healer | d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879.exe
Size

659KB
MD5

b6bd364d778d37a1e9dfa5ba15edb1ee
SHA1

e0287e29efb294d305d581ed200d437702f6f1c2
SHA256

d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879
SHA512

30d1ae67724acbebfdfdcd0b137a46f5f29f489c3723ee5a4244a6a1d2c0371fcf8bc37586dd97be33b0d7f7f1b68593499d5534244a7121422fb764f1e14b18
SSDEEP

12288:PMrQy90Q348oXefys6s7GJUAQyCZSqcoIHz6TnoUM:nysBOAJl3qcFuTnoB

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3888-27-0x00000000022A0000-0x00000000022BA000-memory.dmp	healer
behavioral1/memory/3888-29-0x0000000004970000-0x0000000004988000-memory.dmp	healer
behavioral1/memory/3888-35-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-55-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-53-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-51-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-49-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-48-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-57-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-39-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-33-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-31-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-30-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-45-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-43-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-41-0x0000000004970000-0x0000000004982000-memory.dmp	healer
behavioral1/memory/3888-37-0x0000000004970000-0x0000000004982000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

pro4433.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4433.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 18 IoCs

Processes:

resource	yara_rule
behavioral1/memory/820-58-0x00000000022C0000-0x0000000002306000-memory.dmp	family_redline
behavioral1/memory/820-59-0x0000000002750000-0x0000000002794000-memory.dmp	family_redline
behavioral1/memory/820-89-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-87-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-85-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-83-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-81-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-79-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-77-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-75-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-71-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-69-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-67-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-65-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-63-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-60-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-61-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline
behavioral1/memory/820-73-0x0000000002750000-0x000000000278F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 4 IoCs

Processes:

un499077.exepro4433.exepro4433.exequ7598.exe

pid process

208 un499077.exe
1096 pro4433.exe
3888 pro4433.exe
820 qu7598.exe

pid	process
208	un499077.exe
1096	pro4433.exe
3888	pro4433.exe
820	qu7598.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

pro4433.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4433.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4433.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879.exeun499077.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un499077.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

pro4433.exe

description pid process target process

PID 1096 set thread context of 3888 1096 pro4433.exe pro4433.exe

description	pid	process	target process
PID 1096 set thread context of 3888	1096	pro4433.exe	pro4433.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879.exeun499077.exepro4433.exepro4433.exequ7598.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un499077.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro4433.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro4433.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu7598.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

pro4433.exe

pid process

3888 pro4433.exe
3888 pro4433.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pro4433.exequ7598.exe

description pid process

Token: SeDebugPrivilege 3888 pro4433.exe
Token: SeDebugPrivilege 820 qu7598.exe

pid	process
3888	pro4433.exe
3888	pro4433.exe

description	pid	process
Token: SeDebugPrivilege	3888	pro4433.exe
Token: SeDebugPrivilege	820	qu7598.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879.exeun499077.exepro4433.exe

description	pid	process	target process
PID 4928 wrote to memory of 208	4928	d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879.exe	un499077.exe
PID 4928 wrote to memory of 208	4928	d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879.exe	un499077.exe
PID 4928 wrote to memory of 208	4928	d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879.exe	un499077.exe
PID 208 wrote to memory of 1096	208	un499077.exe	pro4433.exe
PID 208 wrote to memory of 1096	208	un499077.exe	pro4433.exe
PID 208 wrote to memory of 1096	208	un499077.exe	pro4433.exe
PID 1096 wrote to memory of 3888	1096	pro4433.exe	pro4433.exe
PID 1096 wrote to memory of 3888	1096	pro4433.exe	pro4433.exe
PID 1096 wrote to memory of 3888	1096	pro4433.exe	pro4433.exe
PID 1096 wrote to memory of 3888	1096	pro4433.exe	pro4433.exe
PID 1096 wrote to memory of 3888	1096	pro4433.exe	pro4433.exe
PID 1096 wrote to memory of 3888	1096	pro4433.exe	pro4433.exe
PID 1096 wrote to memory of 3888	1096	pro4433.exe	pro4433.exe
PID 1096 wrote to memory of 3888	1096	pro4433.exe	pro4433.exe
PID 1096 wrote to memory of 3888	1096	pro4433.exe	pro4433.exe
PID 208 wrote to memory of 820	208	un499077.exe	qu7598.exe
PID 208 wrote to memory of 820	208	un499077.exe	qu7598.exe
PID 208 wrote to memory of 820	208	un499077.exe	qu7598.exe

C:\Users\Admin\AppData\Local\Temp\d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879.exe
"C:\Users\Admin\AppData\Local\Temp\d30623788772774aa4f9979c49dcc24bd9d35cfc9b32a969e53d6c30901d9879.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un499077.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un499077.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4433.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4433.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4433.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4433.exe
4⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7598.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7598.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un499077.exe

Filesize
517KB

MD5
6556d4b6d7cabf37d0af2ccc3e3c472c

SHA1
612efeee15efb32bc4e961c3a8ed8b7c97bc080c

SHA256
ba8d9f828df0c4fe4deadfd239c40680de21310a94a59ed41d0c2dfe9735c95f

SHA512
703fe47a205c6c07b91e159ad79c306c27beb8bba1097415240053d248cd6f013ef1c0505ddf3d6206f34199a08e43a1b02198b53b5385a616b739f3d9786d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4433.exe

Filesize
237KB

MD5
945191ba680069140d9308a3782fbb40

SHA1
d1ec491f67a9fe6fddd33499921101840701ec9f

SHA256
ffba94eb8129e1a25d920f37ca0b6417e5f9a8d887cc719f97e2aad56a672aa1

SHA512
a351724a27f95191ca81e30c9500db978086ea18d562ece7d2c152fe730a59712b37d0393cf9adba0bf2037c45f0d2e9a9103f7e994dc75cec2ebed4f7376d5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7598.exe

Filesize
294KB

MD5
fb79bb3188461776b52ea1ad27bac736

SHA1
801aaffcee04ec9dcf5a7cdc3b3509dabcd7431d

SHA256
e8a54a1332641193d6ac667ed5cce9e350e2486bd0709e69557749f6982ba5be

SHA512
81be77cf5f4b9e4baecf05051103b6051e87fdad3863279adcde5a72a8901647e550718c6b2fd066ac9386450f368ae81b15c923cc3dff959f82823813dfc4f3

Download Submit
memory/820-63-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-58-0x00000000022C0000-0x0000000002306000-memory.dmp

Filesize
280KB

Download
memory/820-969-0x0000000005A30000-0x0000000005A6C000-memory.dmp

Filesize
240KB

Download
memory/820-968-0x0000000005A10000-0x0000000005A22000-memory.dmp

Filesize
72KB

Download
memory/820-967-0x00000000058D0000-0x00000000059DA000-memory.dmp

Filesize
1.0MB

Download
memory/820-87-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-966-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/820-73-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-61-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-89-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-60-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-85-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-65-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-970-0x0000000005B80000-0x0000000005BCC000-memory.dmp

Filesize
304KB

Download
memory/820-59-0x0000000002750000-0x0000000002794000-memory.dmp

Filesize
272KB

Download
memory/820-67-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-69-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-71-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-75-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-77-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-79-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-81-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/820-83-0x0000000002750000-0x000000000278F000-memory.dmp

Filesize
252KB

Download
memory/1096-15-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/1096-16-0x0000000000530000-0x000000000055E000-memory.dmp

Filesize
184KB

Download
memory/3888-35-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-45-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-30-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-31-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-33-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-39-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-57-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-48-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-49-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-51-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-53-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-55-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-29-0x0000000004970000-0x0000000004988000-memory.dmp

Filesize
96KB

Download
memory/3888-28-0x00000000049F0000-0x0000000004F94000-memory.dmp

Filesize
5.6MB

Download
memory/3888-43-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-41-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-37-0x0000000004970000-0x0000000004982000-memory.dmp

Filesize
72KB

Download
memory/3888-27-0x00000000022A0000-0x00000000022BA000-memory.dmp

Filesize
104KB

Download
memory/3888-20-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3888-22-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3888-19-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3888-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download