Overview

overview

10

Static

static

3

eab3e27e19...bb.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 04:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe

  • Size

    269KB

  • MD5

    94d8582df5fde8a4f1e3e47b1a464b5f

  • SHA1

    d466d7326164cb6b0f40497b3629c6ea070b4cd0

  • SHA256

    eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb

  • SHA512

    2752d4e804e948fd26610646437c48464006c080b01484fb1ef51644cf3d0c7ba2d10a4bab1f8913bb7834696bdb6251c3a048c586301ac5db55fc7925ad1af2

  • SSDEEP

    6144:Khy+bnr+Sp0yN90QEf92P0yqvSnEFDtt6:7MrGy90ZEsyqv6az6

Score
10/10
healerredlinesmokedropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

smoke

C2

83.97.73.131:19071

Attributes
  • auth_value

    aaa47198b84c95fcce9397339e8af9d4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 2 IoCs
  • Detects executables packed with ConfuserEx Mod 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe
    "C:\Users\Admin\AppData\Local\Temp\eab3e27e19b610a1a1a8a23092835343e10f25e6c145be41f93e618a44e9bebb.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9557499.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9557499.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3388
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2120662.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2120662.exe
      2⤵
      • Executes dropped EXE
      PID:4872
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:1372

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\k9557499.exe
    Filesize

    112KB

    MD5

    fa3a56cad8451afde73a3100b2f8a7eb

    SHA1

    75bb944648d199bca0b2c60aafef136d3cb8c470

    SHA256

    9714e35cad133ee52b73ca48c098ca49a89e6dca7ad94f4d52117609c63cedfe

    SHA512

    8d722f040939d9a486d7ce2bd16df3edf91e2d89bc06f3ba7e32a1170c763a6ae74dd43214e9303cd39c5861ecdc98ae86fc75a4fcdec75656910ab3297721bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l2120662.exe
    Filesize

    274KB

    MD5

    5d3bb93a0305b1f9b6a714973b62f767

    SHA1

    1367eff6f08640623b117164fcae05bc34cc36ad

    SHA256

    169ad6bc316a08fd5e2a6abe0b61812a084a075ad85e504bd050518dc14e43be

    SHA512

    9017373926ec1bb1f63e83d883ff6f960c23d4d2da64c09347d38d27679a9120bcd586432679fea29c9749a8ef1fa464111dde1059cb6149b5270e86676d64f1

    Download Submit

  • memory/3388-7-0x0000000000420000-0x000000000042A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3388-11-0x0000000000402000-0x0000000000405000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3388-12-0x0000000000400000-0x000000000041C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/4872-22-0x0000000000400000-0x0000000000445000-memory.dmp

    Filesize

    276KB

    Download

  • memory/4872-18-0x0000000000580000-0x00000000005B0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/4872-24-0x00000000022C0000-0x00000000022C6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/4872-25-0x0000000009E70000-0x000000000A488000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4872-26-0x000000000A510000-0x000000000A61A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4872-27-0x000000000A650000-0x000000000A662000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4872-28-0x000000000A670000-0x000000000A6AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4872-29-0x0000000004440000-0x000000000448C000-memory.dmp

    Filesize

    304KB

    Download