Overview

overview

10

Static

static

3

005cc897c6...01.exe

windows7-x64

3

005cc897c6...01.exe

windows10-2004-x64

10

0f5dadb4ff...d5.exe

windows10-2004-x64

10

15191ca573...45.exe

windows10-2004-x64

10

1f1cdd32ef...a5.exe

windows7-x64

3

1f1cdd32ef...a5.exe

windows10-2004-x64

10

33277efd72...bf.exe

windows7-x64

3

33277efd72...bf.exe

windows10-2004-x64

10

39b1b5acca...89.exe

windows10-2004-x64

10

41914bb3aa...45.exe

windows10-2004-x64

10

4dc93952d5...05.exe

windows10-2004-x64

10

636c6831e9...2d.exe

windows10-2004-x64

10

6371475aa9...ca.exe

windows10-2004-x64

10

6d98d2425a...11.exe

windows7-x64

3

6d98d2425a...11.exe

windows10-2004-x64

10

7d59382353...89.exe

windows7-x64

3

7d59382353...89.exe

windows10-2004-x64

10

7e9155d192...9c.exe

windows10-2004-x64

10

817be3f5a4...87.exe

windows10-2004-x64

10

84d690a678...8a.exe

windows10-2004-x64

10

8a833f1e2a...9a.exe

windows10-2004-x64

10

a6207c613c...04.exe

windows7-x64

3

a6207c613c...04.exe

windows10-2004-x64

10

b843b5d179...78.exe

windows10-2004-x64

10

bc0a361a97...2b.exe

windows10-2004-x64

10

ccede3ed34...14.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    817be3f5a49a23d678fd0cb76bb61abf50214569606ac3d0d0600befd2d9c787.exe

  • Size

    769KB

  • MD5

    5ceb022d8f8bde2558382ff1740e4f74

  • SHA1

    6e154dca96db9d140004d3b4e94afc45324b900b

  • SHA256

    817be3f5a49a23d678fd0cb76bb61abf50214569606ac3d0d0600befd2d9c787

  • SHA512

    0f9db2d85dde092ba468d9b87639241088fd5ec601cca79fc60040a28a2560c03667c2d8ab7b36f000ae8b4cf726ae728635e65d0c35a1b0b6546c04d8d41632

  • SSDEEP

    24576:5y2FbNBLcOOsSAoKKkGqUoD0x8n169Eimzsw:s2FbNBLcOOuKSn9Xs

Score
10/10
healerredlineviraddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\817be3f5a49a23d678fd0cb76bb61abf50214569606ac3d0d0600befd2d9c787.exe
    "C:\Users\Admin\AppData\Local\Temp\817be3f5a49a23d678fd0cb76bb61abf50214569606ac3d0d0600befd2d9c787.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9151909.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9151909.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7243473.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7243473.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:3532
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0855842.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0855842.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3044
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
              PID:1636
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              5⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2820
          • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2647096.exe
            C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2647096.exe
            4⤵
            • Executes dropped EXE
            PID:3624

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9151909.exe
      Filesize

      493KB

      MD5

      69120c5c337d0760ecd9fc3d392ba05d

      SHA1

      2cb95f326ae620c6bab0e70074b0f3a69503172f

      SHA256

      fd3a13df405ec7840acfbb7fbceff01eeded3bc2aeefe6e69d6e973571992890

      SHA512

      48bc00cfaf5b18d566469c689526a72dcb9a372e2439a82201bb440d63bd43a94af21afffee17bc71f34556d2a11f4631538e0e23e41f7b9cb670c2109b6cbfc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7243473.exe
      Filesize

      326KB

      MD5

      3715cf958a1646c65b5b3814df8f5110

      SHA1

      d4603bbee8b41a7f41366bff8ac786c86ca4f5fa

      SHA256

      ea0e785cfcaa95ed3442b571b7e63334b370e658d7b1c9edbb8d46293a708c06

      SHA512

      71a37e31f06e8cb50bb28c7cc595dc66099a7376bb5c2bd72903ae521e6c5a24670c26444a00403eee366daf71a4b00e6ebb0df796633d60b98dfd0f0b9f217b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0855842.exe
      Filesize

      256KB

      MD5

      40fa2caedf3246f2e988de9e1ec1ccb7

      SHA1

      48a086944b66bf757ab1cb630130239ae60a983c

      SHA256

      f0daaedc0d5c56b26c6f70eac16fcfe80dd2038c4d12df8066f63a77bfd22ea5

      SHA512

      1ac3e547190df155503a030931ff007f76e65f7ea10bf2fca9c6fcfa27ec3bbe5b8cf1880fbbcf451d362865b6e406f55c541cd5044e8c663a8093969e8c529d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2647096.exe
      Filesize

      175KB

      MD5

      29f1a5fbdef70a49315dd0808b9be57e

      SHA1

      df75f8e8236a578807b65fc317cc64b55bd1c1a1

      SHA256

      440b203c43f1aaedb919b2034731bd2453e0c94564ddac32bcb05eb6d8f497dd

      SHA512

      858fbe066d59940e80f41a8ece660360b3ae8ad521ad682516e7465302d53b0e1554bf9ab1c959aa341ccb2970f82615c9dca070d2e728272e4deb7f2d7935a6

      Download Submit

    • memory/2820-21-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3624-25-0x00000000006F0000-0x0000000000720000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3624-26-0x0000000002AE0000-0x0000000002AE6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3624-27-0x000000000ABF0000-0x000000000B208000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3624-28-0x000000000A6E0000-0x000000000A7EA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3624-29-0x000000000A5F0000-0x000000000A602000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3624-30-0x000000000A650000-0x000000000A68C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3624-31-0x0000000004B20000-0x0000000004B6C000-memory.dmp

      Filesize

      304KB

      Download