healer | 5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1

Analysis

max time kernel
144s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 07:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1.exe
Size

694KB
MD5

bc187fda2d5e9b83e4093d0d51bddf54
SHA1

309e1dbf9207aa571e5101693eeb6d3d2652df25
SHA256

5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1
SHA512

4e692ffcf0b0ccb9c424778e718f889fcdfcdb5d3588e7b5ed05fb5dee50afda3764296f6d141a2cacce6517009dbc7f19b7bce154e44e99e4f18876b0ac4dc5
SSDEEP

12288:ZMrHy90hEPG25QTyOdBoAUm2qu2JpA7eh09L3iaDzB2wyyEBq6DNbbxVPsOZkIP0:qykbYI+15q2Sh83iOVAyE/ZFyOeY0K1K

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2696-18-0x0000000004820000-0x000000000483A000-memory.dmp	healer
behavioral1/memory/2696-20-0x0000000004BA0000-0x0000000004BB8000-memory.dmp	healer
behavioral1/memory/2696-47-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-48-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-44-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-42-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-41-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-38-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-36-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-34-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-32-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-31-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-28-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-26-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-24-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-21-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer
behavioral1/memory/2696-23-0x0000000004BA0000-0x0000000004BB2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro4687.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4687.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/920-60-0x0000000004B10000-0x0000000004B56000-memory.dmp	family_redline
behavioral1/memory/920-61-0x0000000004E50000-0x0000000004E94000-memory.dmp	family_redline
behavioral1/memory/920-69-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-71-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-67-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-65-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-63-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-85-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-62-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-95-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-93-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-91-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-89-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-87-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-83-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-81-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-79-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-77-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-75-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/920-73-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un485946.exepro4687.exequ1442.exe

pid process

1856 un485946.exe
2696 pro4687.exe
920 qu1442.exe

pid	process
1856	un485946.exe
2696	pro4687.exe
920	qu1442.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro4687.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4687.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4687.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1.exeun485946.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un485946.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4536 2696 WerFault.exe pro4687.exe

pid	pid_target	process	target process
4536	2696	WerFault.exe	pro4687.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1.exeun485946.exepro4687.exequ1442.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un485946.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro4687.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu1442.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro4687.exe

pid process

2696 pro4687.exe
2696 pro4687.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro4687.exequ1442.exe

description pid process

Token: SeDebugPrivilege 2696 pro4687.exe
Token: SeDebugPrivilege 920 qu1442.exe

pid	process
2696	pro4687.exe
2696	pro4687.exe

description	pid	process
Token: SeDebugPrivilege	2696	pro4687.exe
Token: SeDebugPrivilege	920	qu1442.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1.exeun485946.exe

description	pid	process	target process
PID 1428 wrote to memory of 1856	1428	5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1.exe	un485946.exe
PID 1428 wrote to memory of 1856	1428	5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1.exe	un485946.exe
PID 1428 wrote to memory of 1856	1428	5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1.exe	un485946.exe
PID 1856 wrote to memory of 2696	1856	un485946.exe	pro4687.exe
PID 1856 wrote to memory of 2696	1856	un485946.exe	pro4687.exe
PID 1856 wrote to memory of 2696	1856	un485946.exe	pro4687.exe
PID 1856 wrote to memory of 920	1856	un485946.exe	qu1442.exe
PID 1856 wrote to memory of 920	1856	un485946.exe	qu1442.exe
PID 1856 wrote to memory of 920	1856	un485946.exe	qu1442.exe

C:\Users\Admin\AppData\Local\Temp\5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1.exe
"C:\Users\Admin\AppData\Local\Temp\5e384994e1be70b929701d3f23871e4bc5ccf44966dad3fd36b92673aa8ad6f1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un485946.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un485946.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4687.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4687.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 1080
4⤵
- Program crash
PID:4536

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1442.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1442.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2696 -ip 2696
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un485946.exe

Filesize
552KB

MD5
e6b3930f80e3d9c2e0b1d00513d478dd

SHA1
7baf45b882649ddde98e8d55e707229491b2bab5

SHA256
14f4be500636ac5aab86cdd61190aa44bb25dc813552c10fe96373c76da78e5f

SHA512
233441234c7133555c79e360484d477d7d87327b96f2115ae83ea46e753b3e2d15ce3e5bf1c081a9113f9a3ed5453b9e33987f8a3bd35e712f32f2a0717160e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4687.exe

Filesize
347KB

MD5
14882a2f9b366ebd1530281d74ae2750

SHA1
54835dac26001c0f508e39e332f227e00f89a419

SHA256
87a11a857545596404af31abfa9e16b3aebe53ad9a6b7ccc0261eb7fc74a2fdb

SHA512
294f9ee710900129991ebdfd619d941c7363ee88d70a790245bedaf73c62ac8d8538556dbee0d5d7d10eeae07fa222c5f2a6a7dfdf61ff9e73c6bece70959afc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu1442.exe

Filesize
405KB

MD5
59d6d40eedaf754400f5d1aecc91ebdd

SHA1
441d659c3b00b5812601f1e732d1a979be030604

SHA256
37cc165fe5463d3e06e63cc46861a9302e34614f4ded5f5c4531de321726c14e

SHA512
ca1a2cc110c7036469589d1aec2516d40ff02959ab8056d636f02e0df537167bb4e74431e03a06b563809cbfc4655b9d02050e43cfa07a395eba825de0a5f196

Download Submit
memory/920-87-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-91-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-969-0x0000000007290000-0x000000000739A000-memory.dmp

Filesize
1.0MB

Download
memory/920-968-0x0000000007A10000-0x0000000008028000-memory.dmp

Filesize
6.1MB

Download
memory/920-73-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-75-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-77-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-79-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-81-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-83-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-971-0x00000000073F0000-0x000000000742C000-memory.dmp

Filesize
240KB

Download
memory/920-972-0x0000000008130000-0x000000000817C000-memory.dmp

Filesize
304KB

Download
memory/920-89-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-970-0x00000000073D0000-0x00000000073E2000-memory.dmp

Filesize
72KB

Download
memory/920-93-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-95-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-62-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-85-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-63-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-65-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-67-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-71-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-69-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/920-61-0x0000000004E50000-0x0000000004E94000-memory.dmp

Filesize
272KB

Download
memory/920-60-0x0000000004B10000-0x0000000004B56000-memory.dmp

Filesize
280KB

Download
memory/2696-38-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-54-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/2696-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2696-51-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/2696-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2696-50-0x0000000002C60000-0x0000000002C8D000-memory.dmp

Filesize
180KB

Download
memory/2696-49-0x0000000002D80000-0x0000000002E80000-memory.dmp

Filesize
1024KB

Download
memory/2696-23-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-21-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-24-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-26-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-28-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-31-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-32-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-34-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-36-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-41-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-42-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-44-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-48-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-47-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/2696-20-0x0000000004BA0000-0x0000000004BB8000-memory.dmp

Filesize
96KB

Download
memory/2696-19-0x00000000072F0000-0x0000000007894000-memory.dmp

Filesize
5.6MB

Download
memory/2696-18-0x0000000004820000-0x000000000483A000-memory.dmp

Filesize
104KB

Download
memory/2696-16-0x0000000002C60000-0x0000000002C8D000-memory.dmp

Filesize
180KB

Download
memory/2696-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2696-15-0x0000000002D80000-0x0000000002E80000-memory.dmp

Filesize
1024KB

Download