healer | 39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c.exe
Size

659KB
MD5

71ddae6bb077d949eca3155e7f246c72
SHA1

6e1b1f8ee9bf73b7ad325c49f88c4f6fc2c630ec
SHA256

39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c
SHA512

2157260ea48f5108233d014810e82d88d45b9efcd2705c492ace06b28fb00be2e6693b9cb8df8216c7733e972f143ba3c370af3afec28e88ee255dc845e0eb23
SSDEEP

12288:gMrGy90aK78HadI33MAj0nXniW0QE2YZ09sWrLi0iJaWPt0:2yC4mu3MrnXn/0ZRZksW60iJ5t0

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2872-19-0x0000000004AF0000-0x0000000004B0A000-memory.dmp	healer
behavioral1/memory/2872-21-0x0000000004B80000-0x0000000004B98000-memory.dmp	healer
behavioral1/memory/2872-35-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-37-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-49-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-47-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-46-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-43-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-41-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-39-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-33-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-32-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-29-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-27-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-26-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-24-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer
behavioral1/memory/2872-22-0x0000000004B80000-0x0000000004B92000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro8337.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8337.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8337.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4864-61-0x00000000025F0000-0x0000000002636000-memory.dmp	family_redline
behavioral1/memory/4864-62-0x00000000050C0000-0x0000000005104000-memory.dmp	family_redline
behavioral1/memory/4864-66-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-78-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-96-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-94-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-90-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-88-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-86-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-84-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-80-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-76-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-74-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-72-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-70-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-68-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-92-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-82-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-64-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline
behavioral1/memory/4864-63-0x00000000050C0000-0x00000000050FF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un924945.exepro8337.exequ9705.exe

pid process

1720 un924945.exe
2872 pro8337.exe
4864 qu9705.exe

pid	process
1720	un924945.exe
2872	pro8337.exe
4864	qu9705.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro8337.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8337.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

un924945.exe39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un924945.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3540 2872 WerFault.exe pro8337.exe

pid	pid_target	process	target process
3540	2872	WerFault.exe	pro8337.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

un924945.exepro8337.exequ9705.exe39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un924945.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro8337.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu9705.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro8337.exe

pid process

2872 pro8337.exe
2872 pro8337.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro8337.exequ9705.exe

description pid process

Token: SeDebugPrivilege 2872 pro8337.exe
Token: SeDebugPrivilege 4864 qu9705.exe

pid	process
2872	pro8337.exe
2872	pro8337.exe

description	pid	process
Token: SeDebugPrivilege	2872	pro8337.exe
Token: SeDebugPrivilege	4864	qu9705.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c.exeun924945.exe

description	pid	process	target process
PID 4880 wrote to memory of 1720	4880	39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c.exe	un924945.exe
PID 4880 wrote to memory of 1720	4880	39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c.exe	un924945.exe
PID 4880 wrote to memory of 1720	4880	39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c.exe	un924945.exe
PID 1720 wrote to memory of 2872	1720	un924945.exe	pro8337.exe
PID 1720 wrote to memory of 2872	1720	un924945.exe	pro8337.exe
PID 1720 wrote to memory of 2872	1720	un924945.exe	pro8337.exe
PID 1720 wrote to memory of 4864	1720	un924945.exe	qu9705.exe
PID 1720 wrote to memory of 4864	1720	un924945.exe	qu9705.exe
PID 1720 wrote to memory of 4864	1720	un924945.exe	qu9705.exe

C:\Users\Admin\AppData\Local\Temp\39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c.exe
"C:\Users\Admin\AppData\Local\Temp\39d8f8122b85219577819f7aae00937ba0aa0e00b1043499b00b8a4bcd473d5c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924945.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924945.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8337.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8337.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1084
4⤵
- Program crash
PID:3540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9705.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9705.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2872 -ip 2872
1⤵
PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un924945.exe

Filesize
517KB

MD5
aaf4877abc280129d3458046258290a1

SHA1
eeb7d225be754669bcb614e359b0846bfc84238f

SHA256
eddf9361c0e2a47dcdb8eee2b91e65bf4cf8965452174434da756875d1db0899

SHA512
f3304f8d7e6eab6af42aa74bf0b67b43f524b20d54fa6dc5bdb645b4a95b91d2c9ed6c4a20f8a3fb1f6a5f7cc024f42521dde7e67110ed3b0c8adc765bef471f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8337.exe

Filesize
236KB

MD5
6b6d2ee070feb2533342180ff722cb8f

SHA1
e98aa9905c49417162de98538a1311e4d259c24f

SHA256
a199d539a3e8e4caf4ac4f1068b3ab8dde212e7937864bdc324925f4610b0518

SHA512
cabfc85369b31cd606e10002b2e8c8ddb230f40143bbcda01fbbe4e6d306ff59e3ad0373e66bc43dba4b06a30907e5bba298381dc9901b4186ff5c4fc91ce509

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9705.exe

Filesize
295KB

MD5
7918732c3f6c2cb9b419bb759bc7db83

SHA1
e44ec0923e0fd357df241e20281cf253effa6dfc

SHA256
dcb8b3313be3114bea816fa21eb761cea2e7f4c3d79ef98a6d27a313eafffe14

SHA512
7566fe2acd28d23a95d54156cc41a54200ceb0c82d818219849d5473bb1305ca8acd341b02921bbe563aa9d43d7103dd39c7a1ee868fcf3578eac21704f88635

Download Submit
memory/2872-15-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/2872-16-0x00000000004F0000-0x000000000051D000-memory.dmp

Filesize
180KB

Download
memory/2872-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2872-18-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2872-19-0x0000000004AF0000-0x0000000004B0A000-memory.dmp

Filesize
104KB

Download
memory/2872-20-0x0000000004BF0000-0x0000000005194000-memory.dmp

Filesize
5.6MB

Download
memory/2872-21-0x0000000004B80000-0x0000000004B98000-memory.dmp

Filesize
96KB

Download
memory/2872-35-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-37-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-49-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-47-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-46-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-43-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-41-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-39-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-33-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-32-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-29-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-27-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-26-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-24-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-22-0x0000000004B80000-0x0000000004B92000-memory.dmp

Filesize
72KB

Download
memory/2872-50-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/2872-51-0x00000000004F0000-0x000000000051D000-memory.dmp

Filesize
180KB

Download
memory/2872-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2872-55-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2872-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4864-61-0x00000000025F0000-0x0000000002636000-memory.dmp

Filesize
280KB

Download
memory/4864-62-0x00000000050C0000-0x0000000005104000-memory.dmp

Filesize
272KB

Download
memory/4864-66-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-78-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-96-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-94-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-90-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-88-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-86-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-84-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-80-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-76-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-74-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-72-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-70-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-68-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-92-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-82-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-64-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-63-0x00000000050C0000-0x00000000050FF000-memory.dmp

Filesize
252KB

Download
memory/4864-969-0x0000000005100000-0x0000000005718000-memory.dmp

Filesize
6.1MB

Download
memory/4864-970-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/4864-971-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/4864-972-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/4864-973-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download