Overview

overview

10

Static

static

3

c08f51b9ca...cf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c08f51b9ca4b4bcf97ddab796514ea60fd6f6f812b079a8a8be42fdacc89e8cf.exe

  • Size

    560KB

  • MD5

    18f7a57313ce697d38c0507f7563d098

  • SHA1

    bba9a10a576c72d37d75e44110af18be45441cd5

  • SHA256

    c08f51b9ca4b4bcf97ddab796514ea60fd6f6f812b079a8a8be42fdacc89e8cf

  • SHA512

    bd47b10a1ff11f87d005c27fcf541a604e78ba95baaadd38fb2f89bd95994ccd296f1f72a321477b6598e1de20252489c1e2bbb19f521b462bdba73554e2faba

  • SSDEEP

    12288:UMrAy90ojdNrUx/QxSnU+YsfHEHVL9AI5kKA6lROv:sy/JNrDsvMAI5krzv

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c08f51b9ca4b4bcf97ddab796514ea60fd6f6f812b079a8a8be42fdacc89e8cf.exe
    "C:\Users\Admin\AppData\Local\Temp\c08f51b9ca4b4bcf97ddab796514ea60fd6f6f812b079a8a8be42fdacc89e8cf.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2124
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBd4514.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBd4514.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr429713.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr429713.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2728
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku342366.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku342366.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4736

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziBd4514.exe
    Filesize

    407KB

    MD5

    a980b0e851c498e951d7c44ec5b5f441

    SHA1

    0ad77e8bd2b9c102d618798a889d28bf25d85f4c

    SHA256

    959f3eddfd758c9224157a41cdbff40514e77a504dda0238bcf06d57b5df45a0

    SHA512

    01a45a3aa2ab19560d731b015f9c9765a76154ed9978ff2a897c4da9b2123a4704431d00db1df1200b710d91521eaf849d469153e107da41c4ce9310237e34c8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr429713.exe
    Filesize

    13KB

    MD5

    4e3dc94cd5ce065af5b9df86565be9f7

    SHA1

    cbacfae0390941a8f0bb603acdcb66583a5672a5

    SHA256

    a7d16596dc2ab52b51d73f17ff3a47d4909779ee279d8a02e96f25bfdace8958

    SHA512

    3f83600a1d73b17b486634a3ea953ddc8d71b333739c26c011b7e5bb146ab2d261bcc66d6a66b302e9df834c4912ec1ec3f7b34e46ab3e5c5f49633278c422ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku342366.exe
    Filesize

    370KB

    MD5

    a4fdaaa61c54a502fbc369cd655bd4fb

    SHA1

    b4b149e4e94c0d7f30a5bb7a8bdac16456e155e4

    SHA256

    e15f18fbfa6f94a774bf52d8d3cdc20da6b3a26f40cfd76245462d3466f22bf3

    SHA512

    884d27160bc6003353b520e812eede2c9734245c30c96a93d93bed5af88daa6bb39466d78d2810690e859a6aea3e1c5fa44129f9d9cdc11ddd22c2ffb39e0165

    Download Submit

  • memory/2728-15-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2728-14-0x00007FFC9DC53000-0x00007FFC9DC55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2728-16-0x00007FFC9DC53000-0x00007FFC9DC55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4736-82-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-70-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-24-0x0000000004DF0000-0x0000000004E34000-memory.dmp

    Filesize

    272KB

    Download

  • memory/4736-34-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-38-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-36-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-88-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-76-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-64-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-32-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-30-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-28-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-26-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-25-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-86-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-84-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-22-0x00000000028B0000-0x00000000028F6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/4736-80-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-78-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-74-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-72-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-23-0x0000000004FD0000-0x0000000005574000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4736-68-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-66-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-62-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-60-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-58-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-56-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-54-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-53-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-50-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-49-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-46-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-44-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-42-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-40-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/4736-931-0x0000000005580000-0x0000000005B98000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4736-932-0x0000000005BA0000-0x0000000005CAA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4736-933-0x0000000004F40000-0x0000000004F52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4736-934-0x0000000004F60000-0x0000000004F9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4736-935-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

    Filesize

    304KB

    Download