Overview

overview

10

Static

static

3

400f5a766c...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 21:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    400f5a766c970b353d7dd079b3cc4bebb312e1c94c336b3d8d1db707606394b8.exe

  • Size

    536KB

  • MD5

    426cb31b0b7f2355457d2cd359993ecb

  • SHA1

    a72c73b8be47193ff1c4633912f64330e0c5b119

  • SHA256

    400f5a766c970b353d7dd079b3cc4bebb312e1c94c336b3d8d1db707606394b8

  • SHA512

    256a61564ea3824655755a4bd81ec8080c006408110e548ee18e3d53105d055558440185432c9978dc0892ae91ce8870c740064a94d8e5cff9af1927bb62e278

  • SSDEEP

    12288:bMrLy90HeS8wyaHdmfYp1N6zM6/WLgb0gky:QyIeS8CUfuN6zWko2

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\400f5a766c970b353d7dd079b3cc4bebb312e1c94c336b3d8d1db707606394b8.exe
    "C:\Users\Admin\AppData\Local\Temp\400f5a766c970b353d7dd079b3cc4bebb312e1c94c336b3d8d1db707606394b8.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziva7792.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziva7792.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:960
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr812878.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr812878.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2708
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku542918.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku542918.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3240

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziva7792.exe
    Filesize

    394KB

    MD5

    8cf067160491de9f15c487e280193555

    SHA1

    3154b9cdead8ebfe83299fac1c75ec54d34bafe3

    SHA256

    5f82fd9da9a4209e0ef2fddaf24bfd382307f3ba2e9c1de9eab0af2cc67fd59a

    SHA512

    fe5707f68e239095dd07f2f0045489f33a55def77fd66ce1a1e6a6b7e1877d1c1958b5a360a8abafa20d67ff7b3a53ff0b533a8ac126145b38b885de6e721a5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr812878.exe
    Filesize

    13KB

    MD5

    b2f4aa661d42273b2043abf6d33ae280

    SHA1

    31bddbbf46602e19d22db0722abc0ec5266f7ff5

    SHA256

    78c4232d98c7b8f1d92f7eb6e82a399b0e6e8e7ae11a536237de89a5569de3d7

    SHA512

    eda7a75e0bdd8c5da76dd9e1f7254a42ff58be578940bc9ab6022c7af8e58b791bfc81cebabfcb9f78f7a13fb0f397471b379627db6e34d14b19788b3de4e94d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku542918.exe
    Filesize

    353KB

    MD5

    a2d53cf3af6b6b0a173323e1fb510988

    SHA1

    9872fdbaf96510ba9bdb508aad42c0b9f3dd32c3

    SHA256

    087c4b53eb9bb8ef54967a64ace767787548a49a66acf2edf01a070f090870ff

    SHA512

    07edcf42d1cdb548133ea162a4e1d3c377fc4e882b0563b2a8353abdaaaf72d65cece8be233ae39d70b5fd67ec96640e17e4134dc37df483ec30a777164d0932

    Download Submit

  • memory/2708-15-0x00000000006F0000-0x00000000006FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2708-14-0x00007FFC27833000-0x00007FFC27835000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3240-57-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-932-0x0000000005C20000-0x0000000005C32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3240-23-0x0000000005400000-0x0000000005444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3240-35-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-47-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-87-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-85-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-81-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-79-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-77-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-76-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-71-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-69-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-67-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-63-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-61-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-59-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-21-0x00000000028F0000-0x0000000002936000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3240-55-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-53-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-51-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-22-0x0000000004E50000-0x00000000053F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3240-931-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3240-930-0x0000000005440000-0x0000000005A58000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3240-49-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-45-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-43-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-41-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-39-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-37-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-33-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-31-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-30-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-27-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-83-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-73-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-65-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-25-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-24-0x0000000005400000-0x000000000543F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3240-933-0x0000000005C40000-0x0000000005C7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3240-934-0x0000000005D90000-0x0000000005DDC000-memory.dmp

    Filesize

    304KB

    Download