healer | f66854431dc57070e060e776be18cba0992366fab22b71f8cf929b91c81a6c26

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b.exe
Size

479KB
MD5

3ab2ff06d401aa79ecc0a828734aa965
SHA1

79f8c82403a2c4eba7333bbe8a8cea43043c1443
SHA256

f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b
SHA512

b7d56a909168f4841e017122351439b13b932d8e79631294e3798df47e01619739248b238f2c89aab67da67f885013705ffe71881aac02fb23b157b1d0f4ad21
SSDEEP

6144:Kay+bnr+Hkp0yN90QESbWCWKAw5UH4MDtIA/EzylcSAGRArr8wtc5VrgGL8F9KaE:iMrwy90Yf3UYeZMzylcyqFtucF30

Score

10^/10

healer redline dumud dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dumud

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral26/memory/2216-15-0x0000000002460000-0x000000000247A000-memory.dmp	healer
behavioral26/memory/2216-18-0x0000000004980000-0x0000000004998000-memory.dmp	healer
behavioral26/memory/2216-47-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-45-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-43-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-42-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-39-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-37-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-35-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-33-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-31-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-29-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-27-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-25-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-23-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-21-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral26/memory/2216-20-0x0000000004980000-0x0000000004992000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k1520744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1520744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1520744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1520744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1520744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1520744.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral26/files/0x0007000000023404-52.dat	family_redline
behavioral26/memory/3320-54-0x00000000004D0000-0x0000000000500000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
2996	y4258701.exe
2216	k1520744.exe
3320	l4036908.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k1520744.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1520744.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4258701.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2216	k1520744.exe
2216	k1520744.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	k1520744.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2996	1376	f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b.exe	83
PID 1376 wrote to memory of 2996	1376	f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b.exe	83
PID 1376 wrote to memory of 2996	1376	f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b.exe	83
PID 2996 wrote to memory of 2216	2996	y4258701.exe	84
PID 2996 wrote to memory of 2216	2996	y4258701.exe	84
PID 2996 wrote to memory of 2216	2996	y4258701.exe	84
PID 2996 wrote to memory of 3320	2996	y4258701.exe	90
PID 2996 wrote to memory of 3320	2996	y4258701.exe	90
PID 2996 wrote to memory of 3320	2996	y4258701.exe	90

C:\Users\Admin\AppData\Local\Temp\f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b.exe
"C:\Users\Admin\AppData\Local\Temp\f5c518fe92fb2a2cb7e24aef95c0ce906e790b67bbc704f3311706b11b6a7d4b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4258701.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4258701.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1520744.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1520744.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2216
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4036908.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4036908.exe
    3⤵
    - Executes dropped EXE
    PID:3320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4258701.exe

Filesize
307KB

MD5
367ff3cd17fe97143cd8cb5f9e323046

SHA1
0a213bcb8d4e658992d1e083b0b206ac3650ba69

SHA256
ff54e8ca62b5d37f515d9883b629f0761bba9e583cfd91abda232bc4e5b5cd50

SHA512
9c2fd4077ecd277d91e83160a5c2a0a3bcc2c8774dda670dad8566a789fef7be158a87397cf2fa7360fda1916fac8331b61c55add4d4018ae2dfacbba6a32894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1520744.exe

Filesize
180KB

MD5
7ae5c9c884c8a206085a31b28559a56e

SHA1
62ee3946087638f78cb879cec7873e931c3ea386

SHA256
d78fc25515b72db855c730b5e4a5bd2db040c857f8921ddead622d646bd6c98e

SHA512
54270113c6f8671b4ccd236e096f673dd8d0ca10f61bb90b798288c1340812893bb6db49db40d9e204f864c60091446603f1e1e2e6e4eb5233615cee8c0847e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l4036908.exe

Filesize
168KB

MD5
faa7957999bc9ed6a221c8c19b9d09f0

SHA1
eef2368343aa03127958ec5a7cc507e469b5a028

SHA256
9bf4ace7974b14c0c0d4b9913f95ebcd3a4512c54dd4a04281af685ba1bdd895

SHA512
d9e747f865ecd24b5f95369cc5cc824a14cfbd827615331639c0d99ae512a2e18479c10e17f1368f4f96da741f4129e6bfd426f82f44346edd384d2bca5789c8

Download Submit
memory/2216-33-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-18-0x0000000004980000-0x0000000004998000-memory.dmp

Filesize
96KB

Download
memory/2216-29-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-17-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/2216-19-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/2216-47-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-48-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/2216-45-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-43-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-42-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-39-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-37-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-35-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-15-0x0000000002460000-0x000000000247A000-memory.dmp

Filesize
104KB

Download
memory/2216-31-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-16-0x00000000049E0000-0x0000000004F84000-memory.dmp

Filesize
5.6MB

Download
memory/2216-27-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-25-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-23-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-21-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-20-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/2216-50-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/2216-14-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/3320-54-0x00000000004D0000-0x0000000000500000-memory.dmp

Filesize
192KB

Download
memory/3320-55-0x00000000026B0000-0x00000000026B6000-memory.dmp

Filesize
24KB

Download
memory/3320-56-0x000000000A800000-0x000000000AE18000-memory.dmp

Filesize
6.1MB

Download
memory/3320-57-0x000000000A340000-0x000000000A44A000-memory.dmp

Filesize
1.0MB

Download
memory/3320-58-0x000000000A270000-0x000000000A282000-memory.dmp

Filesize
72KB

Download
memory/3320-59-0x000000000A2D0000-0x000000000A30C000-memory.dmp

Filesize
240KB

Download
memory/3320-60-0x00000000048A0000-0x00000000048EC000-memory.dmp

Filesize
304KB

Download