Overview

overview

10

Static

static

3

143e14de3a...c5.exe

windows10-2004-x64

10

22c5bd0a3e...19.exe

windows10-2004-x64

10

291dafd231...e9.exe

windows10-2004-x64

10

2e0a9b6a39...9b.exe

windows10-2004-x64

10

499d652934...48.exe

windows7-x64

1

499d652934...48.exe

windows10-2004-x64

1

4b8eb94185...c3.exe

windows10-2004-x64

10

4d09936a4a...bf.exe

windows10-2004-x64

10

4fbcb0a2f4...73.exe

windows10-2004-x64

10

53ecffef24...36.exe

windows10-2004-x64

10

59a57474eb...06.exe

windows10-2004-x64

10

61f1416a77...2b.exe

windows10-2004-x64

10

6aec183a58...31.exe

windows10-2004-x64

10

7182994846...ce.exe

windows7-x64

3

7182994846...ce.exe

windows10-2004-x64

10

7506757ba8...b0.exe

windows10-2004-x64

10

80ada740eb...52.exe

windows10-2004-x64

10

9e8418826f...52.exe

windows10-2004-x64

10

a898d72b49...84.exe

windows10-2004-x64

10

e6baad5a7e...5c.exe

windows10-2004-x64

10

ea3dd01036...9e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06.exe

  • Size

    919KB

  • MD5

    7744901dc80e2afe3afa4c7b5c399d3b

  • SHA1

    78f4dbbd8afb9973e7927e8d11602eda9f1d7cd3

  • SHA256

    59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06

  • SHA512

    22c73528904d0f012e057e565a21ef8c1c583704c25d82f6b628056b02ede91aed7fe6c2323b16f140b7a792ccb10dab610bce923959b35ab2137b46171a7161

  • SSDEEP

    24576:OyIUn4LTjk0iz8Bw5jfsEyAHVTUk19I/faYKbrVa5Y:dIHbPE84fxy6HIFKb

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06.exe
    "C:\Users\Admin\AppData\Local\Temp\59a57474ebe62f572bb724c334e3f51070b9605bdb8a26ca62aa328af1683a06.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7840011.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7840011.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2864
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6426330.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6426330.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4864
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5116
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3380806.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3380806.exe
          4⤵
          • Executes dropped EXE
          PID:2508

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7840011.exe
    Filesize

    763KB

    MD5

    78f324849aa7b1f850517cf94be2ef54

    SHA1

    143654cbf93522937131f0a56f6ffdb94d62b693

    SHA256

    d37e270ae2e841d2d7e02bca9b2b8722ee36bc8634203dd51a26a7768448c774

    SHA512

    6e82a48af65e3bd4211e9e10913bfcbe98506e5a34c66ff0077b5e4ce841c739365461f9995c5bba442e0805e64a5d5b04e1a4ed5dbdf7039305ca190a1a2083

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6426330.exe
    Filesize

    580KB

    MD5

    26efa76c4c09af119b5cf26ba265bd6a

    SHA1

    f9211e30771cda4c1e33d39414e62c077225e6cb

    SHA256

    2188d5c86aa35a1374137c1f2757f2d21b66e47e7649886cd9717ad6f858fef2

    SHA512

    44e72b50b0cfea2255f5cd10716ab02b3dd336679cec9307866a47c14a609c6271c217d396009456fd1f1b2bbfee06b1c2a645e7887d2faf2495ab87b5de9644

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k2737969.exe
    Filesize

    295KB

    MD5

    97bedc3847c2a75396c6c97cf29285ac

    SHA1

    e55c17be6b028426f3580337facd941e456cb060

    SHA256

    f4787b70b2a4f6e0b9350ddbdddbbca942b8a2f4d48a9f82e43d1cde06fa8759

    SHA512

    b99680cb988118acf40b417048fd99dad120409da63f110bf9100b43aa16d124aa83e266f4db5585681dd90ec442eda9bf04d81eaa835e095ff4438cf531983f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3380806.exe
    Filesize

    489KB

    MD5

    dfb42870a5a35dc280f750653cd769c5

    SHA1

    835406a72260124183d0968490f41e22f43a3a2f

    SHA256

    0e00c1394a7c5563999d0fa119b0be98739dc40619cf0cc133244a06f99bc6de

    SHA512

    469f45c6640402704251c00a32758c5c78b0a596b8b437f7765d101c81cb1bcd05cff30b7347f03464c963ac4200c82171bd4c8f7d7826f14a54c4c180c86663

    Download Submit

  • memory/2508-45-0x0000000007EF0000-0x0000000008508000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2508-35-0x0000000000510000-0x000000000059C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2508-42-0x0000000000510000-0x000000000059C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/2508-44-0x0000000002270000-0x0000000002276000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2508-46-0x0000000008580000-0x000000000868A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2508-47-0x00000000086B0000-0x00000000086C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2508-48-0x00000000086D0000-0x000000000870C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2508-49-0x0000000005A00000-0x0000000005A4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5116-29-0x0000000002350000-0x0000000002351000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5116-28-0x0000000000690000-0x00000000006CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5116-27-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download

  • memory/5116-21-0x0000000000690000-0x00000000006CE000-memory.dmp

    Filesize

    248KB

    Download