healer | 5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44.exe
Size

674KB
MD5

75cac358a522496a9149a2ec8c01d0f5
SHA1

0ab5f1b05e3a064dbdb0b2ae95d8d2e1f16dd1ad
SHA256

5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44
SHA512

2b7c34a5ca3b9385cbf14d5c9bd114de5aae7330386c7add85b8d9bccc8573b55ce7291fb9b057775f74d4fedd86c1329c9edbbc50aa93916d20f1bdd7c3a3d2
SSDEEP

12288:2Mrmy90mQOvOC8nyYK9KhrSBuXGy/0zjxPau2uX742wcha2+r7nSX:sy/vOCvYK9mGOnLu42wcha27

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4792-19-0x00000000024F0000-0x000000000250A000-memory.dmp	healer
behavioral1/memory/4792-21-0x0000000002800000-0x0000000002818000-memory.dmp	healer
behavioral1/memory/4792-44-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-49-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-48-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-45-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-41-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-39-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-37-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-35-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-33-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-32-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-29-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-27-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-25-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-23-0x0000000002800000-0x0000000002812000-memory.dmp	healer
behavioral1/memory/4792-22-0x0000000002800000-0x0000000002812000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro1158.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro1158.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro1158.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro1158.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro1158.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro1158.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro1158.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1944-60-0x00000000044A0000-0x00000000044E6000-memory.dmp	family_redline
behavioral1/memory/1944-61-0x00000000068E0000-0x0000000006924000-memory.dmp	family_redline
behavioral1/memory/1944-73-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-75-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-95-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-93-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-91-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-89-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-87-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-85-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-83-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-81-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-79-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-77-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-71-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-69-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-67-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-65-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-63-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline
behavioral1/memory/1944-62-0x00000000068E0000-0x000000000691F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

un773538.exepro1158.exequ0312.exe

pid process

2768 un773538.exe
4792 pro1158.exe
1944 qu0312.exe

pid	process
2768	un773538.exe
4792	pro1158.exe
1944	qu0312.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro1158.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro1158.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro1158.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44.exeun773538.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un773538.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3676 4792 WerFault.exe pro1158.exe

pid	pid_target	process	target process
3676	4792	WerFault.exe	pro1158.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44.exeun773538.exepro1158.exequ0312.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un773538.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro1158.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu0312.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro1158.exe

pid process

4792 pro1158.exe
4792 pro1158.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro1158.exequ0312.exe

description pid process

Token: SeDebugPrivilege 4792 pro1158.exe
Token: SeDebugPrivilege 1944 qu0312.exe

pid	process
4792	pro1158.exe
4792	pro1158.exe

description	pid	process
Token: SeDebugPrivilege	4792	pro1158.exe
Token: SeDebugPrivilege	1944	qu0312.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44.exeun773538.exe

description	pid	process	target process
PID 3312 wrote to memory of 2768	3312	5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44.exe	un773538.exe
PID 3312 wrote to memory of 2768	3312	5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44.exe	un773538.exe
PID 3312 wrote to memory of 2768	3312	5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44.exe	un773538.exe
PID 2768 wrote to memory of 4792	2768	un773538.exe	pro1158.exe
PID 2768 wrote to memory of 4792	2768	un773538.exe	pro1158.exe
PID 2768 wrote to memory of 4792	2768	un773538.exe	pro1158.exe
PID 2768 wrote to memory of 1944	2768	un773538.exe	qu0312.exe
PID 2768 wrote to memory of 1944	2768	un773538.exe	qu0312.exe
PID 2768 wrote to memory of 1944	2768	un773538.exe	qu0312.exe

C:\Users\Admin\AppData\Local\Temp\5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44.exe
"C:\Users\Admin\AppData\Local\Temp\5c4a5d2b56a2c95d0e450298071554941666d3a78d18f4a402429b96a322af44.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3312

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773538.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773538.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2768

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1158.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1158.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1084
4⤵
- Program crash
PID:3676

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0312.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0312.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4792 -ip 4792
1⤵
PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un773538.exe

Filesize
532KB

MD5
e0d2f52f7dbe9b5c43c5f5c2e8bb92e1

SHA1
1a396793276f2591ed5eb807c9214a0b96880f41

SHA256
1e3cc21de2f76ca2c02f7e88332e5bb951e15bbe5575c5becfcc09e15c3f127a

SHA512
fd2f887ded8c0f2eb08f1d6b6b746ef9649d89543b584e759fff0862e500c97731e753c902ff606fefd655e7b6dd7283e6237cfbf437e108ef3818166d4b6765

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1158.exe

Filesize
376KB

MD5
4a2c5d991c2033d052352bb06ab52a30

SHA1
ff7f52234f693478294f86be793dc79611a48dfb

SHA256
221f4906a0ef508e0a7b2f411449f7d8b9f7301cc519dd5e69bb87229ed15fd6

SHA512
7371c5f80b6d634ebd2785128a51e3bc2fa1c71dda6c03af94608c353b26f0b833a82568126464a02e4d25bb6dd6541d38a162ceecfdbcafe6f4dcdd48760ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0312.exe

Filesize
435KB

MD5
1f1ce7d98b3249703fcca49d377d5e17

SHA1
e97be7c28be9fe4316a2ae7a3f41547751764fd1

SHA256
54c982a272e8dfa62b86c4d64e43f5949c35cb2898c4cf48702f86513ab7c631

SHA512
4b70c10b28e76f20c5b59bce4ac0c7698d3ca8e5d1818039feb3166f1f509a8963741332a10fbbf6d7e835bafa80df21caad51f2204756a34e7e8122e8e4d109

Download Submit
memory/1944-77-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-81-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-969-0x00000000075B0000-0x00000000076BA000-memory.dmp

Filesize
1.0MB

Download
memory/1944-968-0x0000000006F80000-0x0000000007598000-memory.dmp

Filesize
6.1MB

Download
memory/1944-62-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-63-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-65-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-67-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-69-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-71-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-971-0x0000000007710000-0x000000000774C000-memory.dmp

Filesize
240KB

Download
memory/1944-972-0x0000000007860000-0x00000000078AC000-memory.dmp

Filesize
304KB

Download
memory/1944-79-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-970-0x00000000076F0000-0x0000000007702000-memory.dmp

Filesize
72KB

Download
memory/1944-83-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-85-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-87-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-89-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-91-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-93-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-95-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-75-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-73-0x00000000068E0000-0x000000000691F000-memory.dmp

Filesize
252KB

Download
memory/1944-61-0x00000000068E0000-0x0000000006924000-memory.dmp

Filesize
272KB

Download
memory/1944-60-0x00000000044A0000-0x00000000044E6000-memory.dmp

Filesize
280KB

Download
memory/4792-41-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4792-54-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/4792-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4792-50-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download
memory/4792-22-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-23-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-25-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-27-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-29-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-32-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-33-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-35-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-37-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-39-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-45-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-48-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-49-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-44-0x0000000002800000-0x0000000002812000-memory.dmp

Filesize
72KB

Download
memory/4792-21-0x0000000002800000-0x0000000002818000-memory.dmp

Filesize
96KB

Download
memory/4792-20-0x0000000004C20000-0x00000000051C4000-memory.dmp

Filesize
5.6MB

Download
memory/4792-19-0x00000000024F0000-0x000000000250A000-memory.dmp

Filesize
104KB

Download
memory/4792-18-0x0000000000400000-0x00000000005A3000-memory.dmp

Filesize
1.6MB

Download
memory/4792-16-0x00000000021F0000-0x000000000221D000-memory.dmp

Filesize
180KB

Download
memory/4792-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4792-15-0x0000000000850000-0x0000000000950000-memory.dmp

Filesize
1024KB

Download