Overview

overview

10

Static

static

3

0848e1e7e1...63.exe

windows10-2004-x64

10

1106a57fdf...a5.exe

windows10-2004-x64

10

185a521367...e2.exe

windows10-2004-x64

10

1a2ed241f7...81.exe

windows10-2004-x64

10

3933af1a19...66.exe

windows10-2004-x64

10

4046412564...e5.exe

windows10-2004-x64

10

48b2c44ad3...cf.exe

windows10-2004-x64

10

6fdb50a007...59.exe

windows10-2004-x64

10

708b7d578b...65.exe

windows10-2004-x64

10

73dc042440...3f.exe

windows10-2004-x64

10

9a45e9c206...55.exe

windows10-2004-x64

10

9a8f8e9a46...09.exe

windows10-2004-x64

10

9ab135934b...fe.exe

windows10-2004-x64

10

ab010a807d...38.exe

windows10-2004-x64

10

b85fd724a0...c4.exe

windows10-2004-x64

10

d940f9b9c6...49.exe

windows10-2004-x64

10

dc87cba915...e1.exe

windows10-2004-x64

10

e7bd826b7a...05.exe

windows10-2004-x64

10

ffbf9f9530...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 09:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe

  • Size

    496KB

  • MD5

    9aef86abcad029040fa01e67befa91f9

  • SHA1

    9dcbf47ce36595b3eefe59bb1ea833ae5e9d5065

  • SHA256

    6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759

  • SHA512

    929d5efbf2ed51ded7b4d9a0a3c98cfb6ae8c6142e2dcb7f890e3d61243172d7efb24a367ad10165800dc96ac810fb204a9f3de239ff395e94f6305152af88b7

  • SSDEEP

    12288:wMrty90BxdBF3rKeE9ITD0lIfcVLpOrxf5++O/:Ny4/BFVEzIBrxfg

Score
10/10
healerredlinemrakdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mrak

C2

77.91.124.82:19071

Attributes
  • auth_value

    7d9a335ab5dfd42d374867c96fe25302

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe
    "C:\Users\Admin\AppData\Local\Temp\6fdb50a0079a54fd2c8a1914519edb8a2bee5d2cd01893a926c2b2b6fbb08759.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1155262.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1155262.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8607123.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8607123.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1812582.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1812582.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:720
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5253347.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5253347.exe
          4⤵
          • Executes dropped EXE
          PID:3216

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1155262.exe
    Filesize

    371KB

    MD5

    fcf1f57155d18dc3eeeae3ba3024c5cd

    SHA1

    3c46a30cba2929a86ffa982c7214d4f9a05ea007

    SHA256

    871749affcfa66318f224cc36dba90f91a6b61711d9b0f60ca3a750fce692671

    SHA512

    75c0dfa105fbd900e09920e9997febcafd3c4fcdb48b0935bb964e48bca4776c5ae53d7ffbb1e5e8665680d37f2bd45b66f7c0a1b54321d5e785889b040e2150

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8607123.exe
    Filesize

    206KB

    MD5

    66e3b9b7f36e7de3e95b1c401fff6848

    SHA1

    50dcaf103c73dc81cf911605ebed639e1fa59219

    SHA256

    1a8d08a91d00544852fc393dd2837f086b6ed5db68d77eaebb912378c9a589ce

    SHA512

    823215218b7296cf325c8102730d5910c57a374d254c7e300d9a48f776efb01ea2e8a695fbfdb2b9f468154e8c0108e3fe1c159f58e45adc84ef733ad3417dc5

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a1812582.exe
    Filesize

    11KB

    MD5

    7d232b9f7a79a7957af9ca7a3833e7a3

    SHA1

    053a701744f111bc3a16e7e0664582e1bdb21a36

    SHA256

    afcd27d1469fd1ee627590f52914fa97d67e63c8b61b56b5c05112bc6b72c537

    SHA512

    636a7ed235650653ca6a8cde12264733f37246d9654242880bb0475b9c73f504956f33fee3cca39477e23f4ddd24602586b9b73af69260db3a3604d68291d557

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5253347.exe
    Filesize

    175KB

    MD5

    766ebcd4226d2ce03977e88693cc8904

    SHA1

    0f3540079f6d4b0becf56de695684d10b3eb79b3

    SHA256

    c668bf6d646ee4e28aaa20f28a72e31b1f383af3d125650a4ac3b4ccdb875744

    SHA512

    64dd98eda60d7e667420d844540e7eea17aab19fad1a964fa16361adcb2b5b2220d6f43d4e0c45174772294401fba1b285dba209043001ee9cb59053e4062432

    Download Submit
  • memory/720-21-0x00007FFD5B4D3000-0x00007FFD5B4D5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/720-22-0x0000000000F00000-0x0000000000F0A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3216-27-0x0000000000070000-0x00000000000A0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3216-28-0x00000000007E0000-0x00000000007E6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3216-29-0x000000000A4E0000-0x000000000AAF8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/3216-30-0x000000000A020000-0x000000000A12A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3216-31-0x0000000009F50000-0x0000000009F62000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3216-32-0x0000000009FB0000-0x0000000009FEC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3216-33-0x00000000043B0000-0x00000000043FC000-memory.dmp
    Filesize

    304KB

    Download