healer | c2635fc6abb5efe4239e4475d445bae934b6ff2714ec146a8fc3c7163f6f96ba

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2635fc6abb5efe4239e4475d445bae934b6ff2714ec146a8fc3c7163f6f96ba.exe
Size

659KB
MD5

4ec4b39095f201ab363e742d68b8e6c5
SHA1

e81dc50339b4de567dd8056ce17f8e213d32d038
SHA256

c2635fc6abb5efe4239e4475d445bae934b6ff2714ec146a8fc3c7163f6f96ba
SHA512

2d131be09bef9cab4434da529710d977ca697ad617c525e48c29c796ad1c7693d2ee9583e1a71edbe0fa7fb0546ccb7a4ffd672de9fcfef7164966ae16e6d748
SSDEEP

12288:fMriy90oXieUny1orbEa/oG0w57Tw/m1wbf5Kwa/km/mEqqV6Rg:JyCeU3b7/oG0mo/m1cAumwg

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1476-19-0x0000000002360000-0x000000000237A000-memory.dmp	healer
behavioral1/memory/1476-21-0x0000000002390000-0x00000000023A8000-memory.dmp	healer
behavioral1/memory/1476-41-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-45-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-49-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-47-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-43-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-39-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-37-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-36-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-34-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-31-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-30-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-27-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-25-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-23-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1476-22-0x0000000002390000-0x00000000023A2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8306.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8306.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4584-60-0x00000000023B0000-0x00000000023F6000-memory.dmp	family_redline
behavioral1/memory/4584-61-0x0000000002860000-0x00000000028A4000-memory.dmp	family_redline
behavioral1/memory/4584-77-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-75-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-73-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-72-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-96-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-83-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-69-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-67-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-65-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-63-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-62-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-93-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-91-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-89-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-87-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-85-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-81-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline
behavioral1/memory/4584-80-0x0000000002860000-0x000000000289F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2980	un726192.exe
1476	pro8306.exe
4584	qu4228.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8306.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c2635fc6abb5efe4239e4475d445bae934b6ff2714ec146a8fc3c7163f6f96ba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un726192.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3992	1476	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2635fc6abb5efe4239e4475d445bae934b6ff2714ec146a8fc3c7163f6f96ba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un726192.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro8306.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu4228.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1476	pro8306.exe
1476	pro8306.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	pro8306.exe
Token: SeDebugPrivilege	4584	qu4228.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 2980	3140	c2635fc6abb5efe4239e4475d445bae934b6ff2714ec146a8fc3c7163f6f96ba.exe	86
PID 3140 wrote to memory of 2980	3140	c2635fc6abb5efe4239e4475d445bae934b6ff2714ec146a8fc3c7163f6f96ba.exe	86
PID 3140 wrote to memory of 2980	3140	c2635fc6abb5efe4239e4475d445bae934b6ff2714ec146a8fc3c7163f6f96ba.exe	86
PID 2980 wrote to memory of 1476	2980	un726192.exe	87
PID 2980 wrote to memory of 1476	2980	un726192.exe	87
PID 2980 wrote to memory of 1476	2980	un726192.exe	87
PID 2980 wrote to memory of 4584	2980	un726192.exe	101
PID 2980 wrote to memory of 4584	2980	un726192.exe	101
PID 2980 wrote to memory of 4584	2980	un726192.exe	101

C:\Users\Admin\AppData\Local\Temp\c2635fc6abb5efe4239e4475d445bae934b6ff2714ec146a8fc3c7163f6f96ba.exe
"C:\Users\Admin\AppData\Local\Temp\c2635fc6abb5efe4239e4475d445bae934b6ff2714ec146a8fc3c7163f6f96ba.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un726192.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un726192.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8306.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8306.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 1084
      4⤵
      Program crash
      PID:3992
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4228.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4228.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1476 -ip 1476
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un726192.exe

Filesize
518KB

MD5
99445cecccccc7f5902b9666b6d2dc44

SHA1
bd29cad94c0aa839d269395e183bbe788e8a7662

SHA256
fd6ff51c28ca1c2cf1bee251f5b0251f91c71bbb99a768a03c7ca484b2ea6ff5

SHA512
38af1980ddf43b008e887d76269cf33713932bc4fbd5052f71376246a0f3e0c0fe397950c8557d42a911745798649c5e770a2397d65bddda06e96faa788e8117

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8306.exe

Filesize
376KB

MD5
12c4b029038fe5bf2d66e36808b27c8a

SHA1
b0bd95576fd7d527324a55828eb5662cdb617478

SHA256
f04e3ce888bfbbbe2d0dd43bc210311e1d30b5327d14dc8df4c3694698943421

SHA512
186369831eb8648a97616f1efe4843de09f8e3d9f2c6474189fe4b2e394618eec6a4df77d096c0bcf2270e9a3b28d82d327e6dca0b5ce777cae6bff209cd4aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu4228.exe

Filesize
434KB

MD5
e3b5dbca98a0bea2623089ad6d061945

SHA1
d038281cee8b771d4603baed72c459959b20bca2

SHA256
c68be545cbad292e94892d3c13bd05f25781666ca7753d6e83aaa6563b53a348

SHA512
0303ffcced32bf5ec74ed2214980d9dc8d8c00644f90c6e596af8447539f71aff6f3dd40ab09c5cf5f37146cf27925de7ad0d5d377fc852b31f313142ecd4c26

Download Submit
memory/1476-15-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/1476-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1476-17-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/1476-18-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/1476-19-0x0000000002360000-0x000000000237A000-memory.dmp

Filesize
104KB

Download
memory/1476-20-0x0000000004DB0000-0x0000000005354000-memory.dmp

Filesize
5.6MB

Download
memory/1476-21-0x0000000002390000-0x00000000023A8000-memory.dmp

Filesize
96KB

Download
memory/1476-41-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-45-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-49-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-47-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-43-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-39-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-37-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-36-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-34-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-31-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-30-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-27-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-25-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-23-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-22-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1476-50-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/1476-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1476-54-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/1476-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4584-60-0x00000000023B0000-0x00000000023F6000-memory.dmp

Filesize
280KB

Download
memory/4584-61-0x0000000002860000-0x00000000028A4000-memory.dmp

Filesize
272KB

Download
memory/4584-77-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-75-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-73-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-72-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-96-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-83-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-69-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-67-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-65-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-63-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-62-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-93-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-91-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-89-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-87-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-85-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-81-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-80-0x0000000002860000-0x000000000289F000-memory.dmp

Filesize
252KB

Download
memory/4584-968-0x0000000005240000-0x0000000005858000-memory.dmp

Filesize
6.1MB

Download
memory/4584-969-0x0000000005890000-0x000000000599A000-memory.dmp

Filesize
1.0MB

Download
memory/4584-970-0x00000000059D0000-0x00000000059E2000-memory.dmp

Filesize
72KB

Download
memory/4584-971-0x0000000005A30000-0x0000000005A6C000-memory.dmp

Filesize
240KB

Download
memory/4584-972-0x0000000005B70000-0x0000000005BBC000-memory.dmp

Filesize
304KB

Download