healer | 641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe
Size

1.0MB
MD5

3dd8cb2401ad5b815c866f4a3f86c8ea
SHA1

0df300712595162340c38619b592d5a3b66b0598
SHA256

641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba
SHA512

953ae3b7b94c4e9d59a41cce5fce02d5f1f4b803f37968bd9a291b601a04e0d559e05548b2fbfca9c5bf7de8dc2078ada91041e52e5936b3d458e44eec23b6c7
SSDEEP

24576:5yWypHMKIpakv2trPBMcTETh0JBhei9GmnaReG:sWypgaJJBTeaFtn

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca4-26.dat	healer
behavioral1/memory/1556-28-0x00000000001C0000-0x00000000001CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bujS90JC90.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bujS90JC90.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bujS90JC90.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bujS90JC90.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bujS90JC90.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bujS90JC90.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4692-34-0x0000000002520000-0x0000000002566000-memory.dmp	family_redline
behavioral1/memory/4692-36-0x0000000004B60000-0x0000000004BA4000-memory.dmp	family_redline
behavioral1/memory/4692-42-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-52-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-100-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-98-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-96-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-94-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-92-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-90-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-82-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-81-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-76-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-74-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-72-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-70-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-68-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-64-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-62-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-58-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-56-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-50-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-48-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-46-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-44-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-88-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-86-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-85-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-78-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-66-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-60-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-54-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-40-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-38-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline
behavioral1/memory/4692-37-0x0000000004B60000-0x0000000004B9E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
2044	plHS90Ml45.exe
1164	plsK82Aw16.exe
4972	plhU87xn05.exe
1556	bujS90JC90.exe
4692	caSJ17Xq60.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bujS90JC90.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plHS90Ml45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plsK82Aw16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plhU87xn05.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caSJ17Xq60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plHS90Ml45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plsK82Aw16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plhU87xn05.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1556	bujS90JC90.exe
1556	bujS90JC90.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	bujS90JC90.exe
Token: SeDebugPrivilege	4692	caSJ17Xq60.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 2044	4548	641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe	85
PID 4548 wrote to memory of 2044	4548	641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe	85
PID 4548 wrote to memory of 2044	4548	641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe	85
PID 2044 wrote to memory of 1164	2044	plHS90Ml45.exe	86
PID 2044 wrote to memory of 1164	2044	plHS90Ml45.exe	86
PID 2044 wrote to memory of 1164	2044	plHS90Ml45.exe	86
PID 1164 wrote to memory of 4972	1164	plsK82Aw16.exe	87
PID 1164 wrote to memory of 4972	1164	plsK82Aw16.exe	87
PID 1164 wrote to memory of 4972	1164	plsK82Aw16.exe	87
PID 4972 wrote to memory of 1556	4972	plhU87xn05.exe	88
PID 4972 wrote to memory of 1556	4972	plhU87xn05.exe	88
PID 4972 wrote to memory of 4692	4972	plhU87xn05.exe	95
PID 4972 wrote to memory of 4692	4972	plhU87xn05.exe	95
PID 4972 wrote to memory of 4692	4972	plhU87xn05.exe	95

C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe
"C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1164
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caSJ17Xq60.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caSJ17Xq60.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe

Filesize
885KB

MD5
050363a72618cd8daeceb3e578a5f608

SHA1
7f72580dc1f29095191147279ac3ea7ee976eff5

SHA256
5adcef5c45714294a236f5c66484e82b313aef84bf56cdce8577caef77896598

SHA512
b4e59378df88b3bcf97b86582d441b28ad93801ca377674994553c3e08183d0a6565ea4077cb5348e002c30e1ec8113eb455014789de4bb67765b73734689a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe

Filesize
661KB

MD5
eab9bb6d89f5701078f19c722f8e0dc6

SHA1
594daf0e997b94c904a35c257cee897f4667241d

SHA256
1f3dab058b3609ae76936cfe8367d8ffb7bc1f0e8680781c58f293f33080f582

SHA512
8b4ff732d63c86970d17100c330b729d065089aae9f4382b0eaafbc0238433264d196e014350bc8968c13166fca973218ec45b28b60be5a47592988a2fdca1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe

Filesize
389KB

MD5
e111d6fa6e42fad9c8fae534f9aec3b2

SHA1
48271a3e0d921e33151188a3a6c94d6d053b0107

SHA256
3e5843acfdda309c2adfa2b9ada9c1f203520ff5fa107156ddfa4a7e19d8712e

SHA512
f1f8f4c0dca540115bf63aee244c7c8e7984674534ff79ad4dfa2ebe662e6776de094fce049c922563566450f537916dad2e59ce943e78f35c9a786412acb480

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe

Filesize
11KB

MD5
73d2cf827d90dc57b44c4eed04b3b059

SHA1
49fa2dc46b0cd5b7267dbf3329ed870a78146889

SHA256
df65178a5efd3bcc968265fe47d85b0498a48cde9506cebc5cf3f5cf89ea1a2f

SHA512
a399fd11406b94bd876da627cb71f2bbc3b84d539705613cbab957ba5a827893f8745561eebe05d458d21c9d8efb0e027c88617bb88e71329ab52e66ff3ef7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caSJ17Xq60.exe

Filesize
306KB

MD5
28be961ba67309680c97708ff13bda38

SHA1
b117a1cdde51ca937c2f9c4c0e9b708bb5fee405

SHA256
1f80921dbca4c527f14120c3fbeda5b47ec92c9edbfc83cc1c768385cc7ef436

SHA512
979af5c41f486139f05928ed4adb59c0fedf38b698bcfb367fc8fb97118a91cb2b37b413962a241ced3a497a3fb54cea419394d68c3d932cc85447cbfc4fc4c5

Download Submit
memory/1556-28-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download
memory/4692-70-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-56-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-36-0x0000000004B60000-0x0000000004BA4000-memory.dmp

Filesize
272KB

Download
memory/4692-42-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-52-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-100-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-98-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-96-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-94-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-92-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-90-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-82-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-81-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-76-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-74-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-72-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-34-0x0000000002520000-0x0000000002566000-memory.dmp

Filesize
280KB

Download
memory/4692-68-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-64-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-62-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-58-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-35-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download
memory/4692-50-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-48-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-46-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-44-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-88-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-86-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-85-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-78-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-66-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-60-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-54-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-40-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-38-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-37-0x0000000004B60000-0x0000000004B9E000-memory.dmp

Filesize
248KB

Download
memory/4692-943-0x0000000005300000-0x0000000005918000-memory.dmp

Filesize
6.1MB

Download
memory/4692-944-0x00000000059A0000-0x0000000005AAA000-memory.dmp

Filesize
1.0MB

Download
memory/4692-945-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

Filesize
72KB

Download
memory/4692-946-0x0000000005B00000-0x0000000005B3C000-memory.dmp

Filesize
240KB

Download
memory/4692-947-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download