Overview

overview

10

Static

static

3

4f57fa45a4...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 14:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4f57fa45a4eec7ed70fd9855d0ae00061f5fd3a610fcf5a6db7b2cfcb2289bb2.exe

  • Size

    538KB

  • MD5

    cf563b8b2dc800d709581b157a8a0208

  • SHA1

    8d90c01554a68b3f3b0359191cfd0e678eed579e

  • SHA256

    4f57fa45a4eec7ed70fd9855d0ae00061f5fd3a610fcf5a6db7b2cfcb2289bb2

  • SHA512

    99cc4540f4d5c8e0199dcf1812d6ed3f8a5f21fd5c6b6158bc151664729aefed950eccdf6fef853b2de357fdfd82c9f4ee7ac1b614d1beef1098491b3dd9e31a

  • SSDEEP

    12288:GMrgy90a1ymGuqcojbYXx4wMNFrygK+E/FPMvhM:OybexQXewMNFGgKlFJ

Score
10/10
healerredlineruzhpediscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

ruzhpe

C2

pepunn.com:4162

Attributes
  • auth_value

    f735ced96ae8d01d0bd1d514240e54e0

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f57fa45a4eec7ed70fd9855d0ae00061f5fd3a610fcf5a6db7b2cfcb2289bb2.exe
    "C:\Users\Admin\AppData\Local\Temp\4f57fa45a4eec7ed70fd9855d0ae00061f5fd3a610fcf5a6db7b2cfcb2289bb2.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1396
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkTM0365Lj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkTM0365Lj.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:668
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw90ke37lP47.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw90ke37lP47.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:828
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkgx47on63Cy.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkgx47on63Cy.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkTM0365Lj.exe
    Filesize

    393KB

    MD5

    a88c56832e0e65d9ab721febf0041f27

    SHA1

    b8a40c78b55def1977bccfe66524136e40b7867d

    SHA256

    7399b34518806ee94aaa65b69191495dabfae56ff36c59f94a84e1bb3b415ed0

    SHA512

    10664263fc3fa6714875ab225ac290f20a1f442db86d4d92423382c21c431b1b4bd3df25f10270a29ab10d50e651ecae901e21e11aba541aaff1a7e6f92e3e60

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw90ke37lP47.exe
    Filesize

    18KB

    MD5

    ba34dd50359511f3db959704545e36da

    SHA1

    5888f8353ebb4b3716b4e01e0d0193164e35f21a

    SHA256

    f343fbe82030907188280097ad0f235d803f5dd35a4bbaa3e9297a9b2818b67a

    SHA512

    024ceeace1d1249c558df19b2edfc632dd4e1974865a84c1760e7f94df100d1b44ce348fe1e43a23787610212cfeb27a92dba6344c306fab555b2108714ca8c9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tkgx47on63Cy.exe
    Filesize

    309KB

    MD5

    ad05fcfd3e5c54f2f09e0d5d11cadde8

    SHA1

    3309af9f3ba27dce1acfe21f1b5e0c025d9da266

    SHA256

    28668b0252c666afd029f66fd8165adfe4957ab4196f535e1bd58dd1ad4e71b2

    SHA512

    1c4128526b291a35eebc27947227e02f9abc094dd0d4a4f3d07534476eb54d60cf8324861c4afa479050b5fc41b2a13067f87f6160fcb54605bb459b7e5c8e58

    Download Submit

  • memory/828-14-0x00007FFA03B23000-0x00007FFA03B25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/828-15-0x0000000000E00000-0x0000000000E0A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/828-16-0x00007FFA03B23000-0x00007FFA03B25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4000-60-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-44-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-24-0x0000000002610000-0x0000000002654000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4000-40-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-46-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-88-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-84-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-82-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-80-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-78-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-76-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-74-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-72-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-66-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-64-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-62-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-22-0x0000000002420000-0x0000000002466000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4000-58-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-56-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-52-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-48-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-23-0x0000000004C20000-0x00000000051C4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4000-42-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-38-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-36-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-34-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-32-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-30-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-86-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-70-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-69-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-54-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-50-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-28-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-26-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-25-0x0000000002610000-0x000000000264E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4000-931-0x00000000051D0000-0x00000000057E8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4000-932-0x0000000005870000-0x000000000597A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4000-933-0x00000000059B0000-0x00000000059C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4000-934-0x00000000059D0000-0x0000000005A0C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4000-935-0x0000000005B20000-0x0000000005B6C000-memory.dmp

    Filesize

    304KB

    Download