Overview

overview

10

Static

static

3

45379fd4bb...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2024 14:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    45379fd4bba6e95ba6dfb6c52db7d067ff7a8301873197df44ca36c77f98eb0b.exe

  • Size

    560KB

  • MD5

    a721237fc59826593b16e05a77c9936c

  • SHA1

    498bcc6de832789d8bd6cbd941a7e62164e6c041

  • SHA256

    45379fd4bba6e95ba6dfb6c52db7d067ff7a8301873197df44ca36c77f98eb0b

  • SHA512

    72cfb4d3bd17f84fd875f0729f5efa2cac1f32c0d39c86f404e4dc7103e2770bd93187a8c3c3bbcc75b688c4d7e10b43798a10e1097c9cb0bb8f691174c5c977

  • SSDEEP

    12288:jMrGy90kTg90DFAtleqvYmb+eB853zqtd8MeLbWgnC0:FyHkeDStlzvYqsJi8MUbxC0

Score
10/10
healerredlinefuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\45379fd4bba6e95ba6dfb6c52db7d067ff7a8301873197df44ca36c77f98eb0b.exe
    "C:\Users\Admin\AppData\Local\Temp\45379fd4bba6e95ba6dfb6c52db7d067ff7a8301873197df44ca36c77f98eb0b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3580
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhtD5163dm.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhtD5163dm.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:184
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf37Et27Wx29.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf37Et27Wx29.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4740
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf72kw99bn23.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf72kw99bn23.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1408

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhtD5163dm.exe
    Filesize

    416KB

    MD5

    3807fccbf75d9af066b5806228a8e22a

    SHA1

    7150b1585a9c800f6ff5b7dbee6af4196996a719

    SHA256

    4c8aa517f37d1687b59afc2e7fe24ecd40e02e2a6655841868192f203961bfc2

    SHA512

    54f09c6a795596a65c2b966e37bb81c1b50b50ecad69efe85136a99d6c3e7e5a5f35f2d765f8d6711bc4fb5aa017fb715621d699d79200695ca1fe1c4dd16eef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf37Et27Wx29.exe
    Filesize

    11KB

    MD5

    5bf6bc3d5a8523694995b75a9a2f132f

    SHA1

    ad56cb421bc1e1fb54f6328d79a3c8fab167d72d

    SHA256

    1750c0ac6b1ac15d6764a920221efd05b1d5272ebb3ade0ce327142bc9097db2

    SHA512

    41e33b009a5ab6bce5ebe4d2f28190debe59b8728ba7384a5e42f40b5594a9ee270f19f91856ba915ce3d84735bb2de96f1c888076798be6e9b7c485e5b7a302

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf72kw99bn23.exe
    Filesize

    416KB

    MD5

    197d8f3be31e2a0e255e510348dccf49

    SHA1

    c55404597c3904b99ebb6eac727feeef78fda213

    SHA256

    e0f10554868f152ebcb4cbc700ca36c4e4661b8211b6af815c2e028ebb8da58c

    SHA512

    efd1b3f491868fa6b90876b8357a551d381f710016a5f398c1e0d273828bd42c4d9d4bfc3eaa98a65461b7b95811bf577f96cb45480b3c395fefb76ccdcbafc2

    Download Submit

  • memory/1408-68-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-22-0x0000000004DF0000-0x0000000004E36000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1408-935-0x00000000082B0000-0x00000000082FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1408-64-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-23-0x00000000074D0000-0x0000000007A74000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1408-24-0x0000000004FA0000-0x0000000004FE4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1408-28-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-46-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-58-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-74-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-66-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-86-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-62-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-82-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-80-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-78-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-76-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-72-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-70-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-934-0x0000000007460000-0x000000000749C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1408-88-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-933-0x0000000007440000-0x0000000007452000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1408-84-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-60-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-57-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-54-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-52-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-50-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-48-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-44-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-42-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-41-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-38-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-36-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-35-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-32-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-30-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-26-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-25-0x0000000004FA0000-0x0000000004FDE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1408-931-0x0000000007A80000-0x0000000008098000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1408-932-0x00000000080A0000-0x00000000081AA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4740-16-0x00007FFFA5243000-0x00007FFFA5245000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4740-14-0x00007FFFA5243000-0x00007FFFA5245000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4740-15-0x0000000000620000-0x000000000062A000-memory.dmp

    Filesize

    40KB

    Download