Overview

overview

10

Static

static

10

012700a410...85.exe

windows10-2004-x64

10

02a23f59da...1f.exe

windows10-2004-x64

10

053ddd7019...99.exe

windows10-2004-x64

10

072f59f857...a5.exe

windows7-x64

1

072f59f857...a5.exe

windows10-2004-x64

1

07b9d54ca0...2c.exe

windows10-2004-x64

10

085092942b...7b.elf

ubuntu-18.04-amd64

085092942b...7b.elf

debian-9-armhf

085092942b...7b.elf

debian-9-mips

085092942b...7b.elf

debian-9-mipsel

08cbd1cc0c...d1.elf

debian-12-armhf

1

0a50e4e96f...61.exe

windows7-x64

10

0a50e4e96f...61.exe

windows10-2004-x64

10

0bdd1bc4a2...54.elf

debian-12-armhf

1

0c349ec65f...e3.exe

windows10-2004-x64

10

0c6a7849d4...d3.exe

windows10-2004-x64

10

0ceb0dadfa...de.elf

debian-9-mips

0dd32a3e7e...85.exe

windows7-x64

10

0dd32a3e7e...85.exe

windows10-2004-x64

10

0dd3f8b254...7f.exe

windows10-2004-x64

10

1100f4a753...15.exe

windows10-2004-x64

10

124c02ed92...f5.exe

windows7-x64

10

124c02ed92...f5.exe

windows10-2004-x64

10

1267a2b9b9...dc.exe

windows7-x64

10

1267a2b9b9...dc.exe

windows10-2004-x64

10

13a5b3d41f...f1.exe

windows7-x64

10

13a5b3d41f...f1.exe

windows10-2004-x64

10

13a63fbb66...62.exe

windows10-2004-x64

10

143dea0e6e...5c.exe

windows10-2004-x64

10

14779e087a...9a.elf

ubuntu-24.04-amd64

1

15f6ddf672...e3.exe

windows10-2004-x64

10

16478becee...e4.elf

debian-12-armhf

Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Analysis

  • max time kernel
    137s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-06-2024 06:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02a23f59da1c37d7ed4e0f14e61fa5b264083dc4bdf35a1b09f0a3d29293981f.exe

  • Size

    726KB

  • MD5

    603947b90bbf3dc52aa799d6d74ecc3f

  • SHA1

    3af5d58a9da2971fdbe0097712d19051cf0eae81

  • SHA256

    02a23f59da1c37d7ed4e0f14e61fa5b264083dc4bdf35a1b09f0a3d29293981f

  • SHA512

    ead2ec945c1853cacde72d20182cdb5d282e74b6a236d4cbd191faffb68e30f3a5afab117ae3fc73a1ef8ebb8d392eee07a18143f0b52240c4ea9433f6f3df31

  • SSDEEP

    12288:nMrty908YkYKWr3HLkkKPYPGjBbrY6t34+ZOLtQ48ErdVhR0X+5:6yakYHHfKwqY694+Zct3lXD4M

Score
10/10
healerredlineduzadropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

duza

C2

83.97.73.129:19071

Attributes
  • auth_value

    787a4e3bbc78fd525526de1098cb0621

Signatures

  • Detects Healer an antivirus disabler dropper 3 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02a23f59da1c37d7ed4e0f14e61fa5b264083dc4bdf35a1b09f0a3d29293981f.exe
    "C:\Users\Admin\AppData\Local\Temp\02a23f59da1c37d7ed4e0f14e61fa5b264083dc4bdf35a1b09f0a3d29293981f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:5036
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3662660.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3662660.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:5100
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0062469.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0062469.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:4636
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9151891.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9151891.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:1248
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7404106.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7404106.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3972
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k9327528.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k9327528.exe
            5⤵
            • Modifies Windows Defender Real-time Protection settings
            • Executes dropped EXE
            • Windows security modification
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1672
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3382483.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3382483.exe
          4⤵
          • Executes dropped EXE
          PID:1668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3662660.exe
    Filesize

    526KB

    MD5

    6289824a1644a295ca95c7618dfc2d57

    SHA1

    99dcc49a413a1cd103f3b84d63893f5693274f8a

    SHA256

    e4cdc42e8afc467142a629153fcfccf450227e6b3705d1c27bf779197ef1f546

    SHA512

    b15bb7263b9d05f326b7e42e6e7cc518b098614a94918aa25693747176801c0d983139b21e6214192bbd99b01fe483deb55d12255d0f48e6b838ed7b48faa700

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0062469.exe
    Filesize

    354KB

    MD5

    caf9369f954917ec47ca66553998f145

    SHA1

    82f19fa39e630efce6562a44b74c332338f5c12f

    SHA256

    fe80270bc8981afb506e4aeb7781fbdb90b137c6ea7ec728f793413a4ecb2837

    SHA512

    88bddd3273f2d3b873f1414afdc4e21c1b8664cf2248e219e937e22ecb4a9309a2984406910ade9847a77bdd768636b9c0ac5cd7f46621b387241efeb7bd1f7e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3382483.exe
    Filesize

    172KB

    MD5

    271700b19d450d6ec7df159584d5afdf

    SHA1

    52f6143c0f0f92c58757ab92af3401c19a8fe91a

    SHA256

    4dd3ce52ec8a76830130c2fff28eccddb6091417f50126ede4b36371525b4ba5

    SHA512

    aced014acce41469c11c1ba14f0faa6ccc53cb03cd045dd0944eb55b528967ae7870ecd163bff2bf7a52c58b861edec186390fcacb647048c43e7e60d2f22779

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y9151891.exe
    Filesize

    199KB

    MD5

    b536677bdd86084d557d956c8a1f9e82

    SHA1

    6be501a406dca1cade61a126ace78800895b14ba

    SHA256

    a76a9bb01ee56d41b16aa1454920546376f3d59152e25f0e2c58fe6744dcd7a6

    SHA512

    7d18a8abfe7570b3313e030f990650e6203dafbb9de18e3e75e2634f2a9c952a8be56a5739f767032e924bbe0b5643fcd092c4cfad2654e5b8e3925556fbbaf6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j7404106.exe
    Filesize

    102KB

    MD5

    d4f4ac636a8e6b2d06da0e5b2ae19ad4

    SHA1

    f468bca795e587529c49d31dcfe657b97da7b44b

    SHA256

    c110ec903537181eca058ba0e1b702c084c4d5c6920d2edfcadbc7a314c32add

    SHA512

    cef572a202012404013cc725b32c4f888c0ea786cb4c1be1f5b401e5ba1d078d318e75092d83960b71c23891a7832717f85d9f5bbecdb55ba9a93751684d9c72

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k9327528.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit
  • memory/1668-43-0x00000000021D0000-0x00000000021D6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1668-42-0x00000000000B0000-0x00000000000E0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1668-44-0x0000000005100000-0x0000000005718000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1668-45-0x0000000004C40000-0x0000000004D4A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1668-46-0x0000000004B80000-0x0000000004B92000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1668-47-0x0000000004BE0000-0x0000000004C1C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1668-48-0x0000000004D50000-0x0000000004D9C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1672-37-0x00000000001B0000-0x00000000001BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3972-28-0x0000000000460000-0x000000000046A000-memory.dmp
    Filesize

    40KB

    Download