Overview

overview

10

Static

static

3

5819d30d55...89.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 13:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5819d30d5536a389ede8af7ebff6905d6c5499615d279be504d50aab89c11989.exe

  • Size

    479KB

  • MD5

    992289fb5a8a6ea45d9c2c4ade6fb833

  • SHA1

    2148660453f3d8fa1be56fcd634e88229daa504c

  • SHA256

    5819d30d5536a389ede8af7ebff6905d6c5499615d279be504d50aab89c11989

  • SHA512

    e3027b5fd99061cc389e1181ffbaa9de18fddb0ac9fc06d5edcfbd2861f88327de6d33c216b637016e89cfd047e4ac97f9012a4e6f829a5bc6b8221f934a507f

  • SSDEEP

    12288:bMrZy90YeL+fdosBdtxugBx6e+IGZ/0DKp:OyldjdjrB+IaAe

Score
10/10
healerredlinediwerdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

diwer

C2

217.196.96.101:4132

Attributes
  • auth_value

    42abfa9e4f2e290c8bdbc776fd9bb6ad

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5819d30d5536a389ede8af7ebff6905d6c5499615d279be504d50aab89c11989.exe
    "C:\Users\Admin\AppData\Local\Temp\5819d30d5536a389ede8af7ebff6905d6c5499615d279be504d50aab89c11989.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7453089.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7453089.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8735734.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8735734.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:208
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8154928.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8154928.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1300

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7453089.exe
    Filesize

    307KB

    MD5

    a16d62461f79f3598d6a2257fb675fb1

    SHA1

    3a1142e34dbe1bd9caa6137e58f85ee1b6d9d843

    SHA256

    b00f24df948a75e912fdd19e9a9cae0bd0103d2e608e3860dbb8c395a9c4782a

    SHA512

    0633d5de3cc236dc1b6cdde258fc00c85595c40749732b3cb6e6017f8f7f1d9d4a474ca9754a864d687b041650ba5e541cbb6da1d5b83dfd63e359088e10ee22

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k8735734.exe
    Filesize

    176KB

    MD5

    8d0ff1c11d4495cba30aa60c4c4aa1e7

    SHA1

    29c076c7dc57d6bafe3f81b55710d2c6f341dd89

    SHA256

    39b0f3a682de1aa5cddc0338abb2a2a99ab4b7aaa6ca9734ff5b47ba1c5a5db3

    SHA512

    1d4dd9c3e5cb06acf2ed85ef9092a3a632b3c65f2fbe773840777e3317400f90b0fae241116202df818dbd3bae8fc01ded3823bde5b1c6b63688741c2b031c1c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8154928.exe
    Filesize

    168KB

    MD5

    d5cef3c1e0bad63308bf5c48ae0ba893

    SHA1

    aaf49c03ae67083a7a46dd8c12ff9c2e583d47cc

    SHA256

    cac141377be1bd0dc85d65e697659739efb03f8055d128f82f61b594aeb55a12

    SHA512

    07bfbd538ebc4f77cfa9bfcb54e3f14fc9f7ad5dfdfa6cf436d0fc38e62ffa4edbee699c7a1c29bacbd08249160b27445b2d7e912ea87948e53a5caf5158fc27

    Download Submit

  • memory/208-30-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-50-0x0000000073BF0000-0x00000000743A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/208-16-0x0000000073BF0000-0x00000000743A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/208-18-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/208-46-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-47-0x0000000073BF0000-0x00000000743A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/208-48-0x0000000073BF0000-0x00000000743A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/208-42-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-40-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-38-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-34-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-32-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-15-0x00000000049F0000-0x0000000004A0A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/208-28-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-44-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-24-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-22-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-19-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/208-49-0x0000000073BFE000-0x0000000073BFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/208-17-0x0000000004B90000-0x0000000005134000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/208-52-0x0000000073BF0000-0x00000000743A0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/208-14-0x0000000073BFE000-0x0000000073BFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1300-56-0x00000000008A0000-0x00000000008D0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1300-57-0x0000000000F30000-0x0000000000F36000-memory.dmp

    Filesize

    24KB

    Download

  • memory/1300-58-0x0000000005810000-0x0000000005E28000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1300-59-0x0000000005300000-0x000000000540A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1300-60-0x0000000005220000-0x0000000005232000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1300-61-0x0000000005280000-0x00000000052BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1300-62-0x0000000005410000-0x000000000545C000-memory.dmp

    Filesize

    304KB

    Download