healer | ff30b66adead0487105b1efabdda434de52d909067d5d5b455b31cdc7f297c3d

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 00:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff30b66adead0487105b1efabdda434de52d909067d5d5b455b31cdc7f297c3d.exe
Size

1.2MB
MD5

d4d178bdf5129dc6d5c691bc67135801
SHA1

e66bf9203661c218863bd8a1ed6ae21baa81cf04
SHA256

ff30b66adead0487105b1efabdda434de52d909067d5d5b455b31cdc7f297c3d
SHA512

0c0d488bbe64b564e6b61af6282e1df84a0d00f21345b1b77ac5b502c694ab9c49b1f7782545f7a901522cd87af304d280857e6f3c3484fd07cb1187411be413
SSDEEP

24576:1yUYCpJjQGBCj1xWPe8qP0zF8MTwiAtZDlBMbycKKIH:QTCptCShqPurw/tHC

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cbe-34.dat	healer
behavioral1/memory/3144-35-0x0000000000460000-0x000000000046A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	buuS77FO00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	buuS77FO00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	buuS77FO00.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	buuS77FO00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	buuS77FO00.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	buuS77FO00.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/836-41-0x0000000002640000-0x0000000002686000-memory.dmp	family_redline
behavioral1/memory/836-43-0x0000000005140000-0x0000000005184000-memory.dmp	family_redline
behavioral1/memory/836-47-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-45-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-44-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-53-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-107-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-105-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-103-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-101-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-99-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-95-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-93-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-91-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-89-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-87-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-85-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-83-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-81-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-79-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-75-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-73-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-72-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-69-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-67-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-65-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-63-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-61-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-59-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-57-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-51-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-49-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-97-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-77-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline
behavioral1/memory/836-55-0x0000000005140000-0x000000000517E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
4004	plZX27kZ08.exe
880	plHm06kE81.exe
3032	plVo29vA61.exe
5084	plcg65aT79.exe
3144	buuS77FO00.exe
836	cain57MR85.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	buuS77FO00.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ff30b66adead0487105b1efabdda434de52d909067d5d5b455b31cdc7f297c3d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plZX27kZ08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plHm06kE81.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plVo29vA61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	plcg65aT79.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plcg65aT79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cain57MR85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff30b66adead0487105b1efabdda434de52d909067d5d5b455b31cdc7f297c3d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plZX27kZ08.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plHm06kE81.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plVo29vA61.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3144	buuS77FO00.exe
3144	buuS77FO00.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3144	buuS77FO00.exe
Token: SeDebugPrivilege	836	cain57MR85.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 4004	2424	ff30b66adead0487105b1efabdda434de52d909067d5d5b455b31cdc7f297c3d.exe	83
PID 2424 wrote to memory of 4004	2424	ff30b66adead0487105b1efabdda434de52d909067d5d5b455b31cdc7f297c3d.exe	83
PID 2424 wrote to memory of 4004	2424	ff30b66adead0487105b1efabdda434de52d909067d5d5b455b31cdc7f297c3d.exe	83
PID 4004 wrote to memory of 880	4004	plZX27kZ08.exe	84
PID 4004 wrote to memory of 880	4004	plZX27kZ08.exe	84
PID 4004 wrote to memory of 880	4004	plZX27kZ08.exe	84
PID 880 wrote to memory of 3032	880	plHm06kE81.exe	85
PID 880 wrote to memory of 3032	880	plHm06kE81.exe	85
PID 880 wrote to memory of 3032	880	plHm06kE81.exe	85
PID 3032 wrote to memory of 5084	3032	plVo29vA61.exe	87
PID 3032 wrote to memory of 5084	3032	plVo29vA61.exe	87
PID 3032 wrote to memory of 5084	3032	plVo29vA61.exe	87
PID 5084 wrote to memory of 3144	5084	plcg65aT79.exe	89
PID 5084 wrote to memory of 3144	5084	plcg65aT79.exe	89
PID 5084 wrote to memory of 836	5084	plcg65aT79.exe	93
PID 5084 wrote to memory of 836	5084	plcg65aT79.exe	93
PID 5084 wrote to memory of 836	5084	plcg65aT79.exe	93

C:\Users\Admin\AppData\Local\Temp\ff30b66adead0487105b1efabdda434de52d909067d5d5b455b31cdc7f297c3d.exe
"C:\Users\Admin\AppData\Local\Temp\ff30b66adead0487105b1efabdda434de52d909067d5d5b455b31cdc7f297c3d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plZX27kZ08.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plZX27kZ08.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plHm06kE81.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plHm06kE81.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plVo29vA61.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plVo29vA61.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcg65aT79.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcg65aT79.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5084
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buuS77FO00.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buuS77FO00.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cain57MR85.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cain57MR85.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plZX27kZ08.exe

Filesize
1.0MB

MD5
4056ccf7760144ddf41a609330a69dd4

SHA1
795a7056f55a3a6d133d22622c6eff0b6ac2fd66

SHA256
7d9eb0419874f06b9b8eeefade911ef1490df20df3379d22326f08ee144dc044

SHA512
31d886712cfcc9db48cb96cd5366c258e678bdf865b0d9beae3000de0d4c694c4dc44b4b65e546768b0b2c16df1fbe46cc57b35e87d5107d1030e112d6443598

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plHm06kE81.exe

Filesize
935KB

MD5
a7f89049410a2540320160cb5aa4dc0b

SHA1
27c23292997a9aae453ed6732a464207eba540b2

SHA256
88ae21b6059ae7713b9164b88f89060d67adb1a95302275f00278ddfc15f60a4

SHA512
781a3da7722f9947cbc561fd867a0415ed7e1c6ebc07cdb3337f8f9bd31629a9f53883fa214644c0b5dafe75877c7f1fdf0ff7a248b6d3d95ccd8e5925194d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plVo29vA61.exe

Filesize
666KB

MD5
18b50a5365512c35b034db1dabff4380

SHA1
4e7c1fa80d53c7f71c45f53e0b91cc8a78212485

SHA256
0c4006c420916ae6722d0b29e5a4e83a05553a3ded7345c6ffaea62723e2785e

SHA512
ff02fb308fbcf4fefd92d983f0ec866de38c00f1e58b2ac429ea4261cec9188adf5e3340f4faa9d0272b14519fbe2cac2460ec0d2426011ccb4832450dad80da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plcg65aT79.exe

Filesize
391KB

MD5
ac31f61f3217f4005e47d6bad786b67f

SHA1
fc1e56f5d1ca872220d1ce8baa97f08dd2f369bd

SHA256
9e545b84cca58bdbd7a8851c7616947088a6d2ca1ccf8af68a25f40191788597

SHA512
db839526ba02ebbb647f07741c5c0feee757bd73101c60ccb4eb0c51f1ce87dd64062647a85b5a98350239c0b41a7d2abadb161ee380f7070a46f5b6cb884e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buuS77FO00.exe

Filesize
16KB

MD5
af035cfe17849e3380700de9e01ab03b

SHA1
fd39c68008bcce6712f176203e8476dd3741060e

SHA256
732f8837169163774d9cd9c6b3bd296f61afee0403e6c208180ada83c479935c

SHA512
ebe250c1e21a7443cb6869b7fa796d33083ad307b564bfd6e980560550df98a9bbcd5b2bcb768cd858f13e4846152ae982c95fa0c35a7996c67fa28c9417cfe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cain57MR85.exe

Filesize
301KB

MD5
0b1fc7b6b5f423e268221516747427e9

SHA1
46193a7985ffd4b645fb2abf9eb10bc11a78a537

SHA256
d798407025621d1aab6e51a2cd6b6b8db9b0832b5ff932001ae3a42789c69bc2

SHA512
120304b76de795816e47f07555c149c65dc52a152b92dafc5f5e4ff4dc4c09e8a1ca3b71c043d0cecb2f4c74e434ba0ec9ae4bd15a3cf22bb880326c77be02e8

Download Submit
memory/836-85-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-79-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-42-0x0000000004B50000-0x00000000050F4000-memory.dmp

Filesize
5.6MB

Download
memory/836-43-0x0000000005140000-0x0000000005184000-memory.dmp

Filesize
272KB

Download
memory/836-47-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-45-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-44-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-53-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-107-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-105-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-103-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-101-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-99-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-95-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-93-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-91-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-89-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-87-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-954-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download
memory/836-83-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-81-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-41-0x0000000002640000-0x0000000002686000-memory.dmp

Filesize
280KB

Download
memory/836-75-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-73-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-72-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-69-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-67-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-65-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-63-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-61-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-59-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-57-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-51-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-49-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-97-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-77-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-55-0x0000000005140000-0x000000000517E000-memory.dmp

Filesize
248KB

Download
memory/836-950-0x0000000005300000-0x0000000005918000-memory.dmp

Filesize
6.1MB

Download
memory/836-951-0x00000000059A0000-0x0000000005AAA000-memory.dmp

Filesize
1.0MB

Download
memory/836-952-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

Filesize
72KB

Download
memory/836-953-0x0000000005B00000-0x0000000005B3C000-memory.dmp

Filesize
240KB

Download
memory/3144-35-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download