healer | 40798ddaa6e449349224c60a980b73b4b082e8f19904c7b9acbadcbf8441a2e3

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40798ddaa6e449349224c60a980b73b4b082e8f19904c7b9acbadcbf8441a2e3.exe
Size

688KB
MD5

5443807248ff11ca1adcd7ba7624d2a3
SHA1

dd0634f2649e07d9c2d6ff743d2322524a81aa98
SHA256

40798ddaa6e449349224c60a980b73b4b082e8f19904c7b9acbadcbf8441a2e3
SHA512

3aabb9ae085db807cf2248a52ef41bda853c5571529a13d7d6dfb403163548266eafb1eeacd54f0939aeeeb280c95f5fe2f159002dbc18f7fe7e8f468d08908a
SSDEEP

12288:pMrfy90HzCb2NhIZ2KEMkaRfCZEPMREgUMImVYqgF61L5txx91DUQP:eygzC6fjFkKREg/R7gF61vxRP

Score

10^/10

healer redline rumfa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000002333e-12.dat	healer
behavioral1/memory/4840-14-0x0000000000040000-0x000000000004A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	buFK11zR68.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	buFK11zR68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	buFK11zR68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	buFK11zR68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	buFK11zR68.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	buFK11zR68.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4932-25-0x0000000004B30000-0x0000000004B76000-memory.dmp	family_redline
behavioral1/memory/4932-30-0x00000000072E0000-0x0000000007324000-memory.dmp	family_redline
behavioral1/memory/4932-31-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-34-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-32-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-36-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-38-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-40-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-42-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-44-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-46-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-48-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-50-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-52-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-54-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-58-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-56-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-60-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-62-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-64-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-66-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-68-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-70-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-72-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-74-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-76-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-78-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-80-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-84-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-82-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-86-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-88-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-90-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-92-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline
behavioral1/memory/4932-94-0x00000000072E0000-0x000000000731E000-memory.dmp	family_redline

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000002333e-12.dat	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/4840-14-0x0000000000040000-0x000000000004A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Executes dropped EXE 3 IoCs

pid	Process
3272	plaJ43Bn25.exe
4840	buFK11zR68.exe
4932	caXd58Kq46.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	buFK11zR68.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	40798ddaa6e449349224c60a980b73b4b082e8f19904c7b9acbadcbf8441a2e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plaJ43Bn25.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4840	buFK11zR68.exe
4840	buFK11zR68.exe
4840	buFK11zR68.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4840	buFK11zR68.exe
Token: SeDebugPrivilege	4932	caXd58Kq46.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 3272	2120	40798ddaa6e449349224c60a980b73b4b082e8f19904c7b9acbadcbf8441a2e3.exe	95
PID 2120 wrote to memory of 3272	2120	40798ddaa6e449349224c60a980b73b4b082e8f19904c7b9acbadcbf8441a2e3.exe	95
PID 2120 wrote to memory of 3272	2120	40798ddaa6e449349224c60a980b73b4b082e8f19904c7b9acbadcbf8441a2e3.exe	95
PID 3272 wrote to memory of 4840	3272	plaJ43Bn25.exe	97
PID 3272 wrote to memory of 4840	3272	plaJ43Bn25.exe	97
PID 3272 wrote to memory of 4932	3272	plaJ43Bn25.exe	101
PID 3272 wrote to memory of 4932	3272	plaJ43Bn25.exe	101
PID 3272 wrote to memory of 4932	3272	plaJ43Bn25.exe	101

C:\Users\Admin\AppData\Local\Temp\40798ddaa6e449349224c60a980b73b4b082e8f19904c7b9acbadcbf8441a2e3.exe
"C:\Users\Admin\AppData\Local\Temp\40798ddaa6e449349224c60a980b73b4b082e8f19904c7b9acbadcbf8441a2e3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plaJ43Bn25.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plaJ43Bn25.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buFK11zR68.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buFK11zR68.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caXd58Kq46.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caXd58Kq46.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3724 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
1⤵
PID:4616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plaJ43Bn25.exe

Filesize
402KB

MD5
eba2ae75976f2bc2cc2c261f1c636df6

SHA1
564c3a2ba4c9a673dea15be8a42b45516eaa0930

SHA256
ac06571227457964d6f5a7b92f25af74fd00072cd9e74aa3c97ad79712a9129c

SHA512
d0111b6c340cf311d2f1dac0d65288ba4e084cd39e036b49837e2752b601ad265af06623aa1f221a341bcdd115f2b86990896b89bcba086ddac4ff36344cdbf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buFK11zR68.exe

Filesize
15KB

MD5
160d0c2c30e95d07fbba9d169afd28ee

SHA1
0a9246455a4a180d3044eef47233b0c9ab19a54f

SHA256
dd24dd359b03c8c50cf405496b8851aa757a9c21c6d361fcc48c9eb7637e0312

SHA512
106413001d3735b983a8bdca864f53987f9915aed33075c7c271968b1d5b1ae8f4e98df9e7ba06e768c614c02f1dc3afdd30446ac78bc0e58221d7c263e5e1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caXd58Kq46.exe

Filesize
376KB

MD5
51d83e219f7908c47e000ced515c41c5

SHA1
49860bcc7802e33498d0010de530f67573577ce1

SHA256
556b654b17afba716bb4859376467fc708829ff6c5b5a9c9e18e40a133b6b37d

SHA512
a9e0b625653af5ee0e90b91344ca01928888279b9936647c0f655ff3dd67fb2fa36067ad7e78ad8d2ecb78ec25926d31c541a97db72dc72b366188c163ee71f4

Download Submit
memory/4840-14-0x0000000000040000-0x000000000004A000-memory.dmp

Filesize
40KB

Download
memory/4840-15-0x00007FF912BC0000-0x00007FF913681000-memory.dmp

Filesize
10.8MB

Download
memory/4840-17-0x00007FF912BC0000-0x00007FF913681000-memory.dmp

Filesize
10.8MB

Download
memory/4932-22-0x0000000002D70000-0x0000000002E70000-memory.dmp

Filesize
1024KB

Download
memory/4932-23-0x0000000004810000-0x000000000485B000-memory.dmp

Filesize
300KB

Download
memory/4932-24-0x0000000000400000-0x0000000002BCB000-memory.dmp

Filesize
39.8MB

Download
memory/4932-25-0x0000000004B30000-0x0000000004B76000-memory.dmp

Filesize
280KB

Download
memory/4932-26-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4932-27-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/4932-28-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/4932-29-0x00000000074D0000-0x0000000007A74000-memory.dmp

Filesize
5.6MB

Download
memory/4932-30-0x00000000072E0000-0x0000000007324000-memory.dmp

Filesize
272KB

Download
memory/4932-31-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-34-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-32-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-36-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-38-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-40-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-42-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-44-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-46-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-48-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-50-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-52-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-54-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-58-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-56-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-60-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-62-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-64-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-66-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-68-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-70-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-72-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-74-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-76-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-78-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-80-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-84-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-82-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-86-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-88-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-90-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-92-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-94-0x00000000072E0000-0x000000000731E000-memory.dmp

Filesize
248KB

Download
memory/4932-937-0x0000000007A80000-0x0000000008098000-memory.dmp

Filesize
6.1MB

Download
memory/4932-938-0x00000000080A0000-0x00000000081AA000-memory.dmp

Filesize
1.0MB

Download
memory/4932-939-0x0000000007430000-0x0000000007442000-memory.dmp

Filesize
72KB

Download
memory/4932-940-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/4932-941-0x0000000007450000-0x000000000748C000-memory.dmp

Filesize
240KB

Download
memory/4932-942-0x00000000082B0000-0x00000000082FC000-memory.dmp

Filesize
304KB

Download
memory/4932-944-0x0000000000400000-0x0000000002BCB000-memory.dmp

Filesize
39.8MB

Download
memory/4932-945-0x0000000002D70000-0x0000000002E70000-memory.dmp

Filesize
1024KB

Download
memory/4932-946-0x0000000004810000-0x000000000485B000-memory.dmp

Filesize
300KB

Download
memory/4932-947-0x0000000074340000-0x0000000074AF0000-memory.dmp

Filesize
7.7MB

Download
memory/4932-949-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/4932-950-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/4932-952-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download