healer | 3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603.exe
Size

522KB
MD5

fc97f75ab0acef1dbd4ab2306c433edf
SHA1

f7b4014295da7f4cc231c423c70bdde769d6920e
SHA256

3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603
SHA512

6fe55ff5ece36f1ad4e91f63f4d39f069661caea99717f6d2d90c163e6d17a19659e44a05795bcf3b0c4e266734877ef3ea7eaa5667a9b46a3b2f9aeffd379d8
SSDEEP

12288:iMrzy90b/u2H7L7ytBKA6nzihnCqtjaTDqCNYGnDC1c:xyaNumA69qtjanNNYGnh

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr288354.exe	healer
behavioral1/memory/3292-15-0x0000000000D90000-0x0000000000D9A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr288354.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr288354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr288354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr288354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr288354.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr288354.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr288354.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1280-22-0x00000000023C0000-0x0000000002406000-memory.dmp	family_redline
behavioral1/memory/1280-24-0x0000000002580000-0x00000000025C4000-memory.dmp	family_redline
behavioral1/memory/1280-72-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-89-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-86-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-84-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-82-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-80-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-78-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-76-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-74-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-70-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-68-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-66-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-64-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-62-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-60-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-58-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-54-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-52-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-50-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-48-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-46-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-44-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-42-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-38-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-36-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-34-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-33-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-28-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-56-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-40-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-30-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-26-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline
behavioral1/memory/1280-25-0x0000000002580000-0x00000000025BF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

zisu9275.exejr288354.exeku896685.exe

pid process

2760 zisu9275.exe
3292 jr288354.exe
1280 ku896685.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr288354.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr288354.exe

pid	process
2760	zisu9275.exe
3292	jr288354.exe
1280	ku896685.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr288354.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603.exezisu9275.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zisu9275.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603.exezisu9275.exeku896685.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zisu9275.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku896685.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr288354.exe

pid process

3292 jr288354.exe
3292 jr288354.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr288354.exeku896685.exe

description pid process

Token: SeDebugPrivilege 3292 jr288354.exe
Token: SeDebugPrivilege 1280 ku896685.exe

pid	process
3292	jr288354.exe
3292	jr288354.exe

description	pid	process
Token: SeDebugPrivilege	3292	jr288354.exe
Token: SeDebugPrivilege	1280	ku896685.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603.exezisu9275.exe

description	pid	process	target process
PID 3636 wrote to memory of 2760	3636	3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603.exe	zisu9275.exe
PID 3636 wrote to memory of 2760	3636	3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603.exe	zisu9275.exe
PID 3636 wrote to memory of 2760	3636	3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603.exe	zisu9275.exe
PID 2760 wrote to memory of 3292	2760	zisu9275.exe	jr288354.exe
PID 2760 wrote to memory of 3292	2760	zisu9275.exe	jr288354.exe
PID 2760 wrote to memory of 1280	2760	zisu9275.exe	ku896685.exe
PID 2760 wrote to memory of 1280	2760	zisu9275.exe	ku896685.exe
PID 2760 wrote to memory of 1280	2760	zisu9275.exe	ku896685.exe

C:\Users\Admin\AppData\Local\Temp\3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603.exe
"C:\Users\Admin\AppData\Local\Temp\3f341c6a8f15957c9412d41531c4a75f31ed91ef5ba831b9529b8021dfb1c603.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisu9275.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisu9275.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2760

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr288354.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr288354.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku896685.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku896685.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zisu9275.exe

Filesize
380KB

MD5
edc739b7b3bdf8539991d25f504bb0e0

SHA1
0bb482dce342cb36ef472a0bc408e1d02978a7ed

SHA256
d47378b9ffb4d6cf0de78d4de16734d019dab5e46a3e37f520f8a261e4624f9e

SHA512
17d332ba36af2ee2d7bc1544ac744bbb11187cd4efcecf77f2010e0e40b9882a4eb7e617d6f5b013d2a1ab01320caa5fe61b7d577b2aa855f3ede686f6bcec6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr288354.exe

Filesize
14KB

MD5
6df0af5cd7fd622a4d622b004f857a12

SHA1
4a6fa32cb92ca1d2c7e587fa51e646abe48fd7af

SHA256
94464008fd7924ad3c6aba74dd72d0fa1f5bb5ccb6c02f06c25c65c097747a99

SHA512
10c76fdfaa7287742a30e16def1569d1d612aa622d9e6029e2ac8403ebb52b4ca4302a6a9017994d7dce1114f47ed04ade74871bb33f6148cbb06e6b401bb4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku896685.exe

Filesize
295KB

MD5
780eff974c06d522d1d2900c9162153e

SHA1
5e2e565d7103ef11752386de0a03e03aa9d69988

SHA256
f46541e785267c50f7e68db66ebd261866dee9e11ac5091eb88e614d117d6fa2

SHA512
1baaf97e947c86a806b91d06cd52fb838a1158c1b2dbaaef97785b264b04cdb853aa3bdc9c04681d6b02198c54ad3add2de6e536b3bfed3255e0e6d8e003d6ed

Download Submit
memory/1280-62-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-22-0x00000000023C0000-0x0000000002406000-memory.dmp

Filesize
280KB

Download
memory/1280-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download
memory/1280-58-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-23-0x0000000004B80000-0x0000000005124000-memory.dmp

Filesize
5.6MB

Download
memory/1280-24-0x0000000002580000-0x00000000025C4000-memory.dmp

Filesize
272KB

Download
memory/1280-72-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-89-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-86-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-84-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-60-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-80-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-54-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-76-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-74-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-70-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-68-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-66-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-64-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-934-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/1280-82-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-933-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/1280-78-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-52-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-50-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-48-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-46-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-44-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-42-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-38-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-36-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-34-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-33-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-28-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-56-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-40-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-30-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-26-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-25-0x0000000002580000-0x00000000025BF000-memory.dmp

Filesize
252KB

Download
memory/1280-931-0x0000000005130000-0x0000000005748000-memory.dmp

Filesize
6.1MB

Download
memory/1280-932-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/3292-16-0x00007FFE00A93000-0x00007FFE00A95000-memory.dmp

Filesize
8KB

Download
memory/3292-14-0x00007FFE00A93000-0x00007FFE00A95000-memory.dmp

Filesize
8KB

Download
memory/3292-15-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download