Overview

overview

10

Static

static

3

f25cff028f...b4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 01:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f25cff028f7ce8ccce8306b93b3d880620c451a5de27dbbd6a4467174c7513b4.exe

  • Size

    479KB

  • MD5

    d49ee99c9e0c6c81b8bade073114e99b

  • SHA1

    7aa399c0820c6149b7a37a7c6807e75afb6365cd

  • SHA256

    f25cff028f7ce8ccce8306b93b3d880620c451a5de27dbbd6a4467174c7513b4

  • SHA512

    f79dd40145f440b51a08507bc58e01ca462390a9d85ff63af6aad0fa40387f880fb70adb0c92040b686913e214ca23a49df25c68f947272c4740e222c255caf6

  • SSDEEP

    12288:ZMrIy90Tu8fJy+fvSWwUYeenfsTCVb9pCBmDv3YG2IHEBmEP:hyAu8fVfKWwUQfvbvdDv3YGlEBjP

Score
10/10
healerredlinemaherdiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

maher

C2

217.196.96.101:4132

Attributes
  • auth_value

    c57763165f68aabcf4874e661a1ffbac

Signatures

  • Detects Healer an antivirus disabler dropper 17 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f25cff028f7ce8ccce8306b93b3d880620c451a5de27dbbd6a4467174c7513b4.exe
    "C:\Users\Admin\AppData\Local\Temp\f25cff028f7ce8ccce8306b93b3d880620c451a5de27dbbd6a4467174c7513b4.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3956
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8586207.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8586207.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3488
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8937561.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8937561.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0232377.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0232377.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:456

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8586207.exe
    Filesize

    307KB

    MD5

    9231b52bf277e450ff8cf62e23a3fca7

    SHA1

    3b1ff2ba0a0bcf8574ff3e88a9c34b68397ef82b

    SHA256

    48edf350b5424a0ab19ab7f32ea3b0459ed82a191d281d09cebaae4262d13f98

    SHA512

    ac75f01a223f823547e54498d51bd58dca938d95c8d3bc84bf583162b6448e32090f1044416e3290b55bd0d5281cb1114b8078ed207a6228b4a0f80829e8bd65

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8937561.exe
    Filesize

    179KB

    MD5

    c113d6d9c32cd214fdfb2a89273eaca6

    SHA1

    06bd3e9999940d2faead75f2d9000bbd53317ed9

    SHA256

    320f9fc821bb8a260e88dc05dc628137fd0e2a08c534a9fe2293d4d9e6b7b3e9

    SHA512

    2481ae41c61fe5cc2334642dd193e4e02420bc6f4601e4d9568b8e28386e2724c559d158a1ee04a969e94b303d9e0e470240a284ccd1171a3844879e46d4da24

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0232377.exe
    Filesize

    168KB

    MD5

    22d731fd1cfec69d96a8eebcfbd32c69

    SHA1

    c96a83314f30b8e8534ed44ab8607d6f3fc5f362

    SHA256

    beac1c7bc092feb55f0e8c4ba37f103a07cdda90c42624379f80524f43d308c2

    SHA512

    636426a2377816325012b96a54e1b48c2d54c5bd52f557eec548812b27d599092eeb8f074915b9a42302ea5405cd9e748d3772dca7fbb9eb6ea670bea9d7281d

    Download Submit

  • memory/456-61-0x0000000005680000-0x00000000056CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/456-60-0x0000000005500000-0x000000000553C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/456-59-0x00000000054A0000-0x00000000054B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/456-58-0x0000000005570000-0x000000000567A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/456-57-0x0000000005A80000-0x0000000006098000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/456-56-0x00000000077E0000-0x00000000077E6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/456-55-0x0000000000B30000-0x0000000000B60000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1324-31-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-21-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-39-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-37-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-35-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-33-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-43-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-29-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-27-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-25-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-23-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-41-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-20-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-48-0x00000000741AE000-0x00000000741AF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-49-0x00000000741A0000-0x0000000074950000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1324-51-0x00000000741A0000-0x0000000074950000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1324-45-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-47-0x0000000004980000-0x0000000004992000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1324-17-0x00000000741A0000-0x0000000074950000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1324-18-0x0000000004980000-0x0000000004998000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1324-19-0x00000000741A0000-0x0000000074950000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1324-16-0x0000000004AB0000-0x0000000005054000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1324-15-0x0000000002450000-0x000000000246A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1324-14-0x00000000741AE000-0x00000000741AF000-memory.dmp

    Filesize

    4KB

    Download