Overview

overview

10

Static

static

3

196993766d...e4.exe

windows10-2004-x64

10

2cb02eeff0...07.exe

windows10-2004-x64

10

515ca9dbb0...70.exe

windows10-2004-x64

10

637e68df5f...fc.exe

windows10-2004-x64

10

67adfef018...3f.exe

windows10-2004-x64

10

753ea0d141...ee.exe

windows10-2004-x64

10

75a099d51b...a2.exe

windows10-2004-x64

10

7bc60a53f2...61.exe

windows10-2004-x64

10

878c11674c...59.exe

windows10-2004-x64

10

905a82b666...03.exe

windows10-2004-x64

10

9e0acffebc...ef.exe

windows10-2004-x64

10

9e61b06119...c5.exe

windows10-2004-x64

10

a8e7ed480b...c2.exe

windows10-2004-x64

10

b55e0e5824...a8.exe

windows10-2004-x64

10

b6f3ae7c80...fd.exe

windows10-2004-x64

10

c3d6d3e893...ba.exe

windows10-2004-x64

10

d68f556e86...13.exe

windows10-2004-x64

10

f67e1f80fb...aa.exe

windows10-2004-x64

10

fb8a184cad...cb.exe

windows10-2004-x64

10

fe5b99ae2f...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 17:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    196993766d9fd8e527e04ab6a57e61f104a8d6b651d9eff81ea121f7261d88e4.exe

  • Size

    306KB

  • MD5

    a4a729b09f4a75c3ac51a91a765bd930

  • SHA1

    469db840ba4fa1fb157a3496ffb8168da4c73828

  • SHA256

    196993766d9fd8e527e04ab6a57e61f104a8d6b651d9eff81ea121f7261d88e4

  • SHA512

    112ed4cfeb28712ba6775c76a538b83b245e0c0b8b89d6f28b48a14ba5672c6ebf69f01ef534c26556ab59338944f2d4f583cabfdd958f9e43ac6988db6937f5

  • SSDEEP

    6144:KOy+bnr+Fp0yN90QEQlN+1JQVAkMtjQj1zVV9QtDip:iMrty902lNEJQBMt4Vu6

Score
10/10
healerredlinemonerdropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

moner

C2

77.91.124.82:19071

Attributes
  • auth_value

    a94cd9e01643e1945b296c28a2f28707

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\196993766d9fd8e527e04ab6a57e61f104a8d6b651d9eff81ea121f7261d88e4.exe
    "C:\Users\Admin\AppData\Local\Temp\196993766d9fd8e527e04ab6a57e61f104a8d6b651d9eff81ea121f7261d88e4.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0503830.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0503830.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:5020
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1052
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3344030.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3344030.exe
      2⤵
      • Executes dropped EXE
      PID:1076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g0503830.exe
    Filesize

    213KB

    MD5

    95a73139e6147d6adfbe211547393ab1

    SHA1

    28964d79dc123be8edc53602c23a107f8b2c56dd

    SHA256

    b68d4ae6e047b8b16b58a3304411b67ea39db34caeb302e76682330d7ec6409b

    SHA512

    876da8fe4396936105731ae8c51134e05971e514b8ca23a23355635eae18c69c5cd74487ee37ab9f7f15e27aee31886ce1da12742e79055b58e9bbdfa1fbda27

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i3344030.exe
    Filesize

    174KB

    MD5

    258ed0fd7ff6fcee922a3c0ead144175

    SHA1

    7d14fb8c35e90fc66ada65e3ab6d29bd8655b5fa

    SHA256

    63a64005cdb6530be4c9604213b2c842bd8015a7461bfcf30ac51febd555b90c

    SHA512

    e8fb9adc4698d2ffcaf5e85b83379f4486f2e4be2744314f6c94dd92a81a71768383d4e5e70dc9eaa30000d33d2277d4e6857bc440ccf250f531eb117ea3cc64

    Download Submit

  • memory/1052-14-0x0000000073F50000-0x0000000074700000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1052-7-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1052-21-0x0000000073F50000-0x0000000074700000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1076-11-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1076-13-0x0000000003060000-0x0000000003066000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1076-15-0x0000000005C60000-0x0000000006278000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1076-16-0x0000000005760000-0x000000000586A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1076-17-0x00000000056A0000-0x00000000056B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1076-18-0x0000000005700000-0x000000000573C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1076-19-0x0000000005870000-0x00000000058BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1076-12-0x0000000000BD0000-0x0000000000C00000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1076-22-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

    Filesize

    4KB

    Download