Overview

overview

10

Static

static

3

f0c3519fe5...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 09:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0c3519fe5b90daa5c859775fcbab5f5d3a0662baafa98a0d4b214ce3f549805.exe

  • Size

    534KB

  • MD5

    0edacbb2ba7354141bb86583ebb074b0

  • SHA1

    7d6876a204a4c927f8bd9d58909798826ca7e0d2

  • SHA256

    f0c3519fe5b90daa5c859775fcbab5f5d3a0662baafa98a0d4b214ce3f549805

  • SHA512

    1bb906e9c92ed37b62531937db220fab1f4fe7f7f8ad1e5a79a44dcaaac98998c79e17fea9bcd2473b48e47caaa1a255a2e8e83b87683ef64278ec447fd0ecb5

  • SSDEEP

    12288:rMr+y90lkZmlrppU3CYz1nYCWZHnMd09w:NysqYrEJYC0syS

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0c3519fe5b90daa5c859775fcbab5f5d3a0662baafa98a0d4b214ce3f549805.exe
    "C:\Users\Admin\AppData\Local\Temp\f0c3519fe5b90daa5c859775fcbab5f5d3a0662baafa98a0d4b214ce3f549805.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3404
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYp1522.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYp1522.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4060
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr165384.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr165384.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2064
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku739797.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku739797.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3268

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYp1522.exe
    Filesize

    380KB

    MD5

    6f155779c92930052bd4b02ba2a7af42

    SHA1

    38d1d8ec6dee1ce8374d91d9172259885521ff94

    SHA256

    eea340eff089860afaf75738a70fb29cb6c67f64b8c0fee780b9f9a3924f3a9b

    SHA512

    a1473622ac3e731785e186f9c1616686e5aa3d0b0a426fe71a782d7cf001b79c021147eacd8d3f3ae7c65d449e264026bea7d520b63cc6d593083090914315c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr165384.exe
    Filesize

    11KB

    MD5

    72f6e5b3d37f8e459aa8d443f0dee42c

    SHA1

    b2bf68250386a762387d32d12fe9034773b3b274

    SHA256

    177dfde9f2a767310111bd9e285cf0b4134bb0753af04033a561fee4d45b817f

    SHA512

    323188ab51bc45876a804acaa2585522a1fd20a468d2b0112f5c90ec439ee63212036e1d892941766ec5abb23c8c2c9b93a8258129767b37455efa78a4230ea4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku739797.exe
    Filesize

    295KB

    MD5

    ea2f5e43cf6401f4219f61aca1f7fe48

    SHA1

    c43e3327fb9d616729a5a08da3c050e044b067cb

    SHA256

    b8be1e4b06d7fbc30054d3d5671e6c9592bf1b33b154719d9a101e86ee1ba5ed

    SHA512

    7c8cedb1529949dcff9576df4216d5b7c322a0e0324b59de94b75d281638c4eebf2e2bade085c4e51f066d0d516c3963de30e254a153b579952aeb92087375dc

    Download Submit

  • memory/2064-14-0x00007FFB47243000-0x00007FFB47245000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2064-15-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3268-61-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-49-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-23-0x00000000025A0000-0x00000000025E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3268-29-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-39-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-87-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-85-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-83-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-79-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-77-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-75-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-73-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-71-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-69-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-67-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-65-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-63-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-21-0x00000000023C0000-0x0000000002406000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3268-57-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-55-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-54-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-22-0x0000000004BB0000-0x0000000005154000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3268-47-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-45-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-44-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-37-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-35-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-33-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-31-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-81-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-59-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-51-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-41-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-27-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-25-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-24-0x00000000025A0000-0x00000000025DF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3268-930-0x0000000005160000-0x0000000005778000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3268-931-0x0000000005790000-0x000000000589A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3268-932-0x00000000058D0000-0x00000000058E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3268-933-0x00000000058F0000-0x000000000592C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3268-934-0x0000000005A40000-0x0000000005A8C000-memory.dmp

    Filesize

    304KB

    Download