healer | 908cacdf9847471c19e02468bf6f9de5db7690dbc8f180244f1eb3dacb66dfae

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

908cacdf9847471c19e02468bf6f9de5db7690dbc8f180244f1eb3dacb66dfae.exe
Size

965KB
MD5

82434c52cb9347b02a811be716aa87ce
SHA1

d33b78fee5b199dcdb55d10627bee1071877ff06
SHA256

908cacdf9847471c19e02468bf6f9de5db7690dbc8f180244f1eb3dacb66dfae
SHA512

b6a2327b6911f434280a2a1c25a7193b08cda2d26024a020c9c7cc67ecdaad0a21998521e749d6143de0b614e8df5fb516a2c4514bb6247a1e63c7f78687063d
SSDEEP

24576:Ty0W1K8OVMGhq9eEegpdPY5IY+mHuC4LePNbx:m91kVRapdw5IY+VC4Le

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4268-22-0x0000000004990000-0x00000000049AA000-memory.dmp	healer
behavioral1/memory/4268-24-0x0000000004B50000-0x0000000004B68000-memory.dmp	healer
behavioral1/memory/4268-32-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-50-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-48-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-46-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-44-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-42-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-41-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-38-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-52-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-37-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-34-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-30-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-28-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-26-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4268-25-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr502510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr502510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr502510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr502510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr502510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr502510.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/3200-60-0x00000000049C0000-0x00000000049FC000-memory.dmp	family_redline
behavioral1/memory/3200-61-0x00000000070C0000-0x00000000070FA000-memory.dmp	family_redline
behavioral1/memory/3200-69-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-71-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-95-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-91-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-89-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-87-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-85-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-83-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-81-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-79-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-77-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-73-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-93-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-75-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-67-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-65-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-63-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline
behavioral1/memory/3200-62-0x00000000070C0000-0x00000000070F5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4512	un308840.exe
5056	un744038.exe
4268	pr502510.exe
3200	qu803150.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr502510.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr502510.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	908cacdf9847471c19e02468bf6f9de5db7690dbc8f180244f1eb3dacb66dfae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un308840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un744038.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1692	4268	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un308840.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un744038.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr502510.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu803150.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	908cacdf9847471c19e02468bf6f9de5db7690dbc8f180244f1eb3dacb66dfae.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4268	pr502510.exe
4268	pr502510.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	pr502510.exe
Token: SeDebugPrivilege	3200	qu803150.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3572 wrote to memory of 4512	3572	908cacdf9847471c19e02468bf6f9de5db7690dbc8f180244f1eb3dacb66dfae.exe	84
PID 3572 wrote to memory of 4512	3572	908cacdf9847471c19e02468bf6f9de5db7690dbc8f180244f1eb3dacb66dfae.exe	84
PID 3572 wrote to memory of 4512	3572	908cacdf9847471c19e02468bf6f9de5db7690dbc8f180244f1eb3dacb66dfae.exe	84
PID 4512 wrote to memory of 5056	4512	un308840.exe	85
PID 4512 wrote to memory of 5056	4512	un308840.exe	85
PID 4512 wrote to memory of 5056	4512	un308840.exe	85
PID 5056 wrote to memory of 4268	5056	un744038.exe	86
PID 5056 wrote to memory of 4268	5056	un744038.exe	86
PID 5056 wrote to memory of 4268	5056	un744038.exe	86
PID 5056 wrote to memory of 3200	5056	un744038.exe	98
PID 5056 wrote to memory of 3200	5056	un744038.exe	98
PID 5056 wrote to memory of 3200	5056	un744038.exe	98

C:\Users\Admin\AppData\Local\Temp\908cacdf9847471c19e02468bf6f9de5db7690dbc8f180244f1eb3dacb66dfae.exe
"C:\Users\Admin\AppData\Local\Temp\908cacdf9847471c19e02468bf6f9de5db7690dbc8f180244f1eb3dacb66dfae.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un308840.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un308840.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un744038.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un744038.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr502510.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr502510.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4268
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 1064
        5⤵
        Program crash
        
        PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu803150.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu803150.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4268 -ip 4268
1⤵
PID:3652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un308840.exe

Filesize
706KB

MD5
77ece3ca75ebb2e6a6aee6d91f2e2270

SHA1
60cc4ed2a6b4a709649ab8e82110ae2cc3477e58

SHA256
ca175ec69e9c33b9685d843f5dbf3ec03cad196bbe33467f6b85bd423fe169d3

SHA512
e80e67e2aa19794f82c5926336e1267ab2bda8df5cb63f46b99bb660a7de18133525c6e0769e210610943e46ab513f567cc6c689e4a06b6f38f37e6e274bf63e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un744038.exe

Filesize
551KB

MD5
2891b23a063fb6657de330bc7c16b255

SHA1
38d7c9ca6eda239dd9c932495a1502af8ec2118b

SHA256
131fd14ad7a847285f7b63ade5355c2f62889929423ab3ddfb54b64b5f0b257d

SHA512
0f89fb978e37d204319f4eff265081b288888107b1832dbe4299fc6557a66349f1fc97ff3f81b07f315370e0feb13b9b89b5eac6bfb3bacd3a1a2d02ad7a8b37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr502510.exe

Filesize
279KB

MD5
0de14a667be56772f8ea063f31e15675

SHA1
f7c568912d167746c6f7eef46790fca90a1a7345

SHA256
3c7f0dfd18dec661f76fbd7bc41866af90e3af67c6fdd2751a9aac983216bec8

SHA512
caf82c041f683d0b8563f16c42b90d10922cc3ca956b68281f117f3e433a162abb39cb6db9a9829f40eafef133601250f9c1d366c76bac35215a6e8211628a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu803150.exe

Filesize
362KB

MD5
0b5f35d222d1e15bec21f13f6ea91c6f

SHA1
3d4c04cb0ae765ac0455bf0acdf4360bafd84ff2

SHA256
6d0015870e5e893cbef9539089511ce256641b082b59db97654ab30397b4f1ba

SHA512
152dc54fda5db11ce7c3bd014c3031b473a7c952746bd81180d1e939abf2f3c6be3c5ef5c16580f20ae3f2fa47a80b1904041d4c5518b08c94879e21d267c358

Download Submit
memory/3200-77-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-93-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-858-0x0000000006BF0000-0x0000000006C3C000-memory.dmp

Filesize
304KB

Download
memory/3200-69-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-71-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-856-0x000000000A370000-0x000000000A47A000-memory.dmp

Filesize
1.0MB

Download
memory/3200-855-0x000000000A350000-0x000000000A362000-memory.dmp

Filesize
72KB

Download
memory/3200-854-0x0000000009CF0000-0x000000000A308000-memory.dmp

Filesize
6.1MB

Download
memory/3200-62-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-63-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-65-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-67-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-75-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-73-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-79-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-81-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-83-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-95-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-85-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-87-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-60-0x00000000049C0000-0x00000000049FC000-memory.dmp

Filesize
240KB

Download
memory/3200-61-0x00000000070C0000-0x00000000070FA000-memory.dmp

Filesize
232KB

Download
memory/3200-89-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/3200-857-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

Filesize
240KB

Download
memory/3200-91-0x00000000070C0000-0x00000000070F5000-memory.dmp

Filesize
212KB

Download
memory/4268-24-0x0000000004B50000-0x0000000004B68000-memory.dmp

Filesize
96KB

Download
memory/4268-46-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-37-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-34-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-25-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-26-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-28-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-53-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/4268-32-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-23-0x00000000071D0000-0x0000000007774000-memory.dmp

Filesize
5.6MB

Download
memory/4268-22-0x0000000004990000-0x00000000049AA000-memory.dmp

Filesize
104KB

Download
memory/4268-55-0x0000000000400000-0x0000000002BAF000-memory.dmp

Filesize
39.7MB

Download
memory/4268-52-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-38-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-41-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-42-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-44-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-50-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-48-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4268-30-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download