healer | 989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 22:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d.exe
Size

658KB
MD5

7822807b57935376c42ba325b680a700
SHA1

3849c777461220138d0839cc40d7433de6750111
SHA256

989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d
SHA512

03c965df73482b21c82579032c1d91082825dd40b9630e515a2d7f7aa62f2d1bdb899956cfc9c04a355da0ca4a1104d493d749190e79698ed353dd01279ad2a0
SSDEEP

12288:bMrAy90+8FwVByuynl/Yp9ohU4hGcdxqTs7RVgnp9PB/ytkfJ5fs:Hyl8FwPQl/XnfdBFV0p9PB/YkxJs

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2144-19-0x0000000002210000-0x000000000222A000-memory.dmp	healer
behavioral1/memory/2144-21-0x00000000024D0000-0x00000000024E8000-memory.dmp	healer
behavioral1/memory/2144-26-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-49-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-47-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-45-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-43-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-41-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-39-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-37-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-35-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-33-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-31-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-29-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-27-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-23-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer
behavioral1/memory/2144-22-0x00000000024D0000-0x00000000024E2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro7218.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7218.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4556-61-0x0000000002410000-0x0000000002456000-memory.dmp	family_redline
behavioral1/memory/4556-62-0x0000000004A90000-0x0000000004AD4000-memory.dmp	family_redline
behavioral1/memory/4556-66-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-64-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-63-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-88-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-96-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-94-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-92-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-91-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-86-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-84-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-82-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-80-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-78-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-76-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-74-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-72-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-70-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/4556-68-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un722688.exepro7218.exequ3134.exe

pid process

3096 un722688.exe
2144 pro7218.exe
4556 qu3134.exe

pid	process
3096	un722688.exe
2144	pro7218.exe
4556	qu3134.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro7218.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7218.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7218.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d.exeun722688.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un722688.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

564 2144 WerFault.exe pro7218.exe

pid	pid_target	process	target process
564	2144	WerFault.exe	pro7218.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

un722688.exepro7218.exequ3134.exe989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un722688.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro7218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu3134.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro7218.exe

pid process

2144 pro7218.exe
2144 pro7218.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro7218.exequ3134.exe

description pid process

Token: SeDebugPrivilege 2144 pro7218.exe
Token: SeDebugPrivilege 4556 qu3134.exe

pid	process
2144	pro7218.exe
2144	pro7218.exe

description	pid	process
Token: SeDebugPrivilege	2144	pro7218.exe
Token: SeDebugPrivilege	4556	qu3134.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d.exeun722688.exe

description	pid	process	target process
PID 4848 wrote to memory of 3096	4848	989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d.exe	un722688.exe
PID 4848 wrote to memory of 3096	4848	989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d.exe	un722688.exe
PID 4848 wrote to memory of 3096	4848	989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d.exe	un722688.exe
PID 3096 wrote to memory of 2144	3096	un722688.exe	pro7218.exe
PID 3096 wrote to memory of 2144	3096	un722688.exe	pro7218.exe
PID 3096 wrote to memory of 2144	3096	un722688.exe	pro7218.exe
PID 3096 wrote to memory of 4556	3096	un722688.exe	qu3134.exe
PID 3096 wrote to memory of 4556	3096	un722688.exe	qu3134.exe
PID 3096 wrote to memory of 4556	3096	un722688.exe	qu3134.exe

C:\Users\Admin\AppData\Local\Temp\989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d.exe
"C:\Users\Admin\AppData\Local\Temp\989a2f0a7e09f335bdee2bb25a02ae692a3c0e860fce47df70b558ace79bac7d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4848

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un722688.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un722688.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3096

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7218.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7218.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 1028
4⤵
- Program crash
PID:564

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3134.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3134.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2144 -ip 2144
1⤵
PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un722688.exe

Filesize
516KB

MD5
2726e99239a89e0ab11074a0f04ea914

SHA1
d97a734d3364ba60db7a9b15aa8e55f5128efe11

SHA256
9830a65628c48ca08a209ae0428c6661256c64f4d00d4c82fec1215b420e2b6c

SHA512
6c1a3c6ee47b1e8354009d6e4291d4e77a2b017f8acbdc95916fd42aefc04479165cfff24ded7e81783bcbcd443c387f7d8f3380924effd4bb49b95233a71fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7218.exe

Filesize
236KB

MD5
1ba44856395c178385a300449dffea6a

SHA1
c72339f48c15dad0bd030b2f4d4e1a956b555268

SHA256
a1bbc66268889f195f78fdbb2aff55fd73e6ec45d908c5efe32986afb9217e4c

SHA512
44d26fb946d04dfe81afb626e12713c187c7d2f1309023dcc6104c744c105266bbaa94cde982d461d1dfd7f89da7d0a5e5d223ab75aaec13f32c1f7523bba50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3134.exe

Filesize
294KB

MD5
34a81dd3db57096ba4d75ce3b43d74c9

SHA1
2a93a6d824c05353fc27fa43b35f71a40ded643f

SHA256
e71470680ef056a237622552123688bc0623f0ca063eaa26434e367ccde23b60

SHA512
554ddf1594ef807b70a676887b3ca54ad8ce63625a87a6c600d7598e2eda99a2d64ef52e93a30b8dad03e7961d0d2e833620687e06e8d4198bcd77bd5a13a88b

Download Submit
memory/2144-15-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/2144-16-0x00000000020F0000-0x000000000211D000-memory.dmp

Filesize
180KB

Download
memory/2144-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2144-18-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2144-19-0x0000000002210000-0x000000000222A000-memory.dmp

Filesize
104KB

Download
memory/2144-20-0x0000000004B80000-0x0000000005124000-memory.dmp

Filesize
5.6MB

Download
memory/2144-21-0x00000000024D0000-0x00000000024E8000-memory.dmp

Filesize
96KB

Download
memory/2144-26-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-49-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-47-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-45-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-43-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-41-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-39-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-37-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-35-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-33-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-31-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-29-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-27-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-23-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-22-0x00000000024D0000-0x00000000024E2000-memory.dmp

Filesize
72KB

Download
memory/2144-50-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/2144-51-0x00000000020F0000-0x000000000211D000-memory.dmp

Filesize
180KB

Download
memory/2144-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2144-55-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2144-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4556-61-0x0000000002410000-0x0000000002456000-memory.dmp

Filesize
280KB

Download
memory/4556-62-0x0000000004A90000-0x0000000004AD4000-memory.dmp

Filesize
272KB

Download
memory/4556-66-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-64-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-63-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-88-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-96-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-94-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-92-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-91-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-86-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-84-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-82-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-80-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-78-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-76-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-74-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-72-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-70-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-68-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/4556-969-0x0000000005180000-0x0000000005798000-memory.dmp

Filesize
6.1MB

Download
memory/4556-970-0x00000000057A0000-0x00000000058AA000-memory.dmp

Filesize
1.0MB

Download
memory/4556-971-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/4556-972-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/4556-973-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download