Overview

overview

10

Static

static

3

j5520135.exe

windows7-x64

10

j5520135.exe

windows10-2004-x64

10

x2665667.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    114s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-08-2024 08:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    x2665667.exe

  • Size

    481KB

  • MD5

    5159171ed6475bc06366524e8dbc68b7

  • SHA1

    08fa75bd802d8c3872a7621ffbacd1bc4356b2ed

  • SHA256

    6316e65ea3595400e6df1a4dd79f98f3b49ecd4fad754bcb6f79efec95c5b092

  • SHA512

    4c5720c823412cc078e2ac75b3465adf1a897972c511cb5cb6d77925a2869be3df2ff60a718fc52603e8fbf09dc4765b7004167141357bb7836f6417fb8deca9

  • SSDEEP

    12288:/MrLy90CjFLAyoJCQ3oQqVZ19tc8Tb1H:sypFLAeQ4QUZ19tL

Score
10/10
healerredlinepetindiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

petin

C2

77.91.124.82:19071

Attributes
  • auth_value

    f6cf7a48c0291d1ef5a3440429827d6d

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x2665667.exe
    "C:\Users\Admin\AppData\Local\Temp\x2665667.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4144
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4776
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:832

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5976294.exe
    Filesize

    315KB

    MD5

    d07a8d025ad5167e0519e860780f58b0

    SHA1

    930163600ba309aa6f8c72844d133378bb1df911

    SHA256

    50f4fdfafc46731ed6f310d378ddda0a39d4b4cc10da9729a45b12f63e17aee4

    SHA512

    55ea0e4ca8f6202539254f10e87a608a0c8a1ad03ae0263a207664bb385cb78119641838bfc9e293c2e7799e9027b458694ae984ef5c8a8aacd62c4349e9ea25

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g9422113.exe
    Filesize

    229KB

    MD5

    c04574bae7475ceb34295dba472371fd

    SHA1

    69644e2718e135c484d62abd409e10c94a280863

    SHA256

    38484c394c6c62deb85ee75b30cd5ff568c5dc23ca08a3366d0f2482dfefe11c

    SHA512

    9ffc37140111861f4b645fa7015beed57291bd45a0e02145391fed3638f853eff9b8beb7e60709716e3dc368abbc91d0a2e8e7088e3f138287d846cd3cf87a87

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h9251280.exe
    Filesize

    174KB

    MD5

    2ebab37f88bd95040550fddf6b98086b

    SHA1

    c87316aea7a90fbb0b058a5c472c294e1a711848

    SHA256

    81110de81c715b9b50429ca1f7a1ee9d83bc6a2ff10a79175a61e0ef344ebc1a

    SHA512

    42461327fdf3ef262861af2746f6a809d6c9867fae1f4bb6e1cff9b497e2a85fd2f95058be98dfae54aa35b841e3e93dd342ab0e5fd16df919ef76892baf212b

    Download Submit

  • memory/832-18-0x0000000000560000-0x0000000000590000-memory.dmp

    Filesize

    192KB

    Download

  • memory/832-19-0x0000000004D80000-0x0000000004D86000-memory.dmp

    Filesize

    24KB

    Download

  • memory/832-20-0x000000000A8E0000-0x000000000AEF8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/832-21-0x000000000A3D0000-0x000000000A4DA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/832-22-0x000000000A310000-0x000000000A322000-memory.dmp

    Filesize

    72KB

    Download

  • memory/832-23-0x000000000A370000-0x000000000A3AC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/832-24-0x0000000002740000-0x000000000278C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2968-14-0x0000000000400000-0x000000000040A000-memory.dmp

    Filesize

    40KB

    Download