healer | 90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a.exe
Size

750KB
MD5

e2f158f4b5243d75360b9080dd9de3bf
SHA1

6e9d66d176fb091215e458c7bd6562cbe559ddda
SHA256

90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a
SHA512

622a539a46386ca0c481a70cf16bd992d6cf41842e9e481424d2b23d761c2994f8c6476310d25ef4d10cb9c7506586065e9b86ac29d669f979d1c645a411b0c9
SSDEEP

12288:nDcLl+sdwaC23Fuzt+2S0RnVCHe8MWWg6jPPOVIdWt8GkKBoWkjH2OXFeazr4D:ol+sdwk38kHBWfmIDio7HvtQD

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr506801.exe	healer
behavioral2/memory/912-19-0x0000000000650000-0x000000000065A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr506801.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr506801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr506801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr506801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr506801.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr506801.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr506801.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1596-30-0x0000000004B30000-0x0000000004B76000-memory.dmp	family_redline
behavioral2/memory/1596-32-0x0000000007170000-0x00000000071B4000-memory.dmp	family_redline
behavioral2/memory/1596-46-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-48-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-92-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-90-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-88-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-86-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-84-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-82-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-80-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-78-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-76-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-74-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-70-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-68-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-66-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-64-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-62-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-60-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-56-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-54-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-52-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-50-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-44-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-42-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-40-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-94-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-72-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-58-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-38-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-36-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-34-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline
behavioral2/memory/1596-33-0x0000000007170000-0x00000000071AF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

zibT6056.exejr506801.exeku801740.exe

pid process

4860 zibT6056.exe
912 jr506801.exe
1596 ku801740.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr506801.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr506801.exe

pid	process
4860	zibT6056.exe
912	jr506801.exe
1596	ku801740.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr506801.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a.exezibT6056.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zibT6056.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

zibT6056.exeku801740.exe90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zibT6056.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku801740.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr506801.exe

pid process

912 jr506801.exe
912 jr506801.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr506801.exeku801740.exe

description pid process

Token: SeDebugPrivilege 912 jr506801.exe
Token: SeDebugPrivilege 1596 ku801740.exe

pid	process
912	jr506801.exe
912	jr506801.exe

description	pid	process
Token: SeDebugPrivilege	912	jr506801.exe
Token: SeDebugPrivilege	1596	ku801740.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a.exezibT6056.exe

description	pid	process	target process
PID 1084 wrote to memory of 4860	1084	90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a.exe	zibT6056.exe
PID 1084 wrote to memory of 4860	1084	90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a.exe	zibT6056.exe
PID 1084 wrote to memory of 4860	1084	90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a.exe	zibT6056.exe
PID 4860 wrote to memory of 912	4860	zibT6056.exe	jr506801.exe
PID 4860 wrote to memory of 912	4860	zibT6056.exe	jr506801.exe
PID 4860 wrote to memory of 1596	4860	zibT6056.exe	ku801740.exe
PID 4860 wrote to memory of 1596	4860	zibT6056.exe	ku801740.exe
PID 4860 wrote to memory of 1596	4860	zibT6056.exe	ku801740.exe

C:\Users\Admin\AppData\Local\Temp\90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a.exe
"C:\Users\Admin\AppData\Local\Temp\90b02058346aa247d49dd95c69837d76f5b7b128e3bd1e8ba2545df915631e7a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1084

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT6056.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT6056.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4860

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr506801.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr506801.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801740.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801740.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibT6056.exe

Filesize
420KB

MD5
f517375ea4dd5f0507ee819390fe2714

SHA1
1aec142e1954702e1665528d7c17e6302820050c

SHA256
ab0eb669a6ed078a5a7856a781f38cb24c098c56a5f55d2f87cda0590d98a1c2

SHA512
fef39f5033d38b4bee68a37870ce32f7deb7b4f16fa8a439b0102690c52125ccc8247b96174854efa830e0f7942e2466a84110c77a1dc6852bafcdd784fade7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr506801.exe

Filesize
12KB

MD5
f998e0d439e230e9a2328f6795673953

SHA1
62aca608da0970a759217a7dab8ebc22174f926a

SHA256
4c4d44de95191bbd13e0c6b8aeb6460dec13089dd54bc8f9601e1b31928e12f0

SHA512
456a4a3b77d2bdbdb0c20413330dd636f38309e2e41be0ed0e470968364f0d4a2c0775d8c9aef6e65646026cd8b7cd687ed3a8dbf0cffa810057454d3068ceb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku801740.exe

Filesize
403KB

MD5
e5f1eea0775d1300a4589e8e86260211

SHA1
cb5d660ecb593d89dddb5eac453f57a54275392a

SHA256
296a1be8d88090e0b0fcb73b7c4041e2414df0e2b1b5f7e7246166ed0d3e9ec2

SHA512
60050fb2cf3377fc0a8a45506103cf14329390f893e1bc24040c36f75e079c74ec7455408a3b83480d37efa3acee9668864308c87a1e36774ef964d13747f59d

Download Submit
memory/912-18-0x00007FF8E7EE3000-0x00007FF8E7EE5000-memory.dmp

Filesize
8KB

Download
memory/912-19-0x0000000000650000-0x000000000065A000-memory.dmp

Filesize
40KB

Download
memory/912-24-0x00007FF8E7EE3000-0x00007FF8E7EE5000-memory.dmp

Filesize
8KB

Download
memory/1084-1-0x0000000004850000-0x00000000048DF000-memory.dmp

Filesize
572KB

Download
memory/1084-2-0x00000000048E0000-0x000000000496E000-memory.dmp

Filesize
568KB

Download
memory/1084-3-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1084-20-0x0000000004850000-0x00000000048DF000-memory.dmp

Filesize
572KB

Download
memory/1084-21-0x00000000048E0000-0x000000000496E000-memory.dmp

Filesize
568KB

Download
memory/1084-22-0x0000000000400000-0x0000000000492000-memory.dmp

Filesize
584KB

Download
memory/1084-23-0x0000000000400000-0x0000000002BE9000-memory.dmp

Filesize
39.9MB

Download
memory/1596-76-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-62-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-32-0x0000000007170000-0x00000000071B4000-memory.dmp

Filesize
272KB

Download
memory/1596-46-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-48-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-92-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-90-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-88-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-86-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-84-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-82-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-80-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-78-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-30-0x0000000004B30000-0x0000000004B76000-memory.dmp

Filesize
280KB

Download
memory/1596-74-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-70-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-68-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-66-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-64-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-31-0x0000000007290000-0x0000000007834000-memory.dmp

Filesize
5.6MB

Download
memory/1596-60-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-56-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-54-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-52-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-50-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-44-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-42-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-40-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-94-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-72-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-58-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-38-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-36-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-34-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-33-0x0000000007170000-0x00000000071AF000-memory.dmp

Filesize
252KB

Download
memory/1596-939-0x0000000007840000-0x0000000007E58000-memory.dmp

Filesize
6.1MB

Download
memory/1596-940-0x0000000007E70000-0x0000000007F7A000-memory.dmp

Filesize
1.0MB

Download
memory/1596-941-0x0000000007FB0000-0x0000000007FC2000-memory.dmp

Filesize
72KB

Download
memory/1596-942-0x0000000007FD0000-0x000000000800C000-memory.dmp

Filesize
240KB

Download
memory/1596-943-0x0000000008120000-0x000000000816C000-memory.dmp

Filesize
304KB

Download