healer | dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858

Analysis

max time kernel
145s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858.exe
Size

689KB
MD5

f831dac2152cc6efcee0de3df17136f7
SHA1

d5974a89207a13579d6c3d9ed96c9247a3645e1a
SHA256

dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858
SHA512

6c336a887147624522eac7b7bcddc27188cc4930f8231a72e0a78f4120bb3c2a5c21168be9fff5f045e53a9e4297c5caed331b36747c45135752f0a570bba9eb
SSDEEP

12288:1Mrcy9075WkMnFc0OBUI1e14H2KcOpfWoxtWJhXRMk5m742:Vy4ZAcxNA1sfhIS8JxSEY

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/216-19-0x0000000002720000-0x000000000273A000-memory.dmp	healer
behavioral1/memory/216-21-0x00000000054A0000-0x00000000054B8000-memory.dmp	healer
behavioral1/memory/216-39-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-49-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-47-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-45-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-44-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-41-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-37-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-35-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-33-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-31-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-29-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-27-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-25-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-23-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer
behavioral1/memory/216-22-0x00000000054A0000-0x00000000054B2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro6232.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro6232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6232.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4352-61-0x0000000002770000-0x00000000027B6000-memory.dmp	family_redline
behavioral1/memory/4352-62-0x0000000005410000-0x0000000005454000-memory.dmp	family_redline
behavioral1/memory/4352-74-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-78-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-96-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-94-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-92-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-90-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-88-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-86-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-84-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-82-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-80-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-76-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-72-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-70-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-68-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-66-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-64-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline
behavioral1/memory/4352-63-0x0000000005410000-0x000000000544F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un894814.exepro6232.exequ3495.exe

pid process

4256 un894814.exe
216 pro6232.exe
4352 qu3495.exe

pid	process
4256	un894814.exe
216	pro6232.exe
4352	qu3495.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro6232.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6232.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6232.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858.exeun894814.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un894814.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1080 216 WerFault.exe pro6232.exe

pid	pid_target	process	target process
1080	216	WerFault.exe	pro6232.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858.exeun894814.exepro6232.exequ3495.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un894814.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro6232.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu3495.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro6232.exe

pid process

216 pro6232.exe
216 pro6232.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro6232.exequ3495.exe

description pid process

Token: SeDebugPrivilege 216 pro6232.exe
Token: SeDebugPrivilege 4352 qu3495.exe

pid	process
216	pro6232.exe
216	pro6232.exe

description	pid	process
Token: SeDebugPrivilege	216	pro6232.exe
Token: SeDebugPrivilege	4352	qu3495.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858.exeun894814.exe

description	pid	process	target process
PID 964 wrote to memory of 4256	964	dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858.exe	un894814.exe
PID 964 wrote to memory of 4256	964	dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858.exe	un894814.exe
PID 964 wrote to memory of 4256	964	dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858.exe	un894814.exe
PID 4256 wrote to memory of 216	4256	un894814.exe	pro6232.exe
PID 4256 wrote to memory of 216	4256	un894814.exe	pro6232.exe
PID 4256 wrote to memory of 216	4256	un894814.exe	pro6232.exe
PID 4256 wrote to memory of 4352	4256	un894814.exe	qu3495.exe
PID 4256 wrote to memory of 4352	4256	un894814.exe	qu3495.exe
PID 4256 wrote to memory of 4352	4256	un894814.exe	qu3495.exe

C:\Users\Admin\AppData\Local\Temp\dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858.exe
"C:\Users\Admin\AppData\Local\Temp\dac0700e6d672a77a8377cd6adbebc79045f4b9e108a6c27ab07bab7df1e3858.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un894814.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un894814.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4256

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6232.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6232.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 1080
4⤵
- Program crash
PID:1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3495.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3495.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 216 -ip 216
1⤵
PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un894814.exe

Filesize
536KB

MD5
0bdf7f6b65f560c62a07d4729a3c98fb

SHA1
3864ac92bc2febae73ce535a5f097780d47eb578

SHA256
b245408bb4378d820bcd67b37ea76e943bfecdef56f903ee569ecf1017b93dcd

SHA512
67bc93adba6bd48370ee65ebe3cc4d956e5844eca45e9ac051f60ecb5becfdfbe95d2c9ecf68bc8332c89234e8c36baed5efbe5551ae146cf663ac058fd8e557

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6232.exe

Filesize
314KB

MD5
801e698739ce161ec17701388d1659a4

SHA1
127f9f6e89ba3d8f51e499cb5dc72654b47f3859

SHA256
4f3034797ee261e6c2c4d829b3e778f158d3d237faa6be9012c6fcb06c5778b2

SHA512
ce113e202f58929e124e952e475f9a26ffaea2b92896236735a30c5ae716ada24f060b4f51328e8dd38b792960d1b9641b92e602cc494919e4f241ffcae9b41e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3495.exe

Filesize
372KB

MD5
a71af578c8b60ef2dd06a804117ed8d2

SHA1
75614df6e04bc45613cb0c664b19ae79cd2c0d95

SHA256
ffa7d04a3d3ed01b12536b0d1b0f9009893e260b69333c1cc338558e185dfa6c

SHA512
89e381e679e43dd964b64e610e109f3872af0cc4a248e83e9f4c6dd69931dfa075970ca76c0ff22b82edb7659efd0b0f25c4dc21e0927444853a64a1aa2b0dc1

Download Submit
memory/216-15-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/216-16-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/216-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/216-18-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/216-19-0x0000000002720000-0x000000000273A000-memory.dmp

Filesize
104KB

Download
memory/216-20-0x0000000004E90000-0x0000000005434000-memory.dmp

Filesize
5.6MB

Download
memory/216-21-0x00000000054A0000-0x00000000054B8000-memory.dmp

Filesize
96KB

Download
memory/216-39-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-49-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-47-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-45-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-44-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-41-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-37-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-35-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-33-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-31-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-29-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-27-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-25-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-23-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-22-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/216-50-0x00000000009C0000-0x0000000000AC0000-memory.dmp

Filesize
1024KB

Download
memory/216-51-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/216-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/216-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/216-55-0x0000000000400000-0x0000000000802000-memory.dmp

Filesize
4.0MB

Download
memory/4352-61-0x0000000002770000-0x00000000027B6000-memory.dmp

Filesize
280KB

Download
memory/4352-62-0x0000000005410000-0x0000000005454000-memory.dmp

Filesize
272KB

Download
memory/4352-74-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-78-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-96-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-94-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-92-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-90-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-88-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-86-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-84-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-82-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-80-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-76-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-72-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-70-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-68-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-66-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-64-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-63-0x0000000005410000-0x000000000544F000-memory.dmp

Filesize
252KB

Download
memory/4352-969-0x0000000005590000-0x0000000005BA8000-memory.dmp

Filesize
6.1MB

Download
memory/4352-970-0x0000000005C30000-0x0000000005D3A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-971-0x0000000005D70000-0x0000000005D82000-memory.dmp

Filesize
72KB

Download
memory/4352-972-0x0000000005D90000-0x0000000005DCC000-memory.dmp

Filesize
240KB

Download
memory/4352-973-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

Filesize
304KB

Download