Overview

overview

10

Static

static

3

256d719e2d...8d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 23:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    256d719e2d2cebd5b359a29a7f07a15e79699f4457c545b5d8f0b625f973e98d.exe

  • Size

    537KB

  • MD5

    61f02fb0b62abe0bfc9eebaf9e3f2fc6

  • SHA1

    f8e496c7f863d967f83c18b8c761b98e00111df7

  • SHA256

    256d719e2d2cebd5b359a29a7f07a15e79699f4457c545b5d8f0b625f973e98d

  • SHA512

    c7b5d6dac8e2404ee05cdbccdd083f95912db69bc3704ddfeccc8c291eccbce0e0bc9559efd24f97d8f9a2b49ef6a1e29329a3edd232f3dc28700eaeb1f522dc

  • SSDEEP

    12288:fMr4y90VT2qcwEPOAXgU0eAsprU6SHOw7mZJrF1ary4:nyu/cw4gor4uwiZVW

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\256d719e2d2cebd5b359a29a7f07a15e79699f4457c545b5d8f0b625f973e98d.exe
    "C:\Users\Admin\AppData\Local\Temp\256d719e2d2cebd5b359a29a7f07a15e79699f4457c545b5d8f0b625f973e98d.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilU3675.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilU3675.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927654.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927654.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4616
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku507633.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku507633.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilU3675.exe
    Filesize

    395KB

    MD5

    b9ef4d92a101aa2243d6ebced61bd9cc

    SHA1

    d8405e904e1594c33d729461f86e431f0c2d36a9

    SHA256

    3d523559e4cf61d6fd34f83a5a89e69d0171ea65ba9724f5a9a916f549e6638a

    SHA512

    11dbd755783fd0188841519a397d579088da2311c03f83ab911dd1b6d4e97ae4efef4c601d35ccabcb9cc1ec4738dd7729585e5d45bd05cc96e6113f966e0353

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr927654.exe
    Filesize

    14KB

    MD5

    ecead8b97a811978d45c668979e6009d

    SHA1

    95d9b16ce53d3e064de65d10680950742d4b69d7

    SHA256

    2b13e1e423bb2ed815e21bfa96fdba6bbaec1c455a4e6ebebdc733db5cb26fd4

    SHA512

    08b2ffaabedcc8b79b7f69011f39b60e3a4c0b6421715a4d20ba4fadac23426d504aa10a1ade9c102c0e75ec87b8f751763951ac70f7c7b1d1b247a62dc0fc46

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku507633.exe
    Filesize

    352KB

    MD5

    1a9503b13bdd0b5b99e1e04e8020336e

    SHA1

    1c32fc13ca1b774578c5b9ca58c750d29c986489

    SHA256

    d3b8c7ca382a49d909315d04e8b11763d19b16478c37360f1501e642fbfc9957

    SHA512

    20af0c059479dd58fe55f4b3c0fa96df8e800bca13609c2afda0b830d36bb5d4e4a3f19566fdf928c811d83a104eb93c0c4ce5f022efc0d958d6af9f9e35bdd6

    Download Submit

  • memory/2148-72-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-44-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2148-22-0x00000000026E0000-0x0000000002726000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2148-23-0x0000000004FB0000-0x0000000005554000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2148-24-0x0000000004E20000-0x0000000004E64000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2148-82-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-70-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-48-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-34-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-26-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-25-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-88-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-86-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-84-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-80-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-78-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-76-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-74-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-934-0x0000000004F50000-0x0000000004F8C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2148-64-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-933-0x0000000004F30000-0x0000000004F42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2148-66-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-62-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-60-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-58-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-56-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-54-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-52-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-50-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-46-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-68-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-42-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-40-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-38-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-36-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-32-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-30-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-28-0x0000000004E20000-0x0000000004E5F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2148-931-0x0000000005560000-0x0000000005B78000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2148-932-0x0000000005B80000-0x0000000005C8A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4616-16-0x00007FFF96073000-0x00007FFF96075000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4616-15-0x0000000000080000-0x000000000008A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4616-14-0x00007FFF96073000-0x00007FFF96075000-memory.dmp

    Filesize

    8KB

    Download