Overview

overview

10

Static

static

3

49d01a899f...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    49d01a899f8a3bc02cff528f4a64f831dd43168875727c0221bf094aaa7d6abf.exe

  • Size

    690KB

  • MD5

    5270fb64c6cc733b7b2bb5d37ab44606

  • SHA1

    6207a4240bb5821e492f034fbb4639a996d0d37e

  • SHA256

    49d01a899f8a3bc02cff528f4a64f831dd43168875727c0221bf094aaa7d6abf

  • SHA512

    379008ced53e35634bf70218a4111c93f944c6460b226f3cbc2a6011d90a876d70e3543962e63ec2cb9f128f333e3e8eab55a826cb92fd2024c956f1b4863023

  • SSDEEP

    12288:AMrgy90wt7NPGsQpyzbQvya65hLuZyG4gNZsKDoEmJfvzFnrfig/Hysp7sa0:QyBDKpylpfa8YZsMoZfpnragPR6R

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\49d01a899f8a3bc02cff528f4a64f831dd43168875727c0221bf094aaa7d6abf.exe
    "C:\Users\Admin\AppData\Local\Temp\49d01a899f8a3bc02cff528f4a64f831dd43168875727c0221bf094aaa7d6abf.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3976
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un416149.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un416149.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3429.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3429.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2872
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1084
          4⤵
          • Program crash
          PID:3096
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5275.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5275.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3172
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2872 -ip 2872
    1⤵
      PID:1556

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un416149.exe
      Filesize

      548KB

      MD5

      1d3aaaabb0cc1a8259a13a01a7709a5d

      SHA1

      098293afda2621f8c6742a7e76dae6314eb91660

      SHA256

      46e1e48cc84c24644d1c049d7ea09efd0b5b0dd483e9f062dbfa741e1095c654

      SHA512

      c34cb670e4652ad3ee123140ea5f90f660ee50153014788dafb2666b9bbb9b7bd9082250b0bc56938c3997e0687dbfb709014e4cf5c880545fbe77e70647d91d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3429.exe
      Filesize

      291KB

      MD5

      ef084c5c6191c5ba16ac2a93e55ed89d

      SHA1

      d582897bc4d6bb73f1771a8350ddaa2c5701c47e

      SHA256

      5037f96b420fef689507b162ebe3fc969f15739acff8a45f61e52384fd98cf3c

      SHA512

      f4cf01767c4f159a056e3779f6446208aa2482433d43e04f1ad8eeb761b6c89756144daa067a93a42775e0b5527d84bd5a55606d9a0c81a0d9719254674ea8fb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5275.exe
      Filesize

      345KB

      MD5

      665a08e26ad4e7864ba7921823da10ef

      SHA1

      5112ffe1dbe5da7d8f192ce4ee2ae230fb993bbe

      SHA256

      7b0c5b8cb19569f92d6d032951affd8c9d138b6bd6c5223ba432197dc73d19ed

      SHA512

      fd5dd8efe348add95ea36b16f8769099b703027d85c19c0ee33ef70d9448a90414a81d9d919d515cc5c69fa5c6bcd8971bc17f84b6d7360adab4285dddc8b24d

      Download Submit

    • memory/2872-15-0x0000000000780000-0x0000000000880000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2872-16-0x0000000000730000-0x000000000075D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2872-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2872-18-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2872-19-0x00000000026E0000-0x00000000026FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2872-20-0x0000000004DD0000-0x0000000005374000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2872-21-0x0000000002750000-0x0000000002768000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2872-22-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-49-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-47-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-45-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-43-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-41-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-39-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-37-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-35-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-33-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-31-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-29-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-27-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-25-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-24-0x0000000002750000-0x0000000002762000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2872-50-0x0000000000780000-0x0000000000880000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2872-51-0x0000000000730000-0x000000000075D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2872-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2872-55-0x0000000000400000-0x000000000070B000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2872-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3172-61-0x0000000003880000-0x00000000038C6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3172-62-0x0000000005F60000-0x0000000005FA4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3172-70-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-76-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-96-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-94-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-92-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-88-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-86-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-84-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-82-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-80-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-78-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-74-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-72-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-90-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-68-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-66-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-64-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-63-0x0000000005F60000-0x0000000005F9F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3172-969-0x00000000066B0000-0x0000000006CC8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3172-970-0x0000000006D00000-0x0000000006E0A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3172-971-0x0000000006E40000-0x0000000006E52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3172-972-0x0000000006E60000-0x0000000006E9C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3172-973-0x0000000006FB0000-0x0000000006FFC000-memory.dmp

      Filesize

      304KB

      Download