe
    Filesize

    140KB

    MD5

    605d09ec259bdf6742ec4d801757f71b

    SHA1

    310b4e0464dc29061c9c3257798bad7905e72038

    SHA256

    2766f4e42fec4fdf0a7cfa874d2eb127a18ca9ddedfeaa987e7175df82bd4927

    SHA512

    a581a00b5b3e5f83d19a045a5ce6e1171f2d33a35d30aa655581779cef82017abb61f9d4701d16db7a570ba0b74be1a4e5a5ecbe2d8d7a783ea921ec40160d14

    Download Submit

  • memory/3288-35-0x00000000000C0000-0x00000000000CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3288-36-0x00007FF839080000-0x00007FF839B42000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3288-38-0x00007FF839080000-0x00007FF839B42000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/5036-45-0x0000000000460000-0x0000000000490000-memory.dmp

    Filesize

    192KB

    Download

  • memory/5036-46-0x0000000002800000-0x0000000002806000-memory.dmp

    Filesize

    24KB

    Download

  • memory/5036-47-0x00000000749B0000-0x0000000075161000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5036-48-0x00000000054B0000-0x0000000005AC8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5036-49-0x0000000004FA0000-0x00000000050AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5036-50-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5036-51-0x0000000004D80000-0x0000000004D90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5036-52-0x0000000004F10000-0x0000000004F4C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5036-53-0x0000000004F50000-0x0000000004F9C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5036-54-0x00000000749B0000-0x0000000075161000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5036-55-0x0000000004D80000-0x0000000004D90000-memory.dmp

    Filesize

    64KB

    Download