Overview

overview

10

Static

static

3

42d1b2c9a9...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 12:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42d1b2c9a98013539bac7aa2bbaf64e25e97fef6a033acaa5ccabb37d0381c8e.exe

  • Size

    561KB

  • MD5

    e1e2a2a9b3909f9ad12d9e45fd8cf3ba

  • SHA1

    0fdad4e1483d6c68f0ee43ea10d384c0b8c5e6d7

  • SHA256

    42d1b2c9a98013539bac7aa2bbaf64e25e97fef6a033acaa5ccabb37d0381c8e

  • SHA512

    6968346c3f543377f7bd0819e440948add4fc7a84199ad9f526391ef09a2aa5a1b747fbde99f973802b13d078e853c8ba8ff43acf28a8f7113e77b37f2f3a683

  • SSDEEP

    12288:NMr5y90CtWYqXsSqDJ4Ff2E3xJplIogvFCk7:My5UAiF+E3NlmFV

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\42d1b2c9a98013539bac7aa2bbaf64e25e97fef6a033acaa5ccabb37d0381c8e.exe
    "C:\Users\Admin\AppData\Local\Temp\42d1b2c9a98013539bac7aa2bbaf64e25e97fef6a033acaa5ccabb37d0381c8e.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4844
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOg0347.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOg0347.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2520
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr619399.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr619399.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2364
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku821568.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku821568.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1132

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziOg0347.exe
    Filesize

    407KB

    MD5

    dfd2d1abb53a7f70183e7e881701345a

    SHA1

    b14639d99b824af0ed534e5ff601399c6c72d0fb

    SHA256

    adf8fe17e09f47a76e85b922cacaeb52a1c3e07564021d8c9b82db22b9242727

    SHA512

    03fc15b6bd9710594474f45861e53286b49919cf4cbd99224cd393b9478a81554db465106277c786d207152528528d04a7fade80976582cd71d5bb47af949bab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr619399.exe
    Filesize

    12KB

    MD5

    c6b08d8f453329d11d73f45d856f5a1c

    SHA1

    aa96024cca186cefd706f8690bd848345f60fc4f

    SHA256

    9a22b8d3ab5edc2501d15abd0c0b991c90af32626fce56cb31015846b6d4ff52

    SHA512

    fa3d32a1a8c60b1a3f63cd3ac65547c85412597f7e66cf27c9c878664278aad2c7a4d4826bd4ca8311f897395abfeeaaca55e7fb6de8f9e4590e9482dec69b43

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku821568.exe
    Filesize

    372KB

    MD5

    bafee456103dbbbaa86ffeb96b607f5e

    SHA1

    6696d2ac973318d5642f64ad8959fd65372e5982

    SHA256

    db4d45120aae7f364a6e1260be42f269512af8393b4dd92ffef9c7fd62c9fc25

    SHA512

    47720fba97f85ada7dac897272c50aaa7acaac8cdd96f8ed99509e54df6564f5011d4529c5841fcb4bc4a8cc263b76d61aeed7530936fa009bc1dd326d45ed16

    Download Submit

  • memory/1132-66-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-22-0x0000000004E70000-0x0000000004EB6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1132-935-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1132-62-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-23-0x0000000004FC0000-0x0000000005564000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1132-24-0x0000000004F30000-0x0000000004F74000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1132-39-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-40-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-88-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-86-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-64-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-82-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-60-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-78-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-76-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-74-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-72-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-70-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-68-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-934-0x0000000005D90000-0x0000000005DCC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1132-84-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-933-0x0000000005D70000-0x0000000005D82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1132-80-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-56-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-54-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-52-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-50-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-49-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-46-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-44-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-42-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-36-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-34-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-32-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-30-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-58-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-28-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-26-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-25-0x0000000004F30000-0x0000000004F6F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/1132-931-0x0000000005590000-0x0000000005BA8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1132-932-0x0000000005C30000-0x0000000005D3A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2364-16-0x00007FF81E343000-0x00007FF81E345000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2364-14-0x00007FF81E343000-0x00007FF81E345000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2364-15-0x0000000000A30000-0x0000000000A3A000-memory.dmp

    Filesize

    40KB

    Download