Overview

overview

10

Static

static

3

d8c42a8c12...1c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 21:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d8c42a8c12adbe298bd3da2bbf2ef9df3acc637626d88de0af46f74d307a861c.exe

  • Size

    530KB

  • MD5

    81f56c5a5476bd1b2a841e1a7c9ac81c

  • SHA1

    2620937a56d060968a6426cc2009c220c47d1d64

  • SHA256

    d8c42a8c12adbe298bd3da2bbf2ef9df3acc637626d88de0af46f74d307a861c

  • SHA512

    5ecf2c22fe227d32fdc016d4eab61b577d148b8814232f6c08ca592bc59658198c5c5b9e927119d1ba5b05a806b0dba8144f65a196852bc769f295bf61b4f966

  • SSDEEP

    12288:EMrMy90tNwFmSsB918l5KK5QKqBgepRi9Ohx:AyMO6BX8OAQZo9sx

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d8c42a8c12adbe298bd3da2bbf2ef9df3acc637626d88de0af46f74d307a861c.exe
    "C:\Users\Admin\AppData\Local\Temp\d8c42a8c12adbe298bd3da2bbf2ef9df3acc637626d88de0af46f74d307a861c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3952
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVR1640.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVR1640.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:748
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr987144.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr987144.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3024
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku766933.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku766933.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1416

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVR1640.exe
    Filesize

    388KB

    MD5

    15f6b81aaf6f027c2871e45ccd0d5ba6

    SHA1

    2839b3340af51230461db93681ee99d0c45dec34

    SHA256

    ccd958ea736ad2adcecf1e51bbaf78d08ed3c2e790bd247ff1832152fc1b6136

    SHA512

    b5eb545f36b7a25189e0ff99021bbf5570df15f6d8a3fd99a57b6fa73dc315c3beedbb764817f20323108c9b38f2e692a31966ca3a4ee92bfbed2f61621da41f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr987144.exe
    Filesize

    11KB

    MD5

    642377b5de019d773408064ec1e1f04c

    SHA1

    dff912e15d670066d80b8ac8da841ea2dd1baef8

    SHA256

    28333858d408966ad797a0ec919d1df4ed50795006babf0d7fd787b4cf1c534e

    SHA512

    e843a4c78f19021e4b737a68170fbdf701489fd0c3d10d51a9b2e2832550d1147e1c6991ff28e6fb130c272abfe293a073befb4ca130bc01aaf43517d0de6fe5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku766933.exe
    Filesize

    354KB

    MD5

    6dddf353a028f9b77385f2373efb4d96

    SHA1

    a9c3095cd3b3b58d9fd92ac4e56ea77223f10edd

    SHA256

    aca0f42a1fa4ee5ffd4b8890bedaa1863e2e823c0c8689a6a3608bcbdf3bf050

    SHA512

    fbc1e9506c91b109824ec880842524a0d2dc9f1b24b7957fe8922f59818cc395eafb9e0270792b5df5f683f3e6f58bad65016be508c555f2074aa85ad519a29f

    Download Submit

  • memory/1416-62-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-22-0x0000000004950000-0x0000000004996000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1416-935-0x0000000008150000-0x000000000819C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1416-52-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-23-0x0000000007370000-0x0000000007914000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1416-24-0x0000000004B50000-0x0000000004B94000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1416-28-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-38-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-88-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-84-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-56-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-78-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-50-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-74-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-72-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-70-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-68-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-66-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-64-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-934-0x00000000072D0000-0x000000000730C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1416-80-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-933-0x00000000072B0000-0x00000000072C2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1416-76-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-48-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-46-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-44-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-42-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-40-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-36-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-34-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-32-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-30-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-86-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-82-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-60-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-58-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-54-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-26-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-25-0x0000000004B50000-0x0000000004B8F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1416-931-0x0000000007920000-0x0000000007F38000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1416-932-0x0000000007F40000-0x000000000804A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3024-16-0x00007FF908C93000-0x00007FF908C95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3024-14-0x00007FF908C93000-0x00007FF908C95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3024-15-0x00000000006B0000-0x00000000006BA000-memory.dmp

    Filesize

    40KB

    Download