Overview

overview

10

Static

static

3

0d17733c30...5d.exe

windows10-2004-x64

10

12afd6aace...a7.exe

windows10-2004-x64

10

1a9919325d...ce.exe

windows10-2004-x64

10

1b565f7ed3...1d.exe

windows10-2004-x64

10

2c58ee5805...6e.exe

windows10-2004-x64

10

33598ea86e...12.exe

windows10-2004-x64

10

4e5d421522...cb.exe

windows10-2004-x64

10

4ff3477e4f...b7.exe

windows10-2004-x64

10

6ee2a56c58...f5.exe

windows10-2004-x64

10

803bdeb4bc...3b.exe

windows10-2004-x64

10

82c26e730c...f6.exe

windows10-2004-x64

10

92d5779e2c...c1.exe

windows10-2004-x64

10

b0845c677f...61.exe

windows10-2004-x64

10

b82c1f093a...b3.exe

windows10-2004-x64

10

c52f1aa452...c1.exe

windows10-2004-x64

10

c7bf16d19a...5c.exe

windows10-2004-x64

10

d85805160c...b3.exe

windows10-2004-x64

10

e4e49b8568...6d.exe

windows10-2004-x64

10

e5ef76e6dd...ba.exe

windows10-2004-x64

10

fac8fce7e3...0e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    135s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d17733c3019d71570f413fb2cf93247ef44984d57c0d378e5853597b1efcc5d.exe

  • Size

    769KB

  • MD5

    47b821a1e8276b20bd60053bf3fafda6

  • SHA1

    94125bdec51a0d41a1320061bad65a0d0c906100

  • SHA256

    0d17733c3019d71570f413fb2cf93247ef44984d57c0d378e5853597b1efcc5d

  • SHA512

    dc2bbe4eb7672a757425e5b47a6541cfc02c5f4c64f20654e57cba7a8fba2ec68c831e8cd084065373c3be1c72cae842f91ce43ed7a15eaf2b9ee2951ed462e7

  • SSDEEP

    12288:2Mrjy90hZu5CgHTvbqC3tSvwJYu+Oxxitk7DzpT/ir04gyJEL5BziITzRQ0lg:ty8ZHyzqGiwTitk7Dt6r049ELHH5QOg

Score
10/10
healerredlineviraddropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d17733c3019d71570f413fb2cf93247ef44984d57c0d378e5853597b1efcc5d.exe
    "C:\Users\Admin\AppData\Local\Temp\0d17733c3019d71570f413fb2cf93247ef44984d57c0d378e5853597b1efcc5d.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9767554.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9767554.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8058804.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8058804.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1304
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3713843.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3713843.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:5064
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3928
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9060603.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9060603.exe
          4⤵
          • Executes dropped EXE
          PID:3956

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9767554.exe
    Filesize

    492KB

    MD5

    2cc8d4d08ca86088ea97e3800470f3b4

    SHA1

    4a6ef2727ee56a7e9033625ba08fc3ec17dbef26

    SHA256

    71fc4b39abc6fb1166b490546c254393a10dc9ac16a366410a8ffc783a0cbd4e

    SHA512

    5adf235e95f25e20eade125f045e5250a8b42849d539d99340080faa8bcf6e50804f5812826232199b1520856a3b48c3049a6d8155391d60d690d98220da1303

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8058804.exe
    Filesize

    326KB

    MD5

    b45cb90cea579f37bff4892b1489b1d5

    SHA1

    5feb5a82f3b630b213736c10c2c1acb286ae7bf5

    SHA256

    79164567b015b730f018b6c9581c40469b83ea3dd9ff31614e23c29c08fc7bab

    SHA512

    aa5c52b8426362de9c400738b74b5755d3bad53153f097ee0c999d7c4986d4983ff44319206d488801d6d71e75adad5d6ce1dda0eb95183c0c59106d19afd41a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3713843.exe
    Filesize

    256KB

    MD5

    65ce76b468e52563c1c4fe5022b991cc

    SHA1

    71742f18b6467c9e4725f0a4bda4bc8bcfc119bf

    SHA256

    388674a6878f5b656c63be49d4d0f8c7d4071af12128a6807c7a5c0975bb5945

    SHA512

    43a88da68425ff5a17a97eb4d38a7668eb0f37423f14cb207afbc51a65eadf7ffa685a373809e3539500d9728a31521760ae185964d2096880e63dbda1733164

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9060603.exe
    Filesize

    175KB

    MD5

    2d7f84a0f75157c8ba010c79c40abb6f

    SHA1

    cf08b02df8a2850406486f1b65ab966b10d19383

    SHA256

    84a92707a61053ac87bdc6a6e02574117c805495eec32be7639c7b23a7405946

    SHA512

    bb85fbbf4dd73b8574fde502b222b46bbbe283304856beac708d05ef96f75b03317201af220ac9a6add0ff2b417f5b5218236e6693cd8187493321821990e3e1

    Download Submit

  • memory/3928-21-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3956-25-0x0000000000FC0000-0x0000000000FF0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/3956-26-0x0000000003210000-0x0000000003216000-memory.dmp

    Filesize

    24KB

    Download

  • memory/3956-27-0x0000000005F20000-0x0000000006538000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3956-28-0x0000000005A10000-0x0000000005B1A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3956-29-0x0000000005950000-0x0000000005962000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3956-30-0x00000000059B0000-0x00000000059EC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3956-31-0x0000000005B20000-0x0000000005B6C000-memory.dmp

    Filesize

    304KB

    Download