healer | 6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397.exe
Size

536KB
MD5

7cde4f9b3d5f7c93c5e9079ff553a579
SHA1

cab35a7ab1954f50f10e34864bbf61162abca4f3
SHA256

6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397
SHA512

b692f127773e830c958ae6c1d07353c68c1601615ab0d4014208a2dcd72cfb32e4fd1b6011ec4868b895d54437c97b7d682ce84bdf8c110c5e6d480ddaf4dba3
SSDEEP

12288:7Mrwy90BVmjgZ+cklqrW53HRyNBzA+RoLh55OMuPg4:7yGmjUW1QNBroAH

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr467781.exe	healer
behavioral1/memory/224-15-0x0000000000930000-0x000000000093A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr467781.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr467781.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr467781.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr467781.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr467781.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr467781.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr467781.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2516-21-0x0000000004D60000-0x0000000004DA6000-memory.dmp	family_redline
behavioral1/memory/2516-23-0x0000000004E20000-0x0000000004E64000-memory.dmp	family_redline
behavioral1/memory/2516-29-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-35-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-85-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-83-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-81-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-79-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-77-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-76-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-73-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-71-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-69-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-65-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-63-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-61-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-59-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-57-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-55-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-53-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-51-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-49-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-47-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-45-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-43-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-41-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-37-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-33-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-31-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-87-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-67-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-39-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-27-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-25-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline
behavioral1/memory/2516-24-0x0000000004E20000-0x0000000004E5F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

zitg3419.exejr467781.exeku725585.exe

pid process

1476 zitg3419.exe
224 jr467781.exe
2516 ku725585.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr467781.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr467781.exe

pid	process
1476	zitg3419.exe
224	jr467781.exe
2516	ku725585.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr467781.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397.exezitg3419.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zitg3419.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397.exezitg3419.exeku725585.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zitg3419.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku725585.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr467781.exe

pid process

224 jr467781.exe
224 jr467781.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr467781.exeku725585.exe

description pid process

Token: SeDebugPrivilege 224 jr467781.exe
Token: SeDebugPrivilege 2516 ku725585.exe

pid	process
224	jr467781.exe
224	jr467781.exe

description	pid	process
Token: SeDebugPrivilege	224	jr467781.exe
Token: SeDebugPrivilege	2516	ku725585.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397.exezitg3419.exe

description	pid	process	target process
PID 4088 wrote to memory of 1476	4088	6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397.exe	zitg3419.exe
PID 4088 wrote to memory of 1476	4088	6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397.exe	zitg3419.exe
PID 4088 wrote to memory of 1476	4088	6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397.exe	zitg3419.exe
PID 1476 wrote to memory of 224	1476	zitg3419.exe	jr467781.exe
PID 1476 wrote to memory of 224	1476	zitg3419.exe	jr467781.exe
PID 1476 wrote to memory of 2516	1476	zitg3419.exe	ku725585.exe
PID 1476 wrote to memory of 2516	1476	zitg3419.exe	ku725585.exe
PID 1476 wrote to memory of 2516	1476	zitg3419.exe	ku725585.exe

C:\Users\Admin\AppData\Local\Temp\6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397.exe
"C:\Users\Admin\AppData\Local\Temp\6ea07d0607b7bd4b86c28f6acb7f9a8f16ab0dc3208956dcde2b0680afcef397.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitg3419.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitg3419.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1476

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr467781.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr467781.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku725585.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku725585.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zitg3419.exe

Filesize
394KB

MD5
e522b8dbe3d5fc63c39b67e28b65eb33

SHA1
7d176a2bc63f439258c16f4ce18c819076cb8bd5

SHA256
b2fa42e239b4fe67476ec5a34935c6e7f14a650668e0ef5005fb1a5701db8432

SHA512
41e65c06a88fd0ce9dc75805d765b177891dabe68c02030809cb284011e5003ef5ec101d98e812ca4db4521144620c57291cc179112882229325ef905d6c9f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr467781.exe

Filesize
13KB

MD5
9b2413a5089ea3bf2b926f2bf78e14b4

SHA1
1864aaad95832ab8975e3902c5b02bab2eb9ce91

SHA256
7e73e67c454e99318811a66b1ea87620db6c6958de067e2ffcf3c631622eb8d8

SHA512
798cc525438983ad44ca7644bcaad67cc4a405120c9e409f4ae96878fe5fda4a93a62b60dd52906a8fa3f4a2c81d0b7495e887401a4b93d9692ec44c1de60e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku725585.exe

Filesize
353KB

MD5
5b445bad86d211dad4dea5acbc74e8b1

SHA1
d09d475f6f317d4d302d27cdea42286d30188939

SHA256
1ba9c5328ef6f57c1b0e7b84383f046000d80ff1878fcff37a24285c749b7ffd

SHA512
08929804e06c9ad872e674868d044f78e3f5dc9f82987aeeaabf68fb068e5bdbae4a2eced46ba41c316aa65cd2b21dbb2fcf185aeb5b461a3a7c498ceb359e1f

Download Submit
memory/224-14-0x00007FF92F2C3000-0x00007FF92F2C5000-memory.dmp

Filesize
8KB

Download
memory/224-15-0x0000000000930000-0x000000000093A000-memory.dmp

Filesize
40KB

Download
memory/2516-59-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-51-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-23-0x0000000004E20000-0x0000000004E64000-memory.dmp

Filesize
272KB

Download
memory/2516-29-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-35-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-85-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-83-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-81-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-79-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-77-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-76-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-73-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-71-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-69-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-65-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-63-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-61-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-21-0x0000000004D60000-0x0000000004DA6000-memory.dmp

Filesize
280KB

Download
memory/2516-57-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-55-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-53-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-22-0x0000000004E90000-0x0000000005434000-memory.dmp

Filesize
5.6MB

Download
memory/2516-49-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-47-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-45-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-43-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-41-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-37-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-33-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-31-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-87-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-67-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-39-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-27-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-25-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-24-0x0000000004E20000-0x0000000004E5F000-memory.dmp

Filesize
252KB

Download
memory/2516-933-0x0000000005C40000-0x0000000005C7C000-memory.dmp

Filesize
240KB

Download
memory/2516-932-0x0000000005C20000-0x0000000005C32000-memory.dmp

Filesize
72KB

Download
memory/2516-931-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

Filesize
1.0MB

Download
memory/2516-930-0x0000000005440000-0x0000000005A58000-memory.dmp

Filesize
6.1MB

Download
memory/2516-934-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download