healer | 563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7.exe
Size

522KB
MD5

9c03b97527070f1c61263b7ca2a94c06
SHA1

d92f055fbb07999ae7d4e14a6526d26f6c9b9271
SHA256

563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7
SHA512

623d0a3b369cd32b566246062c9fe9251a6b19d869a94ee5551ec76ddd72bf34d778e7ee43089f641ee602af23063dbb6f5495fa6d209b12e037a4fba93ee4e2
SSDEEP

6144:Kny+bnr+vp0yN90QE6NIKcqRqMk13Cdnk9y6l3yO25wuN2rgv2kt0GtzbdvsCdKe:1MrLy90UIKcSqz+nkH3ycH4t5I0kCR

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr948657.exe	healer
behavioral1/memory/3660-15-0x00000000001C0000-0x00000000001CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

jr948657.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr948657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr948657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr948657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr948657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr948657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr948657.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2464-22-0x00000000024C0000-0x0000000002506000-memory.dmp	family_redline
behavioral1/memory/2464-24-0x0000000002660000-0x00000000026A4000-memory.dmp	family_redline
behavioral1/memory/2464-36-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-38-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-88-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-86-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-84-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-82-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-78-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-76-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-74-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-72-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-70-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-68-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-66-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-64-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-62-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-60-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-56-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-54-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-53-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-50-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-48-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-46-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-44-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-42-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-40-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-34-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-32-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-30-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-80-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-58-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-28-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-26-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline
behavioral1/memory/2464-25-0x0000000002660000-0x000000000269F000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 3 IoCs

Processes:

ziYe2573.exejr948657.exeku096089.exe

pid process

4580 ziYe2573.exe
3660 jr948657.exe
2464 ku096089.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

jr948657.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" jr948657.exe

pid	process
4580	ziYe2573.exe
3660	jr948657.exe
2464	ku096089.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr948657.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7.exeziYe2573.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziYe2573.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7.exeziYe2573.exeku096089.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziYe2573.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku096089.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

jr948657.exe

pid process

3660 jr948657.exe
3660 jr948657.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

jr948657.exeku096089.exe

description pid process

Token: SeDebugPrivilege 3660 jr948657.exe
Token: SeDebugPrivilege 2464 ku096089.exe

pid	process
3660	jr948657.exe
3660	jr948657.exe

description	pid	process
Token: SeDebugPrivilege	3660	jr948657.exe
Token: SeDebugPrivilege	2464	ku096089.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7.exeziYe2573.exe

description	pid	process	target process
PID 392 wrote to memory of 4580	392	563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7.exe	ziYe2573.exe
PID 392 wrote to memory of 4580	392	563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7.exe	ziYe2573.exe
PID 392 wrote to memory of 4580	392	563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7.exe	ziYe2573.exe
PID 4580 wrote to memory of 3660	4580	ziYe2573.exe	jr948657.exe
PID 4580 wrote to memory of 3660	4580	ziYe2573.exe	jr948657.exe
PID 4580 wrote to memory of 2464	4580	ziYe2573.exe	ku096089.exe
PID 4580 wrote to memory of 2464	4580	ziYe2573.exe	ku096089.exe
PID 4580 wrote to memory of 2464	4580	ziYe2573.exe	ku096089.exe

C:\Users\Admin\AppData\Local\Temp\563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7.exe
"C:\Users\Admin\AppData\Local\Temp\563bb4a25195c31f7972e57677fb17f97398877d7f0871b947fcf5d891d2d4c7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYe2573.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYe2573.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr948657.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr948657.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku096089.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku096089.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYe2573.exe

Filesize
380KB

MD5
5f04c18074975d4160a2baa4d69b4b4b

SHA1
b6b36e9cd938ab70c02615803d0a9997b7d28278

SHA256
898c719a9489fbefc260bb504035378b590400668fdcc8538e942a57d982ef06

SHA512
a80daadb6320bc4721798f25ea50dca185578d4b195e122eb2374ca7e3ae64f2788d1d9b8ce3e7e5a43b413f03ae3566eb7bb89168cfcb5109cdb7b1a1b24663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr948657.exe

Filesize
14KB

MD5
b5aa716d16bb4471684da6ee2e75bc27

SHA1
7f1ef8de25c485fefe32d80f0b3efc23b0a20b1c

SHA256
4aa332d0ea96ed090ef88124d5ce64fabe2a95008a0da1bbfaca5bf2be3e068b

SHA512
99e88828a0e445b4c0d2185a9f762e5dddd2a7562d0e1aaa82a97ea4c92bee986c273469fd346f1645b00e16283f417f243e5cad11fd0bbb418e7747221bcc71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku096089.exe

Filesize
295KB

MD5
7cfebe082ba926cb057dbb8ad9390a3c

SHA1
1d14760597036f6d00b552fb81685d3bbb4c7cb6

SHA256
f0469dd849b925a8256575e19c5ae43238135123a0b2645d3de087ebf9932728

SHA512
3959024c52894b80b810be2397e3a82d6bc6735baa708a0bb56de3e6df49540654bca55407955f6b6d1a1656867c16c8f4a6de6d8590d43a88caadcf63a02ce6

Download Submit
memory/2464-64-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-22-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/2464-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download
memory/2464-60-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-23-0x0000000004BB0000-0x0000000005154000-memory.dmp

Filesize
5.6MB

Download
memory/2464-24-0x0000000002660000-0x00000000026A4000-memory.dmp

Filesize
272KB

Download
memory/2464-36-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-38-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-88-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-86-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-62-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-82-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-56-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-76-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-74-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-72-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-70-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-68-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-66-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-934-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/2464-84-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-933-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/2464-78-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-54-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-53-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-50-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-48-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-46-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-44-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-42-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-40-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-34-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-32-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-30-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-80-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-58-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-28-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-26-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-25-0x0000000002660000-0x000000000269F000-memory.dmp

Filesize
252KB

Download
memory/2464-931-0x0000000005160000-0x0000000005778000-memory.dmp

Filesize
6.1MB

Download
memory/2464-932-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/3660-16-0x00007FFF60983000-0x00007FFF60985000-memory.dmp

Filesize
8KB

Download
memory/3660-14-0x00007FFF60983000-0x00007FFF60985000-memory.dmp

Filesize
8KB

Download
memory/3660-15-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download