healer | 570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09.exe
Size

662KB
MD5

0c62bda555b9ab922a264b6903d471db
SHA1

5ecc65019b94a04ab6817129892e91b6e6bc407f
SHA256

570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09
SHA512

1127f8e7b5becd5a42e339c7bf5a1715305e5cfd59a0ae4d14b73b9655c772d4de36aae7f2cd45ce1b7e24481cfad898f3d61b236354bc411629d59783d05b0a
SSDEEP

12288:MMr6y90G1XNszjlrpyWWQo1XCW7vEJUxB3BKLzX2qVuVYlShHfZ5II:GyYrpsQ4C0ILzX2qVsYlShHTN

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/760-19-0x0000000002270000-0x000000000228A000-memory.dmp	healer
behavioral1/memory/760-21-0x00000000024B0000-0x00000000024C8000-memory.dmp	healer
behavioral1/memory/760-49-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-47-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-45-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-43-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-41-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-39-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-37-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-35-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-33-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-31-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-29-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-27-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-25-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-23-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/760-22-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro3113.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro3113.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro3113.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro3113.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro3113.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro3113.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro3113.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4848-61-0x0000000002480000-0x00000000024C6000-memory.dmp	family_redline
behavioral1/memory/4848-62-0x0000000002530000-0x0000000002574000-memory.dmp	family_redline
behavioral1/memory/4848-64-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-76-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-96-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-94-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-92-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-90-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-88-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-86-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-84-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-80-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-78-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-74-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-72-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-70-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-68-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-66-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-82-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline
behavioral1/memory/4848-63-0x0000000002530000-0x000000000256F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un121595.exepro3113.exequ6819.exe

pid process

1292 un121595.exe
760 pro3113.exe
4848 qu6819.exe

pid	process
1292	un121595.exe
760	pro3113.exe
4848	qu6819.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro3113.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro3113.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro3113.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09.exeun121595.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un121595.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

qu6819.exe570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09.exeun121595.exepro3113.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu6819.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un121595.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro3113.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro3113.exe

pid process

760 pro3113.exe
760 pro3113.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro3113.exequ6819.exe

description pid process

Token: SeDebugPrivilege 760 pro3113.exe
Token: SeDebugPrivilege 4848 qu6819.exe

pid	process
760	pro3113.exe
760	pro3113.exe

description	pid	process
Token: SeDebugPrivilege	760	pro3113.exe
Token: SeDebugPrivilege	4848	qu6819.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09.exeun121595.exe

description	pid	process	target process
PID 3648 wrote to memory of 1292	3648	570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09.exe	un121595.exe
PID 3648 wrote to memory of 1292	3648	570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09.exe	un121595.exe
PID 3648 wrote to memory of 1292	3648	570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09.exe	un121595.exe
PID 1292 wrote to memory of 760	1292	un121595.exe	pro3113.exe
PID 1292 wrote to memory of 760	1292	un121595.exe	pro3113.exe
PID 1292 wrote to memory of 760	1292	un121595.exe	pro3113.exe
PID 1292 wrote to memory of 4848	1292	un121595.exe	qu6819.exe
PID 1292 wrote to memory of 4848	1292	un121595.exe	qu6819.exe
PID 1292 wrote to memory of 4848	1292	un121595.exe	qu6819.exe

C:\Users\Admin\AppData\Local\Temp\570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09.exe
"C:\Users\Admin\AppData\Local\Temp\570f60f8d5f1ca4cf99e3ec7cfa1e32029a7b4d06341dcca7b447dcbc2a21e09.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un121595.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un121595.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3113.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3113.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6819.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6819.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un121595.exe

Filesize
520KB

MD5
910538e827ed6e2a44ed5a338e56afd8

SHA1
3356684f5868fd550923553700aff0587ec58d28

SHA256
79b9708104ee83439bea507850559c1750a20ab7a014240896c11cda61c1b61b

SHA512
9d6472bbc3e954301859f72055accc0c1bc40d1d3fe1791edadaa6cfafdd633545423f7ef4d388240f4128e2d920aeffb924cb4a509a04e286d1cecdf9fb2258

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3113.exe

Filesize
236KB

MD5
fdc607a8c0e11c6ed76a4fcd071e8f68

SHA1
12fde5e03e9c67b6e5fe3c9159b02d5ccb8fc8fe

SHA256
4612223ad6068f9a85a7d9a8ec51410a85d8916256cfe6c0a89965f1b66d33c0

SHA512
308b387e3e8ed9ae12ffa8fcc0eb188aa432af3634f83432e8893b5ae169fbf4b5a8063c7d62384320589a444ca282d5c15ca459332874c9caaf77ff444b9c90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6819.exe

Filesize
295KB

MD5
6b46c3007e5b5e4f5850a08209ccc92c

SHA1
0e3745157496d79633d0742b35af39d21d9535aa

SHA256
57acb50322381912ca108c789a2766b14d04b78a47ca44ed94f9a891921e86a2

SHA512
abd7403a954c4d7af4c41952f34b95b2682ac5ca8d781d567cb0f2a5856bbfce361ac0bf9b33a73d24fd1dfcd63ee6e0a7b1edaa4b6c2458ee500970352902b7

Download Submit
memory/760-15-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/760-16-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/760-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/760-18-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/760-19-0x0000000002270000-0x000000000228A000-memory.dmp

Filesize
104KB

Download
memory/760-20-0x0000000004B40000-0x00000000050E4000-memory.dmp

Filesize
5.6MB

Download
memory/760-21-0x00000000024B0000-0x00000000024C8000-memory.dmp

Filesize
96KB

Download
memory/760-49-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-47-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-45-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-43-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-41-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-39-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-37-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-35-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-33-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-31-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-29-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-27-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-25-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-23-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-22-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/760-50-0x00000000007B0000-0x00000000008B0000-memory.dmp

Filesize
1024KB

Download
memory/760-51-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/760-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/760-55-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/760-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4848-61-0x0000000002480000-0x00000000024C6000-memory.dmp

Filesize
280KB

Download
memory/4848-62-0x0000000002530000-0x0000000002574000-memory.dmp

Filesize
272KB

Download
memory/4848-64-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-76-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-96-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-94-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-92-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-90-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-88-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-86-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-84-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-80-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-78-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-74-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-72-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-70-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-68-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-66-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-82-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-63-0x0000000002530000-0x000000000256F000-memory.dmp

Filesize
252KB

Download
memory/4848-969-0x0000000005350000-0x0000000005968000-memory.dmp

Filesize
6.1MB

Download
memory/4848-970-0x0000000004C30000-0x0000000004D3A000-memory.dmp

Filesize
1.0MB

Download
memory/4848-971-0x0000000002680000-0x0000000002692000-memory.dmp

Filesize
72KB

Download
memory/4848-972-0x0000000004D40000-0x0000000004D7C000-memory.dmp

Filesize
240KB

Download
memory/4848-973-0x0000000005A70000-0x0000000005ABC000-memory.dmp

Filesize
304KB

Download