healer | 2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0

Analysis

max time kernel
144s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0.exe
Size

660KB
MD5

8822afb1b82bd40210df55f2d63fed8b
SHA1

455fa0050ba2ca85d74c4086ab297defebbf04f2
SHA256

2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0
SHA512

a8b6e6a7b86781a08d787bb38c9fd6d17893f3a83668380bf0b6e25d65c77cc286d32ffdb72a8853a8bd5233f64f7b0e2a2c798c459e83b60a7e159308e48343
SSDEEP

12288:PMrSy90XgyvfPvjtbkqt1okxCzb6zO7gtXl6N2qrvhpr:Jy7ynPhbkq/CziCgtXlGhZpr

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1432-19-0x0000000002590000-0x00000000025AA000-memory.dmp	healer
behavioral1/memory/1432-21-0x0000000002730000-0x0000000002748000-memory.dmp	healer
behavioral1/memory/1432-35-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-22-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-49-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-47-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-23-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-45-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-43-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-41-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-39-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-37-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-33-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-31-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-29-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-27-0x0000000002730000-0x0000000002742000-memory.dmp	healer
behavioral1/memory/1432-25-0x0000000002730000-0x0000000002742000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro2353.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro2353.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro2353.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro2353.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro2353.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro2353.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro2353.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3544-60-0x00000000025C0000-0x0000000002606000-memory.dmp	family_redline
behavioral1/memory/3544-61-0x0000000004A90000-0x0000000004AD4000-memory.dmp	family_redline
behavioral1/memory/3544-67-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-75-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-93-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-91-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-90-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-85-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-83-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-81-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-79-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-77-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-73-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-71-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-69-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-95-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-87-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-65-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-63-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline
behavioral1/memory/3544-62-0x0000000004A90000-0x0000000004ACF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un043850.exepro2353.exequ2663.exe

pid process

4948 un043850.exe
1432 pro2353.exe
3544 qu2663.exe

pid	process
4948	un043850.exe
1432	pro2353.exe
3544	qu2663.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro2353.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro2353.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro2353.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0.exeun043850.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un043850.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2804 1432 WerFault.exe pro2353.exe

pid	pid_target	process	target process
2804	1432	WerFault.exe	pro2353.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

qu2663.exe2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0.exeun043850.exepro2353.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu2663.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un043850.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro2353.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro2353.exe

pid process

1432 pro2353.exe
1432 pro2353.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro2353.exequ2663.exe

description pid process

Token: SeDebugPrivilege 1432 pro2353.exe
Token: SeDebugPrivilege 3544 qu2663.exe

pid	process
1432	pro2353.exe
1432	pro2353.exe

description	pid	process
Token: SeDebugPrivilege	1432	pro2353.exe
Token: SeDebugPrivilege	3544	qu2663.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0.exeun043850.exe

description	pid	process	target process
PID 3108 wrote to memory of 4948	3108	2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0.exe	un043850.exe
PID 3108 wrote to memory of 4948	3108	2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0.exe	un043850.exe
PID 3108 wrote to memory of 4948	3108	2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0.exe	un043850.exe
PID 4948 wrote to memory of 1432	4948	un043850.exe	pro2353.exe
PID 4948 wrote to memory of 1432	4948	un043850.exe	pro2353.exe
PID 4948 wrote to memory of 1432	4948	un043850.exe	pro2353.exe
PID 4948 wrote to memory of 3544	4948	un043850.exe	qu2663.exe
PID 4948 wrote to memory of 3544	4948	un043850.exe	qu2663.exe
PID 4948 wrote to memory of 3544	4948	un043850.exe	qu2663.exe

C:\Users\Admin\AppData\Local\Temp\2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0.exe
"C:\Users\Admin\AppData\Local\Temp\2dbbef80830ab00a9d58db40ce97c8c27c746c5cf98953a2913deac92e9552e0.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3108

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un043850.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un043850.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4948

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2353.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2353.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1100
4⤵
- Program crash
PID:2804

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2663.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2663.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1432 -ip 1432
1⤵
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un043850.exe

Filesize
518KB

MD5
e81d3688f9af25ea8b810e798ca8b14d

SHA1
77dbadc3646d814d1fe5cfe88d335231c9ff17b8

SHA256
0fa823f70a8c3214d409ac882af4e08e97a1584ea62a4e85347e18ae1b90b6ad

SHA512
a2e41ea807468c904dbf8274c0f8f2d3ee47056edd6e812f15d2e31057f142493f5c5bb87406f43f87a02187bffdfb83fe225dd170a0fe4e51b6f762e92a0fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2353.exe

Filesize
237KB

MD5
56cd20f80fce42157c3e1d08e70304a4

SHA1
7caa0509b468019003ed77d2c1109dc88908c9bc

SHA256
e577b4819e868b9496f67431bd28969a7d9fbfb38d05ad43c5fe5fe1a6f861a3

SHA512
cfeee439435e5ca9449bde505e0a0d8896052c8c175ff18a093d9dd4706ea90af39565f8e221b610af2445d2f90f8aed4c5c2ee61cb521f163e2ced442719deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2663.exe

Filesize
295KB

MD5
5c5bd3888a4c7ed2c63eb7573d8bf32f

SHA1
afca93c25a32d79223da663c9735cab2fe69c9a4

SHA256
08829b273e67b11a7a7687eaba32a4f5537f03156453c6dd0baccc31017ce97b

SHA512
dd3f83c6d38e354b63819d42513a3b4e4dd6067db268b95daba452addb7f99d209f951dfa58a8394820e6e707898823210a516abd2155fc8f7629fb85d286221

Download Submit
memory/1432-15-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1432-17-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1432-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1432-18-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1432-19-0x0000000002590000-0x00000000025AA000-memory.dmp

Filesize
104KB

Download
memory/1432-20-0x0000000004D00000-0x00000000052A4000-memory.dmp

Filesize
5.6MB

Download
memory/1432-21-0x0000000002730000-0x0000000002748000-memory.dmp

Filesize
96KB

Download
memory/1432-35-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-22-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-49-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-47-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-23-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-45-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-43-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-41-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-39-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-37-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-33-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-31-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-29-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-27-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-25-0x0000000002730000-0x0000000002742000-memory.dmp

Filesize
72KB

Download
memory/1432-50-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/1432-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1432-54-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1432-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3544-60-0x00000000025C0000-0x0000000002606000-memory.dmp

Filesize
280KB

Download
memory/3544-61-0x0000000004A90000-0x0000000004AD4000-memory.dmp

Filesize
272KB

Download
memory/3544-67-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-75-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-93-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-91-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-90-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-85-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-83-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-81-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-79-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-77-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-73-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-71-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-69-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-95-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-87-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-65-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-63-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-62-0x0000000004A90000-0x0000000004ACF000-memory.dmp

Filesize
252KB

Download
memory/3544-968-0x00000000051B0000-0x00000000057C8000-memory.dmp

Filesize
6.1MB

Download
memory/3544-969-0x00000000057D0000-0x00000000058DA000-memory.dmp

Filesize
1.0MB

Download
memory/3544-970-0x00000000058E0000-0x00000000058F2000-memory.dmp

Filesize
72KB

Download
memory/3544-971-0x0000000005900000-0x000000000593C000-memory.dmp

Filesize
240KB

Download
memory/3544-972-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download