healer | f5aa125c807a79c83ed8d135711c2e4d862788cacabae1ebd885c17f28b105a3

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5aa125c807a79c83ed8d135711c2e4d862788cacabae1ebd885c17f28b105a3.exe
Size

536KB
MD5

a34154085aed6230686e76a4e422e5bd
SHA1

c7337e7ef88139b489a6f849960c76622c8209b7
SHA256

f5aa125c807a79c83ed8d135711c2e4d862788cacabae1ebd885c17f28b105a3
SHA512

7962cecd8581454cacdcab9dddbd2cf2a1c03c1563f161fc5e4ecc1cce3293b039eac5251b2ab2e002f7a7ae13386b22ab331e7ebacbec7e4d4b07c6a4e29ed2
SSDEEP

12288:TMrsy90sQcaN5/lmuCtoLGgNbzhw1tLQrjiG:vyf9abqtoqgNbatcyG

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b5e-12.dat	healer
behavioral1/memory/3632-15-0x00000000006F0000-0x00000000006FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr886161.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr886161.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr886161.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr886161.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr886161.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr886161.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/404-21-0x0000000002A00000-0x0000000002A46000-memory.dmp	family_redline
behavioral1/memory/404-23-0x0000000005500000-0x0000000005544000-memory.dmp	family_redline
behavioral1/memory/404-31-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-41-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-85-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-83-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-81-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-79-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-77-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-75-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-73-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-71-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-67-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-65-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-63-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-61-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-59-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-58-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-55-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-53-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-51-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-49-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-47-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-43-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-39-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-37-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-35-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-33-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-87-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-69-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-45-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-29-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-27-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-25-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline
behavioral1/memory/404-24-0x0000000005500000-0x000000000553F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2932	ziiO8199.exe
3632	jr886161.exe
404	ku250141.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr886161.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziiO8199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f5aa125c807a79c83ed8d135711c2e4d862788cacabae1ebd885c17f28b105a3.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5aa125c807a79c83ed8d135711c2e4d862788cacabae1ebd885c17f28b105a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziiO8199.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku250141.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3632	jr886161.exe
3632	jr886161.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3632	jr886161.exe
Token: SeDebugPrivilege	404	ku250141.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2932	1840	f5aa125c807a79c83ed8d135711c2e4d862788cacabae1ebd885c17f28b105a3.exe	84
PID 1840 wrote to memory of 2932	1840	f5aa125c807a79c83ed8d135711c2e4d862788cacabae1ebd885c17f28b105a3.exe	84
PID 1840 wrote to memory of 2932	1840	f5aa125c807a79c83ed8d135711c2e4d862788cacabae1ebd885c17f28b105a3.exe	84
PID 2932 wrote to memory of 3632	2932	ziiO8199.exe	85
PID 2932 wrote to memory of 3632	2932	ziiO8199.exe	85
PID 2932 wrote to memory of 404	2932	ziiO8199.exe	96
PID 2932 wrote to memory of 404	2932	ziiO8199.exe	96
PID 2932 wrote to memory of 404	2932	ziiO8199.exe	96

C:\Users\Admin\AppData\Local\Temp\f5aa125c807a79c83ed8d135711c2e4d862788cacabae1ebd885c17f28b105a3.exe
"C:\Users\Admin\AppData\Local\Temp\f5aa125c807a79c83ed8d135711c2e4d862788cacabae1ebd885c17f28b105a3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiO8199.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiO8199.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr886161.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr886161.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku250141.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku250141.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziiO8199.exe

Filesize
394KB

MD5
7a9321ecb86d038181341114c791000b

SHA1
67cea13dd94ff5bce07e027254e7569c32f33bcd

SHA256
7b4aed1ce175ea965ca49a1b9fef550d2291cd9dbbb9a07722a61a242ce1f9d0

SHA512
0f7ba135b223e54b08564c6360c20bfa23f663218517e61e4f2a8b9f2d662839a881c5bcb485148901520476d674e7b8d88e5b37f4ce9a919cd6ac0891ff4ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr886161.exe

Filesize
13KB

MD5
47c176aedb0cf8796fc844bedd325b45

SHA1
c647ed6b21e4fea0e7ee26e4e27cc8e22230669b

SHA256
b1296d1026a21aa4d5b9267196fa0cec0ac29d432f41011fd4ffca385b3379c0

SHA512
96c0fbfea8ad9b4cdd9e8007ff2d5e84b1fe3d5c80dd679981793839cb8e80f0c3dd91e8f7c2700af19353e4244826dbbf16a02896937984ce7d4acc03b1e120

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku250141.exe

Filesize
353KB

MD5
2835e3e39fa9c50afcd6867a11491946

SHA1
437c97b750b8fd011ea2117eefbbc51d3ac9ce10

SHA256
a458bf7f1d70dd63fe9e227e3be014322a022162b63d9e1d053c38813b3145e8

SHA512
b33fece240dfba13556c9f54eaa8e2ee376bf380c8cfdfe7e13cc3d96bb2b843686ebb3e7d4d043e188451bb7f62824b7a79db2a95fd097964dc92680af97b19

Download Submit
memory/404-59-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-22-0x0000000004F10000-0x00000000054B4000-memory.dmp

Filesize
5.6MB

Download
memory/404-21-0x0000000002A00000-0x0000000002A46000-memory.dmp

Filesize
280KB

Download
memory/404-55-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-23-0x0000000005500000-0x0000000005544000-memory.dmp

Filesize
272KB

Download
memory/404-31-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-41-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-85-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-83-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-81-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-79-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-77-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-75-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-73-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-71-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-53-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-65-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-63-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-61-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-934-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

Filesize
304KB

Download
memory/404-933-0x0000000005D80000-0x0000000005DBC000-memory.dmp

Filesize
240KB

Download
memory/404-58-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-67-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-51-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-49-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-47-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-43-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-39-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-37-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-35-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-33-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-87-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-69-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-45-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-29-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-27-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-25-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-24-0x0000000005500000-0x000000000553F000-memory.dmp

Filesize
252KB

Download
memory/404-930-0x0000000005580000-0x0000000005B98000-memory.dmp

Filesize
6.1MB

Download
memory/404-931-0x0000000005C20000-0x0000000005D2A000-memory.dmp

Filesize
1.0MB

Download
memory/404-932-0x0000000005D60000-0x0000000005D72000-memory.dmp

Filesize
72KB

Download
memory/3632-15-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/3632-14-0x00007FF9DE053000-0x00007FF9DE055000-memory.dmp

Filesize
8KB

Download