Overview

overview

10

Static

static

3

1ba653eb8a...78.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 14:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778.exe

  • Size

    688KB

  • MD5

    f512cb02b5dec6a85650deb4fc67b0d9

  • SHA1

    12581df072761537e742f552ad821df245ec1415

  • SHA256

    1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778

  • SHA512

    a6a60cbaddb7b12003be259eb81b68572a7b503ea601c0aa14a4c31a661fe2fc138e782c61e9df0af03f1b59a9ef7425342deedd508b4a975c76c83af59bd1c2

  • SSDEEP

    12288:WMrOy909EHIHwRdTeEPEL0KS3Hfyu65hLuGoLb0CYvlWakutKdmJvvGFNIfigwA0:sy7HIHaAk+Y61fapPDIlWak7dmJvSNIg

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778.exe
    "C:\Users\Admin\AppData\Local\Temp\1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1332
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:968
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:860
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1084
          4⤵
          • Program crash
          PID:4948
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9834.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9834.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1040
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 860 -ip 860
    1⤵
      PID:4596

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe
      Filesize

      547KB

      MD5

      38942ed647966139df59d55976fc3bb2

      SHA1

      6f794775747cb151bfd5c176f63b95e4190f6a9a

      SHA256

      3d2d216db8b6cc38cbf1976613b655b36cff090a8c37fc14e0d35380963b08e3

      SHA512

      e413494e927dfeecd1630fe52b998ebdf3fc3ee732835acd25a1bdda5a2203444cd1909586b6263ea93775639676d33d97d5b0a2212b6e73fcf5f4fea3a21cca

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe
      Filesize

      291KB

      MD5

      2382f9d8ee4d02f6c02384c461045a96

      SHA1

      a0cf995e4315f581d637d85df713b408994d6736

      SHA256

      530d67e57e8bbe63aeb502f0c811a8fd8a707219b0f0f0ae11c1bc1c0732afc8

      SHA512

      6f3823e12a02a9d0971c7a8b121d172128ead58e9eb4ac1344e814c6a5e4aa883b4ec3da3259250f904ff4b218951df71968e50e42425aca413676ab4a377936

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9834.exe
      Filesize

      345KB

      MD5

      ff67e130b6d70b2883c7f60f37d134ff

      SHA1

      f48375438d3724a25b06f88c9fec7cbb56810fab

      SHA256

      4edf96b78713c72114987d50d05eeffca11e604e123e30cb185b8e81879f8428

      SHA512

      c9a030656c6452757c2e7e8b31cbb72a71e9c719ff060f7b1c1df397beacdfdc6b4eea166c09a01e7f67c359b49506954d55184ce8452b81a534b2c30b215abf

      Download Submit

    • memory/860-15-0x0000000000950000-0x0000000000A50000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/860-16-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/860-17-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/860-18-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/860-19-0x0000000002670000-0x000000000268A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/860-20-0x0000000004DE0000-0x0000000005384000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/860-21-0x0000000004CA0000-0x0000000004CB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/860-22-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-47-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-43-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-49-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-41-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-39-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-37-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-35-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-33-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-31-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-29-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-27-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-25-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-23-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-45-0x0000000004CA0000-0x0000000004CB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/860-50-0x0000000000950000-0x0000000000A50000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/860-51-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/860-54-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/860-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1040-60-0x00000000037D0000-0x0000000003816000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1040-61-0x00000000039B0000-0x00000000039F4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1040-69-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-71-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-95-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-93-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-89-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-87-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-85-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-83-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-81-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-79-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-77-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-75-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-73-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-67-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-65-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-91-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-63-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-62-0x00000000039B0000-0x00000000039EF000-memory.dmp

      Filesize

      252KB

      Download

    • memory/1040-968-0x0000000006780000-0x0000000006D98000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1040-969-0x0000000006DA0000-0x0000000006EAA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1040-970-0x0000000003D10000-0x0000000003D22000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1040-971-0x0000000003D30000-0x0000000003D6C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1040-972-0x0000000006FB0000-0x0000000006FFC000-memory.dmp

      Filesize

      304KB

      Download