Overview

overview

10

Static

static

3

d88bc6e133...eN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/11/2024, 16:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d88bc6e13338b94593d81e8e2949be1913c195094f8d5de2e9474959f282267eN.exe

  • Size

    380KB

  • MD5

    00aa67efa71a1d43044965fed0229010

  • SHA1

    3f177d0f4a0f5284759742bf3f36d5fb69f2b759

  • SHA256

    d88bc6e13338b94593d81e8e2949be1913c195094f8d5de2e9474959f282267e

  • SHA512

    ec096375591fdc3a4e96b88b6485c25e7511b717b972e76371f02e06c3651ae78c4e8f76d6a20d29d6ba2654236ce96df4f387ad353c6e003d7c1f0b46a57a61

  • SSDEEP

    6144:KCy+bnr+Kp0yN90QEzP6Eka6odUMY59PwAuIroiQ:6Mr+y904wZSo3iQ

Score
10/10
healerredlinefuddiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

fud

C2

193.233.20.27:4123

Attributes
  • auth_value

    cddc991efd6918ad5321d80dac884b40

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 2 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d88bc6e13338b94593d81e8e2949be1913c195094f8d5de2e9474959f282267eN.exe
    "C:\Users\Admin\AppData\Local\Temp\d88bc6e13338b94593d81e8e2949be1913c195094f8d5de2e9474959f282267eN.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf26uy10gk17.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf26uy10gk17.exe
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Executes dropped EXE
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1968
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tf38GV10Df12.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tf38GV10Df12.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:3060

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf26uy10gk17.exe
    Filesize

    12KB

    MD5

    b70ed0b35d1b4c93b2b9568d1f1ac8be

    SHA1

    b7cafbc3e1fe77dc39f9ed78a48a6f59165ec0c5

    SHA256

    ac2627c375b18b2ca5b56f2aff522941b4e1fff94dea0982fc07693fed461ddb

    SHA512

    57d767e0212df8b2d8d2bc4e629323df5ad9a963bf2b5712d3979c3a818963e213290e436541cd3ae6d00d92352d95c1398cfee1f6cb98d156d1cfd7f5633677

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tf38GV10Df12.exe
    Filesize

    291KB

    MD5

    434e2d5a4767741895ef183a448da368

    SHA1

    1e1d795ae169d4068d8da31d1aa89027804a21a3

    SHA256

    ad32f3b0b1f7b775e4235d6969f27886cc2fafeeb1bd02853fde41ddee1db27a

    SHA512

    e50de394d28557d67ae62bba669dacf8afcc1c925cfd04dcbf07f14ff2c7939579d12337cc8ed822c82bdfcbfcd1114289eede2411113a17c8f92485a15e50f0

    Download Submit

  • memory/1968-7-0x00007FFC2FA93000-0x00007FFC2FA95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1968-8-0x00000000008F0000-0x00000000008FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1968-9-0x00007FFC2FA93000-0x00007FFC2FA95000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3060-15-0x00000000004C0000-0x00000000005C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3060-16-0x00000000005C0000-0x000000000060B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3060-17-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/3060-18-0x0000000004B00000-0x0000000004B46000-memory.dmp

    Filesize

    280KB

    Download

  • memory/3060-19-0x0000000004B40000-0x00000000050E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3060-20-0x0000000005140000-0x0000000005184000-memory.dmp

    Filesize

    272KB

    Download

  • memory/3060-21-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-46-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-84-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-82-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-80-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-79-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-76-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-74-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-72-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-70-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-68-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-66-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-64-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-62-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-60-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-58-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-56-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-54-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-52-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-50-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-48-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-44-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-43-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-40-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-38-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-36-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-34-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-32-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-30-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-28-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-26-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-24-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-22-0x0000000005140000-0x000000000517E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/3060-927-0x00000000051E0000-0x00000000057F8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3060-928-0x0000000005880000-0x000000000598A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3060-929-0x00000000059C0000-0x00000000059D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3060-930-0x00000000059E0000-0x0000000005A1C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3060-931-0x0000000005B30000-0x0000000005B7C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3060-932-0x00000000004C0000-0x00000000005C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/3060-933-0x00000000005C0000-0x000000000060B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/3060-935-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download