healer | 3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d.exe
Size

697KB
MD5

a87733f3ce7e4e4b35d7b241d0bfb745
SHA1

6d03f8323768c740afe097d19caaf6581695a7f9
SHA256

3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d
SHA512

59e523a08eb61d286b294c3636e2cbede489dcae18b048dfab56044d17748922dca531ac0bbf6d238fb0833b3559605ea9e2dfa824a2474b18c26e0abda54bde
SSDEEP

12288:7Mrty90oxnVgoiiTOMk/WVhknKOiGGHv8Ikp8HOMJbL6nbGjTAxI9gTB9igz6eN6:uyXJVgfim/9nKONsv8RcOqGGjwI92r6r

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/816-17-0x0000000004840000-0x000000000485A000-memory.dmp	healer
behavioral1/memory/816-20-0x0000000004D60000-0x0000000004D78000-memory.dmp	healer
behavioral1/memory/816-48-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-46-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-44-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-42-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-40-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-38-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-36-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-34-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-32-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-30-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-28-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-26-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-24-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-22-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer
behavioral1/memory/816-21-0x0000000004D60000-0x0000000004D72000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro3650.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro3650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro3650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro3650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro3650.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro3650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro3650.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1132-59-0x00000000070E0000-0x0000000007126000-memory.dmp	family_redline
behavioral1/memory/1132-60-0x0000000007780000-0x00000000077C4000-memory.dmp	family_redline
behavioral1/memory/1132-80-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-94-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-93-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-90-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-88-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-86-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-84-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-82-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-78-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-76-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-72-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-70-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-68-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-66-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-64-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-62-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-61-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline
behavioral1/memory/1132-74-0x0000000007780000-0x00000000077BF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un453041.exepro3650.exequ8171.exe

pid process

5084 un453041.exe
816 pro3650.exe
1132 qu8171.exe

pid	process
5084	un453041.exe
816	pro3650.exe
1132	qu8171.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro3650.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro3650.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro3650.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d.exeun453041.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un453041.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4584 816 WerFault.exe pro3650.exe

pid	pid_target	process	target process
4584	816	WerFault.exe	pro3650.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d.exeun453041.exepro3650.exequ8171.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un453041.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro3650.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu8171.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro3650.exe

pid process

816 pro3650.exe
816 pro3650.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro3650.exequ8171.exe

description pid process

Token: SeDebugPrivilege 816 pro3650.exe
Token: SeDebugPrivilege 1132 qu8171.exe

pid	process
816	pro3650.exe
816	pro3650.exe

description	pid	process
Token: SeDebugPrivilege	816	pro3650.exe
Token: SeDebugPrivilege	1132	qu8171.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d.exeun453041.exe

description	pid	process	target process
PID 4944 wrote to memory of 5084	4944	3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d.exe	un453041.exe
PID 4944 wrote to memory of 5084	4944	3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d.exe	un453041.exe
PID 4944 wrote to memory of 5084	4944	3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d.exe	un453041.exe
PID 5084 wrote to memory of 816	5084	un453041.exe	pro3650.exe
PID 5084 wrote to memory of 816	5084	un453041.exe	pro3650.exe
PID 5084 wrote to memory of 816	5084	un453041.exe	pro3650.exe
PID 5084 wrote to memory of 1132	5084	un453041.exe	qu8171.exe
PID 5084 wrote to memory of 1132	5084	un453041.exe	qu8171.exe
PID 5084 wrote to memory of 1132	5084	un453041.exe	qu8171.exe

C:\Users\Admin\AppData\Local\Temp\3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d.exe
"C:\Users\Admin\AppData\Local\Temp\3cf01f23cb97d067b3478786361671d55ec219c1c1e20e4205d94c2a12a0ed3d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4944

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un453041.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un453041.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3650.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3650.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1012
4⤵
- Program crash
PID:4584

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8171.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8171.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 816 -ip 816
1⤵
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un453041.exe

Filesize
555KB

MD5
f5d093bd6319bffd16285c668ef67853

SHA1
ad5370b873cbc8ee9ea2873ffe00364867bc52b8

SHA256
1b86bbcb1b28487b39bf3b8843a39727f6cbc32f21a68582c84c577db9ed58d5

SHA512
f745355c191712abfc86062cb7f5f4db921e6aa5bcb9b43362169784e1c9b6af59cb762a3aed2ae69b221a80fce6751fa0e0d4b2f42404272064f233c1cdabba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3650.exe

Filesize
347KB

MD5
9dfbb3893368b5089036af7e6625ab80

SHA1
f2edbd6007b5f7be07094a9384a85081c7d4887f

SHA256
b22532c1e13e483cf21701c3198eb02407546de62fc5bc6c32e50347aaf58042

SHA512
4ba479ea0c83522c9367c27dcbfe559809f765ed790cf6e10081d10ed8de1a8fd6dc4200c73a4ea897dbd36ff9d68c8e104b3d5be545d5040b6502828a642035

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8171.exe

Filesize
406KB

MD5
e8a7197f17b06297bc01095609f07a1a

SHA1
7bfae2ddc6144d41f6271e50211d231eddb360e0

SHA256
ba6b5572c32b2797ab17e605f8dd4a566da51d051a32706624ef35c0008170ab

SHA512
789ba62ed617750d57337045245b74e05eb8eb27601d968a962960800d1b51aa724d5168f6e819aec44ac30c072ff593f668ecb63cf7f8a07516a424e2b64cc7

Download Submit
memory/816-15-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

Filesize
1024KB

Download
memory/816-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/816-17-0x0000000004840000-0x000000000485A000-memory.dmp

Filesize
104KB

Download
memory/816-18-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/816-19-0x0000000007360000-0x0000000007904000-memory.dmp

Filesize
5.6MB

Download
memory/816-20-0x0000000004D60000-0x0000000004D78000-memory.dmp

Filesize
96KB

Download
memory/816-48-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-46-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-44-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-42-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-40-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-38-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-36-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-34-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-32-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-30-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-28-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-26-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-24-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-22-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-21-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/816-49-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

Filesize
1024KB

Download
memory/816-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/816-51-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/816-53-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/816-54-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1132-59-0x00000000070E0000-0x0000000007126000-memory.dmp

Filesize
280KB

Download
memory/1132-60-0x0000000007780000-0x00000000077C4000-memory.dmp

Filesize
272KB

Download
memory/1132-80-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-94-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-93-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-90-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-88-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-86-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-84-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-82-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-78-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-76-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-72-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-70-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-68-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-66-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-64-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-62-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-61-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-74-0x0000000007780000-0x00000000077BF000-memory.dmp

Filesize
252KB

Download
memory/1132-967-0x00000000077D0000-0x0000000007DE8000-memory.dmp

Filesize
6.1MB

Download
memory/1132-968-0x0000000007E70000-0x0000000007F7A000-memory.dmp

Filesize
1.0MB

Download
memory/1132-969-0x0000000007FB0000-0x0000000007FC2000-memory.dmp

Filesize
72KB

Download
memory/1132-970-0x0000000007FD0000-0x000000000800C000-memory.dmp

Filesize
240KB

Download
memory/1132-971-0x0000000008120000-0x000000000816C000-memory.dmp

Filesize
304KB

Download