healer | ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f.exe
Size

658KB
MD5

2fb817464346d0207bfd2a6334c191f7
SHA1

dcd2b51f4ed2a24cd56a0df319e771b2e9ed0966
SHA256

ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f
SHA512

b5be2bf2fa4825fcba39333f29d0d0a289042af028109b6d6e42b532bb3604a9b3ae427dc12dcdb5d0a49d9ebeea4a8d12de8eac30caf9a9edcc076ac62a3c58
SSDEEP

12288:KMrLy90C8FlEDsfYRnwapdCPGqcfc6LU9kth+E5ZxV/WnVXIGOq:NyKO1RbpddflUMh+E5zu4q

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2756-18-0x0000000004950000-0x000000000496A000-memory.dmp	healer
behavioral1/memory/2756-20-0x0000000004D00000-0x0000000004D18000-memory.dmp	healer
behavioral1/memory/2756-48-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-46-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-44-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-42-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-40-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-38-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-37-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-34-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-32-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-30-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-28-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-26-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-24-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-22-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer
behavioral1/memory/2756-21-0x0000000004D00000-0x0000000004D12000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro5266.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5266.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5266.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5266.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5266.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5266.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5266.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2824-60-0x00000000070C0000-0x0000000007106000-memory.dmp	family_redline
behavioral1/memory/2824-61-0x0000000007180000-0x00000000071C4000-memory.dmp	family_redline
behavioral1/memory/2824-91-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-95-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-93-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-89-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-87-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-85-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-83-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-81-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-79-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-77-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-75-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-73-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-71-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-69-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-67-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-65-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-63-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline
behavioral1/memory/2824-62-0x0000000007180000-0x00000000071BF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un904607.exepro5266.exequ0487.exe

pid process

2232 un904607.exe
2756 pro5266.exe
2824 qu0487.exe

pid	process
2232	un904607.exe
2756	pro5266.exe
2824	qu0487.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro5266.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5266.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5266.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f.exeun904607.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un904607.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4660 2756 WerFault.exe pro5266.exe

pid	pid_target	process	target process
4660	2756	WerFault.exe	pro5266.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f.exeun904607.exepro5266.exequ0487.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un904607.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro5266.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu0487.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro5266.exe

pid process

2756 pro5266.exe
2756 pro5266.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro5266.exequ0487.exe

description pid process

Token: SeDebugPrivilege 2756 pro5266.exe
Token: SeDebugPrivilege 2824 qu0487.exe

pid	process
2756	pro5266.exe
2756	pro5266.exe

description	pid	process
Token: SeDebugPrivilege	2756	pro5266.exe
Token: SeDebugPrivilege	2824	qu0487.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f.exeun904607.exe

description	pid	process	target process
PID 2028 wrote to memory of 2232	2028	ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f.exe	un904607.exe
PID 2028 wrote to memory of 2232	2028	ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f.exe	un904607.exe
PID 2028 wrote to memory of 2232	2028	ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f.exe	un904607.exe
PID 2232 wrote to memory of 2756	2232	un904607.exe	pro5266.exe
PID 2232 wrote to memory of 2756	2232	un904607.exe	pro5266.exe
PID 2232 wrote to memory of 2756	2232	un904607.exe	pro5266.exe
PID 2232 wrote to memory of 2824	2232	un904607.exe	qu0487.exe
PID 2232 wrote to memory of 2824	2232	un904607.exe	qu0487.exe
PID 2232 wrote to memory of 2824	2232	un904607.exe	qu0487.exe

C:\Users\Admin\AppData\Local\Temp\ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f.exe
"C:\Users\Admin\AppData\Local\Temp\ef8bd3586737b3e626e80006104014ca517b110e86487f09b179a257ac91d12f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un904607.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un904607.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5266.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5266.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 1096
4⤵
- Program crash
PID:4660

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0487.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0487.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2756 -ip 2756
1⤵
PID:1160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un904607.exe

Filesize
516KB

MD5
88cf6d75feccdcd78243d4b7d4703bb8

SHA1
ad8db5ea25da287638e5aa668388e0a98c9a5a68

SHA256
46eecd84a6de3ce0aec6f0d6a5d85611324da3b5bb9be0a7f679408b5cd1b910

SHA512
c0a733a35a35404f0d27c14e196b96d315eb64cecad7004d9ccdd4dee37cf6cbcc0c8c9889c2e93c8259ff9c23559b3a4946f2250926d3ade41e8e6a3b4a2fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5266.exe

Filesize
295KB

MD5
35c099ee180ab3d48278cfa7c4ca5ab2

SHA1
f70a0085389f1511d5a00edbbfa676c6457e10dc

SHA256
b9da4286d9d79c4ee0afc502e31140857726a45e499619149aca3ed65789ea20

SHA512
bd681bb83b80c9b75aeacc1d689600359946aadbd5c40bd3a9a5a1998d7a850727c294b5e25485a1875b34b3451d55566341628ca906e6d9533b1d96280ee543

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0487.exe

Filesize
354KB

MD5
f4e86c96bbeb8f0e099a5fb52f48b525

SHA1
a8ad956f1e4f2ee53e067609fc39b081df32f995

SHA256
7e2b456598e8887a0ab2c4aba0960c839a6ffd78715ef9c3654aeaf1e887a39a

SHA512
b95f0a10b3ac548cbf6822695ad9bc2957840fba5de917d99bd76fe729b4e6f9fd993a945df7676ad83a02dac494f385ce67b981b971e5de5e9c2d70adb70e29

Download Submit
memory/2756-15-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/2756-16-0x00000000047E0000-0x000000000480D000-memory.dmp

Filesize
180KB

Download
memory/2756-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2756-18-0x0000000004950000-0x000000000496A000-memory.dmp

Filesize
104KB

Download
memory/2756-19-0x00000000074F0000-0x0000000007A94000-memory.dmp

Filesize
5.6MB

Download
memory/2756-20-0x0000000004D00000-0x0000000004D18000-memory.dmp

Filesize
96KB

Download
memory/2756-48-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-46-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-44-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-42-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-40-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-38-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-37-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-34-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-32-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-30-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-28-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-26-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-24-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-22-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-21-0x0000000004D00000-0x0000000004D12000-memory.dmp

Filesize
72KB

Download
memory/2756-49-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/2756-50-0x00000000047E0000-0x000000000480D000-memory.dmp

Filesize
180KB

Download
memory/2756-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2756-51-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/2756-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2756-54-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/2824-60-0x00000000070C0000-0x0000000007106000-memory.dmp

Filesize
280KB

Download
memory/2824-61-0x0000000007180000-0x00000000071C4000-memory.dmp

Filesize
272KB

Download
memory/2824-91-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-95-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-93-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-89-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-87-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-85-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-83-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-81-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-79-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-77-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-75-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-73-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-71-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-69-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-67-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-65-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-63-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-62-0x0000000007180000-0x00000000071BF000-memory.dmp

Filesize
252KB

Download
memory/2824-968-0x0000000007800000-0x0000000007E18000-memory.dmp

Filesize
6.1MB

Download
memory/2824-969-0x0000000007E60000-0x0000000007F6A000-memory.dmp

Filesize
1.0MB

Download
memory/2824-970-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

Filesize
72KB

Download
memory/2824-971-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

Filesize
240KB

Download
memory/2824-972-0x0000000008110000-0x000000000815C000-memory.dmp

Filesize
304KB

Download