healer | 6a6b8161d9f85426bae2ea8ea7f080fff6a28d0a03d98f11b3f6b2ec330f5905

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a6b8161d9f85426bae2ea8ea7f080fff6a28d0a03d98f11b3f6b2ec330f5905.exe
Size

704KB
MD5

c3f8624a527d5f6d9cc280ae64da25ff
SHA1

573306e3c80bdfc1bc902d8e5d9f5c527d73940d
SHA256

6a6b8161d9f85426bae2ea8ea7f080fff6a28d0a03d98f11b3f6b2ec330f5905
SHA512

4e94bb790b12dc5e63707b40f508feba4e4057a1eac81e89d5ede123bcae915c0841489937615aa6c19ad813f2686854b02846a5256dd97f579428aaa28ef506
SSDEEP

12288:/y90nvvBol/sfsLM4D8h2AaVHRyEPmRgXlBl4kMWCKi7KNEryBls:/y+vBiI4Ih23HRy/RgX/Gkpo7KNqyw

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1048-18-0x0000000004820000-0x000000000483A000-memory.dmp	healer
behavioral1/memory/1048-20-0x0000000004CF0000-0x0000000004D08000-memory.dmp	healer
behavioral1/memory/1048-42-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-48-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-46-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-44-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-40-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-38-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-37-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-34-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-32-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-30-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-28-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-26-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-24-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-22-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/1048-21-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr655828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr655828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr655828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr655828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr655828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr655828.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/5100-59-0x00000000048D0000-0x000000000490C000-memory.dmp	family_redline
behavioral1/memory/5100-60-0x00000000077B0000-0x00000000077EA000-memory.dmp	family_redline
behavioral1/memory/5100-66-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-76-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-94-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-92-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-90-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-88-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-84-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-82-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-80-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-78-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-74-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-72-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-70-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-68-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-86-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-64-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-62-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline
behavioral1/memory/5100-61-0x00000000077B0000-0x00000000077E5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
432	un059623.exe
1048	pr655828.exe
5100	qu791640.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr655828.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr655828.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un059623.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6a6b8161d9f85426bae2ea8ea7f080fff6a28d0a03d98f11b3f6b2ec330f5905.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4856	1048	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un059623.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr655828.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu791640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a6b8161d9f85426bae2ea8ea7f080fff6a28d0a03d98f11b3f6b2ec330f5905.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1048	pr655828.exe
1048	pr655828.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1048	pr655828.exe
Token: SeDebugPrivilege	5100	qu791640.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 432	3844	6a6b8161d9f85426bae2ea8ea7f080fff6a28d0a03d98f11b3f6b2ec330f5905.exe	86
PID 3844 wrote to memory of 432	3844	6a6b8161d9f85426bae2ea8ea7f080fff6a28d0a03d98f11b3f6b2ec330f5905.exe	86
PID 3844 wrote to memory of 432	3844	6a6b8161d9f85426bae2ea8ea7f080fff6a28d0a03d98f11b3f6b2ec330f5905.exe	86
PID 432 wrote to memory of 1048	432	un059623.exe	88
PID 432 wrote to memory of 1048	432	un059623.exe	88
PID 432 wrote to memory of 1048	432	un059623.exe	88
PID 432 wrote to memory of 5100	432	un059623.exe	98
PID 432 wrote to memory of 5100	432	un059623.exe	98
PID 432 wrote to memory of 5100	432	un059623.exe	98

C:\Users\Admin\AppData\Local\Temp\6a6b8161d9f85426bae2ea8ea7f080fff6a28d0a03d98f11b3f6b2ec330f5905.exe
"C:\Users\Admin\AppData\Local\Temp\6a6b8161d9f85426bae2ea8ea7f080fff6a28d0a03d98f11b3f6b2ec330f5905.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un059623.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un059623.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr655828.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr655828.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1084
      4⤵
      Program crash
      PID:4856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu791640.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu791640.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1048 -ip 1048
1⤵
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un059623.exe

Filesize
550KB

MD5
c8b6c957bb7ad19a7d26cab43396bc05

SHA1
c0a99269ca6218093e8954dc0c244f0868b90c03

SHA256
f481d8f3865731a0ff4553068f66a50f17fefab148caf65ca29d387a41a077b2

SHA512
2e05b3e03cf47d90fc49dca6c5cd71ebb9a6c10c5b466e8aa2424b99dfd2fdf1361906e736902728a44f684e89832ea8a4ca5a23695986ad495e90efc216d75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr655828.exe

Filesize
277KB

MD5
6d5ef4480f6812e3ceb9b27d4267dfa6

SHA1
1c334669b4aea559fe67b5d6588b4fef245cda56

SHA256
b3f6252c04ac2d97c668397ef6e5c63e55f612ec8323387537b91b70b49de785

SHA512
a5225c589370d41b636dd3c26ee37b3d6bb9b39df8c845ab9a253ad9097dc5118834bc84855439a3178abc31458432174ecdc8bba046a8f2d0e2911ad26e4c92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu791640.exe

Filesize
361KB

MD5
81a3f211c9bccafc0e00e50ce61b7a8c

SHA1
f4ddf83074f546a3d233308852a86416a29cdfb9

SHA256
d2f980ec9eeb860e4cb10ec418f3c806c8f1b274c4cedd860cc889dd5f3cdddc

SHA512
52d8d09bf66ccc6b456f5c62e5241bed2ba97a7418e5fa8b1c9a0778d2f51b336e1dafd209972f6f44ebce61251ba860f75f32b13867c312c637e8b2da64de7e

Download Submit
memory/1048-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1048-32-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-18-0x0000000004820000-0x000000000483A000-memory.dmp

Filesize
104KB

Download
memory/1048-19-0x00000000072D0000-0x0000000007874000-memory.dmp

Filesize
5.6MB

Download
memory/1048-20-0x0000000004CF0000-0x0000000004D08000-memory.dmp

Filesize
96KB

Download
memory/1048-42-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-48-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-46-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-44-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-40-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-38-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-37-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-34-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-53-0x0000000000400000-0x0000000002BAE000-memory.dmp

Filesize
39.7MB

Download
memory/1048-30-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-28-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-26-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-24-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-22-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-21-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/1048-49-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/1048-50-0x0000000000400000-0x0000000002BAE000-memory.dmp

Filesize
39.7MB

Download
memory/1048-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1048-54-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1048-16-0x0000000002C80000-0x0000000002CAD000-memory.dmp

Filesize
180KB

Download
memory/1048-15-0x0000000002E70000-0x0000000002F70000-memory.dmp

Filesize
1024KB

Download
memory/5100-62-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-60-0x00000000077B0000-0x00000000077EA000-memory.dmp

Filesize
232KB

Download
memory/5100-66-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-76-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-94-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-92-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-90-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-88-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-84-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-59-0x00000000048D0000-0x000000000490C000-memory.dmp

Filesize
240KB

Download
memory/5100-80-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-78-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-74-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-72-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-70-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-68-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-86-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-64-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-82-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-61-0x00000000077B0000-0x00000000077E5000-memory.dmp

Filesize
212KB

Download
memory/5100-853-0x0000000009CB0000-0x000000000A2C8000-memory.dmp

Filesize
6.1MB

Download
memory/5100-854-0x000000000A340000-0x000000000A352000-memory.dmp

Filesize
72KB

Download
memory/5100-855-0x000000000A360000-0x000000000A46A000-memory.dmp

Filesize
1.0MB

Download
memory/5100-856-0x000000000A480000-0x000000000A4BC000-memory.dmp

Filesize
240KB

Download
memory/5100-857-0x00000000047B0000-0x00000000047FC000-memory.dmp

Filesize
304KB

Download