Overview

overview

10

Static

static

3

213b73e467...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-02-2025 01:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    213b73e4676e16960befd5bb789404486fc51a8ca717089f1c1de6b9763997bdN.exe

  • Size

    539KB

  • MD5

    49dc41f9b02f6bd84f886295ec176530

  • SHA1

    b5f93ad3247e11060fa6874d49d82ad9d613d5f7

  • SHA256

    213b73e4676e16960befd5bb789404486fc51a8ca717089f1c1de6b9763997bd

  • SHA512

    a21b1a2f4fba1babcfe59f093afd71d82fafbad11d8c8b37080a0a838c8f684103d97c9b98ede790a632cfd780240e4bc533832e81f41758243efe90ac7f02ea

  • SSDEEP

    12288:LMrgy90UpG1VuHduC9nHL3xku9UmumKFG9:DywVj0nt9UFmp

Score
10/10
healerredlinefukiadefense_evasiondiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes
  • auth_value

    e5783636fbd9e4f0cf9a017bce02e67e

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\213b73e4676e16960befd5bb789404486fc51a8ca717089f1c1de6b9763997bdN.exe
    "C:\Users\Admin\AppData\Local\Temp\213b73e4676e16960befd5bb789404486fc51a8ca717089f1c1de6b9763997bdN.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2884
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scU52vL.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scU52vL.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4568
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\isB29Ec.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\isB29Ec.exe
        3⤵
        • Modifies Windows Defender DisableAntiSpyware settings
        • Modifies Windows Defender Real-time Protection settings
        • Modifies Windows Defender TamperProtection settings
        • Modifies Windows Defender notification settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4616
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kXY30rQ.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kXY30rQ.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3112
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTJBMUE3QTItMjc2MC00OEQ4LUJFQkUtODgyRDBFNjU2NzNGfSIgdXNlcmlkPSJ7OEQxRkVBQkUtNzM5OS00QkEyLUE2ODYtRDM1QjlCQUM3OUQ2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NEQzQjI3RjgtMjIyQy00NTc1LTkwNTktOEJBMDVGOTdBMzlGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI4IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTA3NDEzMjcwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:1068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\scU52vL.exe
    Filesize

    202KB

    MD5

    d9df8d91540200a4f0cf69674c4317a5

    SHA1

    098b4f81e0aff065ae0e6b163fb6cb8885c572a6

    SHA256

    15ea447fc52c881d9dfec58849ca21501901e74bee6db4ef7b5d78f1a368a9a1

    SHA512

    4826a4c22028b3c4de1871f3594975c730c3685f712fff175fff2fa7e70c4b4b9282eefbb0054412eb7b71b16f4d7a61f86df456aa23cab2dcfefa7abd4ba79d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\isB29Ec.exe
    Filesize

    11KB

    MD5

    7e93bacbbc33e6652e147e7fe07572a0

    SHA1

    421a7167da01c8da4dc4d5234ca3dd84e319e762

    SHA256

    850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

    SHA512

    250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kXY30rQ.exe
    Filesize

    175KB

    MD5

    a5f5c5d6291c7ae9e1d1b7ed1e551490

    SHA1

    3d06413341893b838549939e15f8f1eec423d71a

    SHA256

    1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

    SHA512

    d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

    Download Submit

  • memory/3112-21-0x00000000005E0000-0x0000000000612000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3112-22-0x00000000053F0000-0x0000000005A08000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3112-23-0x0000000004F70000-0x000000000507A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/3112-24-0x0000000004EA0000-0x0000000004EB2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3112-25-0x0000000004F00000-0x0000000004F3C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3112-26-0x0000000005080000-0x00000000050CC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4616-14-0x00007FFC72493000-0x00007FFC72495000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4616-15-0x0000000000510000-0x000000000051A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4616-16-0x00007FFC72493000-0x00007FFC72495000-memory.dmp

    Filesize

    8KB

    Download