Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Analysis

  • max time kernel
    137s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-06-2024 06:12

General

  • Target

    0c349ec65fde9efebd2ff123c6b223cce44c6fdbafa19b46c12d43eccde3a3e3.exe

  • Size

    729KB

  • MD5

    6b1a9cac89d36bfac5c5035809a3d484

  • SHA1

    5d1a7d8d3b0eee361215f739a1fb9971efcbea53

  • SHA256

    0c349ec65fde9efebd2ff123c6b223cce44c6fdbafa19b46c12d43eccde3a3e3

  • SHA512

    cedb70fb89194f705a4c08ee514d666fbcdf5b95cc4a869144aebbc296a762d7dc3eb98e6f0d49a4206b8b1362629cc0646e2165201ecece9f5c780a447eabcd

  • SSDEEP

    12288:iMrNy90Tvvx7thoce2cRQlY5ORPAsbZZI7LmL5AZFYqyItiwZsJJr/jigI:3yEZgRQKDEKKuc9IwwkFbBI

Malware Config

Extracted

Family

redline

Botnet

duza

C2

83.97.73.129:19071

Attributes
  • auth_value

    787a4e3bbc78fd525526de1098cb0621

Signatures

  • Detects Healer, an antivirus disabler dropper 3 IoCs
  • Healer

    Healer, an antivirus disabler dropper.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c349ec65fde9efebd2ff123c6b223cce44c6fdbafa19b46c12d43eccde3a3e3.exe
    "C:\Users\Admin\AppData\Local\Temp\0c349ec65fde9efebd2ff123c6b223cce44c6fdbafa19b46c12d43eccde3a3e3.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5840727.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5840727.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8533544.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8533544.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4764
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1435691.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1435691.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:4320
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j1084574.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j1084574.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1288
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k0511144.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k0511144.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1768
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6707854.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6707854.exe
          4⤵
          • Executes dropped EXE
          PID:2388

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 1
  • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 3
  • Impair Defenses (T1562): 2
  • Disable or Modify Tools (T1562.001): 2

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5840727.exe
    Filesize

    526KB

    MD5

    c6cc963f97f08ff3ccd5494607a91e55

    SHA1

    6deb5bdecca523a91cc4fb456594d7f1eedc6ad8

    SHA256

    5993a0b1058c556c9dc93f76b0d38954e988c3498c3cadb977f067ec48ecf2c3

    SHA512

    6619248f965c962c2b309d55c081438c828373cef04b77e0be14792ad6ba13505628e745ec18b58493cd833ff6db77ffedb29ba9f56e8a4723f977bdd24e0589

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y8533544.exe
    Filesize

    354KB

    MD5

    4954764c0e5ca95e24be1905b769f0e4

    SHA1

    4e04c6fd7c27a66c1489886645e3df96ef095025

    SHA256

    2b60e92cc54f1fd63fd86d61477599849ac901295420cd320629ad10edeea057

    SHA512

    1d9d26b37b57e78f82d07842239f02c1bc51f0b8cd997df40a4757df050cd3195eecea73a6153142f381cbb6d7c9f48502789d6c4bcd727611d5558b8d6f30af

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l6707854.exe
    Filesize

    172KB

    MD5

    fa80431feae517f8c57bc484e37b8b15

    SHA1

    6a1f49a51d6b85effd164ea877ca8c1cf7c31fa0

    SHA256

    6a1dcbf1b52696deff082f928a32bf833f451c3c6bbe160f8ef055bb829a8e8c

    SHA512

    9d068df4a4bbe15f77e9c50a138d972cc4cccce851668827cbaeada030a9fed89cda336673493be21cfe6856ff0c6a128eff9180a92367d7cf4a904e8c1ca95d

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y1435691.exe
    Filesize

    199KB

    MD5

    a0dd9865874037306994055a30748fc4

    SHA1

    f6e82c7c7305b5c62d7b2a9326960dd03b00fc90

    SHA256

    ec486b885aa1405b2e91b1d33989af54943b5db186113fd65a99e6531146c9aa

    SHA512

    8954f944eb96ab0495493cc6da08012373168f1e1bb00d03c7d068a556cbf944ff618ea192e535c7bc8333f002e61a8858188d52f80a4933164a5dd68672f145

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j1084574.exe
    Filesize

    101KB

    MD5

    1c4c23c32290cea338a865447b4db78a

    SHA1

    3ac58d393c341523b06a6ffbd093b2cd37bfb6e4

    SHA256

    775f392bcbb7da733d032e42711f575268cc3a0638ae7b933b05295c27860c0f

    SHA512

    d2573065b64f094959b64839b122c8518db4a3cc2f2a99b3437c08cd61b357626b4ea12364bf988c5aaa747788d05e0c89654415dc96e8eac6c3e02f9b93576e

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k0511144.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • memory/1288-28-0x0000000000580000-0x000000000058A000-memory.dmp
    Filesize

    40KB

  • memory/1768-37-0x0000000000A70000-0x0000000000A7A000-memory.dmp
    Filesize

    40KB

  • memory/2388-42-0x0000000000A60000-0x0000000000A90000-memory.dmp
    Filesize

    192KB

  • memory/2388-43-0x0000000002D10000-0x0000000002D16000-memory.dmp
    Filesize

    24KB

  • memory/2388-44-0x0000000005B10000-0x0000000006128000-memory.dmp
    Filesize

    6.1MB

  • memory/2388-45-0x0000000005600000-0x000000000570A000-memory.dmp
    Filesize

    1.0MB

  • memory/2388-46-0x0000000005530000-0x0000000005542000-memory.dmp
    Filesize

    72KB

  • memory/2388-47-0x0000000005590000-0x00000000055CC000-memory.dmp
    Filesize

    240KB

  • memory/2388-48-0x0000000005710000-0x000000000575C000-memory.dmp
    Filesize

    304KB