Overview

overview

10

Static

static

3

2ae72cafa8...de.exe

windows10-2004-x64

10

2d225565e0...be.exe

windows10-2004-x64

10

5f94dabf69...6d.exe

windows10-2004-x64

10

65296f4680...95.exe

windows7-x64

3

65296f4680...95.exe

windows10-2004-x64

10

7618ddb9e4...07.exe

windows10-2004-x64

10

8865ec3f94...5a.exe

windows10-2004-x64

10

8d796a364d...e4.exe

windows10-2004-x64

10

aabdc92d30...96.exe

windows10-2004-x64

10

bae99364dc...55.exe

windows10-2004-x64

10

cc35c0b2bc...24.exe

windows10-2004-x64

10

d63c4114c3...86.exe

windows10-2004-x64

10

d65bb810cc...a7.exe

windows10-2004-x64

10

d764830962...c8.exe

windows10-2004-x64

10

d9124df1a4...d1.exe

windows10-2004-x64

10

e1564be8f1...ad.exe

windows10-2004-x64

10

e7ee230707...d5.exe

windows10-2004-x64

10

e8a7f5f2b3...4b.exe

windows10-2004-x64

10

e8bf7b5c22...96.exe

windows10-2004-x64

10

eb214d5f58...c6.exe

windows10-2004-x64

10

edacb614f4...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d76483096202fb3172705ac386f325854d2d6409275d9bbde9e10e329832b2c8.exe

  • Size

    769KB

  • MD5

    4f98b84064e02998c0704c24e4cdf335

  • SHA1

    eb839525ab5e8a2b57ca801780b7c4cf82022bd2

  • SHA256

    d76483096202fb3172705ac386f325854d2d6409275d9bbde9e10e329832b2c8

  • SHA512

    49d8501731a4409071d3d691b7d4fadbb636fa51e1ef4bf3e61d02190f75651eb8cd5a930b716d1cffd8bb883cee60e29d5c6409fca305644d679172878f6d2d

  • SSDEEP

    24576:/yO0MJVj1CUPrHUtQSXXSxbWg0MUyK+o90z:KHM31xr0tQSyZWQUH

Score
10/10
healerredlineviraddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d76483096202fb3172705ac386f325854d2d6409275d9bbde9e10e329832b2c8.exe
    "C:\Users\Admin\AppData\Local\Temp\d76483096202fb3172705ac386f325854d2d6409275d9bbde9e10e329832b2c8.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9945475.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9945475.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3640
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5663925.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5663925.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1564
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5155081.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5155081.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4080
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2552
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6643370.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6643370.exe
          4⤵
          • Executes dropped EXE
          PID:868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9945475.exe
    Filesize

    493KB

    MD5

    0dd111191cfacd3e2e2e8a2b4255acaa

    SHA1

    67f4500ecf2bc710fcae5fb6f492dcd9cc1cccab

    SHA256

    aaa1753f3d462df0ffbe9936540ba860a6d539889cdd40569668cf5a11453d5e

    SHA512

    121eecdfe8e9bc98440d41a9ca8c0b015bf827f76901fabcc3950c5ddc82defe39b6fa694f69ff6b5f47d71ce93eb4a0e8690dcda940e94e5af523fa65927898

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5663925.exe
    Filesize

    327KB

    MD5

    490f3be9c454ba8fee69122a27cb8a52

    SHA1

    b2e865c0368ed7be8ee8a2a03796b5f891f98601

    SHA256

    e9e4c970aa74fdfc7424366d498129579981d01943cabb43665801980e0a2e9f

    SHA512

    743b7c9ff2629018eed19e39a6c3be8e8589b33afd1e1bd9426a8f295ce0f65f4e8c22989a50ca1fef608882275b4d0f7e269aadf8488e0bd375565a2d3f5c67

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5155081.exe
    Filesize

    256KB

    MD5

    293d7149e0167334c2e47f9460dced75

    SHA1

    d1b1170d8aa7167692dbd0d19ea013ff7873c6a1

    SHA256

    9a45610c8711c1438a0941a4d44536a0f5770030052bc601b7a03fc361c07110

    SHA512

    4fc11c06c8316d6d9b1552aa59fbc943c199c156aacc9104ff4d29e83d7a5243377880a69cca9245a02f43625130eba151e24d6213baf801e53215e50c1f5f35

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6643370.exe
    Filesize

    175KB

    MD5

    de3d7902e2dc52ce62d276bed249f982

    SHA1

    bc63e1067a6cbc12cf6dae3269d6b7798b0a24b8

    SHA256

    a735baeec9c42b55e69c47acaf2ef25891f567f88834b0c11596d20d15454cee

    SHA512

    b7b103510754cdfb91655f81175c6d2fb020b95c5399ad84add5737a1f4128182dee6cfe30f3529113245462486f5a68b307a2b190ac7f9e6d6fe0ec0d329c44

    Download Submit
  • memory/868-25-0x0000000000DF0000-0x0000000000E20000-memory.dmp
    Filesize

    192KB

    Download
  • memory/868-26-0x0000000005710000-0x0000000005716000-memory.dmp
    Filesize

    24KB

    Download
  • memory/868-27-0x0000000005E20000-0x0000000006438000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/868-28-0x0000000005910000-0x0000000005A1A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/868-29-0x0000000005770000-0x0000000005782000-memory.dmp
    Filesize

    72KB

    Download
  • memory/868-30-0x0000000005800000-0x000000000583C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/868-31-0x0000000005840000-0x000000000588C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2552-21-0x0000000000400000-0x000000000040A000-memory.dmp
    Filesize

    40KB

    Download