Overview

overview

10

Static

static

3

63ae309bd0...3N.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    63ae309bd0b7c61f65009fbb6a9fa7dcf04e11a140d8d4de13c3f253c52eda93N.exe

  • Size

    931KB

  • Sample

    250212-w4wahasncx

  • MD5

    e66cc4aec2b41c860bcc0cb8a12e9670

  • SHA1

    af7f460dcf12550afffdc6441074a847b3707e4a

  • SHA256

    63ae309bd0b7c61f65009fbb6a9fa7dcf04e11a140d8d4de13c3f253c52eda93

  • SHA512

    388309ca56a20654bb3761540d90445eb1ee018fc5c6e3886c991d53fe9fc546d43042e21e9defd1c0b4660d5cfac9e47f66781db089dd9876d3c735d2dcfd9c

  • SSDEEP

    24576:qyJ+ybVfPhLylGpvfqJTI6wMEhK5RlwFG846fnx2:xJ3tPhGlGCUJhKjlwFZ

Score
10/10
healerredlinelitornormdefense_evasiondiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

norm

C2

77.91.124.145:4125

Attributes
  • auth_value

    1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

litor

C2

77.91.124.145:4125

Attributes
  • auth_value

    d39ced97dbbaa8eab490390c2e2a6a10

Targets

    • Target

      63ae309bd0b7c61f65009fbb6a9fa7dcf04e11a140d8d4de13c3f253c52eda93N.exe

    • Size

      931KB

    • MD5

      e66cc4aec2b41c860bcc0cb8a12e9670

    • SHA1

      af7f460dcf12550afffdc6441074a847b3707e4a

    • SHA256

      63ae309bd0b7c61f65009fbb6a9fa7dcf04e11a140d8d4de13c3f253c52eda93

    • SHA512

      388309ca56a20654bb3761540d90445eb1ee018fc5c6e3886c991d53fe9fc546d43042e21e9defd1c0b4660d5cfac9e47f66781db089dd9876d3c735d2dcfd9c

    • SSDEEP

      24576:qyJ+ybVfPhLylGpvfqJTI6wMEhK5RlwFG846fnx2:xJ3tPhGlGCUJhKjlwFZ

    Score
    10/10
    healerredlinelitornormdefense_evasiondiscoverydropperevasioninfostealerpersistencetrojan

    • Detects Healer an antivirus disabler dropper

    • Healer

      Healer an antivirus disabler dropper.

      dropperhealer

    • Healer family

      healer

    • Modifies Windows Defender DisableAntiSpyware settings

      evasiontrojan

    • Modifies Windows Defender Real-time Protection settings

      defense_evasiontrojan

    • Modifies Windows Defender TamperProtection settings

      evasiontrojan

    • Modifies Windows Defender notification settings

      defense_evasiontrojan

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Windows security modification

      defense_evasiontrojan

    • Adds Run key to start application

      persistence
    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

4
T1543

Windows Service

4
T1543.003

Defense Evasion

Impair Defenses

5
T1562

Disable or Modify Tools

5
T1562.001

Modify Registry

6
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks