healer | 758731262e1423c5449b17922f8b98bed16cbbfb94e3e1988533c947a7aa1984

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

758731262e1423c5449b17922f8b98bed16cbbfb94e3e1988533c947a7aa1984.exe
Size

660KB
MD5

f43d3f25ce3cb843c3e9b7810abcaab8
SHA1

c9550fd2b5fc8652753912c0a81a221750b018f3
SHA256

758731262e1423c5449b17922f8b98bed16cbbfb94e3e1988533c947a7aa1984
SHA512

aabe71668e591d5afe6e8bc38b85d9255f81dd21412df04055aa94ff220e1f420e1322d2840714a50a3820dc17d5d4fc9632c583e5154ed1a5cf6fa508598f69
SSDEEP

12288:sMrGy90DpcV0kcaWilU4tl8hiLpPAiQ5IzLZ6HG90fs4rLi3iwaWPxA0Y:qycE0zBijIiLp5Q5IzN6m9Gs463iw5q

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3164-19-0x0000000002300000-0x000000000231A000-memory.dmp	healer
behavioral1/memory/3164-21-0x00000000024E0000-0x00000000024F8000-memory.dmp	healer
behavioral1/memory/3164-41-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-49-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-47-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-45-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-44-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-39-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-37-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-35-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-33-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-31-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-27-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-25-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-23-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-22-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/3164-29-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4246.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4246.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/5088-61-0x00000000025B0000-0x00000000025F6000-memory.dmp	family_redline
behavioral1/memory/5088-62-0x0000000004A80000-0x0000000004AC4000-memory.dmp	family_redline
behavioral1/memory/5088-74-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-82-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-96-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-94-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-92-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-88-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-86-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-84-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-80-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-78-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-76-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-72-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-70-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-68-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-90-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-66-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-64-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline
behavioral1/memory/5088-63-0x0000000004A80000-0x0000000004ABF000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4024	un268706.exe
3164	pro4246.exe
5088	qu7292.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4246.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4246.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	758731262e1423c5449b17922f8b98bed16cbbfb94e3e1988533c947a7aa1984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un268706.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1236	3164	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro4246.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu7292.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	758731262e1423c5449b17922f8b98bed16cbbfb94e3e1988533c947a7aa1984.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un268706.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3164	pro4246.exe
3164	pro4246.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3164	pro4246.exe
Token: SeDebugPrivilege	5088	qu7292.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 4024	3124	758731262e1423c5449b17922f8b98bed16cbbfb94e3e1988533c947a7aa1984.exe	85
PID 3124 wrote to memory of 4024	3124	758731262e1423c5449b17922f8b98bed16cbbfb94e3e1988533c947a7aa1984.exe	85
PID 3124 wrote to memory of 4024	3124	758731262e1423c5449b17922f8b98bed16cbbfb94e3e1988533c947a7aa1984.exe	85
PID 4024 wrote to memory of 3164	4024	un268706.exe	86
PID 4024 wrote to memory of 3164	4024	un268706.exe	86
PID 4024 wrote to memory of 3164	4024	un268706.exe	86
PID 4024 wrote to memory of 5088	4024	un268706.exe	95
PID 4024 wrote to memory of 5088	4024	un268706.exe	95
PID 4024 wrote to memory of 5088	4024	un268706.exe	95

C:\Users\Admin\AppData\Local\Temp\758731262e1423c5449b17922f8b98bed16cbbfb94e3e1988533c947a7aa1984.exe
"C:\Users\Admin\AppData\Local\Temp\758731262e1423c5449b17922f8b98bed16cbbfb94e3e1988533c947a7aa1984.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un268706.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un268706.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4024
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4246.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4246.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3164
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 1008
      4⤵
      Program crash
      PID:1236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7292.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7292.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3164 -ip 3164
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un268706.exe

Filesize
518KB

MD5
dae2f4e4a607034e1ad7c3320668da94

SHA1
327a8aa474e009634bad061293dc90a64c43d1c2

SHA256
42a391e3015484212bc778f785d417cdf6f47578b31bb97f2df5d2abd76de25d

SHA512
b8803d08725e971bc3abe3a6f98ca37136295d4f3ac801ae3c7c993583a1641ed9c9be69f665e12a215432b12330f1837ea5b8c696bf69a44db477dbd0219911

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4246.exe

Filesize
236KB

MD5
0e4c7bc066bd4ba9ca41bdc8f4c6b90f

SHA1
f1a40b8469e253c69b1955ec7b41d1238b1ddd0c

SHA256
791abd0e2e142fd27315374f651d667f5bf59c499f6b39a4133eaf86d459c3eb

SHA512
c6e6b00d44161ac635e6e233f48ff4932e2bdd38c0e693f25c64a586f3d02c038a5a7ba1af7ac0164bab97b25fa04bd4fcd47fa4a5c2699ef921225b122b24d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7292.exe

Filesize
295KB

MD5
a6f5ef180fc7657d381575fdd689cd53

SHA1
4525627edc28a8ba2e591f95260eec13a4b50867

SHA256
e57c73807cae78b0c99eec4578604c59e9bb549e0f199e81cc7989de8c989926

SHA512
8d1ad9bdb3d1b4eb12ef00bdb538c69b6e723c8ee98c6d67eb4a225381a9da9421eec292407b7c16a5a69418b3d5f9af7e0329e0cfbe58d0b47741b29699c000

Download Submit
memory/3164-15-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/3164-16-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3164-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3164-18-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3164-19-0x0000000002300000-0x000000000231A000-memory.dmp

Filesize
104KB

Download
memory/3164-20-0x0000000004B80000-0x0000000005124000-memory.dmp

Filesize
5.6MB

Download
memory/3164-21-0x00000000024E0000-0x00000000024F8000-memory.dmp

Filesize
96KB

Download
memory/3164-41-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-49-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-47-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-45-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-44-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-39-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-37-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-35-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-33-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-31-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-27-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-25-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-23-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-22-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-29-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/3164-50-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/3164-51-0x0000000000810000-0x000000000083D000-memory.dmp

Filesize
180KB

Download
memory/3164-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3164-55-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3164-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5088-61-0x00000000025B0000-0x00000000025F6000-memory.dmp

Filesize
280KB

Download
memory/5088-62-0x0000000004A80000-0x0000000004AC4000-memory.dmp

Filesize
272KB

Download
memory/5088-74-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-82-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-96-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-94-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-92-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-88-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-86-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-84-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-80-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-78-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-76-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-72-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-70-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-68-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-90-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-66-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-64-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-63-0x0000000004A80000-0x0000000004ABF000-memory.dmp

Filesize
252KB

Download
memory/5088-969-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/5088-970-0x0000000005810000-0x000000000591A000-memory.dmp

Filesize
1.0MB

Download
memory/5088-971-0x0000000004BD0000-0x0000000004BE2000-memory.dmp

Filesize
72KB

Download
memory/5088-972-0x0000000004BF0000-0x0000000004C2C000-memory.dmp

Filesize
240KB

Download
memory/5088-973-0x0000000005A30000-0x0000000005A7C000-memory.dmp

Filesize
304KB

Download