Overview

overview

10

Static

static

3

0e13a10fd6...cb.exe

windows10-2004-x64

10

1d089addfe...b5.exe

windows10-2004-x64

10

35d50aca92...42.exe

windows10-2004-x64

10

3ab23a3036...c6.exe

windows10-2004-x64

10

58ac39bbc6...9e.exe

windows10-2004-x64

10

64792ffeec...35.exe

windows10-2004-x64

10

654aa4d5e8...3b.exe

windows10-2004-x64

10

677afbc183...fd.exe

windows7-x64

3

677afbc183...fd.exe

windows10-2004-x64

10

71d1420ff1...80.exe

windows10-2004-x64

10

7a08e2a624...2b.exe

windows10-2004-x64

10

8c7a2623ea...7d.exe

windows10-2004-x64

10

c64d3873d4...2e.exe

windows10-2004-x64

10

cbd8058875...48.exe

windows7-x64

3

cbd8058875...48.exe

windows10-2004-x64

10

ec20c35511...9b.exe

windows10-2004-x64

10

eca60134d9...3f.exe

windows10-2004-x64

10

ecc005f21f...de.exe

windows10-2004-x64

f0fb625894...03.exe

windows10-2004-x64

10

f66a0103e4...71.exe

windows10-2004-x64

10

ffa14d4c0b...02.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-05-2024 14:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c7a2623ea0bfbad72a17add57243068958fa7289cd1319d5cbc3af84eeac07d.exe

  • Size

    925KB

  • MD5

    3e90b5f8e46ec833c865faa7b4d1bc60

  • SHA1

    28f893f8c74afb560f3d58113176a6417d561fbe

  • SHA256

    8c7a2623ea0bfbad72a17add57243068958fa7289cd1319d5cbc3af84eeac07d

  • SHA512

    caeea27ce211e797c65de526a4a1d597f00117f0f6a64755a433142f9425e85672ae86cac7d71fb7f8c2ee9b38af3766b669c513e54ab279508e9f8f212f78ad

  • SSDEEP

    24576:zySEW8KZohbEF0cN+j+EQJBBenV9CSEsVTrPhc:G1WLZohi+jvQJBULCPsZrP

Score
10/10
healerredlinelampdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

lamp

C2

77.91.68.56:19071

Attributes
  • auth_value

    ee1df63bcdbe3de70f52810d94eaff7d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c7a2623ea0bfbad72a17add57243068958fa7289cd1319d5cbc3af84eeac07d.exe
    "C:\Users\Admin\AppData\Local\Temp\8c7a2623ea0bfbad72a17add57243068958fa7289cd1319d5cbc3af84eeac07d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4846081.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4846081.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4296
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1925105.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1925105.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3864
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3288
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4584379.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4584379.exe
          4⤵
          • Executes dropped EXE
          PID:3640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4846081.exe
    Filesize

    769KB

    MD5

    02f4833c0c6516c5cfef394d3b9eb7ec

    SHA1

    fe78922d829ff5d0c1321fc6a82c2e0022fffd7d

    SHA256

    00e6ec6ca0ea5d14532e2f75af89658dad92a777d76023b9b56f02366e10baeb

    SHA512

    0959074ad192f172928111239a7584d55ed6a434d88f193327386c2a603d09b7dba0ab06f8d6dccdfcc2c48a84f227e95140cb73d516b8c3b4f86624c809ae13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1925105.exe
    Filesize

    585KB

    MD5

    aefd88bf78d38520127335f71ce127e6

    SHA1

    556478abe734493103cbaea50f7debb2c1d81694

    SHA256

    b52531c03cf4d2369515c81b7d0b5991c5bcc9fad953d224fb5b7fabf753b96a

    SHA512

    1fe416f984c321aa49c37774287e6dbbbf4b31c49c89a62e884ee9183de3a657bdc78fe68f76cd2092e044c57809d8c9e74a288acc5534bc0b2ff25d38d856f2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k3866968.exe
    Filesize

    294KB

    MD5

    a591f6df7b933436a7cb019fe4f2d67d

    SHA1

    87d9b91e6d1ff08b2d9b3f24bd9f737f93a6eefd

    SHA256

    b943a4dad97943ca50984fa33a55c9dcd7ef0d3aa9d4b17e7f3acd1a15cfc3c7

    SHA512

    6916702db6a8e459277a0051883f0d01ed95ebef24301625ceff4ec06e17ca62ea412c376b832891dc16e3929ab328db9b30c4a5060b576a91349ea9fb941c24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4584379.exe
    Filesize

    493KB

    MD5

    3a8c9ba37b9448ebda8303351a3d9aaf

    SHA1

    1eab9447cdb12a312d0c43ff2b74d9906dcc7cb9

    SHA256

    2444d26a0a4996437fe72fdb2e128a20bebb8eee11c40c78f5bf15de0e58aebe

    SHA512

    1470b5849946293b16b5afdec3319d56348e3768ad415acc0c4310216ec2ff2aee0b7439da67070f6aaa90b10083f35f9f67e2bb19daee1f5f0fd72945148f0f

    Download Submit

  • memory/3288-21-0x00000000006A0000-0x00000000006DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3288-27-0x0000000000401000-0x0000000000404000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3288-28-0x00000000006A0000-0x00000000006DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3288-29-0x00000000044A0000-0x00000000044A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3640-36-0x00000000005D0000-0x000000000065C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/3640-42-0x00000000005D0000-0x000000000065C000-memory.dmp

    Filesize

    560KB

    Download

  • memory/3640-44-0x00000000044C0000-0x00000000044C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3640-45-0x0000000009ED0000-0x000000000A4E8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3640-46-0x000000000A580000-0x000000000A68A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3640-47-0x000000000A6B0000-0x000000000A6C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3640-48-0x000000000A6D0000-0x000000000A70C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3640-49-0x0000000006A00000-0x0000000006A4C000-memory.dmp

    Filesize

    304KB

    Download