Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/05/2024, 13:21 UTC

General

  • Target

    b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe

  • Size

    1.2MB

  • MD5

    3084e5a05ec994a172379bb42d1f4a6e

  • SHA1

    d5705086a050a075520d1e19aa047f924e079ba5

  • SHA256

    b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9

  • SHA512

    7988b8ced595a143db70f1e668bb0e645fa19621e363061379cd5b042ec6444bf8f9a14184bd65afb126a851e8acfb23eee6f71bce930d135c9eab36d87e06a0

  • SSDEEP

    24576:my9QoTLxsXrQ8m0Y3lsvmLEBXibYVetVVosYmmL9hK:19Qwss8ytLqqYjsJmJh

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe
    "C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4268
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2896
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1524
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4664
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe
              6⤵
              • Modifies Windows Defender Real-time Protection settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4444
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe
            5⤵
            • Executes dropped EXE
            PID:4808

Network

  • flag-us
    DNS
    29.243.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    29.243.111.52.in-addr.arpa
    IN PTR
    Response
  • 77.91.68.56:19071
    c9863785.exe
    260 B
    5
  • 77.91.68.56:19071
    c9863785.exe
    260 B
    5
  • 77.91.68.56:19071
    c9863785.exe
    260 B
    5
  • 77.91.68.56:19071
    c9863785.exe
    260 B
    5
  • 77.91.68.56:19071
    c9863785.exe
    260 B
    5
  • 8.8.8.8:53
    29.243.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    29.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe

    Filesize

    1.0MB

    MD5

    8f452b4a4326c38e4571b85753f14835

    SHA1

    39e82691dbf838c5929a85c0ccea571b2eeaa762

    SHA256

    2c425603871cfae47a16427da45eb520a5ed3d232c7cd61f40106132368da097

    SHA512

    5a562cd0ba0c785afe7121fd99bc39173a2121452c011bdb7424ffe30c95e181d4848dbe70996f40d02e03518328159b8913ae7351cfb4da9d4da1b4cd36a061

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe

    Filesize

    905KB

    MD5

    c01e50a9b08254b6225359b71398aec4

    SHA1

    69290aa4f0cfff274bd47cbea733cd1494329fff

    SHA256

    e11371b57008d6851d429072eb585f23a66ef95ba1f2fe63bd2ee922b8583a12

    SHA512

    73b878812254dbf5854e5cd330bcb063eca437b2f84b127f6f8fae664d274b3de5904a97ea070c77f32fe3838d69926aa7e9f19d3abaa4b81cc8684c9acc0b5d

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe

    Filesize

    722KB

    MD5

    b047020daecfcd4d6486280843970ca3

    SHA1

    1126405fb85088855aa5c5b0a4fe8c53deff0d25

    SHA256

    6347410a710cfe628661defb8efdb525f50735c3eeb0911a1b4c40888708bab8

    SHA512

    78d6bbedafae407382fb5e27982c03d04c8036406742168203577974d0632915125324292665ff07e82ef42faeca5a24add5ac0ccf0ac7a5ced4152bfad44a65

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe

    Filesize

    492KB

    MD5

    c0cb72fd5b63fa6a0e23311a69b60989

    SHA1

    bc1d486836b34d78d9169fec03e4b60433e1374c

    SHA256

    875aa2484a1a2abf76d5e4888f69df5ef6eac968473931e34bfd7a571eaa3a1d

    SHA512

    a469239d9e7178b1127af703d1347670173ec45f446bc47e96b1edc8f6ecc1482de44d055a9183b8e9f441a9b0d1625da2b48d36392c919ca5be3ad6f542c805

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe

    Filesize

    325KB

    MD5

    3700b23c6984dc6b04ae254478422acf

    SHA1

    c96f67a6cd8c1c5c421a2f7268fdb0cbbcf5969d

    SHA256

    53432dba21043cefad2ee82a5077c1aea9238fa7a57f8701799c03717b27b344

    SHA512

    5c9b84a799ae5178ff835fb31e8a9b986bd923fc6fa5d13aff1df33ed66f0eea4826066ec741b04deafd5370a08dbdf154668c3dfde2177c9b1378198fb1ce75

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe

    Filesize

    295KB

    MD5

    52a2bfba5bb378ef0d888bff0a0a9a4c

    SHA1

    e407c2042a2751b2643c4ba379b37f5c98242c07

    SHA256

    46aedf9813ed0c38fac92d5493e5dde9b57dbc6304456fc2ececa49e07feed65

    SHA512

    cd46b3f4f4165ddc64c3c87ad8ef0b855c032e8ecb863092b9fb08cd5885a31178f8538dfd447c4e0848cdf09cd7e2ce4e972c2ac4719cb60dd5c36ae8713ec8

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe

    Filesize

    11KB

    MD5

    a489f76b1e20676c44e20a1265d95bd2

    SHA1

    4adea8e3285c282db000d943bb98a5a7b9f797b7

    SHA256

    4c2d887e30ef21d4754b422f989dd02647ffd5ecfeea4342034e646e914ea32d

    SHA512

    06b205ec385ac02692a039cff628c8c5dcc4d1e388a05d4bdc8ad6b7f6efc61a3caf8c9bd9f18d08f321a4e11d27932af8a0ca8bc60bf62d2dbf0a8075bbcfa3

  • memory/4444-48-0x0000000000A00000-0x0000000000A0A000-memory.dmp

    Filesize

    40KB

  • memory/4664-35-0x00000000004A0000-0x00000000004DE000-memory.dmp

    Filesize

    248KB

  • memory/4664-42-0x0000000004580000-0x0000000004581000-memory.dmp

    Filesize

    4KB

  • memory/4664-41-0x00000000004A0000-0x00000000004DE000-memory.dmp

    Filesize

    248KB

  • memory/4808-53-0x0000000000590000-0x000000000061C000-memory.dmp

    Filesize

    560KB

  • memory/4808-60-0x0000000000590000-0x000000000061C000-memory.dmp

    Filesize

    560KB

  • memory/4808-62-0x0000000002290000-0x0000000002296000-memory.dmp

    Filesize

    24KB

  • memory/4808-63-0x00000000049F0000-0x0000000005008000-memory.dmp

    Filesize

    6.1MB

  • memory/4808-64-0x00000000050A0000-0x00000000051AA000-memory.dmp

    Filesize

    1.0MB

  • memory/4808-65-0x00000000051D0000-0x00000000051E2000-memory.dmp

    Filesize

    72KB

  • memory/4808-66-0x00000000051F0000-0x000000000522C000-memory.dmp

    Filesize

    240KB

  • memory/4808-67-0x0000000005260000-0x00000000052AC000-memory.dmp

    Filesize

    304KB