Overview

overview

10

Static

static

3

badf50be73...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 12:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    badf50be7344d5490811df76e7459ff91678dda698a0e1bf47d6ef268742e723.exe

  • Size

    530KB

  • MD5

    502ed4476c3dfa43e378098542f34454

  • SHA1

    48e47074a2daf44c0bf67e665dc0594244a7da02

  • SHA256

    badf50be7344d5490811df76e7459ff91678dda698a0e1bf47d6ef268742e723

  • SHA512

    23da1faf871aea9e21b5840075180f9cb975589929082c07630c62ff94557610bee004b550131221d15f6966e56d0a704fb326e131e98b7a1e0a41214692a385

  • SSDEEP

    12288:PMrGy90RCMowi1tXe2rPdiKDzMx4f5KXa/cKtjMA+O:JyajMXrrPdiMzDALK5MA+O

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\badf50be7344d5490811df76e7459ff91678dda698a0e1bf47d6ef268742e723.exe
    "C:\Users\Admin\AppData\Local\Temp\badf50be7344d5490811df76e7459ff91678dda698a0e1bf47d6ef268742e723.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKh9401.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKh9401.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1592
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr104584.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr104584.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1484
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku158803.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku158803.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:912

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziKh9401.exe
    Filesize

    388KB

    MD5

    f2138538307d70c9d3cebddf6bd52ee3

    SHA1

    8d40b33fd7de9feef2c5275a0c1fdcebd5579c9e

    SHA256

    958d081e4940cd900ad708b0a354d8a9e9195e86d4b8ed452f9ad0910765fdc1

    SHA512

    3d9c337beeac0e8268a45f298e1135ac05b0e1406b23d6dc661f656d0081a93e860645f8cbf5900324b715ead5417f116f29a28ede5e3894d271c0df11315f51

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr104584.exe
    Filesize

    12KB

    MD5

    728c2643f6171667a53b462e7d6de96b

    SHA1

    caee1641ad3f76999e20ce59cec3e4c26c8378ae

    SHA256

    05eb4456e2f1b5308f37f41427e353a3721db10b5ca39beec021a0f2170253e8

    SHA512

    cd4376b27b6fbbaa89fecd580545e8788e084baacb13c79079cfc792cb66580b1c01d6d2e1babf908a31b81afb77d63d3c8018a9eb4168e467b1bfae361d564e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku158803.exe
    Filesize

    434KB

    MD5

    22d1b8d00184871637a51b8ebc510f45

    SHA1

    e54d8f080bce986cd58efa7b5c9f4b8738cb7ad0

    SHA256

    56eeb3eedbab5c57d0c970613060462b44498862c3a2919c9c888fed0d979e81

    SHA512

    bba4922a430c4df6193ebd1eca8dbfa51181f4f5b02396f5d2c4f7eaa94c08f26b574f249f864a0803a83aa187696f95f33ba08131e38d2593b9e7711d07e169

    Download Submit

  • memory/912-72-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-22-0x0000000002580000-0x00000000025C6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/912-935-0x0000000005B40000-0x0000000005B8C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/912-68-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-23-0x0000000004DD0000-0x0000000005374000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/912-24-0x0000000002660000-0x00000000026A4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/912-32-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-30-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-28-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-26-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-70-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-44-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-66-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-84-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-82-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-80-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-78-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-76-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-74-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-934-0x00000000059F0000-0x0000000005A2C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/912-25-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-933-0x00000000059D0000-0x00000000059E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/912-86-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-64-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-60-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-58-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-56-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-54-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-52-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-48-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-46-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-43-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-40-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-38-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-36-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-34-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-88-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-63-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-50-0x0000000002660000-0x000000000269F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/912-931-0x0000000005380000-0x0000000005998000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/912-932-0x0000000004CB0000-0x0000000004DBA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1484-16-0x00007FFA47E03000-0x00007FFA47E05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1484-14-0x00007FFA47E03000-0x00007FFA47E05000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1484-15-0x00000000004B0000-0x00000000004BA000-memory.dmp

    Filesize

    40KB

    Download