Overview

overview

10

Static

static

3

98f9a4c64e...5f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    98f9a4c64ef1b7a01855e70e78e33359219ec03684aecb52a662e2b418fb4b5f.exe

  • Size

    703KB

  • MD5

    0158ba0b74ad14081499f0c20c5746cd

  • SHA1

    ebd2e7c9d00f3e5e67300a96e6632d319a4fed74

  • SHA256

    98f9a4c64ef1b7a01855e70e78e33359219ec03684aecb52a662e2b418fb4b5f

  • SHA512

    d7bb8d3f2d5536b0cad576bf41a5aff819ce11bea10ab633597933a534b3d4db380d9225c3ed9a1ff7205d6c5d85997f018fd8c08ddf503617dd3eaf073e8649

  • SSDEEP

    12288:gMrty909eyMoL3NsGPXgUll2/mg/28HWI165b5WpJ5lweMjwM37:9ykeyMoL24RlluO8VIWpXlwbw+7

Score
10/10
healerredlinefumadiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

fuma

C2

193.233.20.17:4139

Attributes
  • auth_value

    116ab7335d0316d186d563bd6d41b9dd

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\98f9a4c64ef1b7a01855e70e78e33359219ec03684aecb52a662e2b418fb4b5f.exe
    "C:\Users\Admin\AppData\Local\Temp\98f9a4c64ef1b7a01855e70e78e33359219ec03684aecb52a662e2b418fb4b5f.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nny95VM22.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nny95VM22.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nOU38SQ30.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nOU38SQ30.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4064
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dqb85Zp.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dqb85Zp.exe
          4⤵
          • Modifies Windows Defender Real-time Protection settings
          • Executes dropped EXE
          • Windows security modification
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3608
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eUc47DU.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eUc47DU.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1080

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nny95VM22.exe
    Filesize

    346KB

    MD5

    831bad8efcdc3afcb84e614648d4cc7f

    SHA1

    92411cc5faca2ebf833a91403c1928badca4f1bf

    SHA256

    c61155d8c81d5e0c47f318ac46c39c4fa9316214b831a6167adb6944e8ca8843

    SHA512

    86b1e9056b752ca045a7b101145fd24bd01e57fe341bf8f192fbe5f210ebb555dfdd231105bf25626855a3a8502b818894eeb3c68515c9fe2dee97439a3a5086

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nOU38SQ30.exe
    Filesize

    202KB

    MD5

    3f97f148eebd21b677e53d616a26eee8

    SHA1

    452a2966bbdbe4242c36dca07dd15d5100614f6e

    SHA256

    e6bf68a8f678738a0c0aeab56bf3d36a1063b5b2b676340498a842e0ee1171c6

    SHA512

    79a35034311da9e94366bbbbe6b9ca8e59202799d8dbc1e1d29ec53b1d6df6273122dbddcebf10f47dac5f12dfb4fe7a3ccbc7da8732950fe05e81f79f852e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dqb85Zp.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\eUc47DU.exe
    Filesize

    175KB

    MD5

    49bcfcdf691f7f064efe833bb548f3ee

    SHA1

    5cd584332d71af58865bb1c1b0acd127e8ced7fc

    SHA256

    9c7a3fcd95e07c795991d968f023e251e1b19033acbdeff99a2534ed804b283b

    SHA512

    75f6191c5c4422fee685747c2636b8f38db26e2e3fbb54da78c2b5b16075b9f08bd5a74bac06cd97c32ae3d3ec81f39894a0b51f13f7a7a1b8369125ff007d3c

    Download Submit

  • memory/1080-30-0x0000000005390000-0x000000000549A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1080-28-0x00000000009F0000-0x0000000000A22000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1080-29-0x0000000005870000-0x0000000005E88000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1080-31-0x00000000052D0000-0x00000000052E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1080-32-0x0000000005330000-0x000000000536C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1080-33-0x00000000054A0000-0x00000000054EC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3608-23-0x00007FFEC11B3000-0x00007FFEC11B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3608-22-0x00000000004F0000-0x00000000004FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3608-21-0x00007FFEC11B3000-0x00007FFEC11B5000-memory.dmp

    Filesize

    8KB

    Download