Overview

overview

10

Static

static

3

b112fad4cf...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2024 02:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b112fad4cfd97612924231b76f0701cd932a72d686d8b77389a8fee29889f7e2.exe

  • Size

    537KB

  • MD5

    519dc391a18a007a27b20353af531818

  • SHA1

    b958b35094d80b53c51a9eb6bc841b05ab6c2403

  • SHA256

    b112fad4cfd97612924231b76f0701cd932a72d686d8b77389a8fee29889f7e2

  • SHA512

    d852b2ae21d55f936bb801fc2f8c24d56cace026aefc9b1d678822d648813fdc65d57bd24925368faab9e5aad2dcf31f35f122a1b6f6f2590cef6decd3d425be

  • SSDEEP

    12288:sMr+y90RwnB5Cx9/IVUupHuwhkJurHjjDVcY:KyhnC7gVhOwa4JcY

Score
10/10
healerredlinerosndiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b112fad4cfd97612924231b76f0701cd932a72d686d8b77389a8fee29889f7e2.exe
    "C:\Users\Admin\AppData\Local\Temp\b112fad4cfd97612924231b76f0701cd932a72d686d8b77389a8fee29889f7e2.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirC2318.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirC2318.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr586318.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr586318.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3252
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku661907.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku661907.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirC2318.exe
    Filesize

    395KB

    MD5

    1d6012b2296df8236694acc40226367b

    SHA1

    192b606e822a929f15f49fa4a2f2fb1c0cdd7567

    SHA256

    85c8e04d53502d33a0b93f177f415a117ee439a2509f8ae8cc9d8f387292f93c

    SHA512

    39df64533ef8bb2490ea43f1204ab8cdd8da420e288b8d946204b0251f5d655e0f8329d31bda536eeec8fb4c1f4ccd65222fb41a74b44b77c8cc74ad19e1eea5

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr586318.exe
    Filesize

    14KB

    MD5

    fdcaf0a6296b3e9bc17fd73ca4b69965

    SHA1

    c45a9fcb9c2b5e126a10d84748b84d0a4bd33872

    SHA256

    18d5f35444e41648f48bd21dceb0f0c34bcbe30f4c701c8ccfd2d006ef2630b1

    SHA512

    6930e02c5eb67e57cf7863876f98eaefc59a5a17a1bf8f5114b99da91df42a28092466072b0354a59ce8131445edff0be6884891b1ed4142db1504483ece5477

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku661907.exe
    Filesize

    352KB

    MD5

    b4cdcbfe90c19db48acc9afb9eaa02bf

    SHA1

    addd38356453238d1c28cb7204fea80768e72c8a

    SHA256

    03af0695380a6f537a3446daa9737062a8c57cd66662cc94af6ca97675e66c38

    SHA512

    ad9c76b178aceb4b91d06fe209278f92e3e3c8fb22c05afc8a9c3f70d78e17b6fb2c521d74b67d778e9f26c93575065f5badba3e71e6d9efc332a721ebc21c76

    Download Submit

  • memory/2916-76-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-22-0x0000000002720000-0x0000000002766000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2916-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2916-72-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-23-0x0000000005040000-0x00000000055E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2916-24-0x00000000029C0000-0x0000000002A04000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2916-30-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-34-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-32-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-84-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-74-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-28-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-70-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-25-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-88-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-86-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-82-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-80-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-78-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-934-0x0000000005C40000-0x0000000005C7C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2916-68-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-933-0x0000000005C20000-0x0000000005C32000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2916-26-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-66-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-64-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-62-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-60-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-59-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-56-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-55-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-52-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-50-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-49-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-46-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-44-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-43-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-40-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-38-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-37-0x00000000029C0000-0x00000000029FF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2916-931-0x00000000055F0000-0x0000000005C08000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2916-932-0x0000000004F00000-0x000000000500A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3252-17-0x00007FFB51D43000-0x00007FFB51D45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3252-14-0x00007FFB51D43000-0x00007FFB51D45000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3252-15-0x0000000000810000-0x000000000081A000-memory.dmp

    Filesize

    40KB

    Download