Overview

overview

10

Static

static

3

c16b92bf18...58.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-02-2025 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c16b92bf182f200f3e1c1a1b4c49399383934cc82737bc8f0bfcc3f3afcc0b58.exe

  • Size

    1.2MB

  • MD5

    85b02d852cfab7f15d6acaf1adbbf131

  • SHA1

    87d0c2106fb25e185766ab00d792e0e3feeec300

  • SHA256

    c16b92bf182f200f3e1c1a1b4c49399383934cc82737bc8f0bfcc3f3afcc0b58

  • SHA512

    a133667bba6b1a89bd5047a1706d88eccc832eafc331c9111975bb88940d0b04f2689586850c557d73565e48a8d880a84bc33cad3fb7b6fd5c4f5773c124129b

  • SSDEEP

    24576:Pyr2FP+ZXq03G1qsCEDKg7SnTdAOPJPJAxHlBufXkgk18lQKFU:ar2V+64GBrufT2OPjoFBuftk1gQ6

Score
10/10
healerredlinerumfadefense_evasiondiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c16b92bf182f200f3e1c1a1b4c49399383934cc82737bc8f0bfcc3f3afcc0b58.exe
    "C:\Users\Admin\AppData\Local\Temp\c16b92bf182f200f3e1c1a1b4c49399383934cc82737bc8f0bfcc3f3afcc0b58.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmCl05gd85.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmCl05gd85.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1092
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmqh60oV84.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmqh60oV84.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3984
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmrn40Zz59.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmrn40Zz59.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmpq73zB02.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmpq73zB02.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4732
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iNh21vi36.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iNh21vi36.exe
              6⤵
              • Modifies Windows Defender DisableAntiSpyware settings
              • Modifies Windows Defender Real-time Protection settings
              • Modifies Windows Defender TamperProtection settings
              • Modifies Windows Defender notification settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:4536
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kxI33ng09.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kxI33ng09.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:5060
  • C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wuauserv
    1⤵
    • Launches sc.exe
    PID:5716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmCl05gd85.exe
    Filesize

    1.0MB

    MD5

    9559b6764bb053ef374f8a0ebc518a80

    SHA1

    ed5df95f3140da011c51d0b1d94b1c23ec1a8bff

    SHA256

    e3e0fe0993b25c371a62860a79aea1de19fe86b8cbb95722e947e178d68309bf

    SHA512

    71a1a41a02a8f0a313ed12e7504a0ad1cbfdfa49b2e19e621f011b153f5e220c4015a5eb29ecfc5d82676911d910a10180fd80781ce0a3e56b55728c97985126

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmqh60oV84.exe
    Filesize

    960KB

    MD5

    0c450c8065f93b028f1ca7748980b6f6

    SHA1

    9664fb8475ccc43f52f000558ce87423a2ea8fc6

    SHA256

    3ee08021d380ced1df1d161ee345b6015ad4aeee5a80d5a4dc6cec52ea396da3

    SHA512

    7815412baea20f1d9f7e486a85ccb23e439689ad53fc93f7450c135b6b0f0dc5408296bda8d54e72c274d276b2ee98541168c907c747af98cb26615e53e584cc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmrn40Zz59.exe
    Filesize

    683KB

    MD5

    629bdc5a18281d775af3531563ce0713

    SHA1

    d3abc72fca701254b1ad010f4436b2acbaaa3a5d

    SHA256

    60960d1ac314e56ac09374ad2ea66bcbec7f18cac3ccf9ef8140fd9b81f876ce

    SHA512

    42356330f23f263f9e918d87052ff15f05ffdebb6378f74fd9c7d26c73deedd25c2f913122ae6c702a30ab1891575eb05b4199defe5579f86e6717bef852c329

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmpq73zB02.exe
    Filesize

    399KB

    MD5

    4dcff982df64d87cdb2fe5d9a8d3c194

    SHA1

    c766b819912233df04eb1dd0ba84edcc0ac99e90

    SHA256

    37d60d5733acb3cd8343bdee3839f9346abcd6eaad08fcaa657640e5127fcd2b

    SHA512

    1d251819071ba7a8efd1e346c4c67ad83095c341fdf652f0b16262d274dcd2d5f1c58a4cf6532852c0a53aaa8460be23122124ec6b7ef6ea04eba13ce5f41f2c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iNh21vi36.exe
    Filesize

    12KB

    MD5

    5023973d6f79c4c32395e9ed27b7a5d0

    SHA1

    a5afa8ab95116f411f4ea962ce06530fd37002fe

    SHA256

    e2648d7d2883e11486fe08254b89c4fa868725dae673b10f3b69d67b87b79772

    SHA512

    bf17536584183b04749a10ccc565467ce88c5f26b74fad2ffa27ecd4de241624a63c153f9afe75bd355c76615bea3eaa36ad6d972d2f2b8b405e33252c4d9ede

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kxI33ng09.exe
    Filesize

    375KB

    MD5

    5ff32f757fe387c14ed8b1388ed9ec51

    SHA1

    43465ddc0d2b6107b9ec69f4852abedc6dc7a3e3

    SHA256

    ed7b94310be80b1aadad0043ae5539fbdf5a5b57626e275cf1e93cda3a307c60

    SHA512

    f89a31e03ae0ec6116b58136b1362bab031f04a340738d5878152905ca69964c833fb5b58c339af3e71fc804e6f727983e8a9db43e58ac37875fb1e2d83a2c92

    Download Submit

  • memory/4536-35-0x0000000000B50000-0x0000000000B5A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5060-79-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-69-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-43-0x00000000071F0000-0x0000000007234000-memory.dmp

    Filesize

    272KB

    Download

  • memory/5060-61-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-75-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-107-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-105-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-103-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-101-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-99-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-95-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-93-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-92-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-87-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-85-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-83-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-82-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-41-0x0000000004D20000-0x0000000004D66000-memory.dmp

    Filesize

    280KB

    Download

  • memory/5060-77-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-73-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-71-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-42-0x0000000007360000-0x0000000007904000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5060-67-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-65-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-63-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-59-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-57-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-55-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-53-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-51-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-49-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-97-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-89-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-47-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-45-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-44-0x00000000071F0000-0x000000000722E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5060-950-0x0000000007910000-0x0000000007F28000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5060-951-0x0000000007F30000-0x000000000803A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5060-952-0x00000000072E0000-0x00000000072F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5060-953-0x0000000007300000-0x000000000733C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5060-954-0x0000000008140000-0x000000000818C000-memory.dmp

    Filesize

    304KB

    Download