healer | ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe
Size

666KB
MD5

bdcea0bbc83f644859872c3ddcd08552
SHA1

1ed36bc946ba0df88ea902fec6aa392510bca77f
SHA256

ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00
SHA512

29d4f670b480b05e68b61064ddcd4447deee23ec0f84eef2b9caa34e5bf835168741a3055d8d3e2d5bf335a6e040126910596db22e5e1abdd14bb690386aee65
SSDEEP

12288:gMrGy90nWiu0A+CyYdUcS1Sjb9o8b+vHVsvtnRc4l2ZtLNcbXX2EpTBll//iiX:WyxiuWCxFq7VsvtnRc48ZlNc6EpPd/BX

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4020-19-0x0000000002880000-0x000000000289A000-memory.dmp	healer
behavioral1/memory/4020-21-0x0000000002A50000-0x0000000002A68000-memory.dmp	healer
behavioral1/memory/4020-47-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-46-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-43-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-41-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-40-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-37-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-35-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-33-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-31-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-49-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-29-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-27-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-25-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-23-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer
behavioral1/memory/4020-22-0x0000000002A50000-0x0000000002A62000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro1778.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1778.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1778.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1778.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1778.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1778.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro1778.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4052-61-0x0000000002600000-0x0000000002646000-memory.dmp	family_redline
behavioral1/memory/4052-62-0x0000000004EC0000-0x0000000004F04000-memory.dmp	family_redline
behavioral1/memory/4052-74-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-78-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-76-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-72-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-96-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-92-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-90-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-88-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-86-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-84-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-82-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-80-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-70-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-94-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-68-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-66-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-64-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline
behavioral1/memory/4052-63-0x0000000004EC0000-0x0000000004EFF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un828933.exepro1778.exequ6159.exe

pid process

3256 un828933.exe
4020 pro1778.exe
4052 qu6159.exe

pid	process
3256	un828933.exe
4020	pro1778.exe
4052	qu6159.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro1778.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1778.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1778.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

un828933.exeab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un828933.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

688 4020 WerFault.exe pro1778.exe

pid	pid_target	process	target process
688	4020	WerFault.exe	pro1778.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exeun828933.exepro1778.exequ6159.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un828933.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro1778.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu6159.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro1778.exe

pid process

4020 pro1778.exe
4020 pro1778.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro1778.exequ6159.exe

description pid process

Token: SeDebugPrivilege 4020 pro1778.exe
Token: SeDebugPrivilege 4052 qu6159.exe

pid	process
4020	pro1778.exe
4020	pro1778.exe

description	pid	process
Token: SeDebugPrivilege	4020	pro1778.exe
Token: SeDebugPrivilege	4052	qu6159.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exeun828933.exe

description	pid	process	target process
PID 3416 wrote to memory of 3256	3416	ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe	un828933.exe
PID 3416 wrote to memory of 3256	3416	ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe	un828933.exe
PID 3416 wrote to memory of 3256	3416	ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe	un828933.exe
PID 3256 wrote to memory of 4020	3256	un828933.exe	pro1778.exe
PID 3256 wrote to memory of 4020	3256	un828933.exe	pro1778.exe
PID 3256 wrote to memory of 4020	3256	un828933.exe	pro1778.exe
PID 3256 wrote to memory of 4052	3256	un828933.exe	qu6159.exe
PID 3256 wrote to memory of 4052	3256	un828933.exe	qu6159.exe
PID 3256 wrote to memory of 4052	3256	un828933.exe	qu6159.exe

C:\Users\Admin\AppData\Local\Temp\ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe
"C:\Users\Admin\AppData\Local\Temp\ab02b8b4eb13b9652a7261145ed134c76fd5017b3e1f556d03dda4aaaffc9e00.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3416

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828933.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828933.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1778.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1778.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 1096
4⤵
- Program crash
PID:688

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6159.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6159.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4020 -ip 4020
1⤵
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un828933.exe

Filesize
524KB

MD5
c43d7980df354cda3ec2468aefad012c

SHA1
e859085c0042dbf404270010f1fc40535dbf8f40

SHA256
b8f1393baf323d9829e51ec8877a955f3e638ba10dd20e055433e1de5f40cc7e

SHA512
9e34cfc869742807a318754c96f6031928fe8735fac15fb109271593d9a26b6b54858d01e81ec471eec0c98570e124503c57188ef99c2b97104d5252fe58a528

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1778.exe

Filesize
294KB

MD5
337e0a96a10ff2b2980fc4341b2b94a1

SHA1
5289794c7497db7e15198391043b0e26ff4fda80

SHA256
c850430fedb6617afc59f6be7922ad74b3c8ea8ec6bface357fa2b43c45967a6

SHA512
84afa48f5af666dc37aa1e77dd96bf4309f0a31a09f1f5ac0dadd175e0c74582aa73397c20da3da63b46045585dd4ac6e66750477a8fbd2d2da268ce8970c396

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6159.exe

Filesize
353KB

MD5
61d114b56c1163d4ff213151b2910246

SHA1
009428b2b2ab030a28e85bac6e47421bf37804d1

SHA256
20b1a7e09076d559fd66456a4cefe46d9febee9155a3d569df68afb08903220f

SHA512
6c38693eb093debb66fbab5358d0a8eb6f8550d70aff31d118c79b8c2798cd1e7e89ac1e202c4552be61e4d9da90a66dc39b1f1d5be44d08be2fd31d6af154b0

Download Submit
memory/4020-15-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/4020-16-0x0000000002440000-0x000000000246D000-memory.dmp

Filesize
180KB

Download
memory/4020-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4020-18-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4020-19-0x0000000002880000-0x000000000289A000-memory.dmp

Filesize
104KB

Download
memory/4020-20-0x0000000004F20000-0x00000000054C4000-memory.dmp

Filesize
5.6MB

Download
memory/4020-21-0x0000000002A50000-0x0000000002A68000-memory.dmp

Filesize
96KB

Download
memory/4020-47-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-46-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-43-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-41-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-40-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-37-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-35-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-33-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-31-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-49-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-29-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-27-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-25-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-23-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-22-0x0000000002A50000-0x0000000002A62000-memory.dmp

Filesize
72KB

Download
memory/4020-50-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/4020-51-0x0000000002440000-0x000000000246D000-memory.dmp

Filesize
180KB

Download
memory/4020-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4020-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4020-55-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4052-61-0x0000000002600000-0x0000000002646000-memory.dmp

Filesize
280KB

Download
memory/4052-62-0x0000000004EC0000-0x0000000004F04000-memory.dmp

Filesize
272KB

Download
memory/4052-74-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-78-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-76-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-72-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-96-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-92-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-90-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-88-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-86-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-84-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-82-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-80-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-70-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-94-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-68-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-66-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-64-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-63-0x0000000004EC0000-0x0000000004EFF000-memory.dmp

Filesize
252KB

Download
memory/4052-969-0x00000000054D0000-0x0000000005AE8000-memory.dmp

Filesize
6.1MB

Download
memory/4052-970-0x0000000005B30000-0x0000000005C3A000-memory.dmp

Filesize
1.0MB

Download
memory/4052-971-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/4052-972-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/4052-973-0x0000000005DA0000-0x0000000005DEC000-memory.dmp

Filesize
304KB

Download