Overview

overview

10

Static

static

3

a46a1cff52...2N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/01/2025, 02:14 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a46a1cff522d4ee9386ed969178e98ffba9f6bfd6a66e134c8085e46314e3fe2N.exe

  • Size

    1.2MB

  • MD5

    6e492f750c4043be9cc12df790623b80

  • SHA1

    c8c8a225461f075d163b08f16cf03d2570f77223

  • SHA256

    a46a1cff522d4ee9386ed969178e98ffba9f6bfd6a66e134c8085e46314e3fe2

  • SHA512

    93bb3307807a88b8e9dc34d3a05eaaed734e3fe5630f58ae46647d6c7b95fd0a4e6323a4d26fbc5b853e67847b865c8f07bb3bd78e06fc7f360e555ba16011ff

  • SSDEEP

    24576:GyKhjzlmeF0GfvoSZk1VjxZiCECSL3fd9lZfOQksbE0J1z:V+Hlme7oSy1/ECSL3l9/fOKDP

Score
10/10
healerredlinerumfadefense_evasiondiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a46a1cff522d4ee9386ed969178e98ffba9f6bfd6a66e134c8085e46314e3fe2N.exe
    "C:\Users\Admin\AppData\Local\Temp\a46a1cff522d4ee9386ed969178e98ffba9f6bfd6a66e134c8085e46314e3fe2N.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:780
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmAr33Tx24.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmAr33Tx24.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4452
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmhy78ex57.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmhy78ex57.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4456
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzi19Qe75.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzi19Qe75.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1356
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdD97oU90.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdD97oU90.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2736
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iMo52lk84.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iMo52lk84.exe
              6⤵
              • Modifies Windows Defender DisableAntiSpyware settings
              • Modifies Windows Defender Real-time Protection settings
              • Modifies Windows Defender TamperProtection settings
              • Modifies Windows Defender notification settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:732
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\knC72ul74.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\knC72ul74.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:2936

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    182.129.81.91.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    182.129.81.91.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5.114.82.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    5.114.82.104.in-addr.arpa
    IN PTR
    Response
    5.114.82.104.in-addr.arpa
    IN PTR
    a104-82-114-5deploystaticakamaitechnologiescom
  • flag-us
    DNS
    76.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    76.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    202.110.86.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    202.110.86.104.in-addr.arpa
    IN PTR
    Response
    202.110.86.104.in-addr.arpa
    IN PTR
    a104-86-110-202deploystaticakamaitechnologiescom
  • 193.233.20.24:4123
    knC72ul74.exe
    260 B
     5
  • 193.233.20.24:4123
    knC72ul74.exe
    260 B
     5
  • 193.233.20.24:4123
    knC72ul74.exe
    260 B
     5
  • 193.233.20.24:4123
    knC72ul74.exe
    260 B
     5
  • 193.233.20.24:4123
    knC72ul74.exe
    104 B
     2
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
     90 B
     1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    182.129.81.91.in-addr.arpa
    dns
    72 B
     147 B
     1
    1

    DNS Request

    182.129.81.91.in-addr.arpa

  • 8.8.8.8:53
    76.32.126.40.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    76.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    5.114.82.104.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    5.114.82.104.in-addr.arpa

  • 8.8.8.8:53
    202.110.86.104.in-addr.arpa
    dns
    73 B
     139 B
     1
    1

    DNS Request

    202.110.86.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmAr33Tx24.exe
    Filesize

    1.0MB

    MD5

    1e06db2b3bd88f6f8eddab57989fa575

    SHA1

    48a59521f032984e1ffe471557983d8b62e3a946

    SHA256

    0fea80158e21b95a0c613b0fa33cf94c5dbfb88e54c112fbf7282bf80ccde6f4

    SHA512

    6bf6d14dd349fb49a73bb656a54f3e9aa7a8d422fe56785db932adc8576e4139812a386a66a69c0d03f03a410d9ab98c667929c84aa6ac2b5ddedf050882fa37

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmhy78ex57.exe
    Filesize

    971KB

    MD5

    2428a411f9ad29f388367cd3f7d8ff03

    SHA1

    d924c8629a7560b94e79d5535d759497a77391c9

    SHA256

    f3219750da98d3905f4cc903881f602fc634b2bfb4b28a8e7c41c4f29c16cb19

    SHA512

    f1c628cd964b3e2685cae422dd4f42124328052320d5915a3415d1a336ffdf91edd084c207ca3d24fdde195d6e86f958a73bb2989fb5f6f340882e25d9f10db4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmzi19Qe75.exe
    Filesize

    690KB

    MD5

    9fddd132a6b2350403868bfe51385556

    SHA1

    f34332c6a32d6329a48666e76535b5376911f3c1

    SHA256

    70e7a63b3a2851007c7ad9520f8e3f25a33d0264399793a846a2bffd77192de1

    SHA512

    62f55877a363e670f78fc5d079639917c981d67ba9bce672880c30b710f7dce31e4514fc134ba7e6b40351e94596e3988c68b0467e28ef7e60e27b186c576285

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmdD97oU90.exe
    Filesize

    403KB

    MD5

    dccb638aea0c389d454fba061bd893a5

    SHA1

    53803a91b23abc9e17ce9f154b77f5e3bc967eee

    SHA256

    37aff99224a9c1dcf413b276bfea11d0a09693d4a3f848dcfd99abc4a4c93ec4

    SHA512

    87b47f2392c87a978b3182c5df82c7d2404f1f387fbc672f871b3babb55c5da9c0c8d0ab3569096c9fe4585214cebb1b04cf11cf02fc38e57653d4081a88d842

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iMo52lk84.exe
    Filesize

    15KB

    MD5

    00e522be29c30f70b2898080e326e729

    SHA1

    e3a85d9bd78ba7790fe429e20e64959de67fb9a5

    SHA256

    26bfd636d758a5ce00b2d56a00d8a672228a092aa096cf8e1549ac0b1b9fc820

    SHA512

    11731e1920c21a3649fff24a5964eb83be301428d905b14cc98e8a795dc96a0b8e3bad74d656d08891bfadf363653b6815d6737683a4d97e10cabb18aca6a6c9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\knC72ul74.exe
    Filesize

    377KB

    MD5

    8240ae7f59fb434977686a2040ea62e9

    SHA1

    c0fe02012d46dc9e12c388dd75cab32643708a18

    SHA256

    230a7452b0db2ecd65ee767d852990ff9cb94f65c485e3a68faa4bcb11b52605

    SHA512

    78c782edce8e3cdb57624f3be1bc69976691e1a1938b46214bde842b9cc02966be80872c7ae4093d8154c62fe9de20e2cfdf532feae5dfe647ba0d748777c96b

    Download Submit

  • memory/732-35-0x0000000000530000-0x000000000053A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2936-81-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-71-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-43-0x00000000071A0000-0x00000000071E4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2936-44-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-99-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-107-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-105-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-103-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-101-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-97-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-95-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-94-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-91-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-89-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-87-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-85-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-83-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-41-0x0000000004BA0000-0x0000000004BE6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2936-79-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-77-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-73-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-42-0x00000000071F0000-0x0000000007794000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2936-69-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-67-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-65-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-63-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-61-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-59-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-57-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-55-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-51-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-49-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-47-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-75-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-53-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-45-0x00000000071A0000-0x00000000071DE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2936-950-0x0000000007940000-0x0000000007F58000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2936-951-0x0000000007FE0000-0x00000000080EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2936-952-0x0000000008120000-0x0000000008132000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2936-953-0x0000000008140000-0x000000000817C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2936-954-0x0000000008290000-0x00000000082DC000-memory.dmp

    Filesize

    304KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.