healer | 1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794.exe
Size

667KB
MD5

9e25447945e0d1083cbbf4b538f28ad7
SHA1

742a2b35edc8c73cfd899c3f14ab359d7011dfa3
SHA256

1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794
SHA512

ad7b1d21a5fd852cc235bd8f01e7cc6f890a7641ca5a1276ba6cc4bc33c43e612fb37c141fc2d242e812d6d40a3566100ac59e112e6c72a52e446dbc6912f59e
SSDEEP

12288:/Mrey901/y14o+oYDppnqS3KYOPTLFe3DhrUNQU/wtSjiVDsJK2:pyW/yGiYySrOPlwhrLiwtnVAK2

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1020-19-0x0000000002750000-0x000000000276A000-memory.dmp	healer
behavioral1/memory/1020-21-0x0000000002830000-0x0000000002848000-memory.dmp	healer
behavioral1/memory/1020-23-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-22-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-49-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-47-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-45-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-43-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-41-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-39-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-37-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-36-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-33-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-31-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-29-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-28-0x0000000002830000-0x0000000002842000-memory.dmp	healer
behavioral1/memory/1020-25-0x0000000002830000-0x0000000002842000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro4733.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4733.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4733.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4733.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4733.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4733.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4733.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4636-60-0x0000000002660000-0x00000000026A6000-memory.dmp	family_redline
behavioral1/memory/4636-61-0x0000000002AB0000-0x0000000002AF4000-memory.dmp	family_redline
behavioral1/memory/4636-70-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-71-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-95-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-93-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-89-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-87-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-85-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-84-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-81-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-77-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-75-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-73-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-67-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-91-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-79-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-65-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-63-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline
behavioral1/memory/4636-62-0x0000000002AB0000-0x0000000002AEF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un677965.exepro4733.exequ2970.exe

pid process

3264 un677965.exe
1020 pro4733.exe
4636 qu2970.exe

pid	process
3264	un677965.exe
1020	pro4733.exe
4636	qu2970.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro4733.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4733.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4733.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794.exeun677965.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un677965.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2256 1020 WerFault.exe pro4733.exe

pid	pid_target	process	target process
2256	1020	WerFault.exe	pro4733.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794.exeun677965.exepro4733.exequ2970.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un677965.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro4733.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu2970.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro4733.exe

pid process

1020 pro4733.exe
1020 pro4733.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro4733.exequ2970.exe

description pid process

Token: SeDebugPrivilege 1020 pro4733.exe
Token: SeDebugPrivilege 4636 qu2970.exe

pid	process
1020	pro4733.exe
1020	pro4733.exe

description	pid	process
Token: SeDebugPrivilege	1020	pro4733.exe
Token: SeDebugPrivilege	4636	qu2970.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794.exeun677965.exe

description	pid	process	target process
PID 3680 wrote to memory of 3264	3680	1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794.exe	un677965.exe
PID 3680 wrote to memory of 3264	3680	1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794.exe	un677965.exe
PID 3680 wrote to memory of 3264	3680	1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794.exe	un677965.exe
PID 3264 wrote to memory of 1020	3264	un677965.exe	pro4733.exe
PID 3264 wrote to memory of 1020	3264	un677965.exe	pro4733.exe
PID 3264 wrote to memory of 1020	3264	un677965.exe	pro4733.exe
PID 3264 wrote to memory of 4636	3264	un677965.exe	qu2970.exe
PID 3264 wrote to memory of 4636	3264	un677965.exe	qu2970.exe
PID 3264 wrote to memory of 4636	3264	un677965.exe	qu2970.exe

C:\Users\Admin\AppData\Local\Temp\1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794.exe
"C:\Users\Admin\AppData\Local\Temp\1f06421e9cf8e05fc66230f3b3acd9f4ac3fdd3c3bad043d4713692da8ddd794.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3680

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un677965.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un677965.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3264

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4733.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4733.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1064
4⤵
- Program crash
PID:2256

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2970.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2970.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1020 -ip 1020
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un677965.exe

Filesize
524KB

MD5
1972222ed52f0eab78db790db56ab7c7

SHA1
2c7bb21fc9dfa9c8371c137aaed843e09bd4ebc7

SHA256
110b99225dc2e1851f28ca98459a31931c0fe9fd18f7de0f841320ad1a9fd50c

SHA512
9a54205cdafd6ceb317fa5c3c9f50474d74b35c9bae5141050e0d1a0247165e0185d1b3d42181ccc89200bec7ba4929e71c9d93f5315614988245df9322c5907

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4733.exe

Filesize
294KB

MD5
d27d7be5d60873ef7a9fbdb4413883b4

SHA1
b8b98cd8f663ee02210a978971da31343722f622

SHA256
a33c3c3f2498459335e83617ec11dd74a5fba139a98b1b655019bfe453355708

SHA512
77d9a2ffa3f3fc0d7d26a7c6cdb5c40afad8cf28454a7ceebfc537869f6813ce2bf85e125fabaf94331ae3ad447c801cdc61ba0afb9adb2fcadc35b2e3cd8ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2970.exe

Filesize
352KB

MD5
3941caa4ef155b2e62192af18f69dddc

SHA1
bb32a0b6bc971911d954d4dc75fa0311f82df062

SHA256
b34c2e0cd1d28955474d127d03315be1d78d38033b134da2084e5131695a50ae

SHA512
880a9aed1a3359c84da58eca3179487041296032d9d6b84b9d6c1a154b9385bc37f72df9640ffc8806468800933ccc0bc7f57a8c3cbffd9e225cc4bebf0edf7c

Download Submit
memory/1020-15-0x0000000000930000-0x0000000000A30000-memory.dmp

Filesize
1024KB

Download
memory/1020-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1020-17-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1020-18-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1020-19-0x0000000002750000-0x000000000276A000-memory.dmp

Filesize
104KB

Download
memory/1020-20-0x0000000005000000-0x00000000055A4000-memory.dmp

Filesize
5.6MB

Download
memory/1020-21-0x0000000002830000-0x0000000002848000-memory.dmp

Filesize
96KB

Download
memory/1020-23-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-22-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-49-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-47-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-45-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-43-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-41-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-39-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-37-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-36-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-33-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-31-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-29-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-28-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-25-0x0000000002830000-0x0000000002842000-memory.dmp

Filesize
72KB

Download
memory/1020-50-0x0000000000930000-0x0000000000A30000-memory.dmp

Filesize
1024KB

Download
memory/1020-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1020-54-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/1020-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4636-60-0x0000000002660000-0x00000000026A6000-memory.dmp

Filesize
280KB

Download
memory/4636-61-0x0000000002AB0000-0x0000000002AF4000-memory.dmp

Filesize
272KB

Download
memory/4636-70-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-71-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-95-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-93-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-89-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-87-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-85-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-84-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-81-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-77-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-75-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-73-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-67-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-91-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-79-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-65-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-63-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-62-0x0000000002AB0000-0x0000000002AEF000-memory.dmp

Filesize
252KB

Download
memory/4636-968-0x00000000054A0000-0x0000000005AB8000-memory.dmp

Filesize
6.1MB

Download
memory/4636-969-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

Filesize
1.0MB

Download
memory/4636-970-0x0000000005C20000-0x0000000005C32000-memory.dmp

Filesize
72KB

Download
memory/4636-971-0x0000000005C40000-0x0000000005C7C000-memory.dmp

Filesize
240KB

Download
memory/4636-972-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download