Overview

overview

10

Static

static

3

02808bf834...f3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02808bf83418f79b1069efc2cb6d08b43a644324edde7b6b21844c96652feff3.exe

  • Size

    561KB

  • MD5

    c0a33f777ca1d3a4bd5ccae1a8f30ef3

  • SHA1

    31cbfdeb56114d3a1188e39653ddb396d3b99067

  • SHA256

    02808bf83418f79b1069efc2cb6d08b43a644324edde7b6b21844c96652feff3

  • SHA512

    0714f34e634235e849443cc4e3faedd76a6f4297e6ec8d067824253327b2200c1d6d2af1ab870bd79ce286c86fb57e26968a622b0b60d520822e760b88519445

  • SSDEEP

    12288:yMrwy90iHCyAvCYo565Bi715D4y9b9iXh6rQ6/I:GypiyCm65I715DL9b9Uh4QP

Score
10/10
healerredlinefuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02808bf83418f79b1069efc2cb6d08b43a644324edde7b6b21844c96652feff3.exe
    "C:\Users\Admin\AppData\Local\Temp\02808bf83418f79b1069efc2cb6d08b43a644324edde7b6b21844c96652feff3.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSs7435mY.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSs7435mY.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf71Rn69il95.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf71Rn69il95.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4860
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf32mq12aS31.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf32mq12aS31.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3248

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhSs7435mY.exe
    Filesize

    417KB

    MD5

    1d1a4d3ab3b160acb5e900b6cbb93050

    SHA1

    8ace785a049987da6a70a2e22f9a0f7780b2d037

    SHA256

    8b2bf3d9795bef744716440204c886dfdbdd8862ec0910ac955c49781d09b6d7

    SHA512

    d8872e3d8b0381e2a1b85216527ad387c8f4e611da5fabc638831f8b0ebec9714d24b7df82c08487d6a2770be7eda2a017ec8516895611e56cb50b0f951695f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf71Rn69il95.exe
    Filesize

    11KB

    MD5

    d212b2211164b92758273e4adbaec531

    SHA1

    8dd9e9b2e05cb83583ee50fddc4248a4e05915c0

    SHA256

    54a8d5920f45830bc26e78548dd5de7887282cc91d3da0f54fb3826cad306111

    SHA512

    976ead1194cb07bef15877dfcdcade11e1fc86a48f2a07ce552e999f5805ff2b1ebc6ca7614534f449214b7e467fd09b8bfd6dd2b89f2b9dc757dc82a5bd4d85

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf32mq12aS31.exe
    Filesize

    416KB

    MD5

    3298bce398b0b8db15538825fc22ec70

    SHA1

    97382a7c1ec70bd6549554c69ae3a8b18daddc9c

    SHA256

    c85fde6aeb312030435d285771cf28b3aaca92431f2a8e4f50227ddbd05d31fd

    SHA512

    4bcae254153697dfc1d54415b5571cece4cc33f0dec3423d89fa6879238d6939a3e4be6992085e1365f9b7150d64c642d36e694541f0e1eabdf212cabab4f737

    Download Submit

  • memory/3248-63-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-22-0x0000000004D50000-0x0000000004D96000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3248-935-0x00000000082C0000-0x000000000830C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3248-58-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-23-0x00000000074A0000-0x0000000007A44000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3248-24-0x0000000007340000-0x0000000007384000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3248-84-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-88-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-86-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-82-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-60-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-78-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-56-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-75-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-72-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-70-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-69-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-66-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-64-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-934-0x0000000008180000-0x00000000081BC000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3248-80-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-933-0x0000000007440000-0x0000000007452000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3248-76-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-54-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-52-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-50-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-48-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-46-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-44-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-40-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-38-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-36-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-34-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-32-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-42-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-30-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-28-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-26-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-25-0x0000000007340000-0x000000000737E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3248-931-0x0000000007A50000-0x0000000008068000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3248-932-0x0000000008070000-0x000000000817A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4860-16-0x00007FFE57D23000-0x00007FFE57D25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4860-14-0x00007FFE57D23000-0x00007FFE57D25000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4860-15-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

    Filesize

    40KB

    Download