healer | d091876f89ec9ac3e8ea89905e8233f952137289d8ec97d9d19cc608b61f01ac

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d091876f89ec9ac3e8ea89905e8233f952137289d8ec97d9d19cc608b61f01ac.exe
Size

1.0MB
MD5

da37f484567f028fbee862951bbe7d8e
SHA1

55a920f4348a864832135552930f32bd9b52f5b7
SHA256

d091876f89ec9ac3e8ea89905e8233f952137289d8ec97d9d19cc608b61f01ac
SHA512

ae4a097ec2e02229586e0ae7d87fee495443875ab419f0b2e88fa8ff17d0ce00f6453c44e2f52c8bd024f9f22f30dcbf6ba33c7e259d2b14d8c345228d5dbc6d
SSDEEP

24576:my8XCBW1jXZTrhX2LdI3LHMwxVdrYtqpxGsNbqjjo:1gTrNoOM+dEgp7bqjj

Score

10^/10

healer redline ronur discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ronur

193.233.20.20:4134

Attributes

auth_value
f88f86755a528d4b25f6f3628c460965

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/5040-29-0x00000000026E0000-0x00000000026FA000-memory.dmp	healer
behavioral1/memory/5040-31-0x0000000005210000-0x0000000005228000-memory.dmp	healer
behavioral1/memory/5040-43-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-59-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-57-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-55-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-53-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-51-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-49-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-47-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-45-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-41-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-39-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-37-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-35-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-33-0x0000000005210000-0x0000000005222000-memory.dmp	healer
behavioral1/memory/5040-32-0x0000000005210000-0x0000000005222000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	aOT08YG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	aOT08YG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	aOT08YG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	aOT08YG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	aOT08YG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	aOT08YG.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4972-67-0x0000000002560000-0x00000000025A6000-memory.dmp	family_redline
behavioral1/memory/4972-68-0x0000000002610000-0x0000000002654000-memory.dmp	family_redline
behavioral1/memory/4972-72-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-70-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-69-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-90-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-102-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-100-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-98-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-94-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-92-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-88-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-86-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-85-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-82-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-80-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-79-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-76-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-74-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline
behavioral1/memory/4972-96-0x0000000002610000-0x000000000264E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
3696	nqS72uf.exe
1536	nFd93lV.exe
1140	nQm14kp.exe
5040	aOT08YG.exe
4972	byQ93wr.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	aOT08YG.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	aOT08YG.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d091876f89ec9ac3e8ea89905e8233f952137289d8ec97d9d19cc608b61f01ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nqS72uf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	nFd93lV.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	nQm14kp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2548	5040	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byQ93wr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d091876f89ec9ac3e8ea89905e8233f952137289d8ec97d9d19cc608b61f01ac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nqS72uf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nFd93lV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nQm14kp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aOT08YG.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5040	aOT08YG.exe
5040	aOT08YG.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	aOT08YG.exe
Token: SeDebugPrivilege	4972	byQ93wr.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 3696	2760	d091876f89ec9ac3e8ea89905e8233f952137289d8ec97d9d19cc608b61f01ac.exe	84
PID 2760 wrote to memory of 3696	2760	d091876f89ec9ac3e8ea89905e8233f952137289d8ec97d9d19cc608b61f01ac.exe	84
PID 2760 wrote to memory of 3696	2760	d091876f89ec9ac3e8ea89905e8233f952137289d8ec97d9d19cc608b61f01ac.exe	84
PID 3696 wrote to memory of 1536	3696	nqS72uf.exe	85
PID 3696 wrote to memory of 1536	3696	nqS72uf.exe	85
PID 3696 wrote to memory of 1536	3696	nqS72uf.exe	85
PID 1536 wrote to memory of 1140	1536	nFd93lV.exe	86
PID 1536 wrote to memory of 1140	1536	nFd93lV.exe	86
PID 1536 wrote to memory of 1140	1536	nFd93lV.exe	86
PID 1140 wrote to memory of 5040	1140	nQm14kp.exe	87
PID 1140 wrote to memory of 5040	1140	nQm14kp.exe	87
PID 1140 wrote to memory of 5040	1140	nQm14kp.exe	87
PID 1140 wrote to memory of 4972	1140	nQm14kp.exe	102
PID 1140 wrote to memory of 4972	1140	nQm14kp.exe	102
PID 1140 wrote to memory of 4972	1140	nQm14kp.exe	102

C:\Users\Admin\AppData\Local\Temp\d091876f89ec9ac3e8ea89905e8233f952137289d8ec97d9d19cc608b61f01ac.exe
"C:\Users\Admin\AppData\Local\Temp\d091876f89ec9ac3e8ea89905e8233f952137289d8ec97d9d19cc608b61f01ac.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nqS72uf.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nqS72uf.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nFd93lV.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nFd93lV.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nQm14kp.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nQm14kp.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1140
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aOT08YG.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aOT08YG.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1100
        6⤵
        Program crash
        
        PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\byQ93wr.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\byQ93wr.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5040 -ip 5040
1⤵
PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nqS72uf.exe

Filesize
886KB

MD5
74deaf85a44901b1275c215ec9ddc5ba

SHA1
cf374bcc4c64318cc635f0983197dacf88847179

SHA256
b69ec3cce5e32297c4902e97166c34c6a52f7947556cf1e9bae92bc8a060baef

SHA512
277b6584a8bb87f3a8d53baef6ba9c9883acc5b3fb86f1ff8c5e4526c9785bd2b06d3e7ba0639e384dde5619bcafecc0ae353308aeb88631e3df489688c974e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nFd93lV.exe

Filesize
652KB

MD5
22a3cf3febcccbf196011b101f2fae65

SHA1
5cf38498ae14900b1173e0fab859cba47b26a855

SHA256
fa708c740750c5ffd2aaf8745dd2c6b31c24894fbf524ad26644792e6619acd7

SHA512
7c716971aa765955ea27beb325fc1765cf739a96c35275606c0dc7340f2c7b9de8ba2e4ff15106f34b401ac11052543af832e090689bb86ceaa0514465a4c738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nQm14kp.exe

Filesize
507KB

MD5
352bba05c2eb4611940fc400e16a7ec4

SHA1
3e84383956f40672c1404d2e9e864a97752c248e

SHA256
5a483bc83b893082923842dba8d54144df9e9ece460d445f51e3fade2c921abb

SHA512
08e5cb2e8c2c5864f4ddf75317b76b0de4d8756c6747a8bb0847053f970fdb1e751a41d84afa5a773d665fb44f740a07faf4e109d79b08b32acdf7690d6ae271

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\aOT08YG.exe

Filesize
208KB

MD5
6d9ce22445ea63a84dfb10690ebc7ced

SHA1
f26d24cdb278ba5e102d990f996ccc380ed7970b

SHA256
4f4e5d9e73183407553c7e67288679bf83c80a2054a9c342e80489d7319c2a2c

SHA512
35f7189ae6aee1c4d11344bd94b8b6cf3933274140f6f37a32355b05b158f42bf3da5a0cf35ba5dcf62c09ccaa433f0e7da2f5da24ab1e5a7ab339cd6099b343

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\byQ93wr.exe

Filesize
267KB

MD5
5c95e1356b158b8f7101c1ed0b5ca0c3

SHA1
fa5bd1e797078ef3ad094879657aab80d4d339bc

SHA256
e5642d5842867e0544eb5cf2d31b8970ad464fe431b40b598b69bb5386b19a1f

SHA512
60e90dadd79dc9a8311d4311c39e289bc3a1a6029eeab918d8a0f160672a6343e6bfd95bdcd5747551c7525d1ebbd4b3a39fd8ee8ced6b723c0da28a4488e919

Download Submit
memory/4972-88-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-82-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-979-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/4972-72-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-70-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-977-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/4972-976-0x0000000005860000-0x000000000596A000-memory.dmp

Filesize
1.0MB

Download
memory/4972-975-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/4972-96-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-74-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-76-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-79-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-80-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-85-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-86-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-92-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-94-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-69-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-98-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-100-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-67-0x0000000002560000-0x00000000025A6000-memory.dmp

Filesize
280KB

Download
memory/4972-68-0x0000000002610000-0x0000000002654000-memory.dmp

Filesize
272KB

Download
memory/4972-102-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/4972-978-0x00000000059C0000-0x00000000059FC000-memory.dmp

Filesize
240KB

Download
memory/4972-90-0x0000000002610000-0x000000000264E000-memory.dmp

Filesize
248KB

Download
memory/5040-62-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/5040-55-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-41-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-39-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-32-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-33-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-29-0x00000000026E0000-0x00000000026FA000-memory.dmp

Filesize
104KB

Download
memory/5040-60-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/5040-43-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-31-0x0000000005210000-0x0000000005228000-memory.dmp

Filesize
96KB

Download
memory/5040-35-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-30-0x0000000004C20000-0x00000000051C4000-memory.dmp

Filesize
5.6MB

Download
memory/5040-45-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-47-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-49-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-51-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-53-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-59-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-57-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/5040-37-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download