healer | c0eae757a44627c85fea4e2dcefdddaa3bbbbeb285dac8552507d3bc1a0825ab

Analysis

max time kernel
117s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0eae757a44627c85fea4e2dcefdddaa3bbbbeb285dac8552507d3bc1a0825ab.exe
Size

534KB
MD5

88827c6e04b53ec49e7a7e6ebd151b69
SHA1

ff798ad1f28af52243eeda085b8462f892b78e44
SHA256

c0eae757a44627c85fea4e2dcefdddaa3bbbbeb285dac8552507d3bc1a0825ab
SHA512

6bdaee2464e996e93bb48e8ac0e8c5d331f074d3e806184df834db50e4838482c465a0db09423c2845c9a55c79ab0f4bf9d21ad83d6b2d41d37ce982fba70de9
SSDEEP

12288:WMrVy909T90oCNzV2erEP70iEygJmoyTTvdIb7dv7:XyTZztED7EygJmoWTlIp7

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cd3-12.dat	healer
behavioral1/memory/4632-15-0x0000000000F30000-0x0000000000F3A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr146718.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr146718.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr146718.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr146718.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr146718.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr146718.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3492-22-0x0000000002320000-0x0000000002366000-memory.dmp	family_redline
behavioral1/memory/3492-24-0x0000000005050000-0x0000000005094000-memory.dmp	family_redline
behavioral1/memory/3492-28-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-26-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-25-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-38-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-88-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-86-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-84-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-82-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-80-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-78-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-76-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-74-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-70-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-68-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-66-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-64-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-62-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-60-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-58-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-54-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-52-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-48-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-46-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-42-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-40-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-36-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-35-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-32-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-31-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-72-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-56-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-50-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline
behavioral1/memory/3492-44-0x0000000005050000-0x000000000508F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4340	zinJ5201.exe
4632	jr146718.exe
3492	ku087098.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr146718.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c0eae757a44627c85fea4e2dcefdddaa3bbbbeb285dac8552507d3bc1a0825ab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zinJ5201.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zinJ5201.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku087098.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c0eae757a44627c85fea4e2dcefdddaa3bbbbeb285dac8552507d3bc1a0825ab.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4632	jr146718.exe
4632	jr146718.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4632	jr146718.exe
Token: SeDebugPrivilege	3492	ku087098.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 4340	2348	c0eae757a44627c85fea4e2dcefdddaa3bbbbeb285dac8552507d3bc1a0825ab.exe	83
PID 2348 wrote to memory of 4340	2348	c0eae757a44627c85fea4e2dcefdddaa3bbbbeb285dac8552507d3bc1a0825ab.exe	83
PID 2348 wrote to memory of 4340	2348	c0eae757a44627c85fea4e2dcefdddaa3bbbbeb285dac8552507d3bc1a0825ab.exe	83
PID 4340 wrote to memory of 4632	4340	zinJ5201.exe	84
PID 4340 wrote to memory of 4632	4340	zinJ5201.exe	84
PID 4340 wrote to memory of 3492	4340	zinJ5201.exe	96
PID 4340 wrote to memory of 3492	4340	zinJ5201.exe	96
PID 4340 wrote to memory of 3492	4340	zinJ5201.exe	96

C:\Users\Admin\AppData\Local\Temp\c0eae757a44627c85fea4e2dcefdddaa3bbbbeb285dac8552507d3bc1a0825ab.exe
"C:\Users\Admin\AppData\Local\Temp\c0eae757a44627c85fea4e2dcefdddaa3bbbbeb285dac8552507d3bc1a0825ab.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinJ5201.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinJ5201.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr146718.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr146718.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku087098.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku087098.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zinJ5201.exe

Filesize
392KB

MD5
c77caf5bbc9db1c9ee854c95b2d53923

SHA1
3120f19d1dd01d9a0f241d5b57c105f2a6d9f2ce

SHA256
f7a709e20e6e32b366d4a6ceb6948d4ff42b2a72248002bc8af590ca4c67dd94

SHA512
609272058f58a817db16d8ca94b869d699e6f92b9c5cb58b22db4b97342dc0cc0c403580f249c0685fdc2ccb6749bbb613b99f076b34c3abc28d1a550f25aeaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr146718.exe

Filesize
11KB

MD5
233f4b777cb9692cef182d04064d636a

SHA1
d193dc018f7aba50826efd14c02f056cfe68824a

SHA256
ec26924a86a2aba26bf0f29767840310b62e689bf470864985116c2401b18bc5

SHA512
9b401c36ce4b08165912bc9b8b6b0d55e6b224ba5e625bf325efaa753a4ea59a4ae2c78d7a5df3c3d48022910fa68fe7f66ce1a05d30fb20781076224375c155

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku087098.exe

Filesize
319KB

MD5
19014e4f5664d864d0a1b338e6883548

SHA1
ef7bb549807b406e22b02a3e74cc1d492cf87f8d

SHA256
3b7ed5c915819431c3fc5a2703a020b3f96e6aa6e2938dfc7b88823f3efdfaa4

SHA512
cb16d4d7f39adb14203dc26cf08dc7ec64e30fa203d7a939ea202df3117bd19c59f887dd7ea9cd15ef57da27f8ac4376b3151a65720341c3e6c0514387442aca

Download Submit
memory/3492-68-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-36-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp

Filesize
304KB

Download
memory/3492-22-0x0000000002320000-0x0000000002366000-memory.dmp

Filesize
280KB

Download
memory/3492-23-0x0000000004A50000-0x0000000004FF4000-memory.dmp

Filesize
5.6MB

Download
memory/3492-24-0x0000000005050000-0x0000000005094000-memory.dmp

Filesize
272KB

Download
memory/3492-28-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-26-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-25-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-38-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-88-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-86-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-84-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-82-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-80-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-78-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-76-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-74-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-70-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-934-0x00000000058F0000-0x000000000592C000-memory.dmp

Filesize
240KB

Download
memory/3492-62-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-933-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/3492-64-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-60-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-58-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-54-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-52-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-48-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-46-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-42-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-40-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-66-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-35-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-32-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-31-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-72-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-56-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-50-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-44-0x0000000005050000-0x000000000508F000-memory.dmp

Filesize
252KB

Download
memory/3492-931-0x00000000050F0000-0x0000000005708000-memory.dmp

Filesize
6.1MB

Download
memory/3492-932-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/4632-16-0x00007FFA70F63000-0x00007FFA70F65000-memory.dmp

Filesize
8KB

Download
memory/4632-14-0x00007FFA70F63000-0x00007FFA70F65000-memory.dmp

Filesize
8KB

Download
memory/4632-15-0x0000000000F30000-0x0000000000F3A000-memory.dmp

Filesize
40KB

Download