healer | 80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376.exe
Size

658KB
MD5

5a7e7927a0a6a6cfff839021df97f094
SHA1

d1bdbdbb66b0ea33123bb67fd9803345683656d5
SHA256

80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376
SHA512

ef4148ea3c3f9b1d2be334605e7f59a204819f44a22fdde107d25d759a4abb4e30a2f5bcabb8df99c7c40aeb6cece7a4396c1f64ebd08031be7eb70ab08f950c
SSDEEP

12288:7Mray90II/7ba2WoutyhoQToGuYjrYWMSKpUQ44QzWKjE8vSvK:ZyKnYltiVkdYjECyU54ZKL

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4280-19-0x00000000022E0000-0x00000000022FA000-memory.dmp	healer
behavioral1/memory/4280-21-0x00000000025D0000-0x00000000025E8000-memory.dmp	healer
behavioral1/memory/4280-49-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-48-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-45-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-43-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-41-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-40-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-37-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-35-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-33-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-31-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-29-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-27-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-25-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-24-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer
behavioral1/memory/4280-22-0x00000000025D0000-0x00000000025E2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro7677.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7677.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7677.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3588-60-0x00000000024E0000-0x0000000002526000-memory.dmp	family_redline
behavioral1/memory/3588-61-0x0000000002560000-0x00000000025A4000-memory.dmp	family_redline
behavioral1/memory/3588-65-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-77-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-95-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-93-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-91-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-89-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-87-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-85-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-83-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-81-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-75-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-73-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-71-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-69-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-67-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-79-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-63-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline
behavioral1/memory/3588-62-0x0000000002560000-0x000000000259F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un128585.exepro7677.exequ8416.exe

pid process

3100 un128585.exe
4280 pro7677.exe
3588 qu8416.exe

pid	process
3100	un128585.exe
4280	pro7677.exe
3588	qu8416.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro7677.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7677.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7677.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

un128585.exe80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un128585.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1896 4280 WerFault.exe pro7677.exe

pid	pid_target	process	target process
1896	4280	WerFault.exe	pro7677.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376.exeun128585.exepro7677.exequ8416.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un128585.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro7677.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu8416.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro7677.exe

pid process

4280 pro7677.exe
4280 pro7677.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro7677.exequ8416.exe

description pid process

Token: SeDebugPrivilege 4280 pro7677.exe
Token: SeDebugPrivilege 3588 qu8416.exe

pid	process
4280	pro7677.exe
4280	pro7677.exe

description	pid	process
Token: SeDebugPrivilege	4280	pro7677.exe
Token: SeDebugPrivilege	3588	qu8416.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376.exeun128585.exe

description	pid	process	target process
PID 4640 wrote to memory of 3100	4640	80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376.exe	un128585.exe
PID 4640 wrote to memory of 3100	4640	80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376.exe	un128585.exe
PID 4640 wrote to memory of 3100	4640	80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376.exe	un128585.exe
PID 3100 wrote to memory of 4280	3100	un128585.exe	pro7677.exe
PID 3100 wrote to memory of 4280	3100	un128585.exe	pro7677.exe
PID 3100 wrote to memory of 4280	3100	un128585.exe	pro7677.exe
PID 3100 wrote to memory of 3588	3100	un128585.exe	qu8416.exe
PID 3100 wrote to memory of 3588	3100	un128585.exe	qu8416.exe
PID 3100 wrote to memory of 3588	3100	un128585.exe	qu8416.exe

C:\Users\Admin\AppData\Local\Temp\80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376.exe
"C:\Users\Admin\AppData\Local\Temp\80d6e302066d3efe86cb299efbbd44e840799e20c93ca2a0ee79b809c58f1376.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4640

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un128585.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un128585.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3100

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7677.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7677.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1080
4⤵
- Program crash
PID:1896

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8416.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8416.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4280 -ip 4280
1⤵
PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un128585.exe

Filesize
516KB

MD5
369225b3319046ac85383166ff3d2f3c

SHA1
d8b1d56243e4f77a6d69bad4df05b7470bd716f7

SHA256
06de37257c100eeba6ec3ce0eaeccf8545bb688e4085978b77f4317378b5d3c4

SHA512
715f4198510973ca39544c10d1a004d433852765bdd51dae0a1333de83259ca8b6e17980167d778941c7fecf89c849102c70846569baba5aab477497a20701ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7677.exe

Filesize
235KB

MD5
454c563d62a6fdb724c89285cc611eac

SHA1
3de5fac98cf7b49032eca19c4075b9238bfa6153

SHA256
f20706bb27b07e60755556561d8b0625f06ec3f57c59050c06c9f124b2b28428

SHA512
7efa98a447f5d4b3d54c318f5d9a6a22b2a9d775adb907a255a4bdabea946431655734dcdc34001a2f83b03c419ae01fe1db4852c7630ffc2e761621de94fd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8416.exe

Filesize
294KB

MD5
9c3b94f414172368c499dc8cf2b1742b

SHA1
9f5ae87ef656ebccc2545ef04027b01bd9beaffe

SHA256
f9af438725a8a59d0513d81ed1e19e36de06dcd8d80d33cb55e05e1d619bb3ed

SHA512
4d0547008566c5b6f71aaa7fb21248702f16c6f5119fad454a636f79c3b28fe0d0334f6555b5251b8f5fe4fb84145665f0897da12895aba2051f32a9aa14c21d

Download Submit
memory/3588-73-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-81-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-969-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/3588-968-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/3588-62-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-63-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-79-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-67-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-69-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-71-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-971-0x0000000005A30000-0x0000000005A6C000-memory.dmp

Filesize
240KB

Download
memory/3588-972-0x0000000005B80000-0x0000000005BCC000-memory.dmp

Filesize
304KB

Download
memory/3588-75-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-970-0x0000000005A10000-0x0000000005A22000-memory.dmp

Filesize
72KB

Download
memory/3588-83-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-85-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-87-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-89-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-91-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-93-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-95-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-77-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-65-0x0000000002560000-0x000000000259F000-memory.dmp

Filesize
252KB

Download
memory/3588-61-0x0000000002560000-0x00000000025A4000-memory.dmp

Filesize
272KB

Download
memory/3588-60-0x00000000024E0000-0x0000000002526000-memory.dmp

Filesize
280KB

Download
memory/4280-41-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4280-54-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4280-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4280-50-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download
memory/4280-22-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-24-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-25-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-27-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-29-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-31-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-33-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-35-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-37-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-40-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-43-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-45-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-48-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-49-0x00000000025D0000-0x00000000025E2000-memory.dmp

Filesize
72KB

Download
memory/4280-21-0x00000000025D0000-0x00000000025E8000-memory.dmp

Filesize
96KB

Download
memory/4280-20-0x0000000004D70000-0x0000000005314000-memory.dmp

Filesize
5.6MB

Download
memory/4280-19-0x00000000022E0000-0x00000000022FA000-memory.dmp

Filesize
104KB

Download
memory/4280-18-0x0000000000400000-0x00000000004A9000-memory.dmp

Filesize
676KB

Download
memory/4280-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4280-16-0x0000000000720000-0x000000000074D000-memory.dmp

Filesize
180KB

Download
memory/4280-15-0x0000000000760000-0x0000000000860000-memory.dmp

Filesize
1024KB

Download