Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240508-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    23-05-2024 17:10

General

  • Target

    838e53197e2b7417e755d1062885d43a64760f6d02f778afd7cca835a5a99d9e.exe

  • Size

    320KB

  • MD5

    21ce59e90abf825b105a522f3cd1fa1d

  • SHA1

    9ce4e89534083ff434777f8bcc18e482748eded1

  • SHA256

    838e53197e2b7417e755d1062885d43a64760f6d02f778afd7cca835a5a99d9e

  • SHA512

    4faab91eb3b222d1112b1117cab29fe63b7fbe16213eae4d7f50a0c9c7a7f1acd283a1a29c260be5d7b337e6335d8ced841d1d31cbaf64c0bf2c91458b025380

  • SSDEEP

    6144:KEy+bnr+7p0yN90QE8RmYCYBRKO5hmP+DCt0rSGloXTwyZs:EMrXy90OkPYKfGZnoZa

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes
  • auth_value

    434dd63619ca8bbf10125913fb40ca28

Signatures

  • Detects Healer, an antivirus disabler dropper 1 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\838e53197e2b7417e755d1062885d43a64760f6d02f778afd7cca835a5a99d9e.exe
    "C:\Users\Admin\AppData\Local\Temp\838e53197e2b7417e755d1062885d43a64760f6d02f778afd7cca835a5a99d9e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g5417542.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g5417542.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1360
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3836 -s 580
        3⤵
        • Program crash
        PID:1912
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i0924761.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i0924761.exe
      2⤵
      • Executes dropped EXE
      PID:1640
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3836 -ip 3836
    1⤵
      PID:896
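The Signatures and the process tree above, together with the C2 extracted in Malware Config, read directly as detection content. The following is an added example (not part of this report or of any sandbox tooling) that runs three such rules over constructed, Sysmon-style event dicts: a write under a Windows Defender Real-Time Protection key by anything other than Defender's own binaries, AppLaunch.exe started with no arguments by a parent in the user's Temp directory (the tree shows exactly that bare launch beneath g5417542.exe, alongside SetThreadContext and WriteProcessMemory), and a connection to 77.91.124.82:19071. The field names, the Defender install paths, the specific registry value and every sample event are assumptions; the report names no registry value and records no network traffic.

```python
"""Detection rules for the behaviours recorded in this report, run over
constructed Sysmon-style events (dicts). Field names follow Sysmon's
ProcessCreate (EventID 1), NetworkConnect (3) and RegistryEvent SetValue
(13) schema; that mapping and the sample events below are assumptions."""

# Extracted from the report's Malware Config (RedLine, botnet "virad").
C2_HOST, C2_PORT = "77.91.124.82", 19071

# Any value under a Real-Time Protection key, whichever hive it lives in.
# The report names no specific value; matching on the key fragment is a choice.
RTP_KEY_FRAGMENT = "\\windows defender\\real-time protection\\"

# Defender's own binaries legitimately touch these keys (paths assumed).
DEFENDER_IMAGE_DIRS = (
    "c:\\programdata\\microsoft\\windows defender\\",
    "c:\\program files\\windows defender\\",
)

# Directory the dropper and its IXP000.TMP payloads ran from in the sandbox.
USER_TEMP_FRAGMENT = "\\appdata\\local\\temp\\"


def has_arguments(command_line: str) -> bool:
    """True when anything follows the (possibly quoted) image path."""
    cl = command_line.strip()
    if cl.startswith('"'):
        close = cl.find('"', 1)
        rest = cl[close + 1:] if close != -1 else ""
    else:
        rest = cl.partition(" ")[2]
    return bool(rest.strip())


def detect(events):
    """Return one alert dict per matching event, in event order."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "").lower()
        eid = ev["EventID"]
        if eid == 13 and RTP_KEY_FRAGMENT in ev["TargetObject"].lower() \
                and not image.startswith(DEFENDER_IMAGE_DIRS):
            alerts.append({"rule": "defender_rtp_tamper", "pid": ev["ProcessId"],
                           "key": ev["TargetObject"]})
        elif eid == 1 and image.endswith("\\applaunch.exe") \
                and not has_arguments(ev["CommandLine"]) \
                and USER_TEMP_FRAGMENT in ev["ParentImage"].lower():
            # AppLaunch.exe normally receives an assembly to host; a bare
            # invocation from a %TEMP% parent matches the hollowing pattern
            # (SetThreadContext + WriteProcessMemory) seen in the process tree.
            alerts.append({"rule": "applaunch_hollowing_host", "pid": ev["ProcessId"],
                           "parent": ev["ParentImage"]})
        elif eid == 3 and ev["DestinationIp"] == C2_HOST \
                and ev["DestinationPort"] == C2_PORT:
            alerts.append({"rule": "redline_c2", "pid": ev["ProcessId"],
                           "dst": f"{C2_HOST}:{C2_PORT}"})
    return alerts


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
SAMPLE = TEMP + r"\838e53197e2b7417e755d1062885d43a64760f6d02f778afd7cca835a5a99d9e.exe"

# Constructed events mirroring the report's process tree, plus benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3836, "ParentImage": SAMPLE,
     "Image": TEMP + r"\IXP000.TMP\g5417542.exe",
     "CommandLine": TEMP + r"\IXP000.TMP\g5417542.exe"},
    {"EventID": 1, "ProcessId": 1360, "ParentImage": TEMP + r"\IXP000.TMP\g5417542.exe",
     "Image": APPLAUNCH, "CommandLine": f'"{APPLAUNCH}"'},
    # The report says only that RTP settings were modified; the value name is illustrative.
    {"EventID": 13, "ProcessId": 1360, "Image": APPLAUNCH,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    # The report records no traffic; this event only exercises the extracted C2.
    {"EventID": 3, "ProcessId": 1640, "Image": TEMP + r"\IXP000.TMP\i0924761.exe",
     "DestinationIp": C2_HOST, "DestinationPort": C2_PORT},
    # Benign: Defender writing its own key, AppLaunch hosting a real app, ordinary TLS.
    {"EventID": 13, "ProcessId": 2200, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "ProcessId": 5120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": APPLAUNCH, "CommandLine": f'"{APPLAUNCH}" "C:\\Program Files\\Contoso\\App.exe"'},
    {"EventID": 3, "ProcessId": 5120, "Image": APPLAUNCH,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The registry rule is the one most likely to need tuning: management tooling that applies Defender policy (Group Policy, Intune) writes the same settings under the Policies hive, so an allowlist of those images belongs next to DEFENDER_IMAGE_DIRS rather than a looser key match.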


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g5417542.exe

      Filesize

      233KB

      MD5

      a1050ad62f423301bec4028a79a2df7a

      SHA1

      9552da5a232d7b460d878120ec4705b7349501d5

      SHA256

      552a40e4cf16d61294f0c9f884731c4fc795fe0d18feb75ae2f278e49e4a4d8f

      SHA512

      e8bee34d12079a25b2fad8c757dbf9062fe6a47411faf0b8495325bf781bd6d7351ca8b5bca9c002d961922127a9ef954f6c831219d4ceeecf296bb0f895fbfe

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i0924761.exe

      Filesize

      174KB

      MD5

      46bdaedeb8000843802b9884e467733f

      SHA1

      4dfb83f5d58e68553d5d6acaf7641ab85c899bce

      SHA256

      e5c44623d734f62cdbe0a070c069a07bb731bea3a881064ac750d41575304d53

      SHA512

      95065e0d64376297bc181e9d1b92f40dda7f94fee426a092daba471a483430ea6dddc5147bc0d6329d4d38518f8a7e0895496b16d123e5e668f6f3e87dd66403

    • memory/1360-7-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

    • memory/1360-8-0x000000007417E000-0x000000007417F000-memory.dmp

      Filesize

      4KB

    • memory/1640-14-0x0000000074170000-0x0000000074920000-memory.dmp

      Filesize

      7.7MB

    • memory/1640-13-0x0000000004BD0000-0x0000000004BD6000-memory.dmp

      Filesize

      24KB

    • memory/1640-12-0x00000000003B0000-0x00000000003E0000-memory.dmp

      Filesize

      192KB

    • memory/1640-15-0x00000000053D0000-0x00000000059E8000-memory.dmp

      Filesize

      6.1MB

    • memory/1640-16-0x0000000004EC0000-0x0000000004FCA000-memory.dmp

      Filesize

      1.0MB

    • memory/1640-17-0x0000000004C30000-0x0000000004C42000-memory.dmp

      Filesize

      72KB

    • memory/1640-18-0x0000000004DB0000-0x0000000004DEC000-memory.dmp

      Filesize

      240KB

    • memory/1640-19-0x0000000004DF0000-0x0000000004E3C000-memory.dmp

      Filesize

      304KB

    • memory/1640-21-0x0000000074170000-0x0000000074920000-memory.dmp

      Filesize

      7.7MB