Overview

overview

10

Static

static

3

0cc30df7f6...35.exe

windows10-2004-x64

10

1208df4133...ab.exe

windows10-2004-x64

10

2d6ce3858d...b0.exe

windows7-x64

3

2d6ce3858d...b0.exe

windows10-2004-x64

10

3a484bb7d4...29.exe

windows10-2004-x64

10

3e36cb02ee...9a.exe

windows10-2004-x64

10

3f3ae36481...68.exe

windows7-x64

1

3f3ae36481...68.exe

windows10-2004-x64

1

4be1f370e8...6b.exe

windows7-x64

3

4be1f370e8...6b.exe

windows10-2004-x64

10

54ca5c456c...76.exe

windows10-2004-x64

10

6aa8d5d0d6...df.exe

windows10-2004-x64

10

8db6f54494...1f.exe

windows10-2004-x64

10

b07c30e9c2...0f.exe

windows10-2004-x64

10

b62068be50...da.exe

windows10-2004-x64

10

c1c526ed2a...52.exe

windows10-2004-x64

10

cd9de412cd...04.exe

windows7-x64

10

cd9de412cd...04.exe

windows10-2004-x64

10

dce60a71ca...cc.exe

windows10-2004-x64

e25842dbe6...9e.exe

windows10-2004-x64

10

f358ce518b...e2.exe

windows10-2004-x64

9

f5bf417643...17.exe

windows7-x64

3

f5bf417643...17.exe

windows10-2004-x64

10

f6dc0b4c65...d6.exe

windows10-2004-x64

10

f8dfa98c4e...be.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 18:07 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe

  • Size

    925KB

  • MD5

    dd93ee60c259b6d6649066385f4244ee

  • SHA1

    d07a767c2cc5a3f4e22536f80cd5403d48e79f31

  • SHA256

    b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f

  • SHA512

    77da63cbd5f5c49e42b7c8d31388ce5a5f310ab7435e9200ad94f74339d371dd8e4100c1de2700f908c44f849e293b4ae80d8354c03e9c20ab5057df4d2d126f

  • SSDEEP

    24576:jyvRZtvqBOv+fxZ0j5MqJu/2vUx4SoSoG:2vXtCVxZ06qg/lX

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe
    "C:\Users\Admin\AppData\Local\Temp\b07c30e9c2f5b9fe74bfb66f2c8682edde02cb68cd4e8a75976cca328e48e60f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2482363.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2482363.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2472
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5282091.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5282091.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:220
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4201526.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4201526.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4364
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6091152.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6091152.exe
          4⤵
          • Executes dropped EXE
          PID:4644
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
    1⤵
      PID:4072

    Network

    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dnsgoogle
    • flag-us
      DNS
      71.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      71.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      88.156.103.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      88.156.103.20.in-addr.arpa
      IN PTR
      Response
    • flag-be
      GET
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      Remote address:
      88.221.83.203:443
      Request
      GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
      host: www.bing.com
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-type: image/png
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      content-length: 1107
      date: Thu, 09 May 2024 18:08:08 GMT
      alt-svc: h3=":443"; ma=93600
      x-cdn-traceid: 0.c753dd58.1715278088.966dbbd
    • flag-us
      DNS
      203.83.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      203.83.221.88.in-addr.arpa
      IN PTR
      Response
      203.83.221.88.in-addr.arpa
      IN PTR
      a88-221-83-203deploystaticakamaitechnologiescom
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      198.187.3.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      198.187.3.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      31.121.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.121.18.2.in-addr.arpa
      IN PTR
      Response
      31.121.18.2.in-addr.arpa
      IN PTR
      a2-18-121-31deploystaticakamaitechnologiescom
    • flag-us
      DNS
      31.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      31.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      79.190.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.190.18.2.in-addr.arpa
      IN PTR
      Response
      79.190.18.2.in-addr.arpa
      IN PTR
      a2-18-190-79deploystaticakamaitechnologiescom
    • 88.221.83.203:443
      https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
      tls, http2
      1.4kB
       6.4kB
       16
      12

      HTTP Request

      GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

      HTTP Response

      200
    • 77.91.68.56:19071
      l6091152.exe
      260 B
       5
    • 77.91.68.56:19071
      l6091152.exe
      260 B
       5
    • 77.91.68.56:19071
      l6091152.exe
      260 B
       5
    • 77.91.68.56:19071
      l6091152.exe
      260 B
       5
    • 77.91.68.56:19071
      l6091152.exe
      260 B
       5
    • 77.91.68.56:19071
      l6091152.exe
      208 B
       4
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
       90 B
       1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      71.31.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      71.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      88.156.103.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      88.156.103.20.in-addr.arpa

    • 8.8.8.8:53
      203.83.221.88.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      203.83.221.88.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
       156 B
       1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      198.187.3.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      198.187.3.20.in-addr.arpa

    • 8.8.8.8:53
      31.121.18.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      31.121.18.2.in-addr.arpa

    • 8.8.8.8:53
      31.243.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      31.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      79.190.18.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      79.190.18.2.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
      Filesize

      226B

      MD5

      916851e072fbabc4796d8916c5131092

      SHA1

      d48a602229a690c512d5fdaf4c8d77547a88e7a2

      SHA256

      7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

      SHA512

      07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2482363.exe
      Filesize

      769KB

      MD5

      672bff291b38885617823399ef70b555

      SHA1

      4a7f60f83e53a7da12068d50e8e0a92c4633f187

      SHA256

      b536b905629c03cb86e63c1bf94b1cbf8a7a792df24d4904c4918e64d7c18fec

      SHA512

      167ecae7df2a247e326c6bb329953b19e41b2cff7e730e11a3f6fabf1aefb6c119f1cf2495388dec0961328c2e7b585b0b01b4ccc9ed32f6f206c56d08afb769

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y5282091.exe
      Filesize

      585KB

      MD5

      b33a2914d46d878780b909b6f1c9e28a

      SHA1

      37365cb918168c76217112923047b8cb5fce24ff

      SHA256

      cd76d29e86c9061251c4db66dd62b6e9721e8f333e800e7b3e8dd3ab7f23384b

      SHA512

      1c42a950e9b4ad4c63d07b2da343cb273057337d379f38bbd7914de31b8a527b2c7b0bc9fe07a2096fd4726ca88a3c1df2e2e7a7d2a643b24f84aff32325ee49

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k4201526.exe
      Filesize

      295KB

      MD5

      09eec7f364a56ec5491caf643ad17697

      SHA1

      6b1d0a4ca9ed4ced105e7eec6dfc2a7d3e65d415

      SHA256

      3c95a536651751d027c53005524d9d580917f52e4c0a0c30fac8f6fd55279cf3

      SHA512

      4f97ae75bdbac6f2c52c8189c31ee3b80c6991a15b017f0a5aac6feebe83c6505fefaf0d79c980f967bd5efec7c35961d30e50ddb19969a05be8aec5cdbbb1a0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6091152.exe
      Filesize

      493KB

      MD5

      dc11c027caa1f3eca389e929921e4a1a

      SHA1

      7bc540dbfa7367f8c7e1761c4de6cb110aceda76

      SHA256

      cc338e14b24d1832ff2badca78ba12388cc65b05124b525e95080c969e805966

      SHA512

      b1153e9eecbf5bdae7093fc472f331f0c71aedeee8072fc54b9657986d42a5a653e88a8712fa9230bdf1bc516ff630e5c1c791ab41ed822b6592ff60103c5105

      Download Submit

    • memory/4364-21-0x0000000000570000-0x00000000005AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4364-27-0x0000000000401000-0x0000000000404000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4364-28-0x0000000000570000-0x00000000005AE000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4364-29-0x0000000002330000-0x0000000002331000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4644-36-0x0000000002040000-0x00000000020CC000-memory.dmp

      Filesize

      560KB

      Download

    • memory/4644-42-0x0000000002040000-0x00000000020CC000-memory.dmp

      Filesize

      560KB

      Download

    • memory/4644-44-0x00000000022D0000-0x00000000022D6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4644-45-0x0000000005E30000-0x0000000006448000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4644-46-0x0000000004A90000-0x0000000004B9A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/4644-47-0x0000000006470000-0x0000000006482000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4644-48-0x0000000006490000-0x00000000064CC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4644-49-0x0000000006500000-0x000000000654C000-memory.dmp

      Filesize

      304KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.