Overview

overview

10

Static

static

3

9e42f3b3bb...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 10:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e42f3b3bbe2494259d65671f3190341a2cd36a1edb4ed11a67a3db56bc9106b.exe

  • Size

    561KB

  • MD5

    d4f1f202afedcf09bc0fb3d177e027b2

  • SHA1

    8c7b41d8c9f0cf93f8004f899acb5d6eaf85711c

  • SHA256

    9e42f3b3bbe2494259d65671f3190341a2cd36a1edb4ed11a67a3db56bc9106b

  • SHA512

    2e40eab7ae2459f99e9447917b3694a0d3c57d20c5cdb89305a7a82055e0e896a063afa83f83bb9fa79521e7c0173d0c35f244a2be5c4f3caff565894960ffb6

  • SSDEEP

    12288:lMr+y90wahlywIM4kdcM68AeXPMi9DBtDHe9O:Py/IlTdcM6AEcDzDHe9O

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e42f3b3bbe2494259d65671f3190341a2cd36a1edb4ed11a67a3db56bc9106b.exe
    "C:\Users\Admin\AppData\Local\Temp\9e42f3b3bbe2494259d65671f3190341a2cd36a1edb4ed11a67a3db56bc9106b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2072
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuv2628.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuv2628.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1428
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr758837.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr758837.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:208
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku315964.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku315964.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziuv2628.exe
    Filesize

    407KB

    MD5

    863a1294238ab0d9fa75640d7bbf845b

    SHA1

    16b01791e41088681c5b9a02592149d4f11c1c34

    SHA256

    19d79bc03bdfc7e1c9d2bf08098aab27260bcb4697669fa47fa68164ee9291f9

    SHA512

    7065a522750918ff691236644610b11f85743b4bf1523f3b43be99393e482e18e30aa2279b633019091b03bb3e794d7c800b6f167945ed6d53cc483015556e16

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr758837.exe
    Filesize

    12KB

    MD5

    5f848c930165b59cde5a1f95cd0c69b7

    SHA1

    4354e1b63d2cd0cb63875974a9ed93b796c8d661

    SHA256

    b88b6224bbc194a3d6a752db261d497779c301ac5602343dc5a7032125df04ea

    SHA512

    01eae269a325ad382c1d44508770869146464ccabafa64490d0e86f1599cd20be536770ab62f87dfebe8e84d37022c51619f7f6e8d7c9cf98334d47f174393b0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku315964.exe
    Filesize

    372KB

    MD5

    c6766cc04615269fe814609818876d16

    SHA1

    35208f26d465d93de58585109c96b4b74be11c32

    SHA256

    8b39a0c7a2e0267b2603fa242dcb6180e205805632685d257a3c1cf490855526

    SHA512

    2a18df3cf935e8b31ad1ddff9dc3ad53a3ed15f74b29d10434ebe63b416efbe1ed5561f85d935bf88c0723af385289572aa422fdc371f001d864ac433b9f952b

    Download Submit

  • memory/208-15-0x00000000007B0000-0x00000000007BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/208-14-0x00007FF8E7EE3000-0x00007FF8E7EE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/208-16-0x00007FF8E7EE3000-0x00007FF8E7EE5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3760-62-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-53-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-24-0x0000000004F30000-0x0000000004F74000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3760-64-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-72-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-88-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-86-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-84-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-82-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-81-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-78-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-76-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-74-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-70-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-68-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-66-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-22-0x0000000004E60000-0x0000000004EA6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3760-60-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-58-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-57-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-54-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-23-0x0000000005040000-0x00000000055E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3760-50-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-48-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-46-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-44-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-42-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-40-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-36-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-34-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-38-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-32-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-30-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-28-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-26-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-25-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3760-931-0x00000000055F0000-0x0000000005C08000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3760-932-0x0000000005C30000-0x0000000005D3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3760-933-0x0000000005D70000-0x0000000005D82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3760-934-0x0000000005D90000-0x0000000005DCC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3760-935-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

    Filesize

    304KB

    Download