healer | fcc5574f6473fce7408f99e50f3bdd15319c8a0a59c5a43080316e2661f81af4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10/11/2024, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcc5574f6473fce7408f99e50f3bdd15319c8a0a59c5a43080316e2661f81af4.exe
Size

560KB
MD5

44832c40721c2cd48a78fbd718feb553
SHA1

49233fb1ae6e83a894672053f1cfa684713478fa
SHA256

fcc5574f6473fce7408f99e50f3bdd15319c8a0a59c5a43080316e2661f81af4
SHA512

fd8c5a3de3be15bbdcc3391399cc3acdb0f2a2961bdccf540ea2de4af891ca1fc0aa5b865b9c168c99e85c0995e4e05ce6260c3c0abebfcfb82d6725047fabc5
SSDEEP

12288:sMrey90veyhKcBrWcOcHCb+/j3I4IdhT2kuDOjg2vsgoMH:iyS9McOdjgKsgo6

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b7c-12.dat	healer
behavioral1/memory/4628-15-0x0000000000830000-0x000000000083A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr485217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr485217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr485217.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr485217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr485217.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr485217.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/1700-22-0x0000000002970000-0x00000000029B6000-memory.dmp	family_redline
behavioral1/memory/1700-24-0x0000000004EA0000-0x0000000004EE4000-memory.dmp	family_redline
behavioral1/memory/1700-32-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-38-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-86-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-84-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-82-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-80-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-76-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-74-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-73-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-70-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-68-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-67-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-64-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-62-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-60-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-58-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-56-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-54-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-50-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-48-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-46-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-44-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-42-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-36-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-34-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-89-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-78-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-52-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-40-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-30-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-28-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-26-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline
behavioral1/memory/1700-25-0x0000000004EA0000-0x0000000004EDF000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2752	ziLI8861.exe
4628	jr485217.exe
1700	ku785005.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr485217.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fcc5574f6473fce7408f99e50f3bdd15319c8a0a59c5a43080316e2661f81af4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziLI8861.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4240	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku785005.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcc5574f6473fce7408f99e50f3bdd15319c8a0a59c5a43080316e2661f81af4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziLI8861.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4628	jr485217.exe
4628	jr485217.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4628	jr485217.exe
Token: SeDebugPrivilege	1700	ku785005.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 2752	916	fcc5574f6473fce7408f99e50f3bdd15319c8a0a59c5a43080316e2661f81af4.exe	84
PID 916 wrote to memory of 2752	916	fcc5574f6473fce7408f99e50f3bdd15319c8a0a59c5a43080316e2661f81af4.exe	84
PID 916 wrote to memory of 2752	916	fcc5574f6473fce7408f99e50f3bdd15319c8a0a59c5a43080316e2661f81af4.exe	84
PID 2752 wrote to memory of 4628	2752	ziLI8861.exe	85
PID 2752 wrote to memory of 4628	2752	ziLI8861.exe	85
PID 2752 wrote to memory of 1700	2752	ziLI8861.exe	93
PID 2752 wrote to memory of 1700	2752	ziLI8861.exe	93
PID 2752 wrote to memory of 1700	2752	ziLI8861.exe	93

C:\Users\Admin\AppData\Local\Temp\fcc5574f6473fce7408f99e50f3bdd15319c8a0a59c5a43080316e2661f81af4.exe
"C:\Users\Admin\AppData\Local\Temp\fcc5574f6473fce7408f99e50f3bdd15319c8a0a59c5a43080316e2661f81af4.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLI8861.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLI8861.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr485217.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr485217.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku785005.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku785005.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1700

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziLI8861.exe

Filesize
407KB

MD5
bbf7025c87ad5f381c350e0c4d459750

SHA1
59ca10601bb0d85c755acbe30a5fac104c9c730d

SHA256
71397e33548dbddf1f3e96cc1ee1b324d852763de43f7d3f303f236026d3e371

SHA512
9769255aa213123aa3388cbeb9bee4c79a3718e1cf050506d6bf78e9eb0a7849062301a8bb60b3182be4816d7e1df8e8d5a08dc3b8cf4e43f9bb0b0d0735ade6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr485217.exe

Filesize
13KB

MD5
07dd5992421bcb7aa9890ac7ec1e1c2f

SHA1
4a721800877fc8376b46a9cffabc6d2f0557734b

SHA256
b11464d2cd811748a187db31891f74272128a6a084b324d94eb721df8584f8e8

SHA512
c32c537b6f41ff1332aa94f8c6aeb0f4a97577b94cc923a2d15a8ea16b8cfc43ee464eadcb7feb010a567e3d1e0da4467ea9cbd4475c788edcc51d66af729775

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku785005.exe

Filesize
370KB

MD5
f081f82d0e917cde300e3aa49a4a7cd9

SHA1
828c5aacbc15d7ddb01a1fb356b0e22677f6ce3e

SHA256
4e2c232444054eee31187a395baa8681a35aed0c4e07241e3ab46763063d33c6

SHA512
5bb05f0941ec4a103a4e2563353982e4c9585293d1465c34e428175abb6e775fc924d82b5afc27c15118d503b867b31d7be7cbea6b5dae4e62ea92bf078959fc

Download Submit
memory/1700-62-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-89-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-935-0x0000000005F10000-0x0000000005F5C000-memory.dmp

Filesize
304KB

Download
memory/1700-22-0x0000000002970000-0x00000000029B6000-memory.dmp

Filesize
280KB

Download
memory/1700-23-0x0000000004F50000-0x00000000054F4000-memory.dmp

Filesize
5.6MB

Download
memory/1700-24-0x0000000004EA0000-0x0000000004EE4000-memory.dmp

Filesize
272KB

Download
memory/1700-32-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-38-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-86-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-84-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-82-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-80-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-76-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-74-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-73-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-70-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-68-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-67-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-64-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-934-0x0000000005DD0000-0x0000000005E0C000-memory.dmp

Filesize
240KB

Download
memory/1700-56-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-933-0x0000000005D70000-0x0000000005D82000-memory.dmp

Filesize
72KB

Download
memory/1700-58-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-54-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-50-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-48-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-46-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-44-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-42-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-36-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-34-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-60-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-78-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-52-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-40-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-30-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-28-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-26-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-25-0x0000000004EA0000-0x0000000004EDF000-memory.dmp

Filesize
252KB

Download
memory/1700-931-0x0000000005600000-0x0000000005C18000-memory.dmp

Filesize
6.1MB

Download
memory/1700-932-0x0000000005C60000-0x0000000005D6A000-memory.dmp

Filesize
1.0MB

Download
memory/4628-16-0x00007FFCFC3B3000-0x00007FFCFC3B5000-memory.dmp

Filesize
8KB

Download
memory/4628-14-0x00007FFCFC3B3000-0x00007FFCFC3B5000-memory.dmp

Filesize
8KB

Download
memory/4628-15-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download