healer | a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365.exe
Size

668KB
MD5

387e1296304f1abd8525970aa8d402c1
SHA1

28b60283a3cb47757304dffaf607837c7839a7a8
SHA256

a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365
SHA512

b3a2db0ce13cc27036a2b8cd578020ec29eca72846a547682d23375f158ef822c9519e195bc0f276412c317632c6549a86b1bd08d855175da9ed555086f447f7
SSDEEP

12288:KMr9y90rD8JBvvZoZ+hDRx8oIS+47Y2XTOp3DYHy9PKxylyohM/0ONq0ov:7ypTWZ+9A4+SYfp38uixylpMsO3ov

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/816-19-0x00000000027A0000-0x00000000027BA000-memory.dmp	healer
behavioral1/memory/816-21-0x0000000002AA0000-0x0000000002AB8000-memory.dmp	healer
behavioral1/memory/816-23-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-49-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-47-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-46-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-43-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-41-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-39-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-37-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-35-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-33-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-31-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-29-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-27-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-25-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer
behavioral1/memory/816-22-0x0000000002AA0000-0x0000000002AB2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro6065.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6065.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro6065.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3016-61-0x0000000002770000-0x00000000027B6000-memory.dmp	family_redline
behavioral1/memory/3016-62-0x0000000004DF0000-0x0000000004E34000-memory.dmp	family_redline
behavioral1/memory/3016-64-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-63-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-90-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-94-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-92-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-88-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-86-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-85-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-82-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-80-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-78-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-76-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-74-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-72-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-70-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-68-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-66-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/3016-96-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un890611.exepro6065.exequ2935.exe

pid process

2876 un890611.exe
816 pro6065.exe
3016 qu2935.exe

pid	process
2876	un890611.exe
816	pro6065.exe
3016	qu2935.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro6065.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6065.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6065.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365.exeun890611.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un890611.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3900 816 WerFault.exe pro6065.exe

pid	pid_target	process	target process
3900	816	WerFault.exe	pro6065.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365.exeun890611.exepro6065.exequ2935.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un890611.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro6065.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu2935.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro6065.exe

pid process

816 pro6065.exe
816 pro6065.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro6065.exequ2935.exe

description pid process

Token: SeDebugPrivilege 816 pro6065.exe
Token: SeDebugPrivilege 3016 qu2935.exe

pid	process
816	pro6065.exe
816	pro6065.exe

description	pid	process
Token: SeDebugPrivilege	816	pro6065.exe
Token: SeDebugPrivilege	3016	qu2935.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365.exeun890611.exe

description	pid	process	target process
PID 3972 wrote to memory of 2876	3972	a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365.exe	un890611.exe
PID 3972 wrote to memory of 2876	3972	a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365.exe	un890611.exe
PID 3972 wrote to memory of 2876	3972	a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365.exe	un890611.exe
PID 2876 wrote to memory of 816	2876	un890611.exe	pro6065.exe
PID 2876 wrote to memory of 816	2876	un890611.exe	pro6065.exe
PID 2876 wrote to memory of 816	2876	un890611.exe	pro6065.exe
PID 2876 wrote to memory of 3016	2876	un890611.exe	qu2935.exe
PID 2876 wrote to memory of 3016	2876	un890611.exe	qu2935.exe
PID 2876 wrote to memory of 3016	2876	un890611.exe	qu2935.exe

C:\Users\Admin\AppData\Local\Temp\a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365.exe
"C:\Users\Admin\AppData\Local\Temp\a1f467b7815531bc7762620035421b768c01c0e724604e1043212b2202c79365.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890611.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890611.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6065.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6065.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1080
4⤵
- Program crash
PID:3900

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2935.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2935.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 816 -ip 816
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un890611.exe

Filesize
525KB

MD5
f74307f72a3c01619f8ced485ffd6286

SHA1
0cb3eab278bb619ec0d6bd527f906250f8d60e30

SHA256
8a45979b6c07c1ca96a47179b92a3b11d2d2b9c3e86c8f01596f2f78bb813279

SHA512
9749452cbc42ccba2c598adc57ca3e405d0b7a224debf15563a3cb97403d8c6be921ae94b8ad534ed5a0dcb9a45e6f128419c00fefaad0fe5c2af1bc3ab25e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6065.exe

Filesize
295KB

MD5
c1862da3dcab652a4c1fcb5556360948

SHA1
7ba9319a9fe48f69e77cb29c21ae70eccec452f3

SHA256
11d14aeba0b1768ed001c82a05488b94c30f93f56116985750c8fc5746ce9c8f

SHA512
4a1a4633295f9bf7b18c08c81dc93d218757dfaee7dbeed4c782886446dc9771e7507e8093125e9c8fc68f0758ba85392dcd5eb255b34ac60590fe1a6f632c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2935.exe

Filesize
353KB

MD5
8ea63fe8f45bfb388cb7272d54447f5e

SHA1
df84299ed232a4e1ca3b51536aa02d8f0a5f99fd

SHA256
198851498136dbf40fa6dc67e720c73fa7e824ef89ebae29550b2e418e1099ba

SHA512
1749e22cfc2ebc28ef79409dc77735965b3e7b6f268ab569bb40a64d33fea704891af098ffc192f947aa417d6148dc40fb7e4e545f7e6536ab981874fddccf6a

Download Submit
memory/816-15-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/816-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/816-17-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/816-18-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/816-19-0x00000000027A0000-0x00000000027BA000-memory.dmp

Filesize
104KB

Download
memory/816-20-0x0000000004F30000-0x00000000054D4000-memory.dmp

Filesize
5.6MB

Download
memory/816-21-0x0000000002AA0000-0x0000000002AB8000-memory.dmp

Filesize
96KB

Download
memory/816-23-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-49-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-47-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-46-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-43-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-41-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-39-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-37-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-35-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-33-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-31-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-29-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-27-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-25-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-22-0x0000000002AA0000-0x0000000002AB2000-memory.dmp

Filesize
72KB

Download
memory/816-50-0x00000000008D0000-0x00000000009D0000-memory.dmp

Filesize
1024KB

Download
memory/816-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/816-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/816-55-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/3016-61-0x0000000002770000-0x00000000027B6000-memory.dmp

Filesize
280KB

Download
memory/3016-62-0x0000000004DF0000-0x0000000004E34000-memory.dmp

Filesize
272KB

Download
memory/3016-64-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-63-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-90-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-94-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-92-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-88-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-86-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-85-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-82-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-80-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-78-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-76-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-74-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-72-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-70-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-68-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-66-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-96-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/3016-969-0x0000000005540000-0x0000000005B58000-memory.dmp

Filesize
6.1MB

Download
memory/3016-970-0x0000000005B60000-0x0000000005C6A000-memory.dmp

Filesize
1.0MB

Download
memory/3016-971-0x0000000004F30000-0x0000000004F42000-memory.dmp

Filesize
72KB

Download
memory/3016-972-0x0000000005C70000-0x0000000005CAC000-memory.dmp

Filesize
240KB

Download
memory/3016-973-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

Filesize
304KB

Download