Overview

overview

10

Static

static

3

0b77ecaa1b...bd.exe

windows10-2004-x64

10

15a93b61b0...e6.exe

windows10-2004-x64

10

209703dd4d...93.exe

windows7-x64

3

209703dd4d...93.exe

windows10-2004-x64

10

371f83e057...f2.exe

windows10-2004-x64

10

4f86d48b3d...df.exe

windows10-2004-x64

10

613e8de3b5...a6.exe

windows7-x64

3

613e8de3b5...a6.exe

windows10-2004-x64

10

6bd55afbde...65.exe

windows10-2004-x64

10

74991b8b05...38.exe

windows10-2004-x64

10

75ccbf328f...af.exe

windows10-2004-x64

10

798aee8abb...5b.exe

windows10-2004-x64

10

7b57226b37...3e.exe

windows10-2004-x64

10

7fe3c52960...9b.exe

windows10-2004-x64

10

8e6c08ec1c...56.exe

windows10-2004-x64

10

9cb8e2b154...93.exe

windows10-2004-x64

10

a5bd0160df...49.exe

windows10-2004-x64

10

a62a548ffb...a0.exe

windows10-2004-x64

10

bfe644d3bd...29.exe

windows10-2004-x64

10

c606fbb70c...7c.exe

windows10-2004-x64

10

c84d7a88c3...a4.exe

windows10-2004-x64

10

d637403a7a...09.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 15:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe

  • Size

    280KB

  • MD5

    7df1e56d4c1a1612ee126463fcf8ceb4

  • SHA1

    774ab26898cfa2ace41b0d5fa53538d318e0fa57

  • SHA256

    a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0

  • SHA512

    a84427f66c991496b014e82a1e52a969da9b627d6dfebdb93b74acdda4907df02b7b7d17b25cb732999e4a01e7f6e327be630b93b6dd6c55ed78e3d920ccae15

  • SSDEEP

    6144:Kby+bnr+Qp0yN90QE7o6FzcJVDQvj6iftPO3pJ8M:JMrQy90xl9x2stgp+M

Score
10/10
healerredlinecrazydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

crazy

C2

83.97.73.129:19068

Attributes
  • auth_value

    66bc4d9682ea090eef64a299ece12fdd

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe
    "C:\Users\Admin\AppData\Local\Temp\a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:512
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4740
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        3⤵
          PID:2748
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 152
          3⤵
          • Program crash
          PID:2600
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:5104
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
          3⤵
          • Modifies Windows Defender Real-time Protection settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2340
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 152
          3⤵
          • Program crash
          PID:908
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4740 -ip 4740
      1⤵
        PID:2016
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5104 -ip 5104
        1⤵
          PID:3948

        Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a9751033.exe
                Filesize

                302KB

                MD5

                c0e3f771bcbb789d734e7d3e1b1f4e65

                SHA1

                02e6e5e508188955181ac98bb1b9c414d2c1aa9e

                SHA256

                53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02

                SHA512

                c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b2585981.exe
                Filesize

                141KB

                MD5

                cd5a529d645436b72dc72ebc19950ef3

                SHA1

                5f571b5fce5b5e210e812e28dad02b80bb1f5d80

                SHA256

                887d08bb7735494fa22a46935055d0c2d612f70e97ecdd07bccf427d8e49efa3

                SHA512

                b314a9d61340e1cafd67aef45b5151721a6100ca0f7d6ec787e4fc4d83d1cdb571cfafcd1cc1cee681f3016bfb3fc8074681633607221711163e7da2c2e6b123

                Download Submit

              • memory/2340-23-0x0000000000400000-0x000000000040A000-memory.dmp

                Filesize

                40KB

                Download

              • memory/2748-16-0x000000000A900000-0x000000000AA0A000-memory.dmp

                Filesize

                1.0MB

                Download

              • memory/2748-14-0x0000000002BE0000-0x0000000002BE6000-memory.dmp

                Filesize

                24KB

                Download

              • memory/2748-15-0x000000000AE10000-0x000000000B428000-memory.dmp

                Filesize

                6.1MB

                Download

              • memory/2748-13-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2748-18-0x000000000A7F0000-0x000000000A802000-memory.dmp

                Filesize

                72KB

                Download

              • memory/2748-8-0x0000000000400000-0x0000000000430000-memory.dmp

                Filesize

                192KB

                Download

              • memory/2748-20-0x000000000A850000-0x000000000A88C000-memory.dmp

                Filesize

                240KB

                Download

              • memory/2748-21-0x0000000073F20000-0x00000000746D0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/2748-28-0x0000000004D50000-0x0000000004D9C000-memory.dmp

                Filesize

                304KB

                Download

              • memory/2748-30-0x0000000073F2E000-0x0000000073F2F000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2748-31-0x0000000073F20000-0x00000000746D0000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/4740-7-0x0000000000177000-0x0000000000178000-memory.dmp

                Filesize

                4KB

                Download