healer | 5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff

Analysis

max time kernel
138s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe
Size

914KB
MD5

754fa9b827fd368e9233e965d78d5e4e
SHA1

7162680e492388b80bad951345edaa4df1e60088
SHA256

5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff
SHA512

c9041c59fc22559aa88afd9d21bade9b8b3bc4e53a259efb425ec3413d6b6f39c56424ec09dbeb56cc939db4a1907e0db845e41fe1aabcb7922424f89571e1c7
SSDEEP

24576:Vy1colZezgTUGtApNaHQyVGRINZu1QS5j:w/WzMrteNqVQIN41x5

Score

10^/10

healer redline dark dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dark

185.161.248.73:4164

Attributes

auth_value
ae85b01f66afe8770afeed560513fc2d

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/memory/5260-2163-0x0000000000C60000-0x0000000000C6A000-memory.dmp	healer
behavioral1/files/0x000800000002345d-2162.dat	healer
behavioral1/memory/2648-2149-0x0000000004AC0000-0x0000000004ACA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	1.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/memory/5072-4317-0x0000000005760000-0x0000000005792000-memory.dmp	family_redline
behavioral1/files/0x0007000000023460-4322.dat	family_redline
behavioral1/memory/2468-4324-0x0000000000340000-0x0000000000370000-memory.dmp	family_redline

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 3 IoCs

resource	yara_rule
behavioral1/memory/5260-2163-0x0000000000C60000-0x0000000000C6A000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/files/0x000800000002345d-2162.dat	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
behavioral1/memory/2648-2149-0x0000000004AC0000-0x0000000004ACA000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Detects executables packed with ConfuserEx Mod 3 IoCs

resource	yara_rule
behavioral1/memory/5072-4317-0x0000000005760000-0x0000000005792000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/files/0x0007000000023460-4322.dat	INDICATOR_EXE_Packed_ConfuserEx
behavioral1/memory/2468-4324-0x0000000000340000-0x0000000000370000-memory.dmp	INDICATOR_EXE_Packed_ConfuserEx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	94600487.exe

Executes dropped EXE 5 IoCs

pid	Process
2956	st399543.exe
2648	94600487.exe
5260	1.exe
5072	kp746910.exe
2468	lr652360.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	1.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	st399543.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2888	5072	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5260	1.exe
5260	1.exe
5260	1.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	94600487.exe
Token: SeDebugPrivilege	5072	kp746910.exe
Token: SeDebugPrivilege	5260	1.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2956	4848	5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe	83
PID 4848 wrote to memory of 2956	4848	5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe	83
PID 4848 wrote to memory of 2956	4848	5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe	83
PID 2956 wrote to memory of 2648	2956	st399543.exe	85
PID 2956 wrote to memory of 2648	2956	st399543.exe	85
PID 2956 wrote to memory of 2648	2956	st399543.exe	85
PID 2648 wrote to memory of 5260	2648	94600487.exe	87
PID 2648 wrote to memory of 5260	2648	94600487.exe	87
PID 2956 wrote to memory of 5072	2956	st399543.exe	88
PID 2956 wrote to memory of 5072	2956	st399543.exe	88
PID 2956 wrote to memory of 5072	2956	st399543.exe	88
PID 4848 wrote to memory of 2468	4848	5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe	92
PID 4848 wrote to memory of 2468	4848	5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe	92
PID 4848 wrote to memory of 2468	4848	5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe	92

C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe
"C:\Users\Admin\AppData\Local\Temp\5b184b535b6cb3f4996dfd2752b6dc2b5ae1adc30eee035e72b6a960323ff1ff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5260
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp746910.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp746910.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 1260
      4⤵
      Program crash
      PID:2888
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652360.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652360.exe
  2⤵
  - Executes dropped EXE
  PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5072 -ip 5072
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr652360.exe

Filesize
168KB

MD5
16cf18c8ef1d4be89b36e27c8fb88e9d

SHA1
7811ba84f75a1adc6d995c2c1121ec996d1cc003

SHA256
116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8

SHA512
4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st399543.exe

Filesize
760KB

MD5
b4739ea60f15eb6ba8fbdc5eac898bcb

SHA1
fdb92d0e62090b4905aceaee3d0223381d16bf82

SHA256
1e76796e3f059435c6cc911c09ff4b9d344408967840a3f09e5f902feb660fa5

SHA512
76bde1021618cb750d07383bfe4c36eaeb7915d55bd6a99a5527d2d185d276b2f51613f0cd0211f879e3c915b20fdead0a933a004becb25d018c3e9f58ccdc40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94600487.exe

Filesize
300KB

MD5
a6e57af537e534299bc6a62830929d27

SHA1
dba2d850a6ac1dfbfd65c270342482bd47d5697d

SHA256
7f1beab773fb86c553330b4b9ddefc47d946d1c18ffde4318ea8ceeeeeaee9a2

SHA512
dbd565c08178aae2da49abcc5e2388ef06be7d8f445ab9ce4659f58e666ee10cc80b386a1d67381b2db13ec0bbc97a86db780f0ac9e54bca27881885c5bb553c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp746910.exe

Filesize
539KB

MD5
6a3d723b02bf5ff554f5bb99bdc9bfcb

SHA1
47ae2a203e2e41e17d078fe0d766570c1e30e65b

SHA256
ace2eb0e8f4dc0cef1f2307217222cd2db5acd060d565dc773e0b61a89b72c79

SHA512
5cb7419958b61168a7a4f3e8763a35af040b756aee8b4f9ec783ec24152bd35120cbec5d950342d5bce1d147343cef4a23cff635877514fc7c54039b7fdfef92

Download Submit
C:\Windows\Temp\1.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/2468-4330-0x0000000004FE0000-0x000000000502C000-memory.dmp

Filesize
304KB

Download
memory/2468-4326-0x00000000053D0000-0x00000000059E8000-memory.dmp

Filesize
6.1MB

Download
memory/2468-4329-0x0000000004E60000-0x0000000004E9C000-memory.dmp

Filesize
240KB

Download
memory/2468-4328-0x0000000004E00000-0x0000000004E12000-memory.dmp

Filesize
72KB

Download
memory/2468-4327-0x0000000004ED0000-0x0000000004FDA000-memory.dmp

Filesize
1.0MB

Download
memory/2468-4324-0x0000000000340000-0x0000000000370000-memory.dmp

Filesize
192KB

Download
memory/2468-4325-0x00000000025E0000-0x00000000025E6000-memory.dmp

Filesize
24KB

Download
memory/2648-39-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-76-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-68-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-66-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-64-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-62-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-60-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-58-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-56-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-54-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-52-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-48-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-46-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-44-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-2151-0x0000000073BD0000-0x0000000074380000-memory.dmp

Filesize
7.7MB

Download
memory/2648-2164-0x0000000073BD0000-0x0000000074380000-memory.dmp

Filesize
7.7MB

Download
memory/2648-2149-0x0000000004AC0000-0x0000000004ACA000-memory.dmp

Filesize
40KB

Download
memory/2648-42-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-72-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-37-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-35-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-33-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-78-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-70-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-50-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-41-0x0000000073BD0000-0x0000000074380000-memory.dmp

Filesize
7.7MB

Download
memory/2648-31-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-29-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-27-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-25-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-23-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-21-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-20-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-18-0x00000000049F0000-0x0000000004A46000-memory.dmp

Filesize
344KB

Download
memory/2648-16-0x0000000073BD0000-0x0000000074380000-memory.dmp

Filesize
7.7MB

Download
memory/2648-14-0x0000000073BDE000-0x0000000073BDF000-memory.dmp

Filesize
4KB

Download
memory/2648-15-0x0000000004910000-0x0000000004968000-memory.dmp

Filesize
352KB

Download
memory/2648-17-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/2648-19-0x0000000073BD0000-0x0000000074380000-memory.dmp

Filesize
7.7MB

Download
memory/2648-74-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-80-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-82-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/2648-84-0x00000000049F0000-0x0000000004A41000-memory.dmp

Filesize
324KB

Download
memory/5072-4318-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/5072-4317-0x0000000005760000-0x0000000005792000-memory.dmp

Filesize
200KB

Download
memory/5072-2170-0x0000000002A40000-0x0000000002AA6000-memory.dmp

Filesize
408KB

Download
memory/5072-2169-0x00000000025D0000-0x0000000002638000-memory.dmp

Filesize
416KB

Download
memory/5260-2163-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download