healer | 033b3e889226df9d21f548829af3dec1df12899de48a406eb4e29a531d283699

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

033b3e889226df9d21f548829af3dec1df12899de48a406eb4e29a531d283699.exe
Size

746KB
MD5

f0313f1f14e032d835ef044701213d35
SHA1

50ecf35d5ba6a290576b412e7bc9a0f9227376ce
SHA256

033b3e889226df9d21f548829af3dec1df12899de48a406eb4e29a531d283699
SHA512

42e5f0e48da5493cd9fe8dbe0155c31643d24d2858c98edee93c5551ceee766254d212f7ccd8a06c6ad2620ef63e08116d2ea70dad12a18cc1ec633e541b1f4f
SSDEEP

12288:8y90jWxQ2PGIg2Xh/Q352MCPjH8bVLoshvl99FFWGIgbK4wqJlfAzI/z:8y9x5PdFXhS51CPjc5LzvD9nTbbKZqfz

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2972-19-0x0000000002560000-0x000000000257A000-memory.dmp	healer
behavioral1/memory/2972-21-0x0000000002750000-0x0000000002768000-memory.dmp	healer
behavioral1/memory/2972-46-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-49-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-47-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-43-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-41-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-39-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-37-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-33-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-31-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-29-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-27-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-25-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-23-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-22-0x0000000002750000-0x0000000002762000-memory.dmp	healer
behavioral1/memory/2972-35-0x0000000002750000-0x0000000002762000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	23485769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	23485769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	23485769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	23485769.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	23485769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	23485769.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2964-61-0x00000000028F0000-0x000000000292C000-memory.dmp	family_redline
behavioral1/memory/2964-62-0x0000000004D40000-0x0000000004D7A000-memory.dmp	family_redline
behavioral1/memory/2964-66-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-70-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-96-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-94-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-92-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-90-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-88-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-86-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-84-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-80-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-78-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-76-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-74-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-72-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-68-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-82-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-64-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline
behavioral1/memory/2964-63-0x0000000004D40000-0x0000000004D75000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2876	un505434.exe
2972	23485769.exe
2964	rk808366.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	23485769.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	23485769.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	033b3e889226df9d21f548829af3dec1df12899de48a406eb4e29a531d283699.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un505434.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	033b3e889226df9d21f548829af3dec1df12899de48a406eb4e29a531d283699.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un505434.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23485769.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk808366.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2972	23485769.exe
2972	23485769.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	23485769.exe
Token: SeDebugPrivilege	2964	rk808366.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 2876	2292	033b3e889226df9d21f548829af3dec1df12899de48a406eb4e29a531d283699.exe	83
PID 2292 wrote to memory of 2876	2292	033b3e889226df9d21f548829af3dec1df12899de48a406eb4e29a531d283699.exe	83
PID 2292 wrote to memory of 2876	2292	033b3e889226df9d21f548829af3dec1df12899de48a406eb4e29a531d283699.exe	83
PID 2876 wrote to memory of 2972	2876	un505434.exe	84
PID 2876 wrote to memory of 2972	2876	un505434.exe	84
PID 2876 wrote to memory of 2972	2876	un505434.exe	84
PID 2876 wrote to memory of 2964	2876	un505434.exe	92
PID 2876 wrote to memory of 2964	2876	un505434.exe	92
PID 2876 wrote to memory of 2964	2876	un505434.exe	92

C:\Users\Admin\AppData\Local\Temp\033b3e889226df9d21f548829af3dec1df12899de48a406eb4e29a531d283699.exe
"C:\Users\Admin\AppData\Local\Temp\033b3e889226df9d21f548829af3dec1df12899de48a406eb4e29a531d283699.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un505434.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un505434.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23485769.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23485769.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk808366.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk808366.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un505434.exe

Filesize
592KB

MD5
b83b04304254cfbd823e5064b964b9b7

SHA1
1b899ac8b348e008952a7e7b062b5d044f776654

SHA256
9f25f396d04d8025d944f74e5be96e4d52bf976285b4098b4556ad8745829362

SHA512
c3007fb5048b6503773b250c28436777b01be9fd5c4a0721bd88a24dfcfe3696e190d06fa7ad7de07a6e170adc66ed595275cae019490c417944b2aec496dcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23485769.exe

Filesize
377KB

MD5
714c5e1697de7cba8c22bf1725341d34

SHA1
c0e401494426720809c3396c5128adec5ee9136f

SHA256
671ae8cadad7fcddc651403bc1bd012118a9b0dc13580039bfbeb669d276603a

SHA512
982ccf3e1b4f72f9457088dade864f6dceecabc2f8bf6685ddb7d869f00559dc227f010697a5e8ade495b5ce8945081a411de7e1fbd2dcaf2d89ffe1e8df9f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk808366.exe

Filesize
459KB

MD5
f1096284a0a9db4d3692272d2b437090

SHA1
3e9666b8b6b55b8d8463a36aa897edf9eb4b0b6c

SHA256
baa59afe2a4a25997367eac26d80d137927b54ae834ce43141e468a64806f4e2

SHA512
873444057ac3ced8dbdbb33894a5a3d30b3492c7cadcbec58c352c56c15e46d44e335e7ca410cd829565c506ebdba2d41086ff01ea6ee8b8c41bec448c129583

Download Submit
memory/2964-76-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-80-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-856-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

Filesize
72KB

Download
memory/2964-855-0x0000000007930000-0x0000000007F48000-memory.dmp

Filesize
6.1MB

Download
memory/2964-63-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-64-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-82-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-68-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-72-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-74-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-858-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/2964-859-0x0000000002760000-0x00000000027AC000-memory.dmp

Filesize
304KB

Download
memory/2964-78-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-857-0x0000000007FC0000-0x00000000080CA000-memory.dmp

Filesize
1.0MB

Download
memory/2964-84-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-86-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-88-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-90-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-92-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-94-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-96-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-70-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-66-0x0000000004D40000-0x0000000004D75000-memory.dmp

Filesize
212KB

Download
memory/2964-62-0x0000000004D40000-0x0000000004D7A000-memory.dmp

Filesize
232KB

Download
memory/2964-61-0x00000000028F0000-0x000000000292C000-memory.dmp

Filesize
240KB

Download
memory/2972-41-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2972-55-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2972-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2972-51-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/2972-50-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/2972-35-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-22-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-23-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-25-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-27-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-29-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-31-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-33-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-37-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-39-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-43-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-47-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-49-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-46-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/2972-21-0x0000000002750000-0x0000000002768000-memory.dmp

Filesize
96KB

Download
memory/2972-20-0x0000000004F00000-0x00000000054A4000-memory.dmp

Filesize
5.6MB

Download
memory/2972-19-0x0000000002560000-0x000000000257A000-memory.dmp

Filesize
104KB

Download
memory/2972-18-0x0000000000400000-0x0000000000803000-memory.dmp

Filesize
4.0MB

Download
memory/2972-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2972-15-0x0000000000AD0000-0x0000000000BD0000-memory.dmp

Filesize
1024KB

Download
memory/2972-16-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download