healer | 09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad.exe
Size

673KB
MD5

817111ba05979ab9dd7ced975be4c9f8
SHA1

af8cd68310a8a01c009564723c3987a1f51d8e0c
SHA256

09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad
SHA512

9ba1d18987064a4ab81181e9db2b63b85fc39d60c5f5af6ea03060ed63faae30047b6fe210c4cc3f90a213d7b5ca59209924c82744cf5fa3c587766197e163d6
SSDEEP

12288:LMrgy90Cj2Q6FCzgwJZoyxq8H74fWgJPyXiJ1A61GW/F8jB:7y76rFC57tzHY5JyqAup/2jB

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3040-19-0x00000000023B0000-0x00000000023CA000-memory.dmp	healer
behavioral1/memory/3040-21-0x0000000004A40000-0x0000000004A58000-memory.dmp	healer
behavioral1/memory/3040-45-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-49-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-47-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-43-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-41-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-39-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-37-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-35-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-33-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-31-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-27-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-25-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-23-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-22-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer
behavioral1/memory/3040-29-0x0000000004A40000-0x0000000004A52000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro0765.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro0765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0765.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4476-61-0x00000000025C0000-0x0000000002606000-memory.dmp	family_redline
behavioral1/memory/4476-62-0x0000000002670000-0x00000000026B4000-memory.dmp	family_redline
behavioral1/memory/4476-66-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-74-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-96-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-94-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-92-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-91-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-86-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-84-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-82-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-80-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-79-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-77-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-72-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-70-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-68-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-88-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-64-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/4476-63-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un396688.exepro0765.exequ9796.exe

pid process

2100 un396688.exe
3040 pro0765.exe
4476 qu9796.exe

pid	process
2100	un396688.exe
3040	pro0765.exe
4476	qu9796.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro0765.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0765.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad.exeun396688.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un396688.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1260 3040 WerFault.exe pro0765.exe

pid	pid_target	process	target process
1260	3040	WerFault.exe	pro0765.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad.exeun396688.exepro0765.exequ9796.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un396688.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro0765.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu9796.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro0765.exe

pid process

3040 pro0765.exe
3040 pro0765.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro0765.exequ9796.exe

description pid process

Token: SeDebugPrivilege 3040 pro0765.exe
Token: SeDebugPrivilege 4476 qu9796.exe

pid	process
3040	pro0765.exe
3040	pro0765.exe

description	pid	process
Token: SeDebugPrivilege	3040	pro0765.exe
Token: SeDebugPrivilege	4476	qu9796.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad.exeun396688.exe

description	pid	process	target process
PID 3648 wrote to memory of 2100	3648	09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad.exe	un396688.exe
PID 3648 wrote to memory of 2100	3648	09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad.exe	un396688.exe
PID 3648 wrote to memory of 2100	3648	09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad.exe	un396688.exe
PID 2100 wrote to memory of 3040	2100	un396688.exe	pro0765.exe
PID 2100 wrote to memory of 3040	2100	un396688.exe	pro0765.exe
PID 2100 wrote to memory of 3040	2100	un396688.exe	pro0765.exe
PID 2100 wrote to memory of 4476	2100	un396688.exe	qu9796.exe
PID 2100 wrote to memory of 4476	2100	un396688.exe	qu9796.exe
PID 2100 wrote to memory of 4476	2100	un396688.exe	qu9796.exe

C:\Users\Admin\AppData\Local\Temp\09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad.exe
"C:\Users\Admin\AppData\Local\Temp\09ac2a8ccd0e3bbe935e2b6819927dc89257041d1db3ee565eb98b869ed97cad.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un396688.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un396688.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0765.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0765.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 964
4⤵
- Program crash
PID:1260

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9796.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9796.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3040 -ip 3040
1⤵
PID:3532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un396688.exe

Filesize
520KB

MD5
6157451cb832a54f468819fac620a67d

SHA1
65898cefd90e5c65516393069b6d89904e1712d9

SHA256
f51c7e37e97ae6b6cc8579af980f569289af1de2a126498cafe07c626d8609d2

SHA512
11a1296e27d7dea89ca521f9259ee2e082872c31c8370551ea09579f1861251e732880ece59698391ba27303523dfd7882b511267fb8cb3f1b59765697a2aa07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0765.exe

Filesize
253KB

MD5
7ce8cdd241a64957504d71667f012c43

SHA1
3415c1cd5c43c3c17d8fabd443063bb9f7d7a9ad

SHA256
030fc9f9c0c53d70cf54806ed870a2afcd40855b41c3d747081985b1925b7547

SHA512
30e06c8a923249f00ea865790a9a6eb51fca249a809aed101b32558bff2c66c14a69e961960d2d99e12e696c8f73556f0f2902fff526b576d84e7b53d9e4ab5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9796.exe

Filesize
311KB

MD5
1b50a5fffc5d877dc520a50be6e2a91c

SHA1
aba24cbb040c0e4ed54f7516ca5d6bdf240f4eb9

SHA256
b77fc6d854b9fa867d9568cb43a404caa5d62e3c459648d849ba1c678d3eb9fe

SHA512
f1c163b6640f302d5160c4cfe364a96fc561eaee3bb6ee7cc4945fa0967f71f246dd0dbcd374a306985b051bc21e225d872ac5f1a17b8f6097e6c67c44357282

Download Submit
memory/3040-16-0x0000000000740000-0x000000000076D000-memory.dmp

Filesize
180KB

Download
memory/3040-15-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/3040-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-18-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3040-19-0x00000000023B0000-0x00000000023CA000-memory.dmp

Filesize
104KB

Download
memory/3040-20-0x0000000004B80000-0x0000000005124000-memory.dmp

Filesize
5.6MB

Download
memory/3040-21-0x0000000004A40000-0x0000000004A58000-memory.dmp

Filesize
96KB

Download
memory/3040-45-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-49-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-47-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-43-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-41-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-39-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-37-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-35-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-33-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-31-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-27-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-25-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-23-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-22-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-29-0x0000000004A40000-0x0000000004A52000-memory.dmp

Filesize
72KB

Download
memory/3040-50-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/3040-51-0x0000000000740000-0x000000000076D000-memory.dmp

Filesize
180KB

Download
memory/3040-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3040-55-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/3040-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4476-61-0x00000000025C0000-0x0000000002606000-memory.dmp

Filesize
280KB

Download
memory/4476-62-0x0000000002670000-0x00000000026B4000-memory.dmp

Filesize
272KB

Download
memory/4476-66-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-74-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-96-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-94-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-92-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-91-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-86-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-84-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-82-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-80-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-79-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-77-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-72-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-70-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-68-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-88-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-64-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-63-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/4476-969-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/4476-970-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/4476-971-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/4476-972-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/4476-973-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download