healer | ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2024 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb.exe
Size

695KB
MD5

8c1fa9e27efb5c10230c22e6069467a8
SHA1

f727d07337c2b801fa19154a5f95737271ade6ac
SHA256

ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb
SHA512

fc941de47fd9ee5cf577dca9b425cd65c6dc7d466f5f32f9806e032cf6e5adb240f2386a3dafb80431376164a41637ac402744b0e9d538513811c140b94b1e8e
SSDEEP

12288:8Mroy90ZqTV3c0GxPDtbKEcedudlrIzz38x0Gz+ZOJjzFS71qil:cyoqTV3sPxlcedclrIz2l+cNadl

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4724-19-0x00000000026E0000-0x00000000026FA000-memory.dmp	healer
behavioral1/memory/4724-21-0x0000000002940000-0x0000000002958000-memory.dmp	healer
behavioral1/memory/4724-22-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-49-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-47-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-45-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-43-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-41-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-39-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-37-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-35-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-33-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-31-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-29-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-27-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-25-0x0000000002940000-0x0000000002952000-memory.dmp	healer
behavioral1/memory/4724-23-0x0000000002940000-0x0000000002952000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro7711.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7711.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7711.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7711.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7711.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7711.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7711.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1872-61-0x00000000027E0000-0x0000000002826000-memory.dmp	family_redline
behavioral1/memory/1872-62-0x00000000052D0000-0x0000000005314000-memory.dmp	family_redline
behavioral1/memory/1872-64-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-63-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-82-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-96-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-94-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-93-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-88-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-86-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-85-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-80-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-78-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-76-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-74-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-72-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-70-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-68-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-66-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline
behavioral1/memory/1872-90-0x00000000052D0000-0x000000000530F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un121966.exepro7711.exequ1599.exe

pid process

2188 un121966.exe
4724 pro7711.exe
1872 qu1599.exe

pid	process
2188	un121966.exe
4724	pro7711.exe
1872	qu1599.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro7711.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7711.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7711.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb.exeun121966.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un121966.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

pro7711.exequ1599.exeef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb.exeun121966.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro7711.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu1599.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un121966.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro7711.exe

pid process

4724 pro7711.exe
4724 pro7711.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro7711.exequ1599.exe

description pid process

Token: SeDebugPrivilege 4724 pro7711.exe
Token: SeDebugPrivilege 1872 qu1599.exe

pid	process
4724	pro7711.exe
4724	pro7711.exe

description	pid	process
Token: SeDebugPrivilege	4724	pro7711.exe
Token: SeDebugPrivilege	1872	qu1599.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb.exeun121966.exe

description	pid	process	target process
PID 4480 wrote to memory of 2188	4480	ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb.exe	un121966.exe
PID 4480 wrote to memory of 2188	4480	ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb.exe	un121966.exe
PID 4480 wrote to memory of 2188	4480	ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb.exe	un121966.exe
PID 2188 wrote to memory of 4724	2188	un121966.exe	pro7711.exe
PID 2188 wrote to memory of 4724	2188	un121966.exe	pro7711.exe
PID 2188 wrote to memory of 4724	2188	un121966.exe	pro7711.exe
PID 2188 wrote to memory of 1872	2188	un121966.exe	qu1599.exe
PID 2188 wrote to memory of 1872	2188	un121966.exe	qu1599.exe
PID 2188 wrote to memory of 1872	2188	un121966.exe	qu1599.exe

C:\Users\Admin\AppData\Local\Temp\ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb.exe
"C:\Users\Admin\AppData\Local\Temp\ef01eb4ecd06d55f3593168be1ba473809969e76ac65b89cf4e2782cb477a4fb.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un121966.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un121966.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7711.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7711.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1599.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1599.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un121966.exe

Filesize
553KB

MD5
6ae550f093743ac2fe687bf4467650e0

SHA1
4a200e1e5d816bd3e8f0f5e2ed04b95af1672118

SHA256
6d995fcfbba0134e6bddf9d2ab08b4615e7dd33df5d3666424742f1bbae76e73

SHA512
d5f6f733c958cea343eaa4352f5957520d576c8a4dbb94d0624bfa52a2a910fead0d0436241a43205351dca2c98f369f4e8749a29f0840b23a21369d5813b56c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7711.exe

Filesize
308KB

MD5
b5b6a09ec3fe9ed7a33aa69796fcacd5

SHA1
8f2ae289e0f73da2ac58c8c3cfaf5d9e90322ed1

SHA256
492eee5afaefb56e412d3b2cc73d6dc9b50d26e3e0147c659d0945254880c6fa

SHA512
9048395236b790864fd5a731039bd7bc383d93a0c86362ce61778e62d793e457df5a40c7aebc0381ec2a19ade790b850526a58eaf1090f6a5a4463971c153111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1599.exe

Filesize
366KB

MD5
e60d3d763d14ec343bc720cf09c96b6f

SHA1
a85bcc2262ead58c3a8a7d55dc1e5fe3475d555f

SHA256
ecae102bdf37d03884c239d8b49bd8772869cf9c1edd54324df513ca24188029

SHA512
1f29e26f987c9b88cf5145428828a46346d9ee4f14b8449a5930ac5eb315b305871a0f3dcb7de4803e9acc491bb2f6fc1a4445c73d34f29fdf9c4eb9e017eef2

Download Submit
memory/1872-76-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-80-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-970-0x00000000059F0000-0x0000000005AFA000-memory.dmp

Filesize
1.0MB

Download
memory/1872-969-0x0000000005350000-0x0000000005968000-memory.dmp

Filesize
6.1MB

Download
memory/1872-90-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-66-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-68-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-70-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-72-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-74-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-972-0x0000000005B50000-0x0000000005B8C000-memory.dmp

Filesize
240KB

Download
memory/1872-973-0x0000000005CA0000-0x0000000005CEC000-memory.dmp

Filesize
304KB

Download
memory/1872-78-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-971-0x0000000005B30000-0x0000000005B42000-memory.dmp

Filesize
72KB

Download
memory/1872-85-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-86-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-88-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-93-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-94-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-96-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-82-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-63-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-64-0x00000000052D0000-0x000000000530F000-memory.dmp

Filesize
252KB

Download
memory/1872-62-0x00000000052D0000-0x0000000005314000-memory.dmp

Filesize
272KB

Download
memory/1872-61-0x00000000027E0000-0x0000000002826000-memory.dmp

Filesize
280KB

Download
memory/4724-43-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-55-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4724-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4724-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4724-51-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/4724-50-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/4724-23-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-25-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-27-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-29-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-31-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-33-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-35-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-37-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-39-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-41-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-45-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-47-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-49-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-22-0x0000000002940000-0x0000000002952000-memory.dmp

Filesize
72KB

Download
memory/4724-21-0x0000000002940000-0x0000000002958000-memory.dmp

Filesize
96KB

Download
memory/4724-20-0x0000000004FF0000-0x0000000005594000-memory.dmp

Filesize
5.6MB

Download
memory/4724-19-0x00000000026E0000-0x00000000026FA000-memory.dmp

Filesize
104KB

Download
memory/4724-18-0x0000000000400000-0x000000000070F000-memory.dmp

Filesize
3.1MB

Download
memory/4724-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4724-16-0x00000000007E0000-0x000000000080D000-memory.dmp

Filesize
180KB

Download
memory/4724-15-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download