Overview

overview

10

Static

static

3

8d83b744ad...JC.exe

windows7-x64

10

8d83b744ad...JC.exe

windows10-1703-x64

10

8d83b744ad...JC.exe

windows10-2004-x64

10

8d83b744ad...JC.exe

windows11-21h2-x64

10

Resubmissions

09-04-2024 13:51

240409-q52wsagf78 10

09-04-2024 13:51

240409-q5199agf77 10

09-04-2024 13:51

240409-q5zfnaca3y 10

09-04-2024 13:51

240409-q5y5wsca3x 10

02-09-2023 11:46

230902-nxm2jscg99 10

Analysis

  • max time kernel
    594s
  • max time network
    603s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-04-2024 13:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe

  • Size

    820KB

  • MD5

    865c99ae19817cac9d40b35202f6f453

  • SHA1

    980d4e8229c3d7a6bf02596047a015c32d9210e3

  • SHA256

    8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b

  • SHA512

    091016e9888850d673d096090ad87563eb721cbcc311ca0fb4f0948f78f6679363795463081ae335b43061a1b1793c36b2bd1a0f7fe797cf6380303b98648458

  • SSDEEP

    12288:KMrWy90uxp7VpGrXpmKepnfpz4Ahwpkb7cCUOE1RZyYrB8MB1xZhxH0:Qyhp2pm9FBz4AhwpksCHGYYdd7U

Score
10/10
healermysticredlinesrutadropperevasioninfostealerpersistencestealertrojan

Malware Config

Extracted

Family

redline

Botnet

sruta

C2

77.91.124.82:19071

Attributes
  • auth_value

    c556edcd49703319eca74247de20c236

Signatures

  • Detect Mystic stealer payload 1 IoCs
  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • Mystic

    Mystic is an infostealer written in C++.

    stealermystic
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\8d83b744ad7ae7be2bbe9b1b0a9b857b8606944a166194f5b80250c1e066016b_JC.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4076
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1174701.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1174701.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6302603.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6302603.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3880
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5756523.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5756523.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:3688
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5896929.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5896929.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:4692
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7341166.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7341166.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:396
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7297316.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7297316.exe
              6⤵
              • Executes dropped EXE
              PID:4504
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3956936.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3956936.exe
            5⤵
            • Executes dropped EXE
            PID:512
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5360 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:4796
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3904 --field-trial-handle=2256,i,6057863739127169200,6895476048812676039,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:1080

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1174701.exe
        Filesize

        723KB

        MD5

        4d28a06bc7d389a286f2324caddf1e8c

        SHA1

        59af85cf36a459027b9292d8b73aec4f429ea328

        SHA256

        ac7fefffe24659c5db14a2bb4cc432004020acc268884bc518c6a142f0d8f5c2

        SHA512

        0538c7e09c9253b48d2c503e2dc58c55662d28284aad9c485cfd68582cc9eafa84850b28a517b0b3b5a19b67bddd5b69edc54112889fda881da50fb7b310e45c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6302603.exe
        Filesize

        497KB

        MD5

        1e0e32b87a93e15353432ccc538eab1f

        SHA1

        0d3e5f322b3595400fd5587e9e30dee9c01cf6f4

        SHA256

        3b754180b1912716d9cf97762322f660fc3b5a599c41f09287a63ed2db764702

        SHA512

        f8b75ddbb5d5b7956d975e3e8052c62d866b0c07de63c93fbc1f064d27f737de92d2b05f104910f0522c874afb0655770e67b3504dcde641be5b3085ed1446b1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5756523.exe
        Filesize

        372KB

        MD5

        cc451ca9b12129e2af20c19f8c0b462d

        SHA1

        657c7c98063b2937e6fb7516f73a31beaeaa8a82

        SHA256

        e464ba3d27af55732f7be815fb3899287c808b69dd5221adbe20f945a78b0455

        SHA512

        159d56c233d25321117a3179d894161ce2bc7b3cb2979c0884e726d2ed89899999c423d83e4f6278f9fea77c621bef2544b02ce54c41d5eba81f4a8ab7604af4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3956936.exe
        Filesize

        175KB

        MD5

        b63224b9575d147711fa843872a4b52f

        SHA1

        bcbd067ca7570fa86276639a51f83acb871ba0a9

        SHA256

        6f5abaf57c657b33940a7564e780e4708227921f95ae46ca3c48c8ef9de12932

        SHA512

        97335a1a366b00e5df40dddbb25d91981b69f8fffdf90a55b95fb1bb978ed06ec4ca92334a45dfc276a88f0102e88f7d3c9c246160dd2925576505c24f3ced26

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5896929.exe
        Filesize

        217KB

        MD5

        a6c0a7109e1a0ea3364630b92deeda95

        SHA1

        1fe78c74047f279afca45340c6dfd9fc307b4361

        SHA256

        992d938558305206821d24cf8180ce06ff290309b4c4ef8eab13a6ec3a910c97

        SHA512

        20165dac6c17fbc51ce5b05969b318aaee1cf8dd83ab5133775fc14e404448a2ac633d0dad3ea9421cb8b72dda1f65e798db5610de6d12891217a15bb481a640

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7341166.exe
        Filesize

        18KB

        MD5

        952034a560be61e4d921f508df8a162b

        SHA1

        1b559a970c6b61dbdf0fbd13d38b150e015a5719

        SHA256

        028936f58c1e1504c9481a7c3da88c682e3d860ae96576305100ab0ccb954b70

        SHA512

        3708633775200299ce1da7402f5530afade06012092d986a0989fc2c1f4fa0f6b47f16a3bcdcaefa6b2ccc8ec0df8246a1faf56c688de006883485b5b65897f8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7297316.exe
        Filesize

        140KB

        MD5

        605d09ec259bdf6742ec4d801757f71b

        SHA1

        310b4e0464dc29061c9c3257798bad7905e72038

        SHA256

        2766f4e42fec4fdf0a7cfa874d2eb127a18ca9ddedfeaa987e7175df82bd4927

        SHA512

        a581a00b5b3e5f83d19a045a5ce6e1171f2d33a35d30aa655581779cef82017abb61f9d4701d16db7a570ba0b74be1a4e5a5ecbe2d8d7a783ea921ec40160d14

        Download Submit

      • memory/396-35-0x0000000000E40000-0x0000000000E4A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/396-36-0x00007FFF80300000-0x00007FFF80DC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/396-38-0x00007FFF80300000-0x00007FFF80DC1000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/512-45-0x0000000074A50000-0x0000000075200000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/512-46-0x0000000000BC0000-0x0000000000BF0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/512-47-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

        Filesize

        24KB

        Download

      • memory/512-48-0x0000000005CE0000-0x00000000062F8000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/512-49-0x00000000057D0000-0x00000000058DA000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/512-51-0x00000000055B0000-0x00000000055C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/512-50-0x0000000005580000-0x0000000005592000-memory.dmp

        Filesize

        72KB

        Download

      • memory/512-52-0x0000000005700000-0x000000000573C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/512-53-0x0000000005740000-0x000000000578C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/512-54-0x0000000074A50000-0x0000000075200000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/512-55-0x00000000055B0000-0x00000000055C0000-memory.dmp

        Filesize

        64KB

        Download