Overview

overview

10

Static

static

3

061ed335bc...9b.exe

windows7-x64

3

061ed335bc...9b.exe

windows10-2004-x64

10

067e5c3ecf...b6.exe

windows10-2004-x64

10

1ec8ce9ace...96.exe

windows10-2004-x64

10

349cf4c964...66.exe

windows10-2004-x64

10

4250b0250d...ee.exe

windows10-2004-x64

10

56dbfb10e0...5d.exe

windows10-2004-x64

10

5951daaf24...9a.exe

windows10-2004-x64

10

59c1607382...01.exe

windows10-2004-x64

10

74cf5b47d1...8d.exe

windows10-2004-x64

10

795a49ee81...4a.exe

windows10-2004-x64

10

8b549a8688...5b.exe

windows10-2004-x64

10

91da85daf6...d8.exe

windows10-2004-x64

10

a8dffd83e4...8a.exe

windows10-2004-x64

7

ab124875ee...6a.exe

windows10-2004-x64

10

ccc5c313f4...94.exe

windows10-2004-x64

10

cce5498639...83.exe

windows10-2004-x64

10

ce9f75c073...16.exe

windows10-2004-x64

10

dda511575f...2f.exe

windows10-2004-x64

10

eb81f341bc...da.exe

windows10-2004-x64

10

f943251c5b...1b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    168s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-05-2024 17:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab124875eee3aa9c0b98e5ed0dbab9856acaf99e011d97b92abd4d2cf0f5aa6a.exe

  • Size

    919KB

  • MD5

    6ae13efc8817a2e5640ab617edc0ef66

  • SHA1

    56dd6153047a0cd1cdbd047b63e579fd5b8ae25f

  • SHA256

    ab124875eee3aa9c0b98e5ed0dbab9856acaf99e011d97b92abd4d2cf0f5aa6a

  • SHA512

    88e45ea5d7ae364df9c0b8bfc0e3d83f75d844b0bca8b06386f78aa83a1dcfe703595fa648bbf14519529bce6281109675508cd57769011ba46f439767fcc437

  • SSDEEP

    24576:GyF7GXiF68lRgtjHF4l/MI6OxDgdcqSvNB:VFqXic8lRg3PDVcq

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab124875eee3aa9c0b98e5ed0dbab9856acaf99e011d97b92abd4d2cf0f5aa6a.exe
    "C:\Users\Admin\AppData\Local\Temp\ab124875eee3aa9c0b98e5ed0dbab9856acaf99e011d97b92abd4d2cf0f5aa6a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2992
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6463558.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6463558.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3480
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3231341.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3231341.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2448
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6640824.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6640824.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2820
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3023210.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3023210.exe
          4⤵
          • Executes dropped EXE
          PID:3640
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1352 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3212

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
      Filesize

      226B

      MD5

      916851e072fbabc4796d8916c5131092

      SHA1

      d48a602229a690c512d5fdaf4c8d77547a88e7a2

      SHA256

      7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

      SHA512

      07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6463558.exe
      Filesize

      763KB

      MD5

      1c40f0767b3afcbbe40162e2209e9ea7

      SHA1

      a559ecd1945339b03e80318b3e5fc5a1743e5be5

      SHA256

      fc089dab52c3e61ec12bd19365ab4eb37c304c21ce0e0daf4e3dffdf4c32a0cc

      SHA512

      b74d974f4a923ba359304f7d1f04f79ca35a103e89b652ad51546c147e7dd42b175cffecd565f93c1190d9d0c461a14b25da5b3e3eb9a2e40d8bf956a5b2403e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3231341.exe
      Filesize

      580KB

      MD5

      4a42a0c0f1c6cdb18d674bbda1759aba

      SHA1

      586856be171af6ec0503242fe1894c160588a461

      SHA256

      a3d63f0a54bc7ba0fa176fd82668f354a96bad04d0ec694f01f0235716cbf212

      SHA512

      68bbe16a6d420b10872ef212733071f46176d46063446facfb69ff8cdab56cb3b2ac832a5ba2cdafaabd5e9ba0d3374b614e6fa6dae0f0d445300389bdcd467b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6640824.exe
      Filesize

      294KB

      MD5

      066823c8ddcfa4b9ba01c446de71af3f

      SHA1

      e3d2e4d0e4dbdc9a48345587385f61a1795fa857

      SHA256

      38abefade8dc5549d901c8bb1cdedcf5e8b7840f6e024d2a49d71600055c6150

      SHA512

      a5215cf324ae0bb0fd95c003a7985e0ec7137ed63a96ed0bd44a05a11d2e0a8b609d54ecad9d5ab2eda3931d0231ae3cbcf0ab7046824d1a425e2ecccf75ea4b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3023210.exe
      Filesize

      491KB

      MD5

      c872ddc430a6d7d695e783130dd4c4f1

      SHA1

      af818368cf10cd3eb9a364599d8d269bf3c2f8d3

      SHA256

      bfc4f8c7c20cc73da1bd6c18ec7c47ada80629322e8c6b3769d08c8dc5c75a9a

      SHA512

      1d45fd346ab6c8194b1acc2d0004c5a21fcca7ee2dd565dcc1ec7435b11893b5777a14a35f784b610fed08db696293056b1c77acbad573ef65b2fac81a9c37d6

      Download Submit

    • memory/2820-21-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

      Download

    • memory/2820-22-0x0000000000560000-0x000000000059E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2820-28-0x0000000000560000-0x000000000059E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2820-29-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3640-35-0x0000000001FA0000-0x000000000202C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/3640-42-0x0000000001FA0000-0x000000000202C000-memory.dmp

      Filesize

      560KB

      Download

    • memory/3640-44-0x00000000044B0000-0x00000000044B6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3640-45-0x00000000049E0000-0x0000000004FF8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3640-46-0x0000000005090000-0x000000000519A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3640-47-0x00000000051C0000-0x00000000051D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3640-48-0x00000000051E0000-0x000000000521C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3640-49-0x0000000005250000-0x000000000529C000-memory.dmp

      Filesize

      304KB

      Download