Overview

overview

10

Static

static

3

b0e76812c2...7d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 11:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b0e76812c2c55567d623036035d510c3727946e1b226467fed36b3c63b43ef7d.exe

  • Size

    684KB

  • MD5

    9f9b8faf8e2832c48d2e37ac136bcd09

  • SHA1

    24b63d5d2079403eb4e1259937064f1cdbdc8119

  • SHA256

    b0e76812c2c55567d623036035d510c3727946e1b226467fed36b3c63b43ef7d

  • SHA512

    5bd3a47fd2248ba350de4c37ebf3d4ad027daa6c5d202df013862a51eaa7e87f64b9bfd93cea234def21c09ed2957edf18627fc84572bd5698e05338d10da3f2

  • SSDEEP

    12288:uMrCy90ceGYODDhnY6yjC89R5NgrMaZpSUJSm2L3zvU:oy3eG/pAjCQ5NSTpSdm2Ljc

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 20 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b0e76812c2c55567d623036035d510c3727946e1b226467fed36b3c63b43ef7d.exe
    "C:\Users\Admin\AppData\Local\Temp\b0e76812c2c55567d623036035d510c3727946e1b226467fed36b3c63b43ef7d.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4328
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773226.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773226.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3525.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3525.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2324
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 1004
          4⤵
          • Program crash
          PID:4612
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2165.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2165.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3856
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2324 -ip 2324
    1⤵
      PID:4260

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773226.exe
      Filesize

      542KB

      MD5

      7a26ae23ac3ce5930ef88646f9c6cee3

      SHA1

      a54817ef432894c938cad049dfe93e690e2fe0a4

      SHA256

      10190a3d53fd757e853dad20eab0d4234a4927249b4623bab32dea4bcd5cc539

      SHA512

      b049b79c3cf3c8960461f7ff4570e94b15166dc7f99f0b06dd0851b2eda21a44b3fc96599c8cd8e940a5c3efeae42746adb046f4a494993692b61cf4f2bd9494

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3525.exe
      Filesize

      321KB

      MD5

      80867ea9cd48a70c1df417e6f3f58f6b

      SHA1

      64bd823e98dcac35c5c500998cfd737eeeb8e064

      SHA256

      099635b40fda0f86619bd08af140ee57573efa80c60f41f87b48e95901a07094

      SHA512

      3220accf17323cc276cdec3c7818fdc1e539926ff7474080d40320273942db6b6ce381962da1501ded9de164676cc00c4c42aca62d3e81d305fb90d9490147b4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2165.exe
      Filesize

      380KB

      MD5

      5acc0e7dc1ea0836dbbac2db66c56b89

      SHA1

      b5e78f18fff41e20fd958d584e9aedec6fb3025d

      SHA256

      e375114e6f6269b558e5340a6e8c59450c971572e4cfe7b7db72e7f0913a2be2

      SHA512

      b840653da7b7d6b23cd73bbb1c9797c78b1c9f22da03e9b7f75590d95cbdb071831cc7620e1b195ea5fce4113c9fec54b5ba1a446fd4f8313b90387913f6b868

      Download Submit

    • memory/2324-15-0x0000000002C30000-0x0000000002D30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2324-16-0x0000000002B90000-0x0000000002BBD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2324-17-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2324-18-0x0000000004C00000-0x0000000004C1A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2324-19-0x0000000007170000-0x0000000007714000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2324-20-0x0000000007110000-0x0000000007128000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2324-42-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-48-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-46-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-44-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-40-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-38-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-36-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-35-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-32-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-30-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-28-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-26-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-24-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-22-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-21-0x0000000007110000-0x0000000007122000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2324-49-0x0000000002C30000-0x0000000002D30000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2324-50-0x0000000002B90000-0x0000000002BBD000-memory.dmp

      Filesize

      180KB

      Download

    • memory/2324-52-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2324-51-0x0000000000400000-0x0000000002B7E000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/2324-55-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2324-54-0x0000000000400000-0x0000000002B7E000-memory.dmp

      Filesize

      39.5MB

      Download

    • memory/3856-60-0x0000000004850000-0x0000000004896000-memory.dmp

      Filesize

      280KB

      Download

    • memory/3856-61-0x0000000004C30000-0x0000000004C74000-memory.dmp

      Filesize

      272KB

      Download

    • memory/3856-89-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-67-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-95-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-93-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-91-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-87-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-85-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-83-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-81-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-79-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-77-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-75-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-73-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-71-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-69-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-65-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-64-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-62-0x0000000004C30000-0x0000000004C6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3856-968-0x0000000007A70000-0x0000000008088000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3856-969-0x0000000008090000-0x000000000819A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3856-970-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3856-971-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3856-972-0x0000000007460000-0x00000000074AC000-memory.dmp

      Filesize

      304KB

      Download