healer | a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d.exe
Size

677KB
MD5

23e5a1909d2f21d74951b727114c2885
SHA1

c6e25fa94764cc3ca67a61da8ef2201781db50f9
SHA256

a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d
SHA512

c614fb894d4daa3007ab4c3e1aed094980d4d57529438640fa67879ac72f6a2beab5b316eb7ce2a3ea2ee7ce34681d2773f0c24c3d9ecae421c6b00f572cd30e
SSDEEP

12288:KMrsy90qKFINNgiqIrjWt8wWjMlFvwpJLbH+4uz33EN/M6j:ayWiIqS8r6FINT+1z30Npj

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/32-19-0x0000000002460000-0x000000000247A000-memory.dmp	healer
behavioral1/memory/32-21-0x00000000024E0000-0x00000000024F8000-memory.dmp	healer
behavioral1/memory/32-49-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-48-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-45-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-43-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-41-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-39-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-37-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-35-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-33-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-31-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-29-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-27-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-25-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-23-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/32-22-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro9227.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9227.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9227.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9227.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9227.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9227.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9227.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3048-61-0x00000000022A0000-0x00000000022E6000-memory.dmp	family_redline
behavioral1/memory/3048-62-0x00000000024A0000-0x00000000024E4000-memory.dmp	family_redline
behavioral1/memory/3048-78-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-96-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-94-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-92-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-91-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-88-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-86-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-84-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-82-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-80-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-76-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-74-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-72-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-70-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-68-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-66-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-64-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline
behavioral1/memory/3048-63-0x00000000024A0000-0x00000000024DF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un759379.exepro9227.exequ0987.exe

pid process

5064 un759379.exe
32 pro9227.exe
3048 qu0987.exe

pid	process
5064	un759379.exe
32	pro9227.exe
3048	qu0987.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro9227.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9227.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9227.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d.exeun759379.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un759379.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1488 32 WerFault.exe pro9227.exe

pid	pid_target	process	target process
1488	32	WerFault.exe	pro9227.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d.exeun759379.exepro9227.exequ0987.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un759379.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro9227.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu0987.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro9227.exe

pid process

32 pro9227.exe
32 pro9227.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro9227.exequ0987.exe

description pid process

Token: SeDebugPrivilege 32 pro9227.exe
Token: SeDebugPrivilege 3048 qu0987.exe

pid	process
32	pro9227.exe
32	pro9227.exe

description	pid	process
Token: SeDebugPrivilege	32	pro9227.exe
Token: SeDebugPrivilege	3048	qu0987.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d.exeun759379.exe

description	pid	process	target process
PID 4804 wrote to memory of 5064	4804	a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d.exe	un759379.exe
PID 4804 wrote to memory of 5064	4804	a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d.exe	un759379.exe
PID 4804 wrote to memory of 5064	4804	a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d.exe	un759379.exe
PID 5064 wrote to memory of 32	5064	un759379.exe	pro9227.exe
PID 5064 wrote to memory of 32	5064	un759379.exe	pro9227.exe
PID 5064 wrote to memory of 32	5064	un759379.exe	pro9227.exe
PID 5064 wrote to memory of 3048	5064	un759379.exe	qu0987.exe
PID 5064 wrote to memory of 3048	5064	un759379.exe	qu0987.exe
PID 5064 wrote to memory of 3048	5064	un759379.exe	qu0987.exe

C:\Users\Admin\AppData\Local\Temp\a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d.exe
"C:\Users\Admin\AppData\Local\Temp\a8d54a44774b48afb6f3d2311cf24e8c9bd2f07e68dac82fa5faeb47cea6d61d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un759379.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un759379.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9227.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9227.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 32 -s 1084
4⤵
- Program crash
PID:1488

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0987.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0987.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 32 -ip 32
1⤵
PID:4732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un759379.exe

Filesize
523KB

MD5
71397e731abf8fe3baa7d98ee9e98a71

SHA1
12ea8f5096ebecf225723e3a6fd6912c185c9a06

SHA256
36b077a5b8062a3daaf6fadb8190aca8181f1495b504d160cc787885a9c8e34c

SHA512
397fcd25899af00e7f7e06dfae31483ae0a5261da545786395856e72fcb7b33814dc2f540e1fec119ed884647703d98dc30d0ed13bb4c7dd6f554f08f0f00917

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9227.exe

Filesize
253KB

MD5
5818f4eded02b822bfacf8f65e7bca12

SHA1
44ba47e02e57da84a4a2acbb5fbfedac49d3716d

SHA256
838b971121e167d9834140fba63b01e21cf027bb1ca009b5b54c427ed624c81d

SHA512
3d722783c1d0835fc41d7a538df95312a06d5534f98d1676a7d30c9f5920c81ea140fc03ddab25d200f8772282ef6a491bab3da432ac5f46b42b0414313f7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0987.exe

Filesize
311KB

MD5
d6b5710b031b6e76204ef9a2385a4dff

SHA1
99c483f411b83c800c61ff001ec46d07b7c986ac

SHA256
6f5c35e01015d56648649bfa92f02ed199c94a2995b3e7bfee804d702905e8f1

SHA512
3ed2e54940566e883270527b0f769c572e2cdbce8f6cb4436c523d74f86ac4b084341462dfd76a9e1b296f54bbd009786d7820bdb07e8e49b380430c6f8b77a1

Download Submit
memory/32-15-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/32-16-0x0000000000720000-0x000000000074D000-memory.dmp

Filesize
180KB

Download
memory/32-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/32-18-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/32-19-0x0000000002460000-0x000000000247A000-memory.dmp

Filesize
104KB

Download
memory/32-20-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/32-21-0x00000000024E0000-0x00000000024F8000-memory.dmp

Filesize
96KB

Download
memory/32-49-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-48-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-45-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-43-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-41-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-39-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-37-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-35-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-33-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-31-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-29-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-27-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-25-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-23-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-22-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/32-50-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/32-51-0x0000000000720000-0x000000000074D000-memory.dmp

Filesize
180KB

Download
memory/32-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/32-55-0x0000000000400000-0x00000000004AE000-memory.dmp

Filesize
696KB

Download
memory/32-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3048-61-0x00000000022A0000-0x00000000022E6000-memory.dmp

Filesize
280KB

Download
memory/3048-62-0x00000000024A0000-0x00000000024E4000-memory.dmp

Filesize
272KB

Download
memory/3048-78-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-96-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-94-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-92-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-91-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-88-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-86-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-84-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-82-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-80-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-76-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-74-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-72-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-70-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-68-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-66-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-64-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-63-0x00000000024A0000-0x00000000024DF000-memory.dmp

Filesize
252KB

Download
memory/3048-969-0x00000000051E0000-0x00000000057F8000-memory.dmp

Filesize
6.1MB

Download
memory/3048-970-0x0000000005800000-0x000000000590A000-memory.dmp

Filesize
1.0MB

Download
memory/3048-971-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

Filesize
72KB

Download
memory/3048-972-0x0000000005910000-0x000000000594C000-memory.dmp

Filesize
240KB

Download
memory/3048-973-0x0000000005A50000-0x0000000005A9C000-memory.dmp

Filesize
304KB

Download