Overview

overview

10

Static

static

3

eb0431670c...37.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 22:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe

  • Size

    561KB

  • MD5

    8f51bfa09372660c4245fb56e03d69e4

  • SHA1

    97ea3fcd075c8210137856abf5fe02820e3dc5ae

  • SHA256

    eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137

  • SHA512

    bcb82162c82f5f1835c0079c9db02a686bc737752086113c47980ff94232a35c6f84881b4245e9864f3c431f93f5d438cfe33e33652721f619bc6438788963aa

  • SSDEEP

    12288:BMrMy90Jpo/EWFwuuwbELzTm5HLxeXPMDhUdqE+NGCp:FySehK1/TmZLx+ES0NGCp

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe
    "C:\Users\Admin\AppData\Local\Temp\eb0431670cfbc66af8c8c4114a31fedb35b022519d5c8dcf2e46d1aadb116137.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilr1226.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilr1226.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr054536.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr054536.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:912
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku709415.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku709415.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2184

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilr1226.exe
    Filesize

    407KB

    MD5

    c6d932a1380d6bf75e6a9cbde1765b50

    SHA1

    439dc397c9e6e028d2183449746c18c096a14c2b

    SHA256

    12e6dc1687f79f6a34e728abb8e836501f435b784afc44677190c2ea6cb3364a

    SHA512

    b815036936ca30b0efc94f3e7c2ace2b6c7b642689be54d6a2a2cad43a3f42ed7b40ece135f1c8222b9f25941c1717eb5a6d522d39ac24029c7ece63db29d869

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr054536.exe
    Filesize

    12KB

    MD5

    69ae814bd0f2f5c008c8c2e086c3e81c

    SHA1

    31a5ca19b25094ed72b287f709e75de8e2d984ea

    SHA256

    254045ce880196020992a144f5f638c2b3367e0def65a90b771db13e37135ed8

    SHA512

    d4253e3520c019b25a0bde87f1aa3af6205e1f63182dc89cf767847a7c8131d2382a907bc8da8c531450348ea0535cbd9ac37f89cd37cd61f6462c83f77459e3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku709415.exe
    Filesize

    372KB

    MD5

    c0e740b20f74d285eb0f581e59c92483

    SHA1

    8938c8deb4d6fa6e27e844f03e88b9fdb1c29494

    SHA256

    b012c391d0272e4cf5e49f2272e65ffcb5f69a3cc6e6780a9f6c9cfb545297de

    SHA512

    2ebe0be5335b801ec274845f7045702339571aa5b08718bc39b1978829951ceca67128cefb655b94e1d2c639c953d0102997ca7127281423ecc47d58331576d6

    Download Submit

  • memory/912-14-0x00007FFE567A3000-0x00007FFE567A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/912-15-0x0000000000290000-0x000000000029A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/912-16-0x00007FFE567A3000-0x00007FFE567A5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2184-64-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-52-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-24-0x00000000053B0000-0x00000000053F4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2184-28-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-36-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-88-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-86-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-82-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-80-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-78-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-76-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-74-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-72-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-70-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-68-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-66-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-22-0x00000000027C0000-0x0000000002806000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2184-62-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-58-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-56-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-54-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-23-0x0000000004DC0000-0x0000000005364000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2184-50-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-48-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-46-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-42-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-40-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-38-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-34-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-32-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-30-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-84-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-60-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-44-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-26-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-25-0x00000000053B0000-0x00000000053EF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2184-931-0x0000000005580000-0x0000000005B98000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2184-932-0x0000000005C20000-0x0000000005D2A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2184-933-0x0000000005D60000-0x0000000005D72000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2184-934-0x0000000005D80000-0x0000000005DBC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2184-935-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

    Filesize

    304KB

    Download