Overview

overview

10

Static

static

3

5f1a6822c4...1c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 23:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5f1a6822c4e74f628b558d60336f24653fafc637ab2eafc93ccd6990d04a251c.exe

  • Size

    403KB

  • MD5

    04d944c0b299f4a533e0076627897518

  • SHA1

    0f4efe8f0765786b4c3356bb8cda94ead5402fae

  • SHA256

    5f1a6822c4e74f628b558d60336f24653fafc637ab2eafc93ccd6990d04a251c

  • SHA512

    e6c2157aa5cae436abe41bc1d55668da186b346b05b2e786eaaae1367aae225e6d9835103cc04db7c63145cfc9aa82a3418e8a86568436a06383add5880a0d17

  • SSDEEP

    6144:KGy+bnr+Vp0yN90QE/ywCRfm5sogX4RZr7woCdC9wvNWBzfBTavC57hmqVqT:uMr1y90UJRfmRgX4RZ3MCDcCpXA

Score
10/10
healerredlinerumfadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5f1a6822c4e74f628b558d60336f24653fafc637ab2eafc93ccd6990d04a251c.exe
    "C:\Users\Admin\AppData\Local\Temp\5f1a6822c4e74f628b558d60336f24653fafc637ab2eafc93ccd6990d04a251c.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3560
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buks36BZ05.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buks36BZ05.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3968
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\caIu64HK52.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\caIu64HK52.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1628

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\buks36BZ05.exe
    Filesize

    15KB

    MD5

    5ba43b2a87acdb746c148852285b3838

    SHA1

    96be5bd1e230f52a2f8b594f7283c446a6c904c8

    SHA256

    4db821f2d5ed47d43631960fc9b664018e0ed15e057f8ab379b2c71a432c7ca9

    SHA512

    fe9bf9d86540d2e5a8b8e830d9b7319fe76db71e66d80b46d21dca605a554f1e4046df94ace4a455786341bf9a18a133f9130fe8fee77ebf446aecfa7ae3d7d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\caIu64HK52.exe
    Filesize

    377KB

    MD5

    8240ae7f59fb434977686a2040ea62e9

    SHA1

    c0fe02012d46dc9e12c388dd75cab32643708a18

    SHA256

    230a7452b0db2ecd65ee767d852990ff9cb94f65c485e3a68faa4bcb11b52605

    SHA512

    78c782edce8e3cdb57624f3be1bc69976691e1a1938b46214bde842b9cc02966be80872c7ae4093d8154c62fe9de20e2cfdf532feae5dfe647ba0d748777c96b

    Download Submit

  • memory/1628-15-0x0000000002C20000-0x0000000002D20000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1628-16-0x0000000002F80000-0x0000000002FCB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1628-17-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1628-18-0x0000000004BF0000-0x0000000004C36000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1628-19-0x0000000007260000-0x0000000007804000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1628-20-0x00000000071F0000-0x0000000007234000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1628-84-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-74-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-58-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-40-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-21-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-82-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-80-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-79-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-76-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-72-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-70-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-68-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-66-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-64-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-62-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-60-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-56-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-54-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-52-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-50-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-48-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-46-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-45-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-42-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-38-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-36-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-34-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-32-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-30-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-28-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-26-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-24-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-22-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1628-927-0x0000000007950000-0x0000000007F68000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1628-928-0x0000000007FE0000-0x00000000080EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1628-929-0x0000000008120000-0x0000000008132000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1628-930-0x0000000008140000-0x000000000817C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1628-931-0x0000000008290000-0x00000000082DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1628-932-0x0000000002C20000-0x0000000002D20000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/1628-933-0x0000000002F80000-0x0000000002FCB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/1628-935-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3968-7-0x00007FFAE2553000-0x00007FFAE2555000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3968-8-0x0000000000160000-0x000000000016A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3968-9-0x00007FFAE2553000-0x00007FFAE2555000-memory.dmp

    Filesize

    8KB

    Download