healer | 9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66

Resubmissions

29-10-2024 14:06

241029-regnlawcqp 10

29-10-2024 12:53

241029-p4zvcsvhqp 10

07-05-2023 04:57

230507-fldpqshh67 10

Analysis

max time kernel
142s
max time network
148s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-10-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe
Size

746KB
MD5

7c3dda2c9904ba420260b3489e2ef165
SHA1

c5ce5096c8d8175ff522ee68d1a68b8cea926c2d
SHA256

9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66
SHA512

2f10af6e5d497478f47813322d039012467c43d4bba12fe30b5a42a472379c9daa62529c73657d77886c5b8fcaab9cae959e5264124cec750091b0d9a237febd
SSDEEP

12288:Sy90N8arEZ38DLXqXNNsbiuQ4sbrXfUcXfSqXtXVtCX3b73xzR:Sy48arEJYLa9eenX8cXfVSb7/

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral4/memory/4784-19-0x0000000002810000-0x000000000282A000-memory.dmp	healer
behavioral4/memory/4784-21-0x0000000004FB0000-0x0000000004FC8000-memory.dmp	healer
behavioral4/memory/4784-47-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-49-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-45-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-43-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-39-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-35-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-31-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-29-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-25-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-41-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-23-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-37-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-34-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-22-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer
behavioral4/memory/4784-27-0x0000000004FB0000-0x0000000004FC2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	55874308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	55874308.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	55874308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	55874308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	55874308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	55874308.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral4/memory/4316-62-0x0000000002900000-0x000000000293C000-memory.dmp	family_redline
behavioral4/memory/4316-80-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-78-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-98-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-96-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-94-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-92-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-88-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-86-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-84-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-82-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-90-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-76-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-74-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-72-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-70-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-68-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-66-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-65-0x0000000002A90000-0x0000000002AC5000-memory.dmp	family_redline
behavioral4/memory/4316-64-0x0000000002A90000-0x0000000002ACA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
860	un721028.exe
4784	55874308.exe
4316	rk367654.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	55874308.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	55874308.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un721028.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3140	4784	WerFault.exe	78

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un721028.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	55874308.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk367654.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4784	55874308.exe
4784	55874308.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	55874308.exe
Token: SeDebugPrivilege	4316	rk367654.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 860	236	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe	77
PID 236 wrote to memory of 860	236	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe	77
PID 236 wrote to memory of 860	236	9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe	77
PID 860 wrote to memory of 4784	860	un721028.exe	78
PID 860 wrote to memory of 4784	860	un721028.exe	78
PID 860 wrote to memory of 4784	860	un721028.exe	78
PID 860 wrote to memory of 4316	860	un721028.exe	82
PID 860 wrote to memory of 4316	860	un721028.exe	82
PID 860 wrote to memory of 4316	860	un721028.exe	82

C:\Users\Admin\AppData\Local\Temp\9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe
"C:\Users\Admin\AppData\Local\Temp\9b7ba8dd0178eee5df00dcee5be7694514faead9a273fb3fd7bc6d532d750e66.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1040
      4⤵
      Program crash
      PID:3140
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4784 -ip 4784
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un721028.exe

Filesize
591KB

MD5
f39e96db71b850be0e8113dff1c58e96

SHA1
23a5a923212d5dba4e79a32d29a53e981ab15b21

SHA256
512a02378458eb8745bf6bdbc1eee575b557651072d935c96746f01c3eb30f7f

SHA512
2be9713d582dd079188c08ca9ec60c596e55f70ede81893d0a30add859687aae7e522fde85ea005c24eab6bc8587a31b57fd1b5a7fc8303a904406b8f15ea31f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\55874308.exe

Filesize
376KB

MD5
bfe8737b256d0abd4bd9b86dd51cf2d2

SHA1
91906151c3d615497a2685a1c2dfb8398a7524cb

SHA256
3dea26076cd2848c5544006f5d3d06b5d7b369c0a594f50b3175c805587756f8

SHA512
b581ab6ae61ceb4ad38b1888032fc53d4c972a97839096eb1b44a760377fc4eab12fb4b5fc2cb51d611355843e1f412631677e427c420b9e75cb2351e368cea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk367654.exe

Filesize
459KB

MD5
d041b732253fef6c275a1f5c490447ed

SHA1
15caa238a29b75ea279ef08684558f89145741cf

SHA256
f938c49409d99ce839e8b5de672c5a972c8348f96935b4ca7f73414e1bd406f1

SHA512
c044332361d1e8788882beddd5d4113c5147c87b39b80791bbe1328b14c6a5b9a5b211c049802798ae474f8082281556469f636ebc2ab078dd25eba36f68f440

Download Submit
memory/4316-72-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-90-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-68-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-70-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-63-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/4316-861-0x0000000002830000-0x000000000287C000-memory.dmp

Filesize
304KB

Download
memory/4316-74-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-76-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-858-0x0000000005100000-0x0000000005112000-memory.dmp

Filesize
72KB

Download
memory/4316-860-0x00000000081A0000-0x00000000081DC000-memory.dmp

Filesize
240KB

Download
memory/4316-859-0x0000000008080000-0x000000000818A000-memory.dmp

Filesize
1.0MB

Download
memory/4316-65-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-857-0x0000000007A60000-0x0000000008078000-memory.dmp

Filesize
6.1MB

Download
memory/4316-66-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-82-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-84-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-86-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-88-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-92-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-94-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-96-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-98-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-78-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-80-0x0000000002A90000-0x0000000002AC5000-memory.dmp

Filesize
212KB

Download
memory/4316-61-0x0000000000400000-0x0000000000817000-memory.dmp

Filesize
4.1MB

Download
memory/4316-62-0x0000000002900000-0x000000000293C000-memory.dmp

Filesize
240KB

Download
memory/4316-64-0x0000000002A90000-0x0000000002ACA000-memory.dmp

Filesize
232KB

Download
memory/4784-35-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4784-54-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4784-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4784-51-0x0000000000C30000-0x0000000000C5D000-memory.dmp

Filesize
180KB

Download
memory/4784-50-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download
memory/4784-27-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-22-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-34-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-37-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-23-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-41-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-25-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-29-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-31-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-39-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-43-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-45-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-49-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-47-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/4784-21-0x0000000004FB0000-0x0000000004FC8000-memory.dmp

Filesize
96KB

Download
memory/4784-20-0x0000000005140000-0x00000000056E6000-memory.dmp

Filesize
5.6MB

Download
memory/4784-19-0x0000000002810000-0x000000000282A000-memory.dmp

Filesize
104KB

Download
memory/4784-18-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/4784-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4784-16-0x0000000000C30000-0x0000000000C5D000-memory.dmp

Filesize
180KB

Download
memory/4784-15-0x0000000000960000-0x0000000000A60000-memory.dmp

Filesize
1024KB

Download