healer | 3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 21:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd.exe
Size

689KB
MD5

565989d9643831e5d78d7a84d9b6a73a
SHA1

e7ba1942d15a65a9700c21896b1f81fb2f1fa46a
SHA256

3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd
SHA512

45bfe3efc55097d732413594b7d72ac44db549930f5b330d9bd7b25383004b7aac1c7ec570645a9a9fcdf172812e20ca999b7c001cc052c3803a6bea6320b174
SSDEEP

12288:KMrYy907BjiAJtszxhIywIITdu3tkt/bJpMlGWCE8EdxJHbtKhChHEOX:Oywtio8xOyhIt/QFj8Edjb0dw

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2216-19-0x00000000026B0000-0x00000000026CA000-memory.dmp	healer
behavioral1/memory/2216-21-0x00000000028C0000-0x00000000028D8000-memory.dmp	healer
behavioral1/memory/2216-45-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-49-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-47-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-43-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-41-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-39-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-37-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-36-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-33-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-31-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-30-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-27-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-25-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-23-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer
behavioral1/memory/2216-22-0x00000000028C0000-0x00000000028D2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro6732.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6732.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro6732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6732.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5116-61-0x00000000026C0000-0x0000000002706000-memory.dmp	family_redline
behavioral1/memory/5116-62-0x00000000053B0000-0x00000000053F4000-memory.dmp	family_redline
behavioral1/memory/5116-66-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-80-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-96-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-94-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-93-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-89-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-86-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-84-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-82-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-78-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-76-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-74-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-72-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-70-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-68-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-90-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-64-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline
behavioral1/memory/5116-63-0x00000000053B0000-0x00000000053EF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un895374.exepro6732.exequ0986.exe

pid process

5076 un895374.exe
2216 pro6732.exe
5116 qu0986.exe

pid	process
5076	un895374.exe
2216	pro6732.exe
5116	qu0986.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro6732.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6732.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6732.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd.exeun895374.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un895374.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2052 2216 WerFault.exe pro6732.exe

pid	pid_target	process	target process
2052	2216	WerFault.exe	pro6732.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd.exeun895374.exepro6732.exequ0986.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un895374.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro6732.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu0986.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro6732.exe

pid process

2216 pro6732.exe
2216 pro6732.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro6732.exequ0986.exe

description pid process

Token: SeDebugPrivilege 2216 pro6732.exe
Token: SeDebugPrivilege 5116 qu0986.exe

pid	process
2216	pro6732.exe
2216	pro6732.exe

description	pid	process
Token: SeDebugPrivilege	2216	pro6732.exe
Token: SeDebugPrivilege	5116	qu0986.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd.exeun895374.exe

description	pid	process	target process
PID 452 wrote to memory of 5076	452	3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd.exe	un895374.exe
PID 452 wrote to memory of 5076	452	3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd.exe	un895374.exe
PID 452 wrote to memory of 5076	452	3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd.exe	un895374.exe
PID 5076 wrote to memory of 2216	5076	un895374.exe	pro6732.exe
PID 5076 wrote to memory of 2216	5076	un895374.exe	pro6732.exe
PID 5076 wrote to memory of 2216	5076	un895374.exe	pro6732.exe
PID 5076 wrote to memory of 5116	5076	un895374.exe	qu0986.exe
PID 5076 wrote to memory of 5116	5076	un895374.exe	qu0986.exe
PID 5076 wrote to memory of 5116	5076	un895374.exe	qu0986.exe

C:\Users\Admin\AppData\Local\Temp\3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd.exe
"C:\Users\Admin\AppData\Local\Temp\3d14aed5ae97a1936daa392969f4ef1092c0e61e71ac65c9b1a8c292da4832dd.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un895374.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un895374.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6732.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6732.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 1096
4⤵
- Program crash
PID:2052

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0986.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0986.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2216 -ip 2216
1⤵
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un895374.exe

Filesize
536KB

MD5
da8be95379904a110ef61087da15f0c6

SHA1
6cf2b36a3b3fdddad0780c55a62908f467ecaa16

SHA256
f323018d7fdd9104b47819747786139bb1de18d8903c49a2024ef4dd51adef70

SHA512
355d98bb82892cfe2f28311022b0c379d9d54b327ac15f02b0bf52e16b3cc9a8dadc62a32a5e8cbc55e063fdbb19373ac587f3dd29bf9c5500ed671dfc54234d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6732.exe

Filesize
314KB

MD5
004b06aa507a20a21c38f74fcd783efc

SHA1
4c1f5095a4b62640ad512de5bbc4658f2f82c388

SHA256
c7343fbd4e9e1192945896bfd6405217f280786131ba5f1dbdddab090c348bd8

SHA512
fc377600ca9d6969c73759b58a4954e3d58da6d7815ccfc85af26b80cdd656bded2855ad76239e0382113837b27f1221351a64741d2da71030346b8d8ff0ad55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0986.exe

Filesize
372KB

MD5
6c4756af28f16a59e9fe591a1ae8d8c4

SHA1
b5bcc25f5338f0f06f61278c41440a6fdfa8bc31

SHA256
dbfee061437978f2dd003434e5d9a0d41ebcb8af058e0f8dc3483cf9d62f85bc

SHA512
3c624d8cc087bd524c659e5981dc9ee7eca965a2ab16223a82cc589bd32f06354514efcb9d1ff4dc5ead11c9825ca13529f62a5fde61fea1b3f6b50e634185c2

Download Submit
memory/2216-15-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/2216-16-0x00000000008F0000-0x000000000091D000-memory.dmp

Filesize
180KB

Download
memory/2216-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-18-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/2216-19-0x00000000026B0000-0x00000000026CA000-memory.dmp

Filesize
104KB

Download
memory/2216-20-0x0000000004EA0000-0x0000000005444000-memory.dmp

Filesize
5.6MB

Download
memory/2216-21-0x00000000028C0000-0x00000000028D8000-memory.dmp

Filesize
96KB

Download
memory/2216-45-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-49-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-47-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-43-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-41-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-39-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-37-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-36-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-33-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-31-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-30-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-27-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-25-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-23-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-22-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/2216-50-0x0000000000940000-0x0000000000A40000-memory.dmp

Filesize
1024KB

Download
memory/2216-51-0x00000000008F0000-0x000000000091D000-memory.dmp

Filesize
180KB

Download
memory/2216-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-55-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/5116-61-0x00000000026C0000-0x0000000002706000-memory.dmp

Filesize
280KB

Download
memory/5116-62-0x00000000053B0000-0x00000000053F4000-memory.dmp

Filesize
272KB

Download
memory/5116-66-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-80-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-96-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-94-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-93-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-89-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-86-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-84-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-82-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-78-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-76-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-74-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-72-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-70-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-68-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-90-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-64-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-63-0x00000000053B0000-0x00000000053EF000-memory.dmp

Filesize
252KB

Download
memory/5116-969-0x0000000005450000-0x0000000005A68000-memory.dmp

Filesize
6.1MB

Download
memory/5116-970-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

Filesize
1.0MB

Download
memory/5116-971-0x0000000005C30000-0x0000000005C42000-memory.dmp

Filesize
72KB

Download
memory/5116-972-0x0000000005C50000-0x0000000005C8C000-memory.dmp

Filesize
240KB

Download
memory/5116-973-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

Filesize
304KB

Download