healer | fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279.exe
Size

667KB
MD5

bea35a0d2411bd66bb13ab89487aebad
SHA1

078b8865c271fd32a8b50004ac0be3baf05a524a
SHA256

fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279
SHA512

fc52f447dfd4d3f4ca6a23db8a0ad3d819b3ba7307cddb3af994a5f5fc9b4eaedd3a23a11ebb4fc96d1efba59c3d61d2ff1acf225b84b824e0a133160cc3dd1e
SSDEEP

12288:nMrky90eDyLx0Yp6LLXkOmCzrXr0h7xmITZX+hw4KrUrKH/wPdbaNlge3W:nyJyN0O6XXm0ohYIT9+W4KrnfwNaNeH

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1116-19-0x0000000002450000-0x000000000246A000-memory.dmp	healer
behavioral1/memory/1116-21-0x0000000004D90000-0x0000000004DA8000-memory.dmp	healer
behavioral1/memory/1116-49-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-47-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-45-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-43-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-41-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-39-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-31-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-37-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-35-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-33-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-29-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-27-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-25-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-23-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/1116-22-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro5206.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5206.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3764-61-0x00000000029C0000-0x0000000002A06000-memory.dmp	family_redline
behavioral1/memory/3764-62-0x0000000004DF0000-0x0000000004E34000-memory.dmp	family_redline
behavioral1/memory/3764-72-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-78-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-96-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-92-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-90-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-88-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-86-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-84-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-82-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-80-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-76-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-74-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-70-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-68-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-94-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-66-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-64-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3764-63-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un859042.exepro5206.exequ8869.exe

pid process

4448 un859042.exe
1116 pro5206.exe
3764 qu8869.exe

pid	process
4448	un859042.exe
1116	pro5206.exe
3764	qu8869.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro5206.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5206.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5206.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279.exeun859042.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un859042.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3736 1116 WerFault.exe pro5206.exe

pid	pid_target	process	target process
3736	1116	WerFault.exe	pro5206.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279.exeun859042.exepro5206.exequ8869.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un859042.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro5206.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu8869.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro5206.exe

pid process

1116 pro5206.exe
1116 pro5206.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro5206.exequ8869.exe

description pid process

Token: SeDebugPrivilege 1116 pro5206.exe
Token: SeDebugPrivilege 3764 qu8869.exe

pid	process
1116	pro5206.exe
1116	pro5206.exe

description	pid	process
Token: SeDebugPrivilege	1116	pro5206.exe
Token: SeDebugPrivilege	3764	qu8869.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279.exeun859042.exe

description	pid	process	target process
PID 4580 wrote to memory of 4448	4580	fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279.exe	un859042.exe
PID 4580 wrote to memory of 4448	4580	fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279.exe	un859042.exe
PID 4580 wrote to memory of 4448	4580	fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279.exe	un859042.exe
PID 4448 wrote to memory of 1116	4448	un859042.exe	pro5206.exe
PID 4448 wrote to memory of 1116	4448	un859042.exe	pro5206.exe
PID 4448 wrote to memory of 1116	4448	un859042.exe	pro5206.exe
PID 4448 wrote to memory of 3764	4448	un859042.exe	qu8869.exe
PID 4448 wrote to memory of 3764	4448	un859042.exe	qu8869.exe
PID 4448 wrote to memory of 3764	4448	un859042.exe	qu8869.exe

C:\Users\Admin\AppData\Local\Temp\fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279.exe
"C:\Users\Admin\AppData\Local\Temp\fe7cbe4df237145965fba2dfb1977040e10e9ee9b496c724e4e32c053a42e279.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un859042.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un859042.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5206.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5206.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 1080
4⤵
- Program crash
PID:3736

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8869.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8869.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1116 -ip 1116
1⤵
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un859042.exe

Filesize
525KB

MD5
254bf5524b7efa7f83f7237c73131ee2

SHA1
b54cd45b10404989b395be578bb85e1cbaff9e77

SHA256
3c9679fd0623f823e1fca0e36b52e6a833e0f922c223f771497d6a718ba547aa

SHA512
f7718cf8b0ac59df16dbe104a3b0429cd3cda758d664bf1089d580bb79767a0d9216e9683ea868fb31b50d9a38c61c11ce2ee5339a18932c21c5df5ca21959fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5206.exe

Filesize
294KB

MD5
d7c87bffd00ffb26e28a25eab1e60366

SHA1
bbfb9df380c030cb155e3ad68776071dbd29b407

SHA256
ded34f40f111764bba4074930c962c395d71e5c51c0194a854ff5341f06aba3f

SHA512
159f7b9869066fd827bd574158e12da5e2516bf98a5f7aac6c1e5963667b72b21538954723459409e73ef15c4d59660bc03cb4f951bf6ff236268c282c1ea961

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8869.exe

Filesize
352KB

MD5
ec9d13bb06393fc481ba338b10fe8231

SHA1
f2eecec65fafece18df8827ba3a01c67f99f67c0

SHA256
85be2641c0e3f3e5fcb826c92df865080585f21dc189595dd8d2e8ca3b71ea16

SHA512
ed67506df558f6efdb73f2d04422596f63ce0fb1351ec27d295dba6fcb0cafc770a1ede7d7bf2f876fa024b7d1674c0667f21bdd58586aa65a6e80b8c13ed7c3

Download Submit
memory/1116-16-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/1116-15-0x0000000000A10000-0x0000000000B10000-memory.dmp

Filesize
1024KB

Download
memory/1116-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1116-18-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1116-19-0x0000000002450000-0x000000000246A000-memory.dmp

Filesize
104KB

Download
memory/1116-20-0x0000000004E50000-0x00000000053F4000-memory.dmp

Filesize
5.6MB

Download
memory/1116-21-0x0000000004D90000-0x0000000004DA8000-memory.dmp

Filesize
96KB

Download
memory/1116-49-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-47-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-45-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-43-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-41-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-39-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-31-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-37-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-35-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-33-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-29-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-27-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-25-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-23-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-22-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/1116-50-0x0000000000A10000-0x0000000000B10000-memory.dmp

Filesize
1024KB

Download
memory/1116-51-0x0000000000960000-0x000000000098D000-memory.dmp

Filesize
180KB

Download
memory/1116-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1116-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1116-55-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3764-61-0x00000000029C0000-0x0000000002A06000-memory.dmp

Filesize
280KB

Download
memory/3764-62-0x0000000004DF0000-0x0000000004E34000-memory.dmp

Filesize
272KB

Download
memory/3764-72-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-78-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-96-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-92-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-90-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-88-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-86-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-84-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-82-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-80-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-76-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-74-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-70-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-68-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-94-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-66-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-64-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-63-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3764-969-0x0000000005490000-0x0000000005AA8000-memory.dmp

Filesize
6.1MB

Download
memory/3764-970-0x0000000005AD0000-0x0000000005BDA000-memory.dmp

Filesize
1.0MB

Download
memory/3764-971-0x0000000005C10000-0x0000000005C22000-memory.dmp

Filesize
72KB

Download
memory/3764-972-0x0000000005C30000-0x0000000005C6C000-memory.dmp

Filesize
240KB

Download
memory/3764-973-0x0000000005D80000-0x0000000005DCC000-memory.dmp

Filesize
304KB

Download