Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-05-2024 17:46

General

  • Target

    9f8dd013ec5282675e933ad77e4db925e8ed2b10bc12f5bee6b62bc0147b0d7e.exe

  • Size

    758KB

  • MD5

    91c26abd7319a3d3985366b6b5b66684

  • SHA1

    1eb2220d917c4179c078594ee15e0b0c77a7cb6a

  • SHA256

    9f8dd013ec5282675e933ad77e4db925e8ed2b10bc12f5bee6b62bc0147b0d7e

  • SHA512

    db088565268bb2f1a0351fc040de184b4bb081f4a902b2844ccf51eb734e761fe1f790fe3233d4c502e1e1592fbde343645dea3574d8be5e4b41092f7d80c297

  • SSDEEP

    12288:UMrqy90Jjt6YnZ71F0rFq8DJ97cW7ASuugdee7ZH00Xbt7j3pqRq1411DRSMnpz:Oy01Z7oFBcWqBdek1bXbtfetRS8p

Malware Config

Extracted

  • Family
    redline
  • Botnet
    ramon
  • C2
    77.91.124.82:19071
  • Attributes
    • auth_value
      3197576965d9513f115338c233015b40

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f8dd013ec5282675e933ad77e4db925e8ed2b10bc12f5bee6b62bc0147b0d7e.exe
    "C:\Users\Admin\AppData\Local\Temp\9f8dd013ec5282675e933ad77e4db925e8ed2b10bc12f5bee6b62bc0147b0d7e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6358287.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6358287.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4284
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9455845.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9455845.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:116
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5711447.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5711447.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4956
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4688
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5370842.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5370842.exe
          4⤵
          • Executes dropped EXE
          PID:1436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6358287.exe

    Filesize

    487KB

    MD5

    8570f7265d7851d85fa400562711f05f

    SHA1

    1e2d60570b4f6d12cd8a07c46e2b56a8e03c6c3e

    SHA256

    35d0fae87dba31491806b5ae3cb58ac6a33c64aa6d5501ffe9784fbc7dd9b509

    SHA512

    cf5f62ebd7ae9870a6e60fed070685094c2e9720e97a5dfb296375d73df52f1ed87a2e726156a36a60d629bbdeb9fdcc0052a7d8694b2a5be9ff7e66586fcf2e

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9455845.exe

    Filesize

    321KB

    MD5

    46ca14b2b5c21b597389108ace3a0ca8

    SHA1

    81ae138f14b0865fcb6f60adb603d8cd03d85b8d

    SHA256

    5331b806746bd84cab8d8eb7c5f1dab8175a547dd72cc2792a90d35e35f215f1

    SHA512

    3ae9079428cb2222656ade0e20749b7a65d27149b393100ce3ca22c5a6f0e9c8206349f1557df6f419bee490ad3a3ccf843c2caa7c5027c89020880a57d86e9d

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5711447.exe

    Filesize

    243KB

    MD5

    bb0e3d4033cd11c900616fd9312431af

    SHA1

    8f6b58992d2f936bec79da0ff77e23046bbef9e5

    SHA256

    b7ec84b5bb245c6338ec00574664035e44f784ef98b65aa3321b3ff0c6b3d0a9

    SHA512

    d054a4dedf679d44155651e37cb529a5b23bfca44565939362052a8104042ed98626f6eec580003e4c59bf55869a5fae3510ef6ef7d8f91809f7f9a0d72abbb2

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5370842.exe

    Filesize

    174KB

    MD5

    c3ef7adeaad931dfe20f001c9df9f8bc

    SHA1

    62e4d44ade695c6e66fa984f88aff7929de0ea29

    SHA256

    ba2fda1f809fe04deb4812f3c5bedb127b6df964692a9f986729ee27c5b829d9

    SHA512

    a312803a75b91c3211fe2051a2af78fec543a251aba5696d688cbcaf3935381cbc707ad7b62c9836f1c4982219b050d48fb03813831d11e1b472dcd2f636aeea

  • memory/1436-25-0x0000000000FF0000-0x0000000001020000-memory.dmp

    Filesize

    192KB

  • memory/1436-26-0x00000000057D0000-0x00000000057D6000-memory.dmp

    Filesize

    24KB

  • memory/1436-27-0x0000000005FE0000-0x00000000065F8000-memory.dmp

    Filesize

    6.1MB

  • memory/1436-28-0x0000000005AD0000-0x0000000005BDA000-memory.dmp

    Filesize

    1.0MB

  • memory/1436-29-0x0000000005870000-0x0000000005882000-memory.dmp

    Filesize

    72KB

  • memory/1436-30-0x0000000005A00000-0x0000000005A3C000-memory.dmp

    Filesize

    240KB

  • memory/1436-31-0x0000000005A40000-0x0000000005A8C000-memory.dmp

    Filesize

    304KB

  • memory/4688-21-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB