Overview

overview

10

Static

static

3

1d90edda9f...51.exe

windows7-x64

3

1d90edda9f...51.exe

windows10-2004-x64

10

1e44c41d8d...91.exe

windows10-2004-x64

10

1ed736973c...3e.exe

windows10-2004-x64

10

40d54c2855...14.exe

windows10-2004-x64

10

41c3e42a10...04.exe

windows10-2004-x64

10

559234fc52...e2.exe

windows10-2004-x64

10

55c06ba8dc...48.exe

windows10-2004-x64

10

67045db960...01.exe

windows10-2004-x64

10

6d684b37ca...5c.exe

windows10-2004-x64

10

755b6a534e...41.exe

windows10-2004-x64

10

77cbabe9fe...cf.exe

windows7-x64

3

77cbabe9fe...cf.exe

windows10-2004-x64

10

b0f8fc9921...32.exe

windows10-2004-x64

10

b72cfb2517...df.exe

windows10-2004-x64

10

ca6d56a637...da.exe

windows10-2004-x64

10

cd303f71ad...fd.exe

windows10-2004-x64

10

d7a90d1783...78.exe

windows10-2004-x64

10

db14966ca7...cb.exe

windows7-x64

10

db14966ca7...cb.exe

windows10-2004-x64

10

e800205bb9...fd.exe

windows7-x64

3

e800205bb9...fd.exe

windows10-2004-x64

10

f8a2da44f9...41.exe

windows10-2004-x64

10

fc8b501a18...d3.exe

windows7-x64

3

fc8b501a18...d3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 14:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    755b6a534ecd54fe181f1ec9de55ba3fba4d9177430ed1586a6ecc6183812e41.exe

  • Size

    1.5MB

  • MD5

    1bb75354d6a880535e819b8fdf2c8d44

  • SHA1

    94e0291d9d7edf7ccd5f353aa0ada8e05e6c8dd4

  • SHA256

    755b6a534ecd54fe181f1ec9de55ba3fba4d9177430ed1586a6ecc6183812e41

  • SHA512

    006930c07e78a96131c1a339f014a82ce92ca1ecdacb6a23415316fb89a3f0394cd8379958278e8482483730d5435bea8f6bd81411ca84ac4a69ed31952aef21

  • SSDEEP

    24576:iyVX5loIiP1DgjsZYPlJ4HIpTuWNMrNMbKXtmwHHRe6YYZDQQDljvq8Ek:JVXAvPKIELmUTXNMrnRReFY5QQJjvq8

Score
10/10
healerredlinemashadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

masha

C2

77.91.68.48:19071

Attributes
  • auth_value

    55b9b39a0dae383196a4b8d79e5bb805

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\755b6a534ecd54fe181f1ec9de55ba3fba4d9177430ed1586a6ecc6183812e41.exe
    "C:\Users\Admin\AppData\Local\Temp\755b6a534ecd54fe181f1ec9de55ba3fba4d9177430ed1586a6ecc6183812e41.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3380
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2323350.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2323350.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4232
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4949453.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4949453.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1480
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6321787.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6321787.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1540
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8252631.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8252631.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1788
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6285919.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6285919.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4008
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9599982.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9599982.exe
          4⤵
          • Executes dropped EXE
          PID:432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2323350.exe
    Filesize

    1.4MB

    MD5

    0d85fc69da9324944242e79dbc1eefde

    SHA1

    395ff38307e576a0b6620f3af95ce1a6a661bcad

    SHA256

    2c0c54f060489cc82a15e95c8c2819583482cc493d3c58341453a173e8d87bb9

    SHA512

    7ca13450dfc269e0e858eeba715d8f191d98d36de1e9ade4f52ee415cc61ee31f0ecc7f92525ab058e4e057b97e0c229af58805c7d4d77fa049e4f3a3e8aa35f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4949453.exe
    Filesize

    1.2MB

    MD5

    73c53ab529c8a6fa83de95bf5ebb304b

    SHA1

    c063d1e63fb64d020da7582a67e17a3357d2a819

    SHA256

    5be2d1bcc4d9ee4f6e33bee68338b55812fe96d3f854b6d950ea43fd16290d69

    SHA512

    884949c9e742b3c15268808da62d6323510159fc1066a6eee00f602731b6cd0e336638ea6e35410dbe9fdd057bfe28f746e69d23d0e3471ea49d60f4e4924a13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c9599982.exe
    Filesize

    692KB

    MD5

    475d0ecc8694f7095508c0bd5b0ae28e

    SHA1

    dc069c0912dcfbefd45a500cb3278e39c67c955e

    SHA256

    8712754417238e8bccd196c9235446c7bc25b95be69774d359b49057325e4f8d

    SHA512

    b11a2067a2f103df629fc030a32ceff4d0bdbbe040b01411fc060925225486a9a1c6a0a1cd72eb987bd8d0e3e64bf88d1938e7214cf365ffdc8a2b0edc1b26e9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6321787.exe
    Filesize

    620KB

    MD5

    5ad3b8790bf7d920f98f4d64ff7c7412

    SHA1

    e999531a09f6856535a3adc0d90d796486a33b99

    SHA256

    42c8992894c5db50511241661e52512a2c55078102f8693fd4f229a1d868aec2

    SHA512

    f8ff9fa3cc42dccb6628b991b2ce1d37474f5e05d0f4dc8497a77d7c30d155862e4bc18626b95f9e08e0b6c814a31abf2870ee2feb605ebf4db918cf93ff78d5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8252631.exe
    Filesize

    530KB

    MD5

    d74cb65d452b63e69711a30e3f15ff47

    SHA1

    030a72a4b9dae5e353d720068c5eb7ef6080bdb3

    SHA256

    93b8bbb8698f84222d85143b6580eae2e743572ea364378b0322fe17f2400da2

    SHA512

    d038a10ac29af26469b85783072851390918de10dfb285ad794f034d4deef5c2e860ec16750685a11fde5ce2c886016bddbef8097db9f8f59fcd94a98fe47acd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6285919.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • memory/432-49-0x000000000A510000-0x000000000A61A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/432-43-0x0000000000440000-0x0000000000470000-memory.dmp

    Filesize

    192KB

    Download

  • memory/432-47-0x0000000002370000-0x0000000002376000-memory.dmp

    Filesize

    24KB

    Download

  • memory/432-48-0x0000000009EF0000-0x000000000A508000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/432-50-0x000000000A640000-0x000000000A652000-memory.dmp

    Filesize

    72KB

    Download

  • memory/432-51-0x000000000A660000-0x000000000A69C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/432-52-0x00000000044B0000-0x00000000044FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1788-28-0x0000000000420000-0x000000000042A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4008-37-0x0000000000490000-0x000000000049A000-memory.dmp

    Filesize

    40KB

    Download