healer | 82cfacbd9b55025c13cfb4db72e1675b3509b0a48408f7ea33f49345ba318d39

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82cfacbd9b55025c13cfb4db72e1675b3509b0a48408f7ea33f49345ba318d39.exe
Size

701KB
MD5

378721a977eeaf8a36c7162acb692163
SHA1

852282d6635467354880c7a12c6f43691d500bb7
SHA256

82cfacbd9b55025c13cfb4db72e1675b3509b0a48408f7ea33f49345ba318d39
SHA512

eed2bf0569c3f5afebf5331276ac21f0f74ebbf085efca6b22e0961d63360ab750568c618a939c79a308c59d598fc998922eafcc45b053bd08e99dbaf8ec5bad
SSDEEP

12288:Ty90CQuICg4JU/c0WWrOMqYxee75tNtGMiJqhnRsBCFNOIbwv+eo:TyhjgZU0WWrFVAahnRsBCF/bwv+b

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3028-18-0x0000000002F40000-0x0000000002F5A000-memory.dmp	healer
behavioral1/memory/3028-20-0x0000000004D70000-0x0000000004D88000-memory.dmp	healer
behavioral1/memory/3028-24-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-32-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-48-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-46-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-44-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-42-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-40-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-38-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-34-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-30-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-28-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-26-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-21-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-36-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer
behavioral1/memory/3028-22-0x0000000004D70000-0x0000000004D82000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	99020891.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	99020891.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	99020891.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	99020891.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	99020891.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	99020891.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2928-60-0x0000000007100000-0x000000000713C000-memory.dmp	family_redline
behavioral1/memory/2928-61-0x0000000007740000-0x000000000777A000-memory.dmp	family_redline
behavioral1/memory/2928-67-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-75-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-95-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-93-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-91-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-89-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-87-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-85-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-81-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-79-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-77-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-73-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-71-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-69-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-83-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-65-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-63-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline
behavioral1/memory/2928-62-0x0000000007740000-0x0000000007775000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3420	un311114.exe
3028	99020891.exe
2928	rk861021.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	99020891.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	99020891.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	82cfacbd9b55025c13cfb4db72e1675b3509b0a48408f7ea33f49345ba318d39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un311114.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2612	3028	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	82cfacbd9b55025c13cfb4db72e1675b3509b0a48408f7ea33f49345ba318d39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un311114.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99020891.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk861021.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3028	99020891.exe
3028	99020891.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	99020891.exe
Token: SeDebugPrivilege	2928	rk861021.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 3420	2108	82cfacbd9b55025c13cfb4db72e1675b3509b0a48408f7ea33f49345ba318d39.exe	83
PID 2108 wrote to memory of 3420	2108	82cfacbd9b55025c13cfb4db72e1675b3509b0a48408f7ea33f49345ba318d39.exe	83
PID 2108 wrote to memory of 3420	2108	82cfacbd9b55025c13cfb4db72e1675b3509b0a48408f7ea33f49345ba318d39.exe	83
PID 3420 wrote to memory of 3028	3420	un311114.exe	84
PID 3420 wrote to memory of 3028	3420	un311114.exe	84
PID 3420 wrote to memory of 3028	3420	un311114.exe	84
PID 3420 wrote to memory of 2928	3420	un311114.exe	95
PID 3420 wrote to memory of 2928	3420	un311114.exe	95
PID 3420 wrote to memory of 2928	3420	un311114.exe	95

C:\Users\Admin\AppData\Local\Temp\82cfacbd9b55025c13cfb4db72e1675b3509b0a48408f7ea33f49345ba318d39.exe
"C:\Users\Admin\AppData\Local\Temp\82cfacbd9b55025c13cfb4db72e1675b3509b0a48408f7ea33f49345ba318d39.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un311114.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un311114.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99020891.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99020891.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 1084
      4⤵
      Program crash
      PID:2612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk861021.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk861021.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3028 -ip 3028
1⤵
PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un311114.exe

Filesize
547KB

MD5
c6d39af32da35dda9099d9380ba051d8

SHA1
b49f3b394847bf15cb7b51e7fd3cb8011c7deb5f

SHA256
66458db8949d987da9eccb910b6da490e4b1e765d34cf0c21c86b523e432248e

SHA512
f308d80ba5f731fca7e6441a2d8a88d3c5895fca3d4a328d28bdde33d598693bd455052cb205eccdcd44e45fbc4c8adf55687f34c4830fc3656aa5c5c9c2f9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\99020891.exe

Filesize
269KB

MD5
34cc80e0dfa299de2e757c7d47e475e4

SHA1
91d1d83c0a115cce18aef56c01fb6fc22669d63a

SHA256
58e247e40089869b4bff00e47af6a5d37cda2dcdb52dbb28c0bbd98381ecb0f9

SHA512
64e624d0bfaca0e1662b3dd0d8c5f84e4e2ab427876f5717da84fcd7c007ff309c8861112c5213473b281c7b3b801f0aba6ddb93e88cba89d41ab7639a7b0a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk861021.exe

Filesize
353KB

MD5
8383dc8e068bc05989af853d68206298

SHA1
0e2e71d16d174384bcdf633d741664f24f72d191

SHA256
2902bd151a791cd990cca8112a033c351f17046e6bd8c0cc241eaccc274a633d

SHA512
54ac4d91102fe2f4b0b3aa73a03c62922609fd7c8c3794a33bec9885f684fa13c9420bceab0e3fb99b9a0b6ccfb0657bcb614f3161f86c8a9bc4f53d17aaef64

Download Submit
memory/2928-73-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-79-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-855-0x000000000A330000-0x000000000A342000-memory.dmp

Filesize
72KB

Download
memory/2928-854-0x0000000009C70000-0x000000000A288000-memory.dmp

Filesize
6.1MB

Download
memory/2928-62-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-63-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-65-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-83-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-69-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-71-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-857-0x000000000A470000-0x000000000A4AC000-memory.dmp

Filesize
240KB

Download
memory/2928-858-0x0000000004B20000-0x0000000004B6C000-memory.dmp

Filesize
304KB

Download
memory/2928-77-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-856-0x000000000A350000-0x000000000A45A000-memory.dmp

Filesize
1.0MB

Download
memory/2928-81-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-85-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-87-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-89-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-91-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-93-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-95-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-75-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-67-0x0000000007740000-0x0000000007775000-memory.dmp

Filesize
212KB

Download
memory/2928-61-0x0000000007740000-0x000000000777A000-memory.dmp

Filesize
232KB

Download
memory/2928-60-0x0000000007100000-0x000000000713C000-memory.dmp

Filesize
240KB

Download
memory/3028-42-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-54-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/3028-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3028-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3028-50-0x0000000000400000-0x0000000002B9E000-memory.dmp

Filesize
39.6MB

Download
memory/3028-51-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/3028-49-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download
memory/3028-22-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-36-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-21-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-26-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-28-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-30-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-34-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-38-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-40-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-44-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-46-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-48-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-32-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-24-0x0000000004D70000-0x0000000004D82000-memory.dmp

Filesize
72KB

Download
memory/3028-20-0x0000000004D70000-0x0000000004D88000-memory.dmp

Filesize
96KB

Download
memory/3028-19-0x0000000007530000-0x0000000007AD4000-memory.dmp

Filesize
5.6MB

Download
memory/3028-18-0x0000000002F40000-0x0000000002F5A000-memory.dmp

Filesize
104KB

Download
memory/3028-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3028-16-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

Filesize
180KB

Download
memory/3028-15-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

Filesize
1024KB

Download