Overview

overview

10

Static

static

3

2ae72cafa8...de.exe

windows10-2004-x64

10

2d225565e0...be.exe

windows10-2004-x64

10

5f94dabf69...6d.exe

windows10-2004-x64

10

65296f4680...95.exe

windows7-x64

3

65296f4680...95.exe

windows10-2004-x64

10

7618ddb9e4...07.exe

windows10-2004-x64

10

8865ec3f94...5a.exe

windows10-2004-x64

10

8d796a364d...e4.exe

windows10-2004-x64

10

aabdc92d30...96.exe

windows10-2004-x64

10

bae99364dc...55.exe

windows10-2004-x64

10

cc35c0b2bc...24.exe

windows10-2004-x64

10

d63c4114c3...86.exe

windows10-2004-x64

10

d65bb810cc...a7.exe

windows10-2004-x64

10

d764830962...c8.exe

windows10-2004-x64

10

d9124df1a4...d1.exe

windows10-2004-x64

10

e1564be8f1...ad.exe

windows10-2004-x64

10

e7ee230707...d5.exe

windows10-2004-x64

10

e8a7f5f2b3...4b.exe

windows10-2004-x64

10

e8bf7b5c22...96.exe

windows10-2004-x64

10

eb214d5f58...c6.exe

windows10-2004-x64

10

edacb614f4...95.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exe

  • Size

    731KB

  • MD5

    77d27efd5c42bfed4fbc15af6461b04f

  • SHA1

    1d8e3d0bb2e1560257ddfca9cbf1d92de7722c2c

  • SHA256

    2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe

  • SHA512

    68a474f4021be855e74d8bf6c8e45b3d64480964a7ae2f3a559fd859988ccfd6f322cb94e7a0f9a4f8e49faa0bbc8a9c79fb774562b585e5cf010127f3fc42d9

  • SSDEEP

    12288:VMrRy909oJomjcs/4c7SDjZCjqEP9ylQSbY5dJJ9Hd+FwPCHMnY:8yhbcsgc744q+QlMdJJ9db2

Score
10/10
healerredlineramondropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ramon

C2

77.91.124.82:19071

Attributes
  • auth_value

    3197576965d9513f115338c233015b40

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exe
    "C:\Users\Admin\AppData\Local\Temp\2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8647530.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8647530.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4667930.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4667930.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:216
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:1268
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
              PID:2948
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              4⤵
              • Modifies Windows Defender Real-time Protection settings
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1712
          • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i1863921.exe
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i1863921.exe
            3⤵
            • Executes dropped EXE
            PID:3704

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8647530.exe
        Filesize

        565KB

        MD5

        60dc0bc6e0cba3fc8dc243eb9e1cd44c

        SHA1

        11fcec600038029f6aa1791553a0dc8b0de031d1

        SHA256

        46c926cc3cb91068b8b7b0c92f78d7a74dc558a47cefd42f460bd8a16c4dfc89

        SHA512

        dffe480393d89d5efb7b810417ab8380187c622476e8789792ee095fe64bd812a8e331e8d61c2ed98701b7e65c4c7d95c923ef12f246a93e08e65ec3a120cf78

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4667930.exe
        Filesize

        1.6MB

        MD5

        8cbfad69ee18aea6b9e07fc64be58559

        SHA1

        2f347e9b92f509e9d0e6faac736bf11b2b137bb4

        SHA256

        3cb5937c03f0a2d43ef08066527577b93afc03bb68da7f73e1d798434b8ab566

        SHA512

        b2cce7fdfacd8fc8d1d8b791aec1c8d08dce58fd19079b928dc76751828e6164ea6d26c742c78499532dcc86d9e0b91b657f04c0d71e2408ebd5813d9f3c175f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i1863921.exe
        Filesize

        174KB

        MD5

        8c1b51d7584ff1bf439fb04df414add0

        SHA1

        e2f8ef595b52fb830eaed8b0643d1ad9c3722061

        SHA256

        eb4c98f436b15c51b747c27f7fe7d5b90f6a7d9e94d578faa32d5a47e32e7a94

        SHA512

        582a6142e272b13722f608389e7cd7b1dd9e93a263ff34ea6fd4a5c53f69ea279aff5ccf1b9beb69089d0d11864e79ab719afb7686c833d1059c0d6e57e9a5da

        Download Submit

      • memory/1712-14-0x0000000000400000-0x000000000040A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3704-18-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

        Filesize

        192KB

        Download

      • memory/3704-19-0x0000000002D70000-0x0000000002D76000-memory.dmp

        Filesize

        24KB

        Download

      • memory/3704-20-0x000000000AF40000-0x000000000B558000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/3704-21-0x000000000AA70000-0x000000000AB7A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/3704-22-0x000000000A9B0000-0x000000000A9C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/3704-23-0x000000000AA10000-0x000000000AA4C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/3704-24-0x0000000004EB0000-0x0000000004EFC000-memory.dmp

        Filesize

        304KB

        Download