healer | d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2

Analysis

max time kernel
113s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2N.exe
Size

546KB
MD5

d99844cac597beecd897a9a6b2a3bae0
SHA1

1788b9e8040839c5547edc86e2a89c79529c65a5
SHA256

d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2
SHA512

8fd369390aac0966ccf4757441b8dd27bd99fff55bf78cc0936b91269c96e55d302fc4b434247c3ddbd3b832294d503360e7ef782a54f93953541e596b88e79a
SSDEEP

12288:EMrwy90rlRfU4pMr9ts1xEz7UkoZ6cSKiw:kyulRfU4pYz7oZrS4

Score

10^/10

healer redline boris discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4548-10-0x0000000004730000-0x000000000474A000-memory.dmp	healer
behavioral1/memory/4548-12-0x0000000004A20000-0x0000000004A38000-memory.dmp	healer
behavioral1/memory/4548-41-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-39-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-37-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-35-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-33-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-31-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-29-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-27-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-25-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-23-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-21-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-19-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-17-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-15-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer
behavioral1/memory/4548-14-0x0000000004A20000-0x0000000004A32000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0985.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro0985.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/1704-52-0x0000000002EB0000-0x0000000002EF6000-memory.dmp	family_redline
behavioral1/memory/1704-53-0x0000000004D30000-0x0000000004D74000-memory.dmp	family_redline
behavioral1/memory/1704-63-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-65-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-87-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-85-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-83-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-81-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-77-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-75-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-73-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-71-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-69-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-67-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-61-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-59-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-57-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-79-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-55-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline
behavioral1/memory/1704-54-0x0000000004D30000-0x0000000004D6F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 2 IoCs

pid	Process
4548	pro0985.exe
1704	qu5685.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0985.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0985.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4608	4548	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro0985.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu5685.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4548	pro0985.exe
4548	pro0985.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4548	pro0985.exe
Token: SeDebugPrivilege	1704	qu5685.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 4548	4932	d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2N.exe	83
PID 4932 wrote to memory of 4548	4932	d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2N.exe	83
PID 4932 wrote to memory of 4548	4932	d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2N.exe	83
PID 4932 wrote to memory of 1704	4932	d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2N.exe	96
PID 4932 wrote to memory of 1704	4932	d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2N.exe	96
PID 4932 wrote to memory of 1704	4932	d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2N.exe	96

C:\Users\Admin\AppData\Local\Temp\d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2N.exe
"C:\Users\Admin\AppData\Local\Temp\d06bd1a23a936990a2c6ec9ed3beaa7064fbc07b250f6c84bf9fac352847bcb2N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro0985.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro0985.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 1084
    3⤵
    - Program crash
    PID:4608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu5685.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu5685.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4548 -ip 4548
1⤵
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pro0985.exe

Filesize
328KB

MD5
b06bd59646169e60d6653710f991e7e9

SHA1
132efe77363166ed1d50bb52f04855679bf35541

SHA256
5ff17ca7c355a8cd0e9ef0fe60ddd6b5035e1b002a370a6f7aeeaa8bbb155105

SHA512
10d6ec9f2d170d5807b81fd44180bb6e1ddbe925193520d8b1d939dc58e5221b2f7098b4c029300467877fcfb0711b60284c45d3dc25abcdb016ff8e7e35a2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\qu5685.exe

Filesize
385KB

MD5
173503c2585ffefe842d44f062d32370

SHA1
0b7814aeaf6ad5cdaa393e6bfb581a66af1819a3

SHA256
05f83d2a08f461b87e6bf8dc70c026d11f2a2b5eea7e654ce2d0111e87810e4a

SHA512
52016e2fd2659cb5d9cd1077d88668c5f71b4f782336c1673fe292b507922f3b6a6de42867278a4a395d28db1cba2daaeffe87de84d139c4f4a72bc3dac7720d

Download Submit
memory/1704-73-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-61-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-964-0x0000000008150000-0x000000000819C000-memory.dmp

Filesize
304KB

Download
memory/1704-963-0x0000000008010000-0x000000000804C000-memory.dmp

Filesize
240KB

Download
memory/1704-54-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-55-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-79-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-57-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-59-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-52-0x0000000002EB0000-0x0000000002EF6000-memory.dmp

Filesize
280KB

Download
memory/1704-67-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-69-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-962-0x00000000072B0000-0x00000000072C2000-memory.dmp

Filesize
72KB

Download
memory/1704-71-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-960-0x00000000078A0000-0x0000000007EB8000-memory.dmp

Filesize
6.1MB

Download
memory/1704-961-0x0000000007EC0000-0x0000000007FCA000-memory.dmp

Filesize
1.0MB

Download
memory/1704-75-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-77-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-81-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-83-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-85-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-87-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-65-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-63-0x0000000004D30000-0x0000000004D6F000-memory.dmp

Filesize
252KB

Download
memory/1704-53-0x0000000004D30000-0x0000000004D74000-memory.dmp

Filesize
272KB

Download
memory/4548-25-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4548-47-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4548-46-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4548-44-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4548-42-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/4548-14-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-15-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-17-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-19-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-21-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-23-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-8-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/4548-10-0x0000000004730000-0x000000000474A000-memory.dmp

Filesize
104KB

Download
memory/4548-27-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-29-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-31-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-33-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-35-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-37-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-39-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-41-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/4548-13-0x0000000000400000-0x0000000002B7F000-memory.dmp

Filesize
39.5MB

Download
memory/4548-12-0x0000000004A20000-0x0000000004A38000-memory.dmp

Filesize
96KB

Download
memory/4548-11-0x00000000072D0000-0x0000000007874000-memory.dmp

Filesize
5.6MB

Download