Overview

overview

10

Static

static

3

b984e1decb...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b984e1decb5f81585d6dbbf63b14d64fe3092c6d1252d6247ac33da087f0c02b.exe

  • Size

    689KB

  • MD5

    bb5b53f7b0f0501957a56d863a361876

  • SHA1

    362646f2b546acdbd370c84c7c9a41138e2b7829

  • SHA256

    b984e1decb5f81585d6dbbf63b14d64fe3092c6d1252d6247ac33da087f0c02b

  • SHA512

    2c75a636a89eb0fed3cfcb5b727aff0c94cb0a88748577ad82ae1cecc7a5aed2caf2da6f91312be28cfce35018d4fe13dd995cb40d3afa9d049c3a956dfd1b2d

  • SSDEEP

    12288:jMray90Gj0uTEV4InUvdOfzPuBN4IPvkZEOzXFIbdGr8v/IU:py9YV4InUFOfzmBN4gvkJX+BG4Z

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b984e1decb5f81585d6dbbf63b14d64fe3092c6d1252d6247ac33da087f0c02b.exe
    "C:\Users\Admin\AppData\Local\Temp\b984e1decb5f81585d6dbbf63b14d64fe3092c6d1252d6247ac33da087f0c02b.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un506872.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un506872.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3516
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0665.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0665.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1352
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 1088
          4⤵
          • Program crash
          PID:2508
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2053.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2053.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2676
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1352 -ip 1352
    1⤵
      PID:3996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un506872.exe
      Filesize

      536KB

      MD5

      5dbbd357a13dab44fa7c8c1cde22caea

      SHA1

      e8dd421e9777fe3373c4c30f32b291fccd758078

      SHA256

      e903384028686bef0588e9199b8459c525f90b656ca4590d9120e3cc15fb5ddc

      SHA512

      6d7d9d6b7c83d8c0400a5bdbaf3d846b2aceaa7958053f5290075eef3c7fa961586af6c6ce988d0638b90ff8452631ee10f4190a3fe02f2e09dc44dc4b745265

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0665.exe
      Filesize

      314KB

      MD5

      29634d74191350541025a6b358267513

      SHA1

      edbc57ece093cc675aca4eb62035f80e4def5086

      SHA256

      6ef83cc5e302c1257ac894aab9fcf2718b2a0f8f4613580f5b2b3825e0db69ad

      SHA512

      7803c00563739d5cc7b8084ca6df873df4597c4c22743babb8b4259ad007e3a76d0c4d7d098d0a9f2e949411b80a41e9d407ce070284830ae4088130afdc4c3d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2053.exe
      Filesize

      372KB

      MD5

      d05a8e2399f42b85b04cad5728f00c46

      SHA1

      35edb895db5479e00a0b7ac5b9775be343cdb138

      SHA256

      99eed778db2426b28ac50a2aa4cdf93f6cff8ad7d00d76c0228ff792dbfebb8e

      SHA512

      64bbcd203289162410a461153d76082a21624408aeceb85f8302bd114399b4b816e58105dfa32198fac151aba06b19d32ca6a8fa03394d10014165a62f406e25

      Download Submit

    • memory/1352-15-0x0000000000920000-0x0000000000A20000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1352-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1352-16-0x0000000000A20000-0x0000000000A4D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1352-18-0x0000000000400000-0x0000000000802000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/1352-19-0x00000000023E0000-0x00000000023FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1352-20-0x0000000004DC0000-0x0000000005364000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1352-21-0x0000000005370000-0x0000000005388000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1352-29-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-47-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-45-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-43-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-41-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-39-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-37-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-35-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-33-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-31-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-27-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-49-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-25-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-23-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-22-0x0000000005370000-0x0000000005382000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1352-50-0x0000000000920000-0x0000000000A20000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1352-51-0x0000000000A20000-0x0000000000A4D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1352-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1352-56-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/1352-55-0x0000000000400000-0x0000000000802000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/2676-61-0x0000000004D80000-0x0000000004DC6000-memory.dmp

      Filesize

      280KB

      Download

    • memory/2676-62-0x00000000053F0000-0x0000000005434000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2676-74-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-78-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-96-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-94-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-92-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-88-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-86-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-84-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-82-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-80-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-76-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-72-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-70-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-68-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-90-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-66-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-64-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-63-0x00000000053F0000-0x000000000542F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/2676-969-0x0000000005450000-0x0000000005A68000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2676-970-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2676-971-0x0000000005C30000-0x0000000005C42000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2676-972-0x0000000005C50000-0x0000000005C8C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2676-973-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

      Filesize

      304KB

      Download