Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
23-05-2024 17:01
General
-
Target
3303790f7ca29df0e39764e876baec5513b2ca1cc3ffeed56f9fc006a9eaec90.exe
-
Size
493KB
-
MD5
eae83c8fc8b81895b7ac50e11704d42f
-
SHA1
89739814fbd5a39670511e0e77c7d84087a470e7
-
SHA256
3303790f7ca29df0e39764e876baec5513b2ca1cc3ffeed56f9fc006a9eaec90
-
SHA512
b2b7f4247624a031f4d41ab4b30081c312c56b8fd06d5d8a43fb5a2f62951ef12032e46ff379111e65831d61965be372d93e6528dfbde35b05ed718ed2857115
-
SSDEEP
12288:mMryy90YqoqNqfSJX4/KlfAgmlP8/ADHSB87:oy6oKZo/KlE84TSi7
Malware Config
Extracted
redline
virad
77.91.124.82:19071
-
auth_value
434dd63619ca8bbf10125913fb40ca28
Signatures
-
Detects Healer an antivirus disabler dropper 1 IoCs
-
Healer
Healer an antivirus disabler dropper.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3303790f7ca29df0e39764e876baec5513b2ca1cc3ffeed56f9fc006a9eaec90.exe"C:\Users\Admin\AppData\Local\Temp\3303790f7ca29df0e39764e876baec5513b2ca1cc3ffeed56f9fc006a9eaec90.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1441365.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1441365.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8945823.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g8945823.exe3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i0126443.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i0126443.exe3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
327KB
MD53094733c69a42b05d0a268467d278a61
SHA141f8eeb8f897e8fa3a442c7c11c7ba9c6942057d
SHA2567f96253c4c815e2b77c52f73df3573e9eca4909f6d25f22c6cda06df021e163e
SHA5123fcf2470fd9f6f49d6658ee44e0cddfc28de06e1c1189e81645f181858011321c5c6c20fa8c3ca7005218a075154666145d008dfa597ad92ea24de60ddd3a31e
-
Filesize
256KB
MD5bc122fc8daf95c755c0b72e8b79fc599
SHA135f1be653cd835ffc70c1c38d52a6d463a454f06
SHA256158842a417f6307cc9000441bd46e70101a41a659912a4ee0b79bd0a956add90
SHA5125614786d8b13f0994c2fcc81798c3f0f9760bcc860b3ffc6c1305e1340e444c321b47d21d0eabbe6a2b2567e320393c487a0dc6d5028daa4e7c27a08d974d8e5
-
Filesize
175KB
MD56b9feb5366b287a8515b013304c79304
SHA154aae2325f87d2c6aff85ebc84de3ca183225474
SHA2562905f98a6dffb16d0501c9e06bf63fa3bffbd97cb5e9be2e7425ad993f027c0d
SHA512f391896eb5389339186b81e4a985a14c692d90f89567a83292abb955839ba93fe594c5685dfdd056a3f2032411060f1dd7c06ed35baae96fb7f1c0d44318e809
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
24KB
-
Filesize
6.1MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
240KB
-
Filesize
304KB