healer | 4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe
Size

518KB
MD5

1a86b112df7dbd1a210d5cf5ec4319bb
SHA1

bc1c900a92746788fb89b50e9812726953892b58
SHA256

4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8
SHA512

3ae8cf98fa8cb136ac23421a5e2beab1dd799101d6c95dda8b4fd1cb633f30ba57c6525c904da4a92a199dc29fffc58368f6a7384cd55db6d4a7e2fdce9b48ab
SSDEEP

12288:AMrRy90HlBzyssq5jd1DiKOMdo5qdqPMtQorN2z:hySlRys/5WKOMhWMtQo5c

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2176-12-0x00000000023C0000-0x00000000023DA000-memory.dmp	healer
behavioral1/memory/2176-14-0x0000000004A50000-0x0000000004A68000-memory.dmp	healer
behavioral1/memory/2176-15-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-42-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-40-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-38-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-36-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-34-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-32-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-30-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-28-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-26-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-24-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-22-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-20-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-18-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer
behavioral1/memory/2176-16-0x0000000004A50000-0x0000000004A62000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro8658.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8658.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1388-57-0x0000000002480000-0x00000000024C6000-memory.dmp	family_redline
behavioral1/memory/1388-58-0x0000000002560000-0x00000000025A4000-memory.dmp	family_redline
behavioral1/memory/1388-62-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-70-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-92-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-91-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-86-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-84-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-82-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-80-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-78-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-76-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-74-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-72-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-68-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-66-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-64-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-88-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-60-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/1388-59-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 2 IoCs

Processes:

pro8658.exequ6282.exe

pid process

2176 pro8658.exe
1388 qu6282.exe

pid	process
2176	pro8658.exe
1388	qu6282.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro8658.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8658.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8658.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4768 2176 WerFault.exe pro8658.exe

pid	pid_target	process	target process
4768	2176	WerFault.exe	pro8658.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exepro8658.exequ6282.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro8658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu6282.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro8658.exe

pid process

2176 pro8658.exe
2176 pro8658.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro8658.exequ6282.exe

description pid process

Token: SeDebugPrivilege 2176 pro8658.exe
Token: SeDebugPrivilege 1388 qu6282.exe

pid	process
2176	pro8658.exe
2176	pro8658.exe

description	pid	process
Token: SeDebugPrivilege	2176	pro8658.exe
Token: SeDebugPrivilege	1388	qu6282.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe

description	pid	process	target process
PID 380 wrote to memory of 2176	380	4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe	pro8658.exe
PID 380 wrote to memory of 2176	380	4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe	pro8658.exe
PID 380 wrote to memory of 2176	380	4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe	pro8658.exe
PID 380 wrote to memory of 1388	380	4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe	qu6282.exe
PID 380 wrote to memory of 1388	380	4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe	qu6282.exe
PID 380 wrote to memory of 1388	380	4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe	qu6282.exe

C:\Users\Admin\AppData\Local\Temp\4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe
"C:\Users\Admin\AppData\Local\Temp\4dc2512d6807f8f7cd927cc2f5387b621d9719e2191bed2b373c25f90d5409e8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro8658.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro8658.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 1080
3⤵
- Program crash
PID:4768

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu6282.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu6282.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2176 -ip 2176
1⤵
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro8658.exe

Filesize
237KB

MD5
eb5320b78f4e24646dc605fff022635b

SHA1
df8a699d6af5e8e358e81ca5ace00cdd10027790

SHA256
e3132cfb6127772f41eed0bfd1ab8208f1eaccae7655de0d3305840d29d2b281

SHA512
5e218b777ee732da95261a216cb7fbf19e5a182d79c06dc99f1490809a69cded1a690dd044573094fcf4a2b2b99dc54ba7a88f57273885dd62c36fba8ed5b50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu6282.exe

Filesize
295KB

MD5
2b42198f4422780ecbdd8963037727cd

SHA1
b0060adc70a374b9bf98cfa349fa0e9538c4ce96

SHA256
5a9dd63a2b59caf12dd464bb0dc267a6728e21f6ca2ad77b67d8684476a25e3f

SHA512
cedc078776f9d2c9d2049bf195311ea730549f42fc2766417a4f91517188c664f8a8db28e7406255bc7140670c84745c8daf26a26a978c91fe46b64dfba5c68c

Download Submit
memory/1388-78-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-76-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-969-0x0000000004D60000-0x0000000004DAC000-memory.dmp

Filesize
304KB

Download
memory/1388-968-0x00000000027B0000-0x00000000027EC000-memory.dmp

Filesize
240KB

Download
memory/1388-54-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1388-966-0x0000000004C40000-0x0000000004D4A000-memory.dmp

Filesize
1.0MB

Download
memory/1388-965-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/1388-59-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-60-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-88-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-64-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-66-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-68-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-72-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-74-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-80-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-82-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-55-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1388-86-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-91-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-92-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-70-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-62-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-58-0x0000000002560000-0x00000000025A4000-memory.dmp

Filesize
272KB

Download
memory/1388-57-0x0000000002480000-0x00000000024C6000-memory.dmp

Filesize
280KB

Download
memory/1388-56-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/1388-84-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/1388-967-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2176-13-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/2176-26-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-44-0x0000000000850000-0x000000000087D000-memory.dmp

Filesize
180KB

Download
memory/2176-45-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2176-10-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2176-43-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/2176-16-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-18-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-20-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-22-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-24-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-11-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2176-48-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2176-49-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2176-42-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-30-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-32-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-9-0x0000000000850000-0x000000000087D000-memory.dmp

Filesize
180KB

Download
memory/2176-36-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-38-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-40-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-28-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-15-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download
memory/2176-14-0x0000000004A50000-0x0000000004A68000-memory.dmp

Filesize
96KB

Download
memory/2176-8-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/2176-12-0x00000000023C0000-0x00000000023DA000-memory.dmp

Filesize
104KB

Download
memory/2176-34-0x0000000004A50000-0x0000000004A62000-memory.dmp

Filesize
72KB

Download