healer | ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52.exe
Size

667KB
MD5

3a1a9e39424b756ef3277dacfcea1edb
SHA1

67bedbb597039553c8cfb670300acf62351f5736
SHA256

ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52
SHA512

367372c3d55bfc85e7c4227f0460dc32e4eab4c8b752bbe8f83ae4446b0f8450454a0b9384a4dbd71c9c3b3c6672f00cf47a38549413a1b65c2749b43778655f
SSDEEP

12288:WMrJy90Vlvnj176RD10PkOmCNJXr0FLxmIYZ22ZmzrUjMH/w6sZYouGMDj:Lym5GZsmgoFoIYI20r5fw6sZYolo

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4284-19-0x0000000002790000-0x00000000027AA000-memory.dmp	healer
behavioral1/memory/4284-21-0x0000000004D90000-0x0000000004DA8000-memory.dmp	healer
behavioral1/memory/4284-22-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-47-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-49-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-45-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-43-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-41-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-39-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-37-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-35-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-33-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-31-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-29-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-27-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-25-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer
behavioral1/memory/4284-23-0x0000000004D90000-0x0000000004DA2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro0321.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro0321.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0321.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0321.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0321.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0321.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0321.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4588-60-0x0000000002770000-0x00000000027B6000-memory.dmp	family_redline
behavioral1/memory/4588-61-0x0000000002880000-0x00000000028C4000-memory.dmp	family_redline
behavioral1/memory/4588-65-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-75-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-95-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-93-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-91-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-89-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-87-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-85-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-81-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-79-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-77-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-73-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-71-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-69-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-67-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-83-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-63-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline
behavioral1/memory/4588-62-0x0000000002880000-0x00000000028BF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un406603.exepro0321.exequ5651.exe

pid process

4916 un406603.exe
4284 pro0321.exe
4588 qu5651.exe

pid	process
4916	un406603.exe
4284	pro0321.exe
4588	qu5651.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro0321.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0321.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0321.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

un406603.exeea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un406603.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4048 4284 WerFault.exe pro0321.exe

pid	pid_target	process	target process
4048	4284	WerFault.exe	pro0321.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52.exeun406603.exepro0321.exequ5651.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un406603.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro0321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu5651.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro0321.exe

pid process

4284 pro0321.exe
4284 pro0321.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro0321.exequ5651.exe

description pid process

Token: SeDebugPrivilege 4284 pro0321.exe
Token: SeDebugPrivilege 4588 qu5651.exe

pid	process
4284	pro0321.exe
4284	pro0321.exe

description	pid	process
Token: SeDebugPrivilege	4284	pro0321.exe
Token: SeDebugPrivilege	4588	qu5651.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52.exeun406603.exe

description	pid	process	target process
PID 5116 wrote to memory of 4916	5116	ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52.exe	un406603.exe
PID 5116 wrote to memory of 4916	5116	ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52.exe	un406603.exe
PID 5116 wrote to memory of 4916	5116	ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52.exe	un406603.exe
PID 4916 wrote to memory of 4284	4916	un406603.exe	pro0321.exe
PID 4916 wrote to memory of 4284	4916	un406603.exe	pro0321.exe
PID 4916 wrote to memory of 4284	4916	un406603.exe	pro0321.exe
PID 4916 wrote to memory of 4588	4916	un406603.exe	qu5651.exe
PID 4916 wrote to memory of 4588	4916	un406603.exe	qu5651.exe
PID 4916 wrote to memory of 4588	4916	un406603.exe	qu5651.exe

C:\Users\Admin\AppData\Local\Temp\ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52.exe
"C:\Users\Admin\AppData\Local\Temp\ea3e19b4f87e50b5c87f12958b1cf7d6a707d324b36e9d67cea58f80ecc01e52.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un406603.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un406603.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0321.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0321.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 1084
4⤵
- Program crash
PID:4048

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5651.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5651.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4284 -ip 4284
1⤵
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un406603.exe

Filesize
525KB

MD5
8a43f1a2b91fa14b5584f695efe12ad4

SHA1
0b6160f27558ec971a4dfae5c87ab344e21f4b0a

SHA256
d34bb92f4b2967151b847010240e885e7667717d999b664aa3d33c67127ae01a

SHA512
b995b7eec581ee71bd3ae470f0770f22ce3ad56c55a0e0dcdeb3a5d3889ba8bac6941c2c519a0c2830435093e3b85de602a3285a08e0f335c25fd972ca609a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0321.exe

Filesize
294KB

MD5
e29c3516f325e60998bc1577f936b796

SHA1
df348a6ce3d3f08b2ed9c99dda9ff8b5232607d1

SHA256
785bd950203ebab11155ded65d624df669c66cf8dd5b683c9b2d4a3f6e8df206

SHA512
cbd7ce69adfe6bcc8a9928a85ce00801cbcb9c5552a1bff8ed05a739db3bf4f1af8de65a32f8f2d8816360674c1ee75330d1859fe1b700975b3601e672b39ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5651.exe

Filesize
352KB

MD5
0ccb354ff1af1ac1dcc2adaf8bbf8ac4

SHA1
b782b9882df2ec0dcd7e4533f91dcf4bbb2f0496

SHA256
8badca3a40d2947842a98e23a664edc1c0eae65866b9164cb3bdb19713a72640

SHA512
f14958d9b5ee92abc22695e3a1a34518515cc1e722df007cbfd005e9f6628a00550e38be5fc53616ff5e16e9889f1249c1bf0fd94bc719072d0ca341d8783c72

Download Submit
memory/4284-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4284-16-0x0000000000CE0000-0x0000000000D0D000-memory.dmp

Filesize
180KB

Download
memory/4284-15-0x0000000000A50000-0x0000000000B50000-memory.dmp

Filesize
1024KB

Download
memory/4284-18-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4284-19-0x0000000002790000-0x00000000027AA000-memory.dmp

Filesize
104KB

Download
memory/4284-20-0x0000000004F70000-0x0000000005514000-memory.dmp

Filesize
5.6MB

Download
memory/4284-21-0x0000000004D90000-0x0000000004DA8000-memory.dmp

Filesize
96KB

Download
memory/4284-22-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-47-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-49-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-45-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-43-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-41-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-39-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-37-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-35-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-33-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-31-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-29-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-27-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-25-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-23-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/4284-50-0x0000000000A50000-0x0000000000B50000-memory.dmp

Filesize
1024KB

Download
memory/4284-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4284-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4284-54-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/4588-60-0x0000000002770000-0x00000000027B6000-memory.dmp

Filesize
280KB

Download
memory/4588-61-0x0000000002880000-0x00000000028C4000-memory.dmp

Filesize
272KB

Download
memory/4588-65-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-75-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-95-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-93-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-91-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-89-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-87-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-85-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-81-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-79-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-77-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-73-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-71-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-69-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-67-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-83-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-63-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-62-0x0000000002880000-0x00000000028BF000-memory.dmp

Filesize
252KB

Download
memory/4588-968-0x00000000057A0000-0x0000000005DB8000-memory.dmp

Filesize
6.1MB

Download
memory/4588-969-0x0000000004FF0000-0x00000000050FA000-memory.dmp

Filesize
1.0MB

Download
memory/4588-970-0x00000000029E0000-0x00000000029F2000-memory.dmp

Filesize
72KB

Download
memory/4588-971-0x0000000002A00000-0x0000000002A3C000-memory.dmp

Filesize
240KB

Download
memory/4588-972-0x0000000002A50000-0x0000000002A9C000-memory.dmp

Filesize
304KB

Download