Overview

overview

10

Static

static

3

5ffe53e32b...61.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 17:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ffe53e32bacd5fb13b8dc666b6b841ecef8adf4ec2c9a4ad897a15e34344d61.exe

  • Size

    560KB

  • MD5

    df85b47b652a590dc70ed08635120ca3

  • SHA1

    96a2081866d3f44b6f28a79ba7863b902ddcd4ac

  • SHA256

    5ffe53e32bacd5fb13b8dc666b6b841ecef8adf4ec2c9a4ad897a15e34344d61

  • SHA512

    fbb3e68cf749da3e333b1d4a88136fbeed6a35767e1e1db349da48396eeab82826fa446a73a46bf9bb05bf4b51456564125954840cfe00100f0fd449509ae7ef

  • SSDEEP

    12288:nMrPy90CAxzGe5ti5IVimRJkbN9yYzUzrEqQdjLKa8q:UygzGOaIDJDzAldj+jq

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ffe53e32bacd5fb13b8dc666b6b841ecef8adf4ec2c9a4ad897a15e34344d61.exe
    "C:\Users\Admin\AppData\Local\Temp\5ffe53e32bacd5fb13b8dc666b6b841ecef8adf4ec2c9a4ad897a15e34344d61.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLq6872.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLq6872.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr374823.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr374823.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:756
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku159959.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku159959.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3276

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLq6872.exe
    Filesize

    407KB

    MD5

    cf71cccc904f911b2be56bc9029ce918

    SHA1

    565d97d7b11380127aa17bc0f99d7ed4fe30588a

    SHA256

    17a5e2e4201378a4ea95b8b3d7a06177af911ba2b618aca318c0e53801e9f827

    SHA512

    f01808c706fb0027111d3e273616b420f344262d734ac1c3976c709155ddf991302972a63f33b5e3b70cb9154e5a200266a6958d7428e207617cafda15a1337e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr374823.exe
    Filesize

    13KB

    MD5

    c0ef296003c1a399aab119b5b787156d

    SHA1

    ce451d5e60d649d8cf78ae15ba7035bb14316f26

    SHA256

    5ad1e1e32f6142244ccac95e65976af46700f600678e13fd31eb6c2333deca78

    SHA512

    7a2d89ca6dd36e09b820d8cb04e18742e76f405620821d8e670d56afeb9b3b6258025d8e384f650775feefe62e3239ee605d0851433674dd89edd2159f21e53a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku159959.exe
    Filesize

    370KB

    MD5

    6b1b120e49ca1009406340d5ffc4e2ea

    SHA1

    0a22326df11b78676fd7d4acd32c345210960b78

    SHA256

    b50a72cc713e52b46a702071f511552cd7e8364f174f1c586417239f6161aec5

    SHA512

    3a9da4a9403c7dd38e357c2058440d5655f7853607e569e77bfd011cdcb91667745497031dc3d579e2e4ec94df443ecc572cadf804e969a7003eba37fa14b79f

    Download Submit

  • memory/756-14-0x00007FFE0A923000-0x00007FFE0A925000-memory.dmp

    Filesize

    8KB

    Download

  • memory/756-15-0x00000000004A0000-0x00000000004AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/756-16-0x00007FFE0A923000-0x00007FFE0A925000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3276-62-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-50-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-24-0x0000000004E20000-0x0000000004E64000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3276-28-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-42-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-88-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-86-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-84-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-80-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-78-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-76-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-74-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-72-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-68-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-66-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-64-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-22-0x00000000027F0000-0x0000000002836000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3276-60-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-56-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-54-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-52-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-23-0x0000000004F10000-0x00000000054B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3276-48-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-46-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-40-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-38-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-36-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-34-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-32-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-30-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-82-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-70-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-58-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-44-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-26-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-25-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3276-931-0x00000000054C0000-0x0000000005AD8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3276-932-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3276-933-0x0000000005C30000-0x0000000005C42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3276-934-0x0000000005C50000-0x0000000005C8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3276-935-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

    Filesize

    304KB

    Download