Overview

overview

10

Static

static

3

623d879734...f4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-02-2025 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    623d879734f42cab0cd23bf39e73f67d960d9969c17f9a4ec6813299e9f316f4.exe

  • Size

    1.1MB

  • MD5

    1ca9dc1b462d871d56a299e00cc46771

  • SHA1

    676d3240f271a9872f4ed1b4bdd2f1ea27e4e8a5

  • SHA256

    623d879734f42cab0cd23bf39e73f67d960d9969c17f9a4ec6813299e9f316f4

  • SHA512

    49eb4599e3bd0a2d99ba311ad4139aa1705085388be91d60be2d783336d8b83e3f04f5f367d4a6bbdefbacf31bc0dea590304530617e5bd4dd48084d161e89eb

  • SSDEEP

    24576:ayb57ppwhv3HEuynqXDzQjZlIdDCgkRoHiRT:hb5Xo3kuOkDkjTIdDCxmHiN

Score
10/10
healerredlinerumfadefense_evasiondiscoverydropperevasioninfostealerpersistencetrojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

C2

193.233.20.24:4123

Attributes
  • auth_value

    749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

  • Detects Healer an antivirus disabler dropper 2 IoCs
  • Healer

    Healer an antivirus disabler dropper.

    dropperhealer
  • Healer family
    healer
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    defense_evasiontrojan
  • Modifies Windows Defender TamperProtection settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender notification settings 3 TTPs 2 IoCs
    defense_evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 35 IoCs
  • Redline family
    redline
  • Downloads MZ/PE file 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    defense_evasiontrojan
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\623d879734f42cab0cd23bf39e73f67d960d9969c17f9a4ec6813299e9f316f4.exe
    "C:\Users\Admin\AppData\Local\Temp\623d879734f42cab0cd23bf39e73f67d960d9969c17f9a4ec6813299e9f316f4.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2916
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plUq13Cd16.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plUq13Cd16.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pleM37Qh78.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pleM37Qh78.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4976
        • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plyr33LB00.exe
          C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plyr33LB00.exe
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pldO82BE25.exe
            C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pldO82BE25.exe
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:340
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buEa09ZA24.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buEa09ZA24.exe
              6⤵
              • Modifies Windows Defender DisableAntiSpyware settings
              • Modifies Windows Defender Real-time Protection settings
              • Modifies Windows Defender TamperProtection settings
              • Modifies Windows Defender notification settings
              • Executes dropped EXE
              • Windows security modification
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2128
            • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caXv66kg14.exe
              C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caXv66kg14.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:5072
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzgyNDM4MzEtMkQ2Mi00RkUzLUIxQzgtQzM4NzlCQkUyMkQxfSIgdXNlcmlkPSJ7RUFGNENDMUEtNkNCMC00RjkzLThCMUEtRDlEMDhENjBDMUI2fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUEzM0U2MzgtQjc1MC00Mzg3LUIwMzctRjM0M0IyNDcyMDVEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODcxMjUwMzQ5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:2192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plUq13Cd16.exe
    Filesize

    1009KB

    MD5

    26b327f7288c7ed7f4602174b9fe18c4

    SHA1

    b78363b0798fa0555225bbb5c72128e13a1dd3df

    SHA256

    64b641d7c521e13ddd0aae74d5e3d98518289109299533a5d62b2d381a4e9117

    SHA512

    2ccbe49556533bae64b36a27610c4f3e6a56fae5152b0ac122563cb4daf3699cb8915219892748259ed8e829d932e078dc5bb3e7fa0bdea69971792e92ec89e6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pleM37Qh78.exe
    Filesize

    906KB

    MD5

    14eb272af95df42ff1873dbacdafc5ed

    SHA1

    2c2b07710ab559a53053f794ac302ae3ae63fa31

    SHA256

    989126436627491e48798132effdb1870ff5cb6f18ccd0f409daa7cd89bd6bd8

    SHA512

    fc4e16950ebd5d826e4f731220a02acd74904af35268562edfc200b1ccfa5c12b25faaa8d3ef306d8d0c2f1f8613a60a29128c2a98d7b054c0be4bdc344447a1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plyr33LB00.exe
    Filesize

    682KB

    MD5

    854371217e49a9fb0e6beee12329b3f9

    SHA1

    0adb6552a69d7b3944437cad80a1523dbf391180

    SHA256

    bfe448a8b1898bee1a0b1f1475c91c1911b49d6adb29044d6a1d295c558a86d7

    SHA512

    906c60d0b053927f382f79c66499f311121da2a156c0ccef0a95f50fbf2c83c59803a16fc368b24d83b6d1f6ef3b25eee18e8726c0c418e66899f2b1ba4225b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\pldO82BE25.exe
    Filesize

    399KB

    MD5

    d56abf22fae8e47c3d0ce9ca7a4edea8

    SHA1

    b480f1ce07db681f9272cd0748b1a5a88f0de992

    SHA256

    9ac8863cdf347e26664a8098fff3d2fb2fa5029a259824cf49807fcb7d043143

    SHA512

    c79df7d7765d7c4456ffa5eb576572238f8b3abccf2500e337e12681352bdb4dfd4f9acb26f265511002a58b1f69f90b3638ac3e71dee6fb21dc29f334f020b7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buEa09ZA24.exe
    Filesize

    12KB

    MD5

    a0e70241520eff3e4b5b6eb4e8b7d34e

    SHA1

    28cb3dcdbaef7f2781da50704d16aa36ce4e576c

    SHA256

    b9ee2eb95e784610bc9c397f10741b0631dc578592d2b3ca086b1dbea1405df2

    SHA512

    336bd6898363a1d0aec65bae699650c917f7a0edc2fe3097d1bc6c93c02ca7a05871d94f5807dab443984a45254d3df4faf661a92d273be0af7aeed742f3d7b2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caXv66kg14.exe
    Filesize

    375KB

    MD5

    5ff32f757fe387c14ed8b1388ed9ec51

    SHA1

    43465ddc0d2b6107b9ec69f4852abedc6dc7a3e3

    SHA256

    ed7b94310be80b1aadad0043ae5539fbdf5a5b57626e275cf1e93cda3a307c60

    SHA512

    f89a31e03ae0ec6116b58136b1362bab031f04a340738d5878152905ca69964c833fb5b58c339af3e71fc804e6f727983e8a9db43e58ac37875fb1e2d83a2c92

    Download Submit

  • memory/2128-35-0x0000000000E30000-0x0000000000E3A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5072-82-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-72-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-44-0x0000000007190000-0x00000000071D4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/5072-54-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-58-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-108-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-106-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-104-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-102-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-100-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-98-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-96-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-92-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-90-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-88-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-86-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-84-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-42-0x0000000004BA0000-0x0000000004BE6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/5072-80-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-78-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-76-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-43-0x0000000007330000-0x00000000078D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5072-70-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-68-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-66-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-64-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-62-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-60-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-56-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-52-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-50-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-94-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-74-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-48-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-46-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-45-0x0000000007190000-0x00000000071CE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/5072-951-0x00000000078E0000-0x0000000007EF8000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/5072-952-0x0000000007F00000-0x000000000800A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/5072-953-0x00000000072E0000-0x00000000072F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/5072-954-0x0000000008010000-0x000000000804C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/5072-955-0x0000000008150000-0x000000000819C000-memory.dmp

    Filesize

    304KB

    Download