Overview

overview

10

Static

static

3

0bd57c625c...1b.exe

windows10-2004-x64

10

0e85c02906...31.exe

windows10-2004-x64

10

1ad22f7c20...da.exe

windows10-2004-x64

10

2f0934382a...84.exe

windows7-x64

10

2f0934382a...84.exe

windows10-2004-x64

10

421c712a06...0d.exe

windows10-2004-x64

10

4958361c2a...c0.exe

windows10-2004-x64

10

4ee34ec273...69.exe

windows10-2004-x64

10

54ae781e47...0d.exe

windows10-2004-x64

10

597fd86cf2...51.exe

windows10-2004-x64

10

5af8e5b632...c7.exe

windows10-2004-x64

10

5edd2b7f66...17.exe

windows10-2004-x64

10

5eee268a87...c9.exe

windows10-2004-x64

10

65a4c04d9e...25.exe

windows10-2004-x64

10

6d2e6d5049...21.exe

windows10-2004-x64

10

77dcf40927...b4.exe

windows10-2004-x64

10

8c279e4e62...12.exe

windows10-2004-x64

10

8ee3fa55ce...d5.exe

windows10-2004-x64

10

8efb2f072c...7a.exe

windows10-2004-x64

10

a717651d7f...a0.exe

windows10-2004-x64

10

cecc5213e2...a1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 19:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5af8e5b632a39ba2220e0edd14997e390e73614f2bbcd55986f62325da0e16c7.exe

  • Size

    729KB

  • MD5

    82c85db59edaa8dc52bf1c07c43bf40b

  • SHA1

    94560464456584401c8bb85a979a43cd91dde5dc

  • SHA256

    5af8e5b632a39ba2220e0edd14997e390e73614f2bbcd55986f62325da0e16c7

  • SHA512

    4c5e45ccf84d7fae3168c99afacefc436faa185eeb1038b11ffeb3bb120515a4ba61756c84c5fa9c60d81774c8de1841372cffdfb60d7d151fc8923a124e179d

  • SSDEEP

    12288:uMrvy90TqAzTul9aPd5v/QYxKNFAdtI2DPCztUKAMhFN+08EvFne99jnEl5m4cdz:xyKX3R5HSIt3u2B8FN709Il5hy/r7zJ

Score
10/10
healerredlineramondropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ramon

C2

77.91.124.82:19071

Attributes
  • auth_value

    3197576965d9513f115338c233015b40

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5af8e5b632a39ba2220e0edd14997e390e73614f2bbcd55986f62325da0e16c7.exe
    "C:\Users\Admin\AppData\Local\Temp\5af8e5b632a39ba2220e0edd14997e390e73614f2bbcd55986f62325da0e16c7.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9581646.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9581646.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:244
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5930192.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5930192.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:692
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:1456
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            4⤵
            • Modifies Windows Defender Real-time Protection settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2124
        • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9341362.exe
          C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9341362.exe
          3⤵
          • Executes dropped EXE
          PID:4920

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9581646.exe
      Filesize

      563KB

      MD5

      22965f7ec6f49c719bbae6f273909843

      SHA1

      902ad7a28c271298606ead82823c78aa31ea032d

      SHA256

      e5850ab8ff6f6795ef16fc89ad74de650d9c9f9553c6c777f91f78e8924a19c8

      SHA512

      230f15569b329c11a5d587e58e03af97cd8d9356d2c25baaca36d6ba910bedd74f9a2a663ebbf224377e76b4e2afae679965f62e496b20cbff6ad49ceb932e92

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g5930192.exe
      Filesize

      1.6MB

      MD5

      eb3c0509f21f9d835a123677b6bbcb74

      SHA1

      86efb4b4e51a5d401a4e1d01e0cd3ba4d698a8fd

      SHA256

      83705d942d7b4383c880655f8fe209940e96a4be2cb7fa06aaccde563433ceff

      SHA512

      593228c929b5301fbd6ecff79dd300664cba57fe7bfa4d94d5d0b0eda27c13e30b7e05015a516138d66b7da4cbff42f9db37e3f673979e705e61f14838f5d2af

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9341362.exe
      Filesize

      174KB

      MD5

      fe84e130785d60cc5d8850a4894ef7a0

      SHA1

      7fcc729ad8bc46daf45957b9578c6cc8ae08c391

      SHA256

      77496efa7a2d722a7841136d62f21e701ce9d4c3c87eb799c0de54e978289313

      SHA512

      5e2cea1922e6a6ad8d45e1767817ed62e554127e279a6cea81030757c43677937e3ad1d956ebed9ef6ce2a62bd6f09af760cd4382b26753269c38c4aaf9ce26c

      Download Submit
    • memory/2124-14-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4920-18-0x0000000000940000-0x0000000000970000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4920-19-0x00000000076F0000-0x00000000076F6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/4920-20-0x000000000AD70000-0x000000000B388000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/4920-21-0x000000000A8F0000-0x000000000A9FA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/4920-22-0x000000000A830000-0x000000000A842000-memory.dmp
      Filesize

      72KB

      Download
    • memory/4920-23-0x000000000A890000-0x000000000A8CC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/4920-24-0x0000000004CF0000-0x0000000004D3C000-memory.dmp
      Filesize

      304KB

      Download