healer | f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669.exe
Size

658KB
MD5

c6637cad71072dcd58d169d88f9f3302
SHA1

1fc79eac8edf17092be4e78601efeb4d2ff80b7f
SHA256

f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669
SHA512

89a037a21bea5180607242e50dd1a9877f0a1d1694d04d054e6f6c09593e1099378a5bae077162bbda471857c1d84a9169785a5dd4ba4936756bf9292746b125
SSDEEP

12288:GMrMy90mI7y2w0x9WoDQIFSsntln1tonwborBmLt8QC6OmQ447zWKB68vl2uXvDb:uyahScbFBntt1mnhBmhK1m54mKkuXvP

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2752-19-0x00000000022F0000-0x000000000230A000-memory.dmp	healer
behavioral1/memory/2752-21-0x0000000002740000-0x0000000002758000-memory.dmp	healer
behavioral1/memory/2752-43-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-49-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-47-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-45-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-41-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-39-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-37-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-35-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-33-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-31-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-29-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-27-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-25-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-23-0x0000000002740000-0x0000000002752000-memory.dmp	healer
behavioral1/memory/2752-22-0x0000000002740000-0x0000000002752000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro9581.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9581.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9581.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9581.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9581.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9581.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9581.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/864-61-0x00000000025D0000-0x0000000002616000-memory.dmp	family_redline
behavioral1/memory/864-62-0x0000000002690000-0x00000000026D4000-memory.dmp	family_redline
behavioral1/memory/864-68-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-76-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-96-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-94-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-92-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-88-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-86-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-85-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-82-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-80-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-78-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-74-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-72-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-70-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-90-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-66-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-64-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline
behavioral1/memory/864-63-0x0000000002690000-0x00000000026CF000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un417903.exepro9581.exequ2843.exe

pid process

408 un417903.exe
2752 pro9581.exe
864 qu2843.exe

pid	process
408	un417903.exe
2752	pro9581.exe
864	qu2843.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro9581.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9581.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9581.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669.exeun417903.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un417903.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2656 2752 WerFault.exe pro9581.exe

pid	pid_target	process	target process
2656	2752	WerFault.exe	pro9581.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

un417903.exepro9581.exequ2843.exef7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un417903.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro9581.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu2843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro9581.exe

pid process

2752 pro9581.exe
2752 pro9581.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro9581.exequ2843.exe

description pid process

Token: SeDebugPrivilege 2752 pro9581.exe
Token: SeDebugPrivilege 864 qu2843.exe

pid	process
2752	pro9581.exe
2752	pro9581.exe

description	pid	process
Token: SeDebugPrivilege	2752	pro9581.exe
Token: SeDebugPrivilege	864	qu2843.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669.exeun417903.exe

description	pid	process	target process
PID 2756 wrote to memory of 408	2756	f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669.exe	un417903.exe
PID 2756 wrote to memory of 408	2756	f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669.exe	un417903.exe
PID 2756 wrote to memory of 408	2756	f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669.exe	un417903.exe
PID 408 wrote to memory of 2752	408	un417903.exe	pro9581.exe
PID 408 wrote to memory of 2752	408	un417903.exe	pro9581.exe
PID 408 wrote to memory of 2752	408	un417903.exe	pro9581.exe
PID 408 wrote to memory of 864	408	un417903.exe	qu2843.exe
PID 408 wrote to memory of 864	408	un417903.exe	qu2843.exe
PID 408 wrote to memory of 864	408	un417903.exe	qu2843.exe

C:\Users\Admin\AppData\Local\Temp\f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669.exe
"C:\Users\Admin\AppData\Local\Temp\f7e791e18d73b82ff4311ed0e42631f1eae064adfa3885281b1580db2b02b669.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417903.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417903.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9581.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9581.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 1096
4⤵
- Program crash
PID:2656

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2843.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2843.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2752 -ip 2752
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un417903.exe

Filesize
516KB

MD5
668f1ffd60d2bb09121847873740c00a

SHA1
00bc5dde4e962c8aa1e50a04f9df119d0e834020

SHA256
85f89c496cdc2779e518f6aed204738e86f73ed1d324120b207c3eae20815525

SHA512
1ab11a1829a933622b6729309156902a55b168f9ca468f2ae85857d625286bdf14770383891dd0a62129a76276caf8dcc5e56177e1b4839f780e0ed083ff1bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9581.exe

Filesize
235KB

MD5
e5dfaf1ee07a1721f7ccdfc8f30cd52c

SHA1
3b234d4d402583eeb778c7a9dd837bfeb1cc180a

SHA256
a563eec6ce0985fb0fbd7983daaa3590d276458c32e436d1fb555382326df6f8

SHA512
dee4f88d0e9bfebbac5756d7039c26ab2ef1f234a1404f004a430940d51e9b53a998bd8c955aa688e303d2e021011aa58c70d746a6a4314a8dec830e69253672

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2843.exe

Filesize
294KB

MD5
8c35d8d2cf0ee2ac22f7add1a32c32db

SHA1
547a7ecf034008f29fdc822dcea863df75f7dc13

SHA256
90b2523f3fd82a5154820650aeb11573e45b5df00d4691e1c4651898328071c7

SHA512
bf488f396af47adecec4318b6cd991d36398ea136b3618047f9999b263b0afa0f68ec747886383e1e82233df401ff41920ea21a60f9dbc3d2a0f4e32df7c03be

Download Submit
memory/864-74-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-80-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-970-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/864-969-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/864-63-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-64-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-66-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-90-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-70-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-72-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-972-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/864-973-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download
memory/864-78-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-971-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/864-82-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-85-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-86-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-88-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-92-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-94-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-96-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-76-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-68-0x0000000002690000-0x00000000026CF000-memory.dmp

Filesize
252KB

Download
memory/864-62-0x0000000002690000-0x00000000026D4000-memory.dmp

Filesize
272KB

Download
memory/864-61-0x00000000025D0000-0x0000000002616000-memory.dmp

Filesize
280KB

Download
memory/2752-41-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2752-55-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2752-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2752-51-0x0000000000660000-0x000000000068D000-memory.dmp

Filesize
180KB

Download
memory/2752-50-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/2752-22-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-23-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-25-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-27-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-29-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-31-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-33-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-35-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-37-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-39-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-45-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-47-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-49-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-43-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/2752-21-0x0000000002740000-0x0000000002758000-memory.dmp

Filesize
96KB

Download
memory/2752-20-0x0000000004DD0000-0x0000000005374000-memory.dmp

Filesize
5.6MB

Download
memory/2752-19-0x00000000022F0000-0x000000000230A000-memory.dmp

Filesize
104KB

Download
memory/2752-18-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/2752-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2752-16-0x0000000000660000-0x000000000068D000-memory.dmp

Filesize
180KB

Download
memory/2752-15-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download