healer | e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe
Size

659KB
MD5

a5fd21fe91145a3f4816287d05f5b02f
SHA1

b58a87d84246718cab4d83bb1bb0bc33308df86d
SHA256

e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846
SHA512

87baae0748c6a83d34c296ddf9e7f4e93c9b2866e9d0ff1ab57febe8cf6d5a967e8be36380d1709ce0f936822a15be848d31e7ba8bd1724b270a4111d4dd8dad
SSDEEP

12288:lMr9y90j0MeXALzf1r//sOuYmz7EqAOdE02XLnKjlQoqBig/BN/c:QynlALL1j/MtUmRQDZBu

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1456-18-0x00000000048C0000-0x00000000048DA000-memory.dmp	healer
behavioral1/memory/1456-20-0x00000000049C0000-0x00000000049D8000-memory.dmp	healer
behavioral1/memory/1456-48-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-46-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-44-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-42-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-41-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-38-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-37-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-34-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-32-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-30-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-28-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-26-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-24-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-22-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer
behavioral1/memory/1456-21-0x00000000049C0000-0x00000000049D2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro8090.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8090.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8090.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8090.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8090.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8090.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8090.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4472-60-0x0000000004A90000-0x0000000004AD6000-memory.dmp	family_redline
behavioral1/memory/4472-61-0x0000000007730000-0x0000000007774000-memory.dmp	family_redline
behavioral1/memory/4472-75-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-95-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-93-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-91-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-89-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-87-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-85-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-83-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-81-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-79-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-77-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-73-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-71-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-69-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-67-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-65-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-63-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline
behavioral1/memory/4472-62-0x0000000007730000-0x000000000776F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un723417.exepro8090.exequ6015.exe

pid process

1684 un723417.exe
1456 pro8090.exe
4472 qu6015.exe

pid	process
1684	un723417.exe
1456	pro8090.exe
4472	qu6015.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro8090.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8090.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8090.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exeun723417.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un723417.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3520 1456 WerFault.exe pro8090.exe

pid	pid_target	process	target process
3520	1456	WerFault.exe	pro8090.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

qu6015.exee67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exeun723417.exepro8090.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu6015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un723417.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro8090.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro8090.exe

pid process

1456 pro8090.exe
1456 pro8090.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro8090.exequ6015.exe

description pid process

Token: SeDebugPrivilege 1456 pro8090.exe
Token: SeDebugPrivilege 4472 qu6015.exe

pid	process
1456	pro8090.exe
1456	pro8090.exe

description	pid	process
Token: SeDebugPrivilege	1456	pro8090.exe
Token: SeDebugPrivilege	4472	qu6015.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exeun723417.exe

description	pid	process	target process
PID 4232 wrote to memory of 1684	4232	e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe	un723417.exe
PID 4232 wrote to memory of 1684	4232	e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe	un723417.exe
PID 4232 wrote to memory of 1684	4232	e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe	un723417.exe
PID 1684 wrote to memory of 1456	1684	un723417.exe	pro8090.exe
PID 1684 wrote to memory of 1456	1684	un723417.exe	pro8090.exe
PID 1684 wrote to memory of 1456	1684	un723417.exe	pro8090.exe
PID 1684 wrote to memory of 4472	1684	un723417.exe	qu6015.exe
PID 1684 wrote to memory of 4472	1684	un723417.exe	qu6015.exe
PID 1684 wrote to memory of 4472	1684	un723417.exe	qu6015.exe

C:\Users\Admin\AppData\Local\Temp\e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe
"C:\Users\Admin\AppData\Local\Temp\e67367fdaa6d6903b9e49bd2dc042f1c55dd293086d2754df98c241ef95b6846.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4232

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723417.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723417.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8090.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8090.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 1004
4⤵
- Program crash
PID:3520

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6015.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6015.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1456 -ip 1456
1⤵
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un723417.exe

Filesize
517KB

MD5
0b24b5a014b629a7a81bced8d0b94283

SHA1
d019c19c30e94dae72f40135d1b2eb840f784e0f

SHA256
67a986ca913124145d501de33b17073460f7fb2dc70c8e8c06111c6cacb6e119

SHA512
d8f4ed967ba6ed80d4262cd260fd2b75162a70b4e5d0cbdddbf0611410532956c8c6384711b496da97f5214430ef94e0d3958276f01906c78cdfd59bac004d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8090.exe

Filesize
295KB

MD5
40709af349aa027ed9969a33f0c3ba14

SHA1
2adffca8bae8d3e94fa4d52768bf59592c468a8e

SHA256
4e0eb2382ed61af2d00396fc5eac71e7c62c0963e667e555bcbdf93f9829ed03

SHA512
b9a20b492cfd11a5b7caa9d658d748f67fbe1691ca70e9bfe02564859bb2590bd571293f0e611bf8d570bda2fdf4dc694b12da2f6797432888b2ddc42e343f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6015.exe

Filesize
354KB

MD5
d0e261d2412fb0f4c2fe70907075d010

SHA1
840e9b871c6b0b5cd054f1fbe28d58d40ca66d55

SHA256
19533431582a31e16ab1c3ff98960f66e5dd8ab9acee909a1e5fd1ffd69289fa

SHA512
2cac9d4f5d08ef343abd18b4f90e58a0ce433d54ada299ac0e80e1874ebb2f6ba3f56f4558c5acd4bc6d01d9d82fbd209cfb30e148979d02900b2511df4f82dc

Download Submit
memory/1456-15-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/1456-16-0x0000000002DF0000-0x0000000002E1D000-memory.dmp

Filesize
180KB

Download
memory/1456-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1456-18-0x00000000048C0000-0x00000000048DA000-memory.dmp

Filesize
104KB

Download
memory/1456-19-0x0000000007530000-0x0000000007AD4000-memory.dmp

Filesize
5.6MB

Download
memory/1456-20-0x00000000049C0000-0x00000000049D8000-memory.dmp

Filesize
96KB

Download
memory/1456-48-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-46-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-44-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-42-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-41-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-38-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-37-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-34-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-32-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-30-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-28-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-26-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-24-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-22-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-21-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/1456-49-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/1456-50-0x0000000002DF0000-0x0000000002E1D000-memory.dmp

Filesize
180KB

Download
memory/1456-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1456-51-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/1456-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1456-54-0x0000000000400000-0x0000000002B78000-memory.dmp

Filesize
39.5MB

Download
memory/4472-60-0x0000000004A90000-0x0000000004AD6000-memory.dmp

Filesize
280KB

Download
memory/4472-61-0x0000000007730000-0x0000000007774000-memory.dmp

Filesize
272KB

Download
memory/4472-75-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-95-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-93-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-91-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-89-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-87-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-85-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-83-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-81-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-79-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-77-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-73-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-71-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-69-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-67-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-65-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-63-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-62-0x0000000007730000-0x000000000776F000-memory.dmp

Filesize
252KB

Download
memory/4472-968-0x00000000077C0000-0x0000000007DD8000-memory.dmp

Filesize
6.1MB

Download
memory/4472-969-0x0000000007E60000-0x0000000007F6A000-memory.dmp

Filesize
1.0MB

Download
memory/4472-970-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

Filesize
72KB

Download
memory/4472-971-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

Filesize
240KB

Download
memory/4472-972-0x0000000008110000-0x000000000815C000-memory.dmp

Filesize
304KB

Download