Overview

overview

10

Static

static

3

fc8c2f09cf...6b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-11-2024 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc8c2f09cf780c1bf2e3945e906f78201ab3d18c80cb4391e02359e437022f6b.exe

  • Size

    537KB

  • MD5

    fb4897077c6881a78a0c6a0c5b24cb60

  • SHA1

    22f0816f4a4529b035b2030a358d4455705d1a2e

  • SHA256

    fc8c2f09cf780c1bf2e3945e906f78201ab3d18c80cb4391e02359e437022f6b

  • SHA512

    0132be3c76ccab3e5117a52dadf44fcaa914968df0025b4c90d5e7fc3799180e0158d0af5ed392fd958c028bb7f22332dcdb359256e13f037572df6064ef3265

  • SSDEEP

    12288:BMrMy90rprvNCXvNsepFUkDHSwCu53/C6/BA:xyqzsXvuepFlywCu53/5pA

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fc8c2f09cf780c1bf2e3945e906f78201ab3d18c80cb4391e02359e437022f6b.exe
    "C:\Users\Admin\AppData\Local\Temp\fc8c2f09cf780c1bf2e3945e906f78201ab3d18c80cb4391e02359e437022f6b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4516
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidg8455.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidg8455.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3920
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr479156.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr479156.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1160
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku392368.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku392368.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zidg8455.exe
    Filesize

    395KB

    MD5

    21ed967adaa95aeb231f9c7c72cf5d7e

    SHA1

    c34db32af142c128c56003674c0050bd3b06d8d7

    SHA256

    29bf93c8fcca3a1d079a926a6bf618925ebd6868985cd7718cdbc2c0ae7edac1

    SHA512

    e84b224c728fdbf1825a3cbb842d91de97213552ca15ecaafd6c85866ea1cb604b9d894bc5d01731709ccbbf9e60b717cd6b02adc2bce397ae6e5d1fdc16fe5e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr479156.exe
    Filesize

    13KB

    MD5

    31b27ebe55181fcce72054cf621f0915

    SHA1

    47453079e0859a591ec2d3892780e9a7fc093600

    SHA256

    ac2598b15cd51f577522aec244c128762ff0033f6d3494cc15870f036bbc1604

    SHA512

    70dc7ef2808a8beb0ec9b720e6313c6b7eae16e04cde2f7b334d3c68c33d8e5c42c7504a3393aa74fe95a53ad368fc8377ee9c47df2813e9012cc5648bf35cf1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku392368.exe
    Filesize

    352KB

    MD5

    b7b0dbe43794580ef57dc219f4002482

    SHA1

    37858eca79e84d50d3035fb57f15ac4de621eb48

    SHA256

    2006613ef9e6cf95640e0715cc33be31176883541875a55ff8c0d2d4e2b727c8

    SHA512

    a02af811889de315838b7e368c768db9e873239fee064851f70179aa3c2d87d0dad1839746bf0c0fb8c1291c29ca4310e661125cf908bca6563b98247cb6ca39

    Download Submit

  • memory/1160-14-0x00007FFDEE6B3000-0x00007FFDEE6B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1160-15-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1160-17-0x00007FFDEE6B3000-0x00007FFDEE6B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1524-64-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-54-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-24-0x00000000028A0000-0x00000000028E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1524-46-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-68-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-88-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-86-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-84-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-82-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-80-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-78-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-76-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-74-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-72-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-70-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-66-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-22-0x00000000027B0000-0x00000000027F6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1524-62-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-60-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-58-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-56-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-23-0x0000000004EC0000-0x0000000005464000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1524-52-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-50-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-48-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-44-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-42-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-38-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-36-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-34-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-32-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-40-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-30-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-28-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-26-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-25-0x00000000028A0000-0x00000000028DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1524-931-0x0000000005470000-0x0000000005A88000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1524-932-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1524-933-0x0000000005C20000-0x0000000005C32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1524-934-0x0000000005C40000-0x0000000005C7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1524-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

    Filesize

    304KB

    Download