healer | 723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe
Size

534KB
MD5

4bbdbbdb555203d13f5b6094b446953c
SHA1

ee1dd1f69f7c0ccdd500867fe7ab15c0f19caf99
SHA256

723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09
SHA512

0dc44316b0de09c1c24c7909c9858998c62233da670fbfe162712211b34a14110c408baf127fac6a4732825e0d16f4006d1569173eff4da4b47c12809693aa8c
SSDEEP

12288:SMrEy90UYsIl+YDAA7gaUb4HNpeRa3melpmu0mX:iyDldFa84tMRalbm2X

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr530245.exe	healer
behavioral1/memory/4044-15-0x0000000000800000-0x000000000080A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr530245.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr530245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr530245.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr530245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr530245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr530245.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr530245.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1384-22-0x00000000024A0000-0x00000000024E6000-memory.dmp	family_redline
behavioral1/memory/1384-24-0x0000000002520000-0x0000000002564000-memory.dmp	family_redline
behavioral1/memory/1384-28-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-26-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-25-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-36-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-88-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-86-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-84-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-82-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-78-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-76-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-74-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-72-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-70-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-68-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-66-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-64-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-62-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-58-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-56-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-54-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-52-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-50-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-48-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-46-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-44-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-40-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-38-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-34-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-32-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-30-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-80-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-60-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline
behavioral1/memory/1384-42-0x0000000002520000-0x000000000255F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

zisM3761.exejr530245.exeku088731.exe

pid process

2784 zisM3761.exe
4044 jr530245.exe
1384 ku088731.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr530245.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr530245.exe

pid	process
2784	zisM3761.exe
4044	jr530245.exe
1384	ku088731.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr530245.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exezisM3761.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zisM3761.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exezisM3761.exeku088731.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zisM3761.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku088731.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr530245.exe

pid process

4044 jr530245.exe
4044 jr530245.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr530245.exeku088731.exe

description pid process

Token: SeDebugPrivilege 4044 jr530245.exe
Token: SeDebugPrivilege 1384 ku088731.exe

pid	process
4044	jr530245.exe
4044	jr530245.exe

description	pid	process
Token: SeDebugPrivilege	4044	jr530245.exe
Token: SeDebugPrivilege	1384	ku088731.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exezisM3761.exe

description	pid	process	target process
PID 4364 wrote to memory of 2784	4364	723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe	zisM3761.exe
PID 4364 wrote to memory of 2784	4364	723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe	zisM3761.exe
PID 4364 wrote to memory of 2784	4364	723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe	zisM3761.exe
PID 2784 wrote to memory of 4044	2784	zisM3761.exe	jr530245.exe
PID 2784 wrote to memory of 4044	2784	zisM3761.exe	jr530245.exe
PID 2784 wrote to memory of 1384	2784	zisM3761.exe	ku088731.exe
PID 2784 wrote to memory of 1384	2784	zisM3761.exe	ku088731.exe
PID 2784 wrote to memory of 1384	2784	zisM3761.exe	ku088731.exe

C:\Users\Admin\AppData\Local\Temp\723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe
"C:\Users\Admin\AppData\Local\Temp\723955a5723d44e3c6635905be1acda8990dd1a3782be9c782b5519d26c7cf09.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisM3761.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisM3761.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr530245.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr530245.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku088731.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku088731.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisM3761.exe

Filesize
392KB

MD5
76546d2dcad1b0bd0fea447654727999

SHA1
272347c11dc4cda9f177d7147674cb399fcc195f

SHA256
0ad481902500e41ffc8a69a2c79c297ad240c969c02bcdacea86b3a1b84997c5

SHA512
679d847ae2c8a7c8c9bfb2524a4f2b7578a3dba01e4002a50635877580b15caeb9d067f45a0b3bafd6e1a3d409b0fc16b4e9a7ca06c3e71a83ec4e0e7b81ecac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr530245.exe

Filesize
12KB

MD5
575e5a5dbc3b0d3ea4ada58d7fc675ee

SHA1
20d4a3476842bdea29b2df1abc7867e520a5ba69

SHA256
59250c57ba96a2d74d871a7a2d86d2240f24f19312c0836841aec4336ec2c96b

SHA512
714f0c723c9dcd6809493b15f9eed7791949f13b77433c97a10ffe76fdd101282f4d6316f417d296f3b4a961635780024200d83de7e45fc5865d9a55b623b38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku088731.exe

Filesize
319KB

MD5
cc6bc3bb30f28ae8410e2779c2a8de6c

SHA1
b187906d9bd4551088516078a84b0ad58c611756

SHA256
30e1fb4f825608dc3b344e43e6f8870432e667af52c240e0ef44ea747aa1e83c

SHA512
f4ea0ebd749812a6db3b14f14bbebe257fa3863c2e95bc1ccf32668f173d82ab2a31c4c81bb898ab50b44dfd2eedfd67a2d276eb7bf4fc84dafdcf2207888aa2

Download Submit
memory/1384-68-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-22-0x00000000024A0000-0x00000000024E6000-memory.dmp

Filesize
280KB

Download
memory/1384-935-0x0000000004DB0000-0x0000000004DFC000-memory.dmp

Filesize
304KB

Download
memory/1384-64-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-23-0x0000000004E60000-0x0000000005404000-memory.dmp

Filesize
5.6MB

Download
memory/1384-24-0x0000000002520000-0x0000000002564000-memory.dmp

Filesize
272KB

Download
memory/1384-28-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-26-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-25-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-36-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-66-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-86-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-62-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-82-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-78-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-76-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-74-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-72-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-70-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-934-0x00000000027E0000-0x000000000281C000-memory.dmp

Filesize
240KB

Download
memory/1384-88-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-933-0x00000000027C0000-0x00000000027D2000-memory.dmp

Filesize
72KB

Download
memory/1384-84-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-58-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-56-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-54-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-52-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-50-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-48-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-46-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-44-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-40-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-38-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-34-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-32-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-30-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-80-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-60-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-42-0x0000000002520000-0x000000000255F000-memory.dmp

Filesize
252KB

Download
memory/1384-931-0x0000000005410000-0x0000000005A28000-memory.dmp

Filesize
6.1MB

Download
memory/1384-932-0x0000000005A30000-0x0000000005B3A000-memory.dmp

Filesize
1.0MB

Download
memory/4044-16-0x00007FF901E03000-0x00007FF901E05000-memory.dmp

Filesize
8KB

Download
memory/4044-14-0x00007FF901E03000-0x00007FF901E05000-memory.dmp

Filesize
8KB

Download
memory/4044-15-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download