Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2024, 11:36 UTC

General

  • Target

    3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe

  • Size

    484KB

  • MD5

    d34c8daec0857501415d1d5c1226dd33

  • SHA1

    ebe5f0a615efb5ef3787324539a289571e52344e

  • SHA256

    3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc

  • SHA512

    fad88abf636e1370ca801dcfd9f707e1e9d91e8b6a325ec7dca62c15d8b2fc1dcf8b452dac971ee893c519365a8fba8762a9af31fc752e71f32be5eabffcca43

  • SSDEEP

    12288:WMrsy90Fixx+UxocCDL02Kgr4wsjDMIP65:Oy/FudLqY4lMIP65

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes
  • auth_value

    e5783636fbd9e4f0cf9a017bce02e67e

Signatures

  • Detects Healer, an antivirus disabler dropper (19 IoCs)
  • Healer

    Healer is an antivirus disabler dropper.

  • Healer family
  • Modifies Windows Defender Real-time Protection settings (3 TTPs, 12 IoCs)
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Redline family
  • Executes dropped EXE (4 IoCs)
  • Windows security modification (2 TTPs, 3 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe
    "C:\Users\Admin\AppData\Local\Temp\3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nkT95wm87.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nkT95wm87.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dsV00Jv.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dsV00Jv.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3784
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\evf41hu.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\evf41hu.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2380
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fSQ37Lf.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fSQ37Lf.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4988

Network

  DNS (all queries sent to 8.8.8.8:53; the report attributes no process to them)

    Country  Query (IN PTR)                 Answer
    US       149.220.183.52.in-addr.arpa    (no PTR record returned)
    US       14.160.190.20.in-addr.arpa     (no PTR record returned)
    US       95.221.229.192.in-addr.arpa    (no PTR record returned)
    US       232.168.11.51.in-addr.arpa     (no PTR record returned)
    US       83.210.23.2.in-addr.arpa       a2-23-210-83.deploy.static.akamaitechnologies.com
    US       19.229.111.52.in-addr.arpa     (no PTR record returned)

    These are reverse lookups with no process attributed to them, and the one name that was answered is an Akamai CDN host; this is consistent with Windows background traffic inside the sandbox rather than with activity of the sample.
  Connections (columns are bytes sent, bytes received, packets sent, packets received; the 70 B sent for 83.210.23.2.in-addr.arpa is exactly one IPv4/UDP PTR query for that name, which fixes the column order)

    Remote address       Process / query                     Sent   Received  Pkts out  Pkts in
    193.233.20.13:4136   fSQ37Lf.exe                         260 B  none      5         none
    193.233.20.13:4136   fSQ37Lf.exe                         260 B  none      5         none
    193.233.20.13:4136   fSQ37Lf.exe                         260 B  none      5         none
    193.233.20.13:4136   fSQ37Lf.exe                         260 B  none      5         none
    193.233.20.13:4136   fSQ37Lf.exe                         260 B  none      5         none
    8.8.8.8:53           dns 149.220.183.52.in-addr.arpa     73 B   147 B     1         1
    8.8.8.8:53           dns 14.160.190.20.in-addr.arpa      72 B   158 B     1         1
    8.8.8.8:53           dns 95.221.229.192.in-addr.arpa     73 B   144 B     1         1
    8.8.8.8:53           dns 232.168.11.51.in-addr.arpa      72 B   158 B     1         1
    8.8.8.8:53           dns 83.210.23.2.in-addr.arpa        70 B   133 B     1         1
    8.8.8.8:53           dns 19.229.111.52.in-addr.arpa      72 B   158 B     1         1

    Caveat: each of the five C2 rows shows 260 B in 5 packets sent and nothing received, which is consistent with five 52-byte TCP SYNs that got no reply. No session with 193.233.20.13:4136 was established during the run, so the Malware Config above is, as its heading says, extracted from the sample rather than observed on the wire; the C2 address is still a valid network indicator, but no RedLine protocol traffic is available from this run.
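The Signatures, Processes and Network sections above give enough to write a host-side check for this chain. The following is an added example, not part of the sandbox report or of any vendor tooling: it matches Sysmon-style events (process create, network connect, registry value set) against the SHA256 hashes and the C2 from this page and against three behaviours the report flags. The IXP000.TMP / IXP001.TMP directory names are the temp-directory convention of IExpress/wextract self-extracting packages, which is what the nested process tree shows; the report does not list which of the 12 Defender-related registry IoCs it saw, so the Defender check keys on Microsoft's own value names under the Real-Time Protection key rather than on anything taken from the page. The sample events, the Run value name and the SID inside them are constructed.

```python
"""IOC and behaviour matcher for the RedLine + Healer chain in this report.

Added example, not part of the sandbox output. Evaluates Sysmon-style events
(EventID 1 process create, 3 network connect, 13 registry value set) against
the hashes and C2 listed on this page and against behaviours the report flags.
"""
import re

# Indicators copied from the report: C2 from "Malware Config", SHA256 from "Downloads".
REDLINE_C2 = ("193.233.20.13", 4136)
SHA256_IOCS = {
    "3e4d79dc7cb8a9e45d3bc2d3b2341da4bb619753324e1f0c78d52c2bf6f1aabc": "submitted sample",
    "f04f7dc4e9f738994b05e4f0635a579f9b551993b56c459c8d6381da5c1de063": "IXP000.TMP\\nkT95wm87.exe",
    "850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38": "IXP001.TMP\\dsV00Jv.exe",
    "dba4c1abdeaa378d90094d0a223d8a670786e7b402654646375e0cdf64103567": "IXP001.TMP\\evf41hu.exe",
    "1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e": "IXP000.TMP\\fSQ37Lf.exe",
}

# IXP000.TMP, IXP001.TMP, ... is the temp-directory naming of IExpress/wextract
# self-extracting packages, which is what the nested process tree above shows.
IXP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\IXP\d{3}\.TMP\\[^\\]+\.exe$", re.IGNORECASE)
# Defender's real-time protection switches (DisableRealtimeMonitoring,
# DisableBehaviorMonitoring, DisableIOAVProtection, ...) live under
# ...\Windows Defender\Real-Time Protection in both the policy and non-policy hives.
# The report does not say which of its 12 IoCs were hit, so match the whole family.
DEFENDER_RTP_RE = re.compile(r"\\Windows Defender\\Real-Time Protection\\Disable\w+$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
SYSMON_DWORD_ONE = re.compile(r"^DWORD \(0x0*1\)$")  # Sysmon's rendering of a DWORD value 1
SHA256_FIELD_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")


def check_event(ev: dict) -> list[str]:
    """Return the indicators one event matches; an empty list means clean."""
    hits: list[str] = []
    image = ev.get("Image", "")
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        if IXP_EXE_RE.search(image):
            hits.append(f"exec-from-iexpress-tmp:{image}")
        m = SHA256_FIELD_RE.search(ev.get("Hashes", ""))
        if m and m.group(1).lower() in SHA256_IOCS:
            hits.append(f"known-hash:{SHA256_IOCS[m.group(1).lower()]}")
    elif eid == 3:  # network connection
        dest = (ev.get("DestinationIp"), int(ev.get("DestinationPort", 0)))
        if dest == REDLINE_C2:
            hits.append(f"redline-c2:{image}")
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        if DEFENDER_RTP_RE.search(target) and SYSMON_DWORD_ONE.match(ev.get("Details", "")):
            hits.append(f"defender-rtp-disabled:{target.rsplit(chr(92), 1)[-1]}")
        if RUN_KEY_RE.search(target) and IXP_EXE_RE.search(image):
            hits.append(f"run-key-from-iexpress-tmp:{image}")
    return hits


def scan(events) -> list[tuple[int, str]]:
    """Run check_event over an event stream and return (EventID, indicator) pairs."""
    return [(ev["EventID"], hit) for ev in events for hit in check_event(ev)]


# Constructed events mirroring the report's process tree; not real logs. The Run
# value name and the SID are placeholders (the report does not give them).
TMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": TMP + "IXP000.TMP\\nkT95wm87.exe",
     "Hashes": "SHA256=F04F7DC4E9F738994B05E4F0635A579F9B551993B56C459C8D6381DA5C1DE063"},
    {"EventID": 13, "Image": TMP + "IXP001.TMP\\dsV00Jv.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": TMP + "IXP000.TMP\\nkT95wm87.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\PlaceholderValue",
     "Details": TMP + "IXP000.TMP\\nkT95wm87.exe"},
    {"EventID": 3, "Image": TMP + "IXP000.TMP\\fSQ37Lf.exe",
     "DestinationIp": "193.233.20.13", "DestinationPort": "4136"},
    # benign noise that must not fire
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "Hashes": "SHA256=" + "0" * 64},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53"},
]

if __name__ == "__main__":
    for eid, hit in scan(SAMPLE_EVENTS):
        print(f"event {eid}: {hit}")
```

The hash match is the weakest of the four checks (the dropped names and hashes change per build), which is why the behavioural ones key on the IXP00n.TMP execution path, the Defender tamper values and the Run key instead; those survive repacking of the same chain. Running the block prints five matches for the constructed events and nothing for the two benign ones.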

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fSQ37Lf.exe

    Filesize

    175KB

    MD5

    a5f5c5d6291c7ae9e1d1b7ed1e551490

    SHA1

    3d06413341893b838549939e15f8f1eec423d71a

    SHA256

    1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

    SHA512

    d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nkT95wm87.exe

    Filesize

    339KB

    MD5

    8f3ba88e26ce640ac201e0478aa4f842

    SHA1

    76e2c645a3e4f618b3c369ed6869c1f774c1ec22

    SHA256

    f04f7dc4e9f738994b05e4f0635a579f9b551993b56c459c8d6381da5c1de063

    SHA512

    fd3bfac5beea7b08009ea26abd45110611875bc73f215add40b4f49841fcceb130b5653d05573f99c332788c01d53595af89d6d9b716fe6695dcc1465d030169

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dsV00Jv.exe

    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\evf41hu.exe

    Filesize

    249KB

    MD5

    566f734554b2800514afb7cfd9d0e541

    SHA1

    e580309b4ce2d38f9ece2a14bb675e8ceb62de73

    SHA256

    dba4c1abdeaa378d90094d0a223d8a670786e7b402654646375e0cdf64103567

    SHA512

    cb2eef0a8ef41ee026672395e1d74fe26ed3da3b89cd2b6a5684caa2501ec1f8a1e7c51359bdb80140d84e2e8259fe5980785703c99fa215aa01c23081855cc2

  • memory/2380-42-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-34-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-22-0x0000000002630000-0x000000000264A000-memory.dmp

    Filesize

    104KB

  • memory/2380-23-0x0000000004DC0000-0x0000000005364000-memory.dmp

    Filesize

    5.6MB

  • memory/2380-24-0x00000000026F0000-0x0000000002708000-memory.dmp

    Filesize

    96KB

  • memory/2380-25-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-40-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-52-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-50-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-48-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-46-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-44-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-55-0x0000000000400000-0x0000000000570000-memory.dmp

    Filesize

    1.4MB

  • memory/2380-38-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-36-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-53-0x0000000000400000-0x0000000000570000-memory.dmp

    Filesize

    1.4MB

  • memory/2380-32-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-30-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-28-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/2380-26-0x00000000026F0000-0x0000000002702000-memory.dmp

    Filesize

    72KB

  • memory/3784-16-0x00007FFC18343000-0x00007FFC18345000-memory.dmp

    Filesize

    8KB

  • memory/3784-15-0x00000000006C0000-0x00000000006CA000-memory.dmp

    Filesize

    40KB

  • memory/3784-14-0x00007FFC18343000-0x00007FFC18345000-memory.dmp

    Filesize

    8KB

  • memory/4988-59-0x0000000000D30000-0x0000000000D62000-memory.dmp

    Filesize

    200KB

  • memory/4988-60-0x0000000005BE0000-0x00000000061F8000-memory.dmp

    Filesize

    6.1MB

  • memory/4988-61-0x00000000056D0000-0x00000000057DA000-memory.dmp

    Filesize

    1.0MB

  • memory/4988-62-0x0000000005620000-0x0000000005632000-memory.dmp

    Filesize

    72KB

  • memory/4988-63-0x0000000005680000-0x00000000056BC000-memory.dmp

    Filesize

    240KB

  • memory/4988-64-0x00000000057E0000-0x000000000582C000-memory.dmp

    Filesize

    304KB
