Overview

overview

10

Static

static

3

0314c3cf58...62.exe

windows10-2004-x64

10

142ed11f80...59.exe

windows10-2004-x64

10

1f54336cee...4f.exe

windows10-2004-x64

10

2470f02746...37.exe

windows10-2004-x64

10

357dca1dd0...e2.exe

windows7-x64

10

357dca1dd0...e2.exe

windows10-2004-x64

10

367729c840...03.exe

windows10-2004-x64

10

3ae8cc733e...e3.exe

windows10-2004-x64

10

3ff87c5bd0...30.exe

windows10-2004-x64

10

4157cda315...a6.exe

windows10-2004-x64

10

5f318080c6...ea.exe

windows10-2004-x64

10

620f9ee1b4...8f.exe

windows10-2004-x64

10

6817354347...3a.exe

windows10-2004-x64

10

753cdc12b9...91.exe

windows10-2004-x64

10

a4215d26b6...74.exe

windows10-2004-x64

10

a4375e040f...82.exe

windows10-2004-x64

10

a619ae77d5...2e.exe

windows10-2004-x64

10

aaab139650...12.exe

windows10-2004-x64

10

aefec08eba...49.exe

windows10-2004-x64

10

d12f5fa25c...70.exe

windows10-2004-x64

7

e5b42981fd...65.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 05:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2470f02746e0ace28b3f21135e43ca5574a20964c1ebe76b4d37e025bc74cf37.exe

  • Size

    702KB

  • MD5

    3551b070d8f8c5788e7a26b7eb3e2167

  • SHA1

    c4f2f2a5e1534aa6745a4fa10cd33082e796a449

  • SHA256

    2470f02746e0ace28b3f21135e43ca5574a20964c1ebe76b4d37e025bc74cf37

  • SHA512

    8cf570cae3fe1afcde148277a893bbd95711709792adda13b74132ed4374542999cd4e2a7bca1e35ebf6f4fce1b86a55d8d32d978016d3e70402ba5badc44723

  • SSDEEP

    12288:mMr4y90EPnLmwuetmnJuSDno0t3Iu2FKZmtQVpzIZpFCMq48YdavcJynY4y5d:ay9LmwuetmncSDnh3IubZmipzzMq/YOw

Score
10/10
healerredlinemangodropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

mango

C2

193.233.20.28:4125

Attributes
  • auth_value

    ecf79d7f5227d998a3501c972d915d23

Signatures

  • Detects Healer an antivirus disabler dropper 19 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2470f02746e0ace28b3f21135e43ca5574a20964c1ebe76b4d37e025bc74cf37.exe
    "C:\Users\Admin\AppData\Local\Temp\2470f02746e0ace28b3f21135e43ca5574a20964c1ebe76b4d37e025bc74cf37.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9261.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9261.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4676
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bus7443.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bus7443.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1492
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\con2811.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\con2811.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4168
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1080
          4⤵
          • Program crash
          PID:2296
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dWa97s47.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dWa97s47.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2284
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4168 -ip 4168
    1⤵
      PID:1964

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dWa97s47.exe
      Filesize

      395KB

      MD5

      e25387fb916a34d4affe07ade28d8455

      SHA1

      b5bb0ac2c95612be258c13f03718e33ac07f508a

      SHA256

      db9c125de03bc9f7a939cbed3d5b4c78a8b3cf58a1fb95c588a9b6644abcae80

      SHA512

      4fe8bedbb69141284d61a765023422d1a570f15a66144f03f5e3977839dd14dafaa7c9e05845acb56c385742ad46d1cf79792dc01fec40c88b201d9d5c2bd789

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\kino9261.exe
      Filesize

      348KB

      MD5

      1efa83425eabab9a22fbe7729b0152ae

      SHA1

      819eb1db62529387bc29f5e06f665cea513cfe28

      SHA256

      0e22f456ec421185445bcea21c2f9c9be7b980dc99a98a33f65396b7c1b2bf90

      SHA512

      3bcc1baa1e85fe455be3511040e0588999f99d49d830327b56b5309a4c19aaf71631fb8457fb8eb9f55a4d91460273482b9d7936bcdef64e8493e1e2b0b0f5d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bus7443.exe
      Filesize

      11KB

      MD5

      7e93bacbbc33e6652e147e7fe07572a0

      SHA1

      421a7167da01c8da4dc4d5234ca3dd84e319e762

      SHA256

      850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

      SHA512

      250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\con2811.exe
      Filesize

      338KB

      MD5

      5cd6b1f2c41d7a661c6df2e1b21f36c4

      SHA1

      4e491407a4fa3cb2141ac1e53add2d2e6eaa87c7

      SHA256

      92fdfed7ca6e16c859119ff3f2cc57f05e1f2ce56593f9e77af55edbdfb2559e

      SHA512

      490ed23ef3b20e77e6fe3fc7963c1299770b4ebc0f9b9fba543faac27cbbe3ad64ec21687871b4ba0858ca07234193227f6c166703716633eedb7295c0e5ea6b

      Download Submit

    • memory/1492-15-0x00000000008A0000-0x00000000008AA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1492-14-0x00007FFE5A793000-0x00007FFE5A795000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2284-75-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-74-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-970-0x00000000081E0000-0x000000000822C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2284-969-0x0000000008090000-0x00000000080CC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2284-968-0x0000000008070000-0x0000000008082000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2284-967-0x0000000007F40000-0x000000000804A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2284-966-0x0000000007920000-0x0000000007F38000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2284-67-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-71-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-60-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-61-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-63-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-65-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-69-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-77-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-79-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-81-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-83-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-58-0x0000000004A60000-0x0000000004AA6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2284-59-0x0000000004C00000-0x0000000004C44000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2284-85-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-93-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-91-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-89-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/2284-87-0x0000000004C00000-0x0000000004C3E000-memory.dmp

      Filesize

      248KB

      Download

    • memory/4168-31-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-51-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-53-0x0000000000400000-0x0000000002B05000-memory.dmp

      Filesize

      39.0MB

      Download

    • memory/4168-25-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-27-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-21-0x0000000007030000-0x000000000704A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4168-23-0x00000000070A0000-0x00000000070B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4168-29-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-24-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-22-0x0000000007220000-0x00000000077C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4168-38-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-35-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-39-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-42-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-43-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-45-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-47-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-49-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4168-33-0x00000000070A0000-0x00000000070B2000-memory.dmp

      Filesize

      72KB

      Download