Overview

overview

10

Static

static

3

cea9b534eb...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 15:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cea9b534ebf5165ad84227df5265abde9927bc9ab9fa83ca08eab5436bfc6575.exe

  • Size

    534KB

  • MD5

    f546226bfc9cb393349f861323436eb6

  • SHA1

    31b48c91c4d82007162f1a00de0a2bbc6593f3f3

  • SHA256

    cea9b534ebf5165ad84227df5265abde9927bc9ab9fa83ca08eab5436bfc6575

  • SHA512

    82c14a418630a0e8b255b82df5928afd8f93167730647e0fa6a784ac45111c10fd6536b3786a782b842d74af5209df2da9fa0469ea9aa7b33de0101ddc3c4d18

  • SSDEEP

    12288:sMr2y90yY/cHWGjFjD2ZgkzSbCWUe8m6xK:ay3pHWqhPkz6CFefh

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cea9b534ebf5165ad84227df5265abde9927bc9ab9fa83ca08eab5436bfc6575.exe
    "C:\Users\Admin\AppData\Local\Temp\cea9b534ebf5165ad84227df5265abde9927bc9ab9fa83ca08eab5436bfc6575.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:588
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZI1811.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZI1811.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4272
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr363524.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr363524.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1416
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku857798.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku857798.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziZI1811.exe
    Filesize

    392KB

    MD5

    57e7d5b258a86dc423f20fc8fe7378e5

    SHA1

    f249165679156c76bd3e42e2c7a29af1697f53ca

    SHA256

    0652430f4de9a499a44aa39335329e05c0c238f8b712af4882cbd61362032028

    SHA512

    db6147310a9659e599a5834999bd2417899057136356fb054dd55d234a29a7fe3ce278c774ecaf148a824d2cef46de533143f48799cde751d232e7e202c7bc70

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr363524.exe
    Filesize

    12KB

    MD5

    c35830f469263dba3b8cec8575589f54

    SHA1

    31eff0df981c595630eac2eaa827b170abe8733d

    SHA256

    97c01ac6c3f2875b222e71bfa0fe1ad210f0e70946ba45993c4ae34666c0e2fb

    SHA512

    3ff3c545f6278184e7795286e6752714f03633871718038ae627afe0730a95f1b922aaf987f42b4586b6fd9a63591422f14844009e5c4ecfa651fe9f1cfd8a79

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku857798.exe
    Filesize

    319KB

    MD5

    40d305e2db30285cef87d83fc342bd99

    SHA1

    9acea789f1486791b138c928b198df1b4076e3ae

    SHA256

    76e56f9efc38415ab8af65135e5b32e6e596c8117999797133caa24aed6aa7e2

    SHA512

    975f4b53aef4eef93c8e304b1891bd6e8f7f7a8a96be6163f0cd0efe97097d33fda19640d8546ebf7d89f7725f9407cd5d4bd981bad92b6143a6d7e46eb3f405

    Download Submit

  • memory/1416-14-0x00007FF8A7E83000-0x00007FF8A7E85000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1416-15-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1416-16-0x00007FF8A7E83000-0x00007FF8A7E85000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2264-83-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-73-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-24-0x0000000004AD0000-0x0000000004B14000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2264-34-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-38-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-36-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-56-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-42-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-32-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-30-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-28-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-26-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-25-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-88-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-86-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-84-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-22-0x00000000025E0000-0x0000000002626000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2264-80-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-78-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-77-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-74-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-23-0x0000000004BE0000-0x0000000005184000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2264-70-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-68-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-66-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-64-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-62-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-60-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-58-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-54-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-52-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-50-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-48-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-46-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-44-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-40-0x0000000004AD0000-0x0000000004B0F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2264-931-0x0000000005290000-0x00000000058A8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2264-932-0x00000000058D0000-0x00000000059DA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2264-933-0x0000000005A10000-0x0000000005A22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2264-934-0x0000000005A30000-0x0000000005A6C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2264-935-0x0000000005B80000-0x0000000005BCC000-memory.dmp

    Filesize

    304KB

    Download