healer | 273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f.exe
Size

673KB
MD5

0e5a59cf2ff7e2e615788b226fb8469e
SHA1

9e18a4ea1cb2b5d2eea48f81f6f9dd96830647ab
SHA256

273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f
SHA512

2edeb5939957b112e3001a2f159041e388a9f154a04c025b68fdda83749157019e7009ab53fce81424a54a553bff47bd617ae1588b012c5c6533d18bf4697f03
SSDEEP

12288:uMrey90i2U/L8MqxDBO3zUofEpHi00oKQbuWkMwfXYRcm:Uyj2UyxD03zjf6HaoK4uzRQcm

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/964-19-0x0000000002620000-0x000000000263A000-memory.dmp	healer
behavioral1/memory/964-21-0x0000000005160000-0x0000000005178000-memory.dmp	healer
behavioral1/memory/964-41-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-49-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-47-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-45-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-43-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-39-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-37-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-35-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-33-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-31-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-29-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-27-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-23-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-22-0x0000000005160000-0x0000000005172000-memory.dmp	healer
behavioral1/memory/964-25-0x0000000005160000-0x0000000005172000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro0842.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro0842.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0842.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0842.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0842.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0842.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0842.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3052-60-0x00000000049F0000-0x0000000004A36000-memory.dmp	family_redline
behavioral1/memory/3052-61-0x0000000004A90000-0x0000000004AD4000-memory.dmp	family_redline
behavioral1/memory/3052-73-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-75-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-95-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-93-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-91-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-87-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-85-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-81-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-79-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-77-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-71-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-69-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-67-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-89-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-83-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-65-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-63-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3052-62-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un371406.exepro0842.exequ0414.exe

pid process

1544 un371406.exe
964 pro0842.exe
3052 qu0414.exe

pid	process
1544	un371406.exe
964	pro0842.exe
3052	qu0414.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro0842.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0842.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0842.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

un371406.exe273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un371406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4352 964 WerFault.exe pro0842.exe

pid	pid_target	process	target process
4352	964	WerFault.exe	pro0842.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f.exeun371406.exepro0842.exequ0414.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un371406.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro0842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu0414.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro0842.exe

pid process

964 pro0842.exe
964 pro0842.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro0842.exequ0414.exe

description pid process

Token: SeDebugPrivilege 964 pro0842.exe
Token: SeDebugPrivilege 3052 qu0414.exe

pid	process
964	pro0842.exe
964	pro0842.exe

description	pid	process
Token: SeDebugPrivilege	964	pro0842.exe
Token: SeDebugPrivilege	3052	qu0414.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f.exeun371406.exe

description	pid	process	target process
PID 4212 wrote to memory of 1544	4212	273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f.exe	un371406.exe
PID 4212 wrote to memory of 1544	4212	273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f.exe	un371406.exe
PID 4212 wrote to memory of 1544	4212	273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f.exe	un371406.exe
PID 1544 wrote to memory of 964	1544	un371406.exe	pro0842.exe
PID 1544 wrote to memory of 964	1544	un371406.exe	pro0842.exe
PID 1544 wrote to memory of 964	1544	un371406.exe	pro0842.exe
PID 1544 wrote to memory of 3052	1544	un371406.exe	qu0414.exe
PID 1544 wrote to memory of 3052	1544	un371406.exe	qu0414.exe
PID 1544 wrote to memory of 3052	1544	un371406.exe	qu0414.exe

C:\Users\Admin\AppData\Local\Temp\273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f.exe
"C:\Users\Admin\AppData\Local\Temp\273bdf5848070d42baa1301ea546861753c5b987b1dc6a3e55d6daa2de9d553f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un371406.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un371406.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0842.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0842.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 1100
4⤵
- Program crash
PID:4352

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0414.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0414.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 964 -ip 964
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un371406.exe

Filesize
531KB

MD5
287ed939ce126d30e11d25b4fec00fe8

SHA1
b7bb733f9fc6a22a2887ca2388f1ebd82334715f

SHA256
3f24da91ff96bb19c4bf1c9bbdec83b87cb4571fc834af340d92925fbf433b78

SHA512
9d6b7df6167ca0b02f8c8dee70cea08392f8111340350dd325c29b29ac2f158dcbfa793bb7507379ea9fccbffe05294585c6dc681467d67462a9df86ccf4a450

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0842.exe

Filesize
260KB

MD5
9dc8b8c95b200dd105da3d4260edc54e

SHA1
1f5c7bcbea6d2a8054200ae55351af803780abe9

SHA256
263e414c92b7e3133f20b120578b45e40e3de2bd31279e4af191885a787631b7

SHA512
29d5f94dcd55602dee776c45ae7d6a12f5677ff5ac7949192ee338fe81ef27244c96c4d9a6917b824f7f5ef9549077978db8624d43b5c8ad053c1b46180f8851

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0414.exe

Filesize
319KB

MD5
212d71ea9239ef6454973e091b719d78

SHA1
a796f7f7505d471f7f7f49853871571a6386f1b8

SHA256
0f10741783649725dc06119e3a4df8c9a03963a2486ff38d2040afae48105050

SHA512
1c7db530c63832c1d34b74c0d296390f06040f2910f8672c0beda061d7980bf2b424f8d91083d9c507b805efbc5c29dff5773fd07ed9747e57d2fb8131f96044

Download Submit
memory/964-15-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/964-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/964-17-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/964-18-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/964-19-0x0000000002620000-0x000000000263A000-memory.dmp

Filesize
104KB

Download
memory/964-20-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/964-21-0x0000000005160000-0x0000000005178000-memory.dmp

Filesize
96KB

Download
memory/964-41-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-49-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-47-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-45-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-43-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-39-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-37-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-35-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-33-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-31-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-29-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-27-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-23-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-22-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-25-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/964-50-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/964-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/964-54-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/964-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3052-60-0x00000000049F0000-0x0000000004A36000-memory.dmp

Filesize
280KB

Download
memory/3052-61-0x0000000004A90000-0x0000000004AD4000-memory.dmp

Filesize
272KB

Download
memory/3052-73-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-75-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-95-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-93-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-91-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-87-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-85-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-81-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-79-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-77-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-71-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-69-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-67-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-89-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-83-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-65-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-63-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-62-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3052-968-0x0000000005250000-0x0000000005868000-memory.dmp

Filesize
6.1MB

Download
memory/3052-969-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/3052-970-0x0000000005A10000-0x0000000005A22000-memory.dmp

Filesize
72KB

Download
memory/3052-971-0x0000000005A30000-0x0000000005A6C000-memory.dmp

Filesize
240KB

Download
memory/3052-972-0x0000000005B80000-0x0000000005BCC000-memory.dmp

Filesize
304KB

Download