Overview

overview

10

Static

static

10

012700a410...85.exe

windows10-2004-x64

10

02a23f59da...1f.exe

windows10-2004-x64

10

053ddd7019...99.exe

windows10-2004-x64

10

072f59f857...a5.exe

windows7-x64

1

072f59f857...a5.exe

windows10-2004-x64

1

07b9d54ca0...2c.exe

windows10-2004-x64

10

085092942b...7b.elf

ubuntu-18.04-amd64

085092942b...7b.elf

debian-9-armhf

085092942b...7b.elf

debian-9-mips

085092942b...7b.elf

debian-9-mipsel

08cbd1cc0c...d1.elf

debian-12-armhf

1

0a50e4e96f...61.exe

windows7-x64

10

0a50e4e96f...61.exe

windows10-2004-x64

10

0bdd1bc4a2...54.elf

debian-12-armhf

1

0c349ec65f...e3.exe

windows10-2004-x64

10

0c6a7849d4...d3.exe

windows10-2004-x64

10

0ceb0dadfa...de.elf

debian-9-mips

0dd32a3e7e...85.exe

windows7-x64

10

0dd32a3e7e...85.exe

windows10-2004-x64

10

0dd3f8b254...7f.exe

windows10-2004-x64

10

1100f4a753...15.exe

windows10-2004-x64

10

124c02ed92...f5.exe

windows7-x64

10

124c02ed92...f5.exe

windows10-2004-x64

10

1267a2b9b9...dc.exe

windows7-x64

10

1267a2b9b9...dc.exe

windows10-2004-x64

10

13a5b3d41f...f1.exe

windows7-x64

10

13a5b3d41f...f1.exe

windows10-2004-x64

10

13a63fbb66...62.exe

windows10-2004-x64

10

143dea0e6e...5c.exe

windows10-2004-x64

10

14779e087a...9a.elf

ubuntu-24.04-amd64

1

15f6ddf672...e3.exe

windows10-2004-x64

10

16478becee...e4.elf

debian-12-armhf

Resubmissions

23-06-2024 06:12

240623-gyd2psscqf 10

16-07-2023 19:09

230716-xt4pkahc8t 10

Analysis

  • max time kernel
    142s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-06-2024 06:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0dd3f8b25459c4e5e8eabfe91f24381813035cf7c71837ccb6e5f6899e48c27f.exe

  • Size

    624KB

  • MD5

    b680b95a2ca063dd15b0dd77f8f09ebe

  • SHA1

    796f4d63fc05f166c128124a011f165fbe28105f

  • SHA256

    0dd3f8b25459c4e5e8eabfe91f24381813035cf7c71837ccb6e5f6899e48c27f

  • SHA512

    2be2930fb6670d84b4b48abf201ed69453014d68ac4a2d8bb9177e7b92bf9ac6954e472f2bfa26d7ffcd1e1f2055737f9aea5fc2cf105dbe791c4ab04ce31adf

  • SSDEEP

    12288:wMr7y90LHqjnE/4dW/NFws2tbSP29adN5jZk4qh0r4A8bEMmHbk:byIKjnE/4dANxG42o3nrqh0r4So

Score
10/10
healerredlinejasondropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

jason

C2

83.97.73.129:19071

Attributes
  • auth_value

    87d1dc01751f148e9bec02edc71c5d94

Signatures

  • Detects Healer an antivirus disabler dropper 1 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0dd3f8b25459c4e5e8eabfe91f24381813035cf7c71837ccb6e5f6899e48c27f.exe
    "C:\Users\Admin\AppData\Local\Temp\0dd3f8b25459c4e5e8eabfe91f24381813035cf7c71837ccb6e5f6899e48c27f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1912
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2300770.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2300770.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4792
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0784825.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0784825.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\j4968224.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\j4968224.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1320
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5957917.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5957917.exe
          4⤵
          • Executes dropped EXE
          PID:4796

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

3
T1112

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
    Filesize

    226B

    MD5

    916851e072fbabc4796d8916c5131092

    SHA1

    d48a602229a690c512d5fdaf4c8d77547a88e7a2

    SHA256

    7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

    SHA512

    07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y2300770.exe
    Filesize

    452KB

    MD5

    347467799807f9d1844a374e97f6816a

    SHA1

    55c893332d74eed9aa762521da10ddeda631a3cf

    SHA256

    e7ef06ad60bc0df1bd321a18ec8ab4ecbca98e4794099767b79362cdccce8e8c

    SHA512

    452cee5638fac7040950ae627d2620bf47278fd312fd13345624bf7d599dd72d7de3fa943241c063cb93a8ec0ac7642852803c10a531dcce5844c4e158d6e73f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0784825.exe
    Filesize

    296KB

    MD5

    a073de30e4c5d7d07ba94a01688645bb

    SHA1

    a691f837d29dd114adce3bbeb71384f39053a6e5

    SHA256

    bf1ac07e22168e27add1d461fc99363e3d27b664bbf01a2fc7b977fdc2f46866

    SHA512

    73034e664682346bf59170c6c24678d91514eb1b4cc8bb37f52d3ee24e6ea92bdd435b91431157425f7837336ed9ef6c3479094082fa0963453330bf96285b3a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\j4968224.exe
    Filesize

    175KB

    MD5

    8bb77dc6257b5592c6f70cd957e1e344

    SHA1

    eacdea3ff48993970f0c0a60011a16bfd86ce841

    SHA256

    f797b816075d0a0a6609965c95c482e14916cb69f16d27893bc708fa44444747

    SHA512

    0626f9f83eeb0c49b6eb94220817c192c6b00d2648a3282db84a4c3746bd005787a00ddc6a5217a06711f83d9eb9a382565d6c231177b492625f912210ae8ce4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k5957917.exe
    Filesize

    336KB

    MD5

    5638cb299ff9460fbba59195e4aaf609

    SHA1

    fab551060943e28b2e0cc720b35c1d01d065e58d

    SHA256

    cc78a3e00a23aead26d5d2642359047f0ad5ef4686c8e284044741a15107e83c

    SHA512

    350e4e92febcbfd8c8bc3eea4112046ce0624b2f7b9f0aa30a8606151ff81b1150610166deb03a7587f914bb93cd015aad67fda32fe8840f62a1fba642b58363

    Download Submit
  • memory/1320-21-0x0000000000400000-0x000000000042B000-memory.dmp
    Filesize

    172KB

    Download
  • memory/1320-22-0x0000000000580000-0x000000000058A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4796-31-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/4796-33-0x0000000002090000-0x00000000020C0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4796-37-0x00000000023F0000-0x00000000023F6000-memory.dmp
    Filesize

    24KB

    Download
  • memory/4796-38-0x0000000005130000-0x0000000005748000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4796-39-0x0000000004B10000-0x0000000004C1A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4796-40-0x0000000004C30000-0x0000000004C42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/4796-41-0x0000000004C50000-0x0000000004C8C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4796-42-0x0000000004CF0000-0x0000000004D3C000-memory.dmp
    Filesize

    304KB

    Download