healer | 870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7.exe
Size

659KB
MD5

63ecddcbf73d48c882b99242b018fe74
SHA1

99536862508f191deb8345ebac973aa5e16c1718
SHA256

870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7
SHA512

29e8056b9d9e882540608237bcc3ca6caa31beaede3db9df76a5a45e2b30b1486a21cf1e535e1a5a0e95a2d0540ff2e2469ee241d930fef0d35a1b384936fe74
SSDEEP

12288:UMrSy90zahNeKEVgWjuCAeHh6D56kXyqs6hlx:GykB/i2UDkw

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4084-19-0x0000000002610000-0x000000000262A000-memory.dmp	healer
behavioral1/memory/4084-21-0x0000000002870000-0x0000000002888000-memory.dmp	healer
behavioral1/memory/4084-49-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-47-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-45-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-43-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-41-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-39-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-37-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-35-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-34-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-31-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-29-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-27-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-25-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-23-0x0000000002870000-0x0000000002882000-memory.dmp	healer
behavioral1/memory/4084-22-0x0000000002870000-0x0000000002882000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro9509.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9509.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9509.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9509.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9509.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9509.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9509.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1676-60-0x0000000002620000-0x0000000002666000-memory.dmp	family_redline
behavioral1/memory/1676-61-0x0000000005400000-0x0000000005444000-memory.dmp	family_redline
behavioral1/memory/1676-75-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-67-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-65-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-63-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-62-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-85-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-95-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-93-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-89-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-87-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-83-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-81-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-79-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-77-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-73-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-71-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-69-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline
behavioral1/memory/1676-91-0x0000000005400000-0x000000000543F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un379922.exepro9509.exequ2101.exe

pid process

1724 un379922.exe
4084 pro9509.exe
1676 qu2101.exe

pid	process
1724	un379922.exe
4084	pro9509.exe
1676	qu2101.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro9509.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9509.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9509.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

un379922.exe870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un379922.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4872 4084 WerFault.exe pro9509.exe

pid	pid_target	process	target process
4872	4084	WerFault.exe	pro9509.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7.exeun379922.exepro9509.exequ2101.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un379922.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro9509.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu2101.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro9509.exe

pid process

4084 pro9509.exe
4084 pro9509.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro9509.exequ2101.exe

description pid process

Token: SeDebugPrivilege 4084 pro9509.exe
Token: SeDebugPrivilege 1676 qu2101.exe

pid	process
4084	pro9509.exe
4084	pro9509.exe

description	pid	process
Token: SeDebugPrivilege	4084	pro9509.exe
Token: SeDebugPrivilege	1676	qu2101.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7.exeun379922.exe

description	pid	process	target process
PID 2388 wrote to memory of 1724	2388	870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7.exe	un379922.exe
PID 2388 wrote to memory of 1724	2388	870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7.exe	un379922.exe
PID 2388 wrote to memory of 1724	2388	870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7.exe	un379922.exe
PID 1724 wrote to memory of 4084	1724	un379922.exe	pro9509.exe
PID 1724 wrote to memory of 4084	1724	un379922.exe	pro9509.exe
PID 1724 wrote to memory of 4084	1724	un379922.exe	pro9509.exe
PID 1724 wrote to memory of 1676	1724	un379922.exe	qu2101.exe
PID 1724 wrote to memory of 1676	1724	un379922.exe	qu2101.exe
PID 1724 wrote to memory of 1676	1724	un379922.exe	qu2101.exe

C:\Users\Admin\AppData\Local\Temp\870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7.exe
"C:\Users\Admin\AppData\Local\Temp\870d8e2317eecbf0372f9e70b9e3a59776e24e77668b01a924cbff9b2be486c7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un379922.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un379922.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1724

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9509.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9509.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1076
4⤵
- Program crash
PID:4872

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2101.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2101.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4084 -ip 4084
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un379922.exe

Filesize
518KB

MD5
ef6e3ca091ef690389501ce6dfa23f50

SHA1
8f4e8cba7e0f3b67788864b00e0ab1a56c419e9b

SHA256
32c9d5d0258dfbcae2a57ddc19570e7cf9cf182eb5bd98b351c910152bced94f

SHA512
027eee07be592420541c4f4aa5cf255044870793284534a126539622c8874df6515f766b0e477d4687b370b44e7f2995636f5fc1a6af3327d619405812877b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9509.exe

Filesize
376KB

MD5
e60eb4e04d907f7e6a09b791cc840f80

SHA1
62c083ca65b8984d4b7811a3e65af4a66082eee4

SHA256
d6aeee1143ae3dad24686e82d7bf052bd1c5f8afdfda99715836e71bca1d4a1e

SHA512
76f56721dd6a2a9f3b0ff331187898c865fdfa94fc37ecbd1ad73fd1de30404e6301ac9d7e62a1962dbfb8ad0e0941b643f9d425279f1b2545921d79a6b8240a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2101.exe

Filesize
434KB

MD5
ecb2ddc9b7ee59c5cfdef55fb37f2fda

SHA1
c0a83e3e758f34e5ef9bab85d89fbdc69bfd39e8

SHA256
74cf5f4e31bb2b8a96ff16ef6993f954aa1cb96fdbed7c95f4f3c312f308c47c

SHA512
3e27c2922b2856ad167d94b17e8529bfa5cacb758a2f1db205162a768b80e11ff4e3c33349364de8411e15c88ab4187df001e46dd85ad150043c9f54ed6a56ff

Download Submit
memory/1676-81-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-87-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-969-0x0000000005B00000-0x0000000005C0A000-memory.dmp

Filesize
1.0MB

Download
memory/1676-968-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/1676-91-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-69-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-71-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-73-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-77-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-79-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-971-0x0000000005C60000-0x0000000005C9C000-memory.dmp

Filesize
240KB

Download
memory/1676-972-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

Filesize
304KB

Download
memory/1676-83-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-970-0x0000000005C40000-0x0000000005C52000-memory.dmp

Filesize
72KB

Download
memory/1676-89-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-93-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-95-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-85-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-62-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-63-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-65-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-67-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-75-0x0000000005400000-0x000000000543F000-memory.dmp

Filesize
252KB

Download
memory/1676-61-0x0000000005400000-0x0000000005444000-memory.dmp

Filesize
272KB

Download
memory/1676-60-0x0000000002620000-0x0000000002666000-memory.dmp

Filesize
280KB

Download
memory/4084-41-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4084-54-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/4084-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4084-50-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/4084-22-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-23-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-25-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-27-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-29-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-31-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-34-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-35-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-37-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-39-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-43-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-45-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-47-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-49-0x0000000002870000-0x0000000002882000-memory.dmp

Filesize
72KB

Download
memory/4084-21-0x0000000002870000-0x0000000002888000-memory.dmp

Filesize
96KB

Download
memory/4084-20-0x0000000005080000-0x0000000005624000-memory.dmp

Filesize
5.6MB

Download
memory/4084-19-0x0000000002610000-0x000000000262A000-memory.dmp

Filesize
104KB

Download
memory/4084-18-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/4084-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4084-17-0x0000000000400000-0x0000000000813000-memory.dmp

Filesize
4.1MB

Download
memory/4084-15-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download