healer | 64001b2604e6836a605c4e76769310c270113a8b7e75b91c1cfbc656876a69ae

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64001b2604e6836a605c4e76769310c270113a8b7e75b91c1cfbc656876a69ae.exe
Size

690KB
MD5

08d8b03fb6eff7e95f8c534969e64d69
SHA1

36067c601e8e0cd99e08c1f90dee17cf01ef1ad0
SHA256

64001b2604e6836a605c4e76769310c270113a8b7e75b91c1cfbc656876a69ae
SHA512

28759000b6f655dd8ba8d4992da136ae0aeb46f7a9ed6cf08a5218b42b1c47f59ccdf89ab82d8d5f0dc74e3bb7c0d81703ae5d5725ac12fadf104e8433f8a015
SSDEEP

12288:cy90YARYw0l3zPaA9CxC2jUjjONPABe/co1m2uBIDlKCijpLnf3FRX:cyuWLDagQC2UONYizQ2nZixnfVRX

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/180-18-0x0000000002200000-0x000000000221A000-memory.dmp	healer
behavioral1/memory/180-20-0x0000000002350000-0x0000000002368000-memory.dmp	healer
behavioral1/memory/180-46-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-45-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-43-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-40-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-38-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-36-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-35-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-33-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-48-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-31-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-29-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-27-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-24-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-22-0x0000000002350000-0x0000000002363000-memory.dmp	healer
behavioral1/memory/180-21-0x0000000002350000-0x0000000002363000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	63810715.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	63810715.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	63810715.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	63810715.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	63810715.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	63810715.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2628-59-0x0000000002580000-0x00000000025BC000-memory.dmp	family_redline
behavioral1/memory/2628-60-0x0000000004A70000-0x0000000004AAA000-memory.dmp	family_redline
behavioral1/memory/2628-72-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-76-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-94-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-92-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-88-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-86-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-84-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-82-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-80-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-78-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-74-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-70-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-68-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-90-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-66-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-64-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-62-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline
behavioral1/memory/2628-61-0x0000000004A70000-0x0000000004AA5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4944	un327402.exe
180	63810715.exe
2628	rk486608.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	63810715.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	63810715.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	64001b2604e6836a605c4e76769310c270113a8b7e75b91c1cfbc656876a69ae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un327402.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4124	180	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	64001b2604e6836a605c4e76769310c270113a8b7e75b91c1cfbc656876a69ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un327402.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	63810715.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk486608.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
180	63810715.exe
180	63810715.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	180	63810715.exe
Token: SeDebugPrivilege	2628	rk486608.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4944	1468	64001b2604e6836a605c4e76769310c270113a8b7e75b91c1cfbc656876a69ae.exe	84
PID 1468 wrote to memory of 4944	1468	64001b2604e6836a605c4e76769310c270113a8b7e75b91c1cfbc656876a69ae.exe	84
PID 1468 wrote to memory of 4944	1468	64001b2604e6836a605c4e76769310c270113a8b7e75b91c1cfbc656876a69ae.exe	84
PID 4944 wrote to memory of 180	4944	un327402.exe	85
PID 4944 wrote to memory of 180	4944	un327402.exe	85
PID 4944 wrote to memory of 180	4944	un327402.exe	85
PID 4944 wrote to memory of 2628	4944	un327402.exe	96
PID 4944 wrote to memory of 2628	4944	un327402.exe	96
PID 4944 wrote to memory of 2628	4944	un327402.exe	96

C:\Users\Admin\AppData\Local\Temp\64001b2604e6836a605c4e76769310c270113a8b7e75b91c1cfbc656876a69ae.exe
"C:\Users\Admin\AppData\Local\Temp\64001b2604e6836a605c4e76769310c270113a8b7e75b91c1cfbc656876a69ae.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un327402.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un327402.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4944
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63810715.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63810715.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 180 -s 1088
      4⤵
      Program crash
      PID:4124
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk486608.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk486608.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 180 -ip 180
1⤵
PID:3496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un327402.exe

Filesize
536KB

MD5
194d53e20968fc82a7bfb66f4591dced

SHA1
3a97cd6239a080b521a2f0afc629a7b4e1672523

SHA256
e7162e5c65e55b831b6affef3f46a9b477608a65629fb86217f8fc278870784b

SHA512
94b618d8de2df02dded6eb4ffa68e3a2a62f5838b5ac4c2c4ab1cae2c1b3a99e9e9c929b127eb9dd02271d2542e9d911afbf1639552750e52add430bc6bd1fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\63810715.exe

Filesize
259KB

MD5
c2da47a95dcf70c1673e814aaf292065

SHA1
ed6552aaf3753130051ecddc3c122de7de8c83e8

SHA256
524c1ae5c9df30409bfdbf222c18e11ba22033276c60a563e9606fc5a7cd512d

SHA512
63acaf5f9c0375b962e8bd24477868815a6c3c4174d92df2a9e9d0349e62adaf47d23b343873351b449a797ee5661c44207b325d50631a705547d4c62b47104d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk486608.exe

Filesize
341KB

MD5
c047fd13e6f9984762b040b27be75ac1

SHA1
aceeefc29f5ecd2e8bbf1e6aeb7c5725405baff3

SHA256
1b2dad60ed5d48b27c392a81b4079c800fb0a8e533d00d3586398a2c77b2e4fe

SHA512
65433525ff5d2f21522adab6a851cd66808e1aad8ebd3817d3215e1aed72bcd395e8773fa2e897e91f19ad9e1b5c78f480632e0fd6093691072f67ae570e5e70

Download Submit
memory/180-53-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/180-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/180-18-0x0000000002200000-0x000000000221A000-memory.dmp

Filesize
104KB

Download
memory/180-19-0x0000000004AA0000-0x0000000005044000-memory.dmp

Filesize
5.6MB

Download
memory/180-20-0x0000000002350000-0x0000000002368000-memory.dmp

Filesize
96KB

Download
memory/180-46-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-45-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-43-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-40-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-38-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-36-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-35-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-33-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-48-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-31-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-29-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-27-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-24-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-22-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-21-0x0000000002350000-0x0000000002363000-memory.dmp

Filesize
76KB

Download
memory/180-49-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/180-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/180-15-0x0000000000650000-0x0000000000750000-memory.dmp

Filesize
1024KB

Download
memory/180-54-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/180-17-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2628-64-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-60-0x0000000004A70000-0x0000000004AAA000-memory.dmp

Filesize
232KB

Download
memory/2628-72-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-76-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-94-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-92-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-88-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-86-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-84-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-82-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-80-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-78-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-74-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-70-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-68-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-90-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-66-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-59-0x0000000002580000-0x00000000025BC000-memory.dmp

Filesize
240KB

Download
memory/2628-62-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-61-0x0000000004A70000-0x0000000004AA5000-memory.dmp

Filesize
212KB

Download
memory/2628-853-0x0000000007570000-0x0000000007B88000-memory.dmp

Filesize
6.1MB

Download
memory/2628-854-0x0000000007BF0000-0x0000000007C02000-memory.dmp

Filesize
72KB

Download
memory/2628-855-0x0000000007C10000-0x0000000007D1A000-memory.dmp

Filesize
1.0MB

Download
memory/2628-856-0x0000000007D30000-0x0000000007D6C000-memory.dmp

Filesize
240KB

Download
memory/2628-857-0x0000000002350000-0x000000000239C000-memory.dmp

Filesize
304KB

Download