Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 12:34 UTC

General

  • Target

    61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe

  • Size

    479KB

  • MD5

    1b385dfef9c3683b4849ce42c7b6b5f3

  • SHA1

    8aa540ad4ad25b905fdfadc3e351ba1c49e3e9b7

  • SHA256

    61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562

  • SHA512

    20e65a503be4341c386046a617c4875e006527eebd214299d971650a22c245450bfccd600d9fd9e2d0b6d1a9c5dd719037b2477452e29ddf4bdaaf20b83998b3

  • SSDEEP

    12288:MMr2y90GYO4OtK8z1J6Rxt0wptqtOTy2A8xADCvc:qyGV8z1YRgOuUAkc

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes
  • auth_value

    3e18d4b90418aa3e78d8822e87c62f5c

Signatures

  • Detects Healer, an antivirus disabler dropper 17 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe
    "C:\Users\Admin\AppData\Local\Temp\61f1a776dcd13885a5979397d5b945e89d26cfcfe61e000ac89070e4a45bc562.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3504
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1012
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe
        3⤵
        • Executes dropped EXE
        PID:1768

Network

  • flag-us
    DNS
    14.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    14.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    23.62.61.192:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Fri, 10 May 2024 12:35:39 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.bc3d3e17.1715344539.ca51df
  • flag-us
    DNS
    192.61.62.23.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    192.61.62.23.in-addr.arpa
    IN PTR
    Response
    192.61.62.23.in-addr.arpa
    IN PTR
    a23-62-61-192.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    56.126.166.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    56.126.166.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    139.53.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    139.53.16.96.in-addr.arpa
    IN PTR
    Response
    139.53.16.96.in-addr.arpa
    IN PTR
    a96-16-53-139.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    48.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    48.229.111.52.in-addr.arpa
    IN PTR
    Response
  • 23.62.61.192:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    1.5kB
    7.5kB
    18
    12

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 217.196.96.101:4132
    l6925739.exe
    260 B
    5
  • 217.196.96.101:4132
    l6925739.exe
    260 B
    5
  • 217.196.96.101:4132
    l6925739.exe
    260 B
    5
  • 217.196.96.101:4132
    l6925739.exe
    260 B
    5
  • 217.196.96.101:4132
    l6925739.exe
    260 B
    5
  • 217.196.96.101:4132
    l6925739.exe
    208 B
    4
  • 8.8.8.8:53
    14.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    14.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    192.61.62.23.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    192.61.62.23.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    56.126.166.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    56.126.166.20.in-addr.arpa

  • 8.8.8.8:53
    139.53.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    139.53.16.96.in-addr.arpa

  • 8.8.8.8:53
    48.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    48.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3756826.exe

    Filesize

    307KB

    MD5

    ca2ad17b64a10b961c2b14a7e47a8030

    SHA1

    a339ebb686b832fc87af3c287f67d8ef52e140e8

    SHA256

    23bc83a4a63831c87e6d79e2b366e2534c967a13a377e66f4d92e226f9e8be94

    SHA512

    ad5e5a03336562d58b02f2556eb833fe3c39d2a7c47584379059cc5a584be1efc981cde4c84a350a4bb244502a73fb7bf0bee7b03b4ef002bb6ecc17d3caff04

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k3719439.exe

    Filesize

    180KB

    MD5

    0e2a8712db80505e38c2816483598edf

    SHA1

    8ff6735fc1c080fb73825928f2bf9aa409b3758c

    SHA256

    a88a17437aa434a4c8df1657b4ac4c72d5d65247c160b7d2351101a2955ecd0c

    SHA512

    1076c1d65c2bd3be562d57ebe5a00af294242456a80a4149e3ae5ed1816a35abdab48cca90617ccb9839a14020391ed425cedba42f63c75b8488f45485108d91

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6925739.exe

    Filesize

    168KB

    MD5

    9eb1e1ed0fb5f198b60699f1d6f2c4d8

    SHA1

    0a93100586a585ffaceecff9c67cf28e703b67d2

    SHA256

    0fce1f4c2a87e2bdccfe4c3112f837d1fdeb91edb113f055787e29000a4a348b

    SHA512

    fe9679472176c5d0648355a230eb9b77a19d565b17cb957a14d96d60df338f039ddbbdc97c611776239e8b5b3e842c85e8ac6b50882feb59917a1bb12496140d

  • memory/1012-28-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-48-0x0000000073FD0000-0x0000000074780000-memory.dmp

    Filesize

    7.7MB

  • memory/1012-16-0x0000000073FD0000-0x0000000074780000-memory.dmp

    Filesize

    7.7MB

  • memory/1012-18-0x00000000024B0000-0x00000000024C8000-memory.dmp

    Filesize

    96KB

  • memory/1012-46-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-44-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-42-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-40-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-38-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-36-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-34-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-32-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-30-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-15-0x0000000002490000-0x00000000024AA000-memory.dmp

    Filesize

    104KB

  • memory/1012-17-0x00000000049D0000-0x0000000004F74000-memory.dmp

    Filesize

    5.6MB

  • memory/1012-26-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-14-0x0000000073FDE000-0x0000000073FDF000-memory.dmp

    Filesize

    4KB

  • memory/1012-19-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-24-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-47-0x0000000073FD0000-0x0000000074780000-memory.dmp

    Filesize

    7.7MB

  • memory/1012-22-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1012-50-0x0000000073FD0000-0x0000000074780000-memory.dmp

    Filesize

    7.7MB

  • memory/1012-20-0x00000000024B0000-0x00000000024C2000-memory.dmp

    Filesize

    72KB

  • memory/1768-54-0x0000000000BC0000-0x0000000000BF0000-memory.dmp

    Filesize

    192KB

  • memory/1768-55-0x0000000002DB0000-0x0000000002DB6000-memory.dmp

    Filesize

    24KB

  • memory/1768-56-0x000000000AF30000-0x000000000B548000-memory.dmp

    Filesize

    6.1MB

  • memory/1768-57-0x000000000AA30000-0x000000000AB3A000-memory.dmp

    Filesize

    1.0MB

  • memory/1768-58-0x000000000A960000-0x000000000A972000-memory.dmp

    Filesize

    72KB

  • memory/1768-59-0x000000000A9C0000-0x000000000A9FC000-memory.dmp

    Filesize

    240KB

  • memory/1768-60-0x0000000004DF0000-0x0000000004E3C000-memory.dmp

    Filesize

    304KB
