healer | 3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe
Size

690KB
MD5

644b4cdb5f0abec98232d153692849b8
SHA1

884935cc25d6cee17caa6e4ad5fff0a8266990f7
SHA256

3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f
SHA512

8df55e0bfe9a6b84c7503f36a849b71ebd5850730f2f8dc6e52a86587cb7b928a6db3f1035ad4ed4b7f55a7bc7fa5017972ae104d1714ca8999946f9569a29c4
SSDEEP

12288:7y90S1y44DmrYDFMq6ed6U7ExQBBzZIJpjNxMSn7brL/rGX6U5Tv0s0x:7yc4RrYDp/57EMzZkjjM07b3/rGX6eTi

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3980-19-0x0000000002290000-0x00000000022AA000-memory.dmp	healer
behavioral1/memory/3980-21-0x0000000002370000-0x0000000002388000-memory.dmp	healer
behavioral1/memory/3980-47-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-45-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-43-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-41-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-40-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-49-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-38-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-35-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-33-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-31-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-29-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-27-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-25-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-22-0x0000000002370000-0x0000000002383000-memory.dmp	healer
behavioral1/memory/3980-23-0x0000000002370000-0x0000000002383000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	41350789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	41350789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	41350789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	41350789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	41350789.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	41350789.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/964-61-0x0000000002290000-0x00000000022CC000-memory.dmp	family_redline
behavioral1/memory/964-62-0x0000000005030000-0x000000000506A000-memory.dmp	family_redline
behavioral1/memory/964-64-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-63-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-74-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-96-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-94-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-92-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-90-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-88-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-86-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-84-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-80-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-78-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-76-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-72-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-71-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-68-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-66-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline
behavioral1/memory/964-82-0x0000000005030000-0x0000000005065000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3096	un325942.exe
3980	41350789.exe
964	rk759595.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	41350789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	41350789.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un325942.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4868	3980	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un325942.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41350789.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk759595.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3980	41350789.exe
3980	41350789.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3980	41350789.exe
Token: SeDebugPrivilege	964	rk759595.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 3096	4432	3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe	84
PID 4432 wrote to memory of 3096	4432	3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe	84
PID 4432 wrote to memory of 3096	4432	3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe	84
PID 3096 wrote to memory of 3980	3096	un325942.exe	85
PID 3096 wrote to memory of 3980	3096	un325942.exe	85
PID 3096 wrote to memory of 3980	3096	un325942.exe	85
PID 3096 wrote to memory of 964	3096	un325942.exe	99
PID 3096 wrote to memory of 964	3096	un325942.exe	99
PID 3096 wrote to memory of 964	3096	un325942.exe	99

C:\Users\Admin\AppData\Local\Temp\3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe
"C:\Users\Admin\AppData\Local\Temp\3577233e8b9ad2718ceb30b2a0e650e1c6e55bc44d0dcfd37da3ea0d5bf6c78f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un325942.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un325942.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41350789.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41350789.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 1080
      4⤵
      Program crash
      PID:4868
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk759595.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk759595.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3980 -ip 3980
1⤵
PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un325942.exe

Filesize
536KB

MD5
8ebfb38433d1bee7ec9bc0c21de0e0c5

SHA1
6010922d7ebefe910f92ad3bfca63ff35de0dc89

SHA256
1c60ef70dec2dd0a17ccec26c2e92560d92431c0d763bf930d1acd6ac7aa6834

SHA512
b277f56954709bc466fba26bba1c39ca793b32228e4d005ec769fe66a7aaa588f0271c4f49ae675b75b7a2964f05136ab0ba727a9989557ef7e26508368581fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\41350789.exe

Filesize
259KB

MD5
9e2522aae3412dd4b18a4166243d7029

SHA1
826eaa7af9db24f30c872363467397088fbc0daf

SHA256
33054e9609688176741b402b79830535109ef3f76d7fe2cb53decbcb16fe2de9

SHA512
4aa5ad5dc059cf8e9bb04a610cfb2a3fecd404539c8a84dd7095ea5bec065d03d7e6e6f4c7691ec13d1f0c0765502f25dad5ed9c7a60f8880bdc192c58e36e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk759595.exe

Filesize
341KB

MD5
6fa9d48a28ad790199358fb07b93e924

SHA1
25057bd62dfca8c034e5bbd59cf68d5e4ed6cf51

SHA256
e826a13ae56f4253f3f934dde0803a2d2ced6af70550f4aa3bf13b502ef8b46b

SHA512
e47ebca06dd307ae76c8ff8931ef8ff70d5b178300e5980d880c0925eaa6aa66bfe1b1e6a9e19f9384ce167ad9c877ea73bb189659c08c9b43b4ad69b4488f9b

Download Submit
memory/964-78-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-84-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-856-0x0000000007BF0000-0x0000000007C02000-memory.dmp

Filesize
72KB

Download
memory/964-855-0x0000000007530000-0x0000000007B48000-memory.dmp

Filesize
6.1MB

Download
memory/964-82-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-66-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-68-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-71-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-72-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-76-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-858-0x0000000007D30000-0x0000000007D6C000-memory.dmp

Filesize
240KB

Download
memory/964-859-0x00000000045B0000-0x00000000045FC000-memory.dmp

Filesize
304KB

Download
memory/964-80-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-857-0x0000000007C10000-0x0000000007D1A000-memory.dmp

Filesize
1.0MB

Download
memory/964-86-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-88-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-90-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-92-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-94-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-96-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-74-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-63-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-64-0x0000000005030000-0x0000000005065000-memory.dmp

Filesize
212KB

Download
memory/964-62-0x0000000005030000-0x000000000506A000-memory.dmp

Filesize
232KB

Download
memory/964-61-0x0000000002290000-0x00000000022CC000-memory.dmp

Filesize
240KB

Download
memory/3980-40-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3980-55-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3980-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3980-51-0x00000000005B0000-0x00000000005DD000-memory.dmp

Filesize
180KB

Download
memory/3980-50-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/3980-23-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-22-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-25-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-27-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-29-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-31-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-33-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-35-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-38-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-49-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-41-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-43-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-45-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-47-0x0000000002370000-0x0000000002383000-memory.dmp

Filesize
76KB

Download
memory/3980-21-0x0000000002370000-0x0000000002388000-memory.dmp

Filesize
96KB

Download
memory/3980-20-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/3980-19-0x0000000002290000-0x00000000022AA000-memory.dmp

Filesize
104KB

Download
memory/3980-18-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3980-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3980-16-0x00000000005B0000-0x00000000005DD000-memory.dmp

Filesize
180KB

Download
memory/3980-15-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download