healer | d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 22:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90.exe
Size

696KB
MD5

d62de16d2f4fa3a8e9930da9ef0bf025
SHA1

69f8afe82e08a4fe9fb54fca4707293629a875b6
SHA256

d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90
SHA512

5cb4eaa413c7b7e01129f786dd7e41b4735d65c673f5c7768869328c56ce5786c684ba3c954e5403d43830cf8f33a2556f0a4ff4fee6380dc17b7c405ca64e23
SSDEEP

12288:Uy90mqH/u1c5v4mmG3LmXPq0CvAjmBjdFRYU48dHV1Zd6760uaOyyxJYiJ3+x:UyXqH/6cxkG3aXPqiijaUXLM760Pyxub

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4996-18-0x0000000004A30000-0x0000000004A4A000-memory.dmp	healer
behavioral1/memory/4996-20-0x0000000007130000-0x0000000007148000-memory.dmp	healer
behavioral1/memory/4996-36-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-40-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-48-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-46-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-42-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-38-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-34-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-32-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-44-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-30-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-28-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-26-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-24-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-22-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/4996-21-0x0000000007130000-0x0000000007143000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	04753060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	04753060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	04753060.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	04753060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	04753060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	04753060.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/764-60-0x0000000004DF0000-0x0000000004E2C000-memory.dmp	family_redline
behavioral1/memory/764-61-0x0000000004E70000-0x0000000004EAA000-memory.dmp	family_redline
behavioral1/memory/764-67-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-77-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-95-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-93-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-89-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-87-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-85-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-84-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-81-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-79-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-75-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-73-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-71-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-69-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-91-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-65-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-63-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline
behavioral1/memory/764-62-0x0000000004E70000-0x0000000004EA5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4948	un652850.exe
4996	04753060.exe
764	rk083375.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	04753060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	04753060.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un652850.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
832	4996	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un652850.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	04753060.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk083375.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4996	04753060.exe
4996	04753060.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	04753060.exe
Token: SeDebugPrivilege	764	rk083375.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4948	4528	d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90.exe	83
PID 4528 wrote to memory of 4948	4528	d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90.exe	83
PID 4528 wrote to memory of 4948	4528	d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90.exe	83
PID 4948 wrote to memory of 4996	4948	un652850.exe	84
PID 4948 wrote to memory of 4996	4948	un652850.exe	84
PID 4948 wrote to memory of 4996	4948	un652850.exe	84
PID 4948 wrote to memory of 764	4948	un652850.exe	99
PID 4948 wrote to memory of 764	4948	un652850.exe	99
PID 4948 wrote to memory of 764	4948	un652850.exe	99

C:\Users\Admin\AppData\Local\Temp\d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90.exe
"C:\Users\Admin\AppData\Local\Temp\d5fc66404d5a010d47b2d59ca29014d7fcbc92c0c5b3d2f68d7f94b7b91ccf90.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652850.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652850.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04753060.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04753060.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 1080
      4⤵
      Program crash
      PID:832
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk083375.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk083375.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4996 -ip 4996
1⤵
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un652850.exe

Filesize
543KB

MD5
1852a138133837efab6d0fbffc7b3d57

SHA1
a83b9eb0ea88310e081fc15758b1853eda765efd

SHA256
00ec5e038b09b8a9b9f9473eb01c905fac4040b05c0fa2088ff554b47abdc8df

SHA512
90fea202fe5a19e4b5032b383ba0adc3d00b7fa0e233c121cfe4d14226fef4c0ffb979a9d8d22b8042b3a1069d0c76847463a645e3189551816445b22bd3daaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04753060.exe

Filesize
263KB

MD5
0b26ecec37f9b8137528342a18380ace

SHA1
bf7b26e55c23153e84bbfe64cbe52534400d7b99

SHA256
f081931ffe7d921a4c575dc86826b0dde3deba6a79a2ea17f446a1c4b5090d9d

SHA512
fb4ee9f145d54055103198f3cda84965aa7fbcc38b5f08aa027bfc794bc21de945be852d239ce251f9bc72520d8e3712860ee505c9784c9a85fafbdba2f74e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk083375.exe

Filesize
328KB

MD5
6ddc47760f1889b08c630f4d091d38f1

SHA1
f17c7e3ba402dac39f68052f9f19b951dc0ac1f0

SHA256
4670b324e40b23f3987e69bfa1764ec3ddfb39e91cd55e371ec040baa69a29d4

SHA512
774fc57157a025afdb1e06dd3f3eb45699be592d09ad21e392f8d3d2cfe5d27175cde1b3cec748a1dd19325e9fb0811fb9189eef82a9feb93ce93615fca0ac5e

Download Submit
memory/764-73-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-79-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-855-0x000000000A330000-0x000000000A342000-memory.dmp

Filesize
72KB

Download
memory/764-854-0x0000000009CE0000-0x000000000A2F8000-memory.dmp

Filesize
6.1MB

Download
memory/764-62-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-63-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-65-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-91-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-69-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-71-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-857-0x000000000A470000-0x000000000A4AC000-memory.dmp

Filesize
240KB

Download
memory/764-858-0x0000000004C00000-0x0000000004C4C000-memory.dmp

Filesize
304KB

Download
memory/764-75-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-856-0x000000000A350000-0x000000000A45A000-memory.dmp

Filesize
1.0MB

Download
memory/764-81-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-84-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-85-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-87-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-89-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-93-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-95-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-77-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-67-0x0000000004E70000-0x0000000004EA5000-memory.dmp

Filesize
212KB

Download
memory/764-61-0x0000000004E70000-0x0000000004EAA000-memory.dmp

Filesize
232KB

Download
memory/764-60-0x0000000004DF0000-0x0000000004E2C000-memory.dmp

Filesize
240KB

Download
memory/4996-38-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-54-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/4996-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4996-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4996-50-0x0000000000400000-0x0000000002B99000-memory.dmp

Filesize
39.6MB

Download
memory/4996-51-0x0000000002C70000-0x0000000002C9D000-memory.dmp

Filesize
180KB

Download
memory/4996-49-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

Filesize
1024KB

Download
memory/4996-21-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-22-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-24-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-26-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-28-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-30-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-44-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-32-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-34-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-42-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-46-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-48-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-40-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-36-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/4996-20-0x0000000007130000-0x0000000007148000-memory.dmp

Filesize
96KB

Download
memory/4996-19-0x00000000072F0000-0x0000000007894000-memory.dmp

Filesize
5.6MB

Download
memory/4996-18-0x0000000004A30000-0x0000000004A4A000-memory.dmp

Filesize
104KB

Download
memory/4996-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4996-16-0x0000000002C70000-0x0000000002C9D000-memory.dmp

Filesize
180KB

Download
memory/4996-15-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

Filesize
1024KB

Download