healer | c8a7e6ab4d96aaca0bc08f8dc3fb8a05fe142cd2c146d4d88b010fba42549e57

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

791e63f96785263631778a788be1a5bd447d34a981f3f862dc3811da6f57517eN.exe
Size

988KB
MD5

0716cb4fc3300ea544aa9147add0cd66
SHA1

55cccfc66f64799a4c9964a83cb3beab00bc15ab
SHA256

c8a7e6ab4d96aaca0bc08f8dc3fb8a05fe142cd2c146d4d88b010fba42549e57
SHA512

e48ecb711d8f6299306a549c31aea03da24b4ca7b1784b77baeb233fedc3174150b497dbabee6bf15e44ba48a4c4b2fa640c10f58978d219601f09d0ff643bb8
SSDEEP

24576:9yTkrV/fBJPYJc5iECeiQmyf4+ffIufLbIu7LXvU6fZ7s4:YC/fBJrEQfbfH/I6/Uyj

Score

10^/10

healer redline rouch discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rouch

193.56.146.11:4162

Attributes

auth_value
1b1735bcfc122c708eae27ca352568de

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c93-26.dat	healer
behavioral1/memory/440-28-0x0000000000AC0000-0x0000000000ACA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	buWn98dD16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	buWn98dD16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	buWn98dD16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	buWn98dD16.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	buWn98dD16.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	buWn98dD16.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3100-34-0x00000000024C0000-0x0000000002506000-memory.dmp	family_redline
behavioral1/memory/3100-36-0x0000000004BA0000-0x0000000004BE4000-memory.dmp	family_redline
behavioral1/memory/3100-44-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-52-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-100-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-98-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-96-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-94-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-92-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-88-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-86-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-84-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-82-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-80-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-78-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-76-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-74-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-72-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-70-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-66-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-64-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-62-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-60-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-58-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-56-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-54-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-50-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-48-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-46-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-42-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-40-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-90-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-68-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-38-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/3100-37-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
4492	pllC18Qk39.exe
3604	plwY09bN79.exe
3020	plCH03Nw70.exe
440	buWn98dD16.exe
3100	caXw45IP32.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	buWn98dD16.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	pllC18Qk39.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plwY09bN79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plCH03Nw70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	791e63f96785263631778a788be1a5bd447d34a981f3f862dc3811da6f57517eN.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	791e63f96785263631778a788be1a5bd447d34a981f3f862dc3811da6f57517eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pllC18Qk39.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plwY09bN79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plCH03Nw70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caXw45IP32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
440	buWn98dD16.exe
440	buWn98dD16.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	440	buWn98dD16.exe
Token: SeDebugPrivilege	3100	caXw45IP32.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 4492	960	791e63f96785263631778a788be1a5bd447d34a981f3f862dc3811da6f57517eN.exe	85
PID 960 wrote to memory of 4492	960	791e63f96785263631778a788be1a5bd447d34a981f3f862dc3811da6f57517eN.exe	85
PID 960 wrote to memory of 4492	960	791e63f96785263631778a788be1a5bd447d34a981f3f862dc3811da6f57517eN.exe	85
PID 4492 wrote to memory of 3604	4492	pllC18Qk39.exe	86
PID 4492 wrote to memory of 3604	4492	pllC18Qk39.exe	86
PID 4492 wrote to memory of 3604	4492	pllC18Qk39.exe	86
PID 3604 wrote to memory of 3020	3604	plwY09bN79.exe	87
PID 3604 wrote to memory of 3020	3604	plwY09bN79.exe	87
PID 3604 wrote to memory of 3020	3604	plwY09bN79.exe	87
PID 3020 wrote to memory of 440	3020	plCH03Nw70.exe	89
PID 3020 wrote to memory of 440	3020	plCH03Nw70.exe	89
PID 3020 wrote to memory of 3100	3020	plCH03Nw70.exe	100
PID 3020 wrote to memory of 3100	3020	plCH03Nw70.exe	100
PID 3020 wrote to memory of 3100	3020	plCH03Nw70.exe	100

C:\Users\Admin\AppData\Local\Temp\791e63f96785263631778a788be1a5bd447d34a981f3f862dc3811da6f57517eN.exe
"C:\Users\Admin\AppData\Local\Temp\791e63f96785263631778a788be1a5bd447d34a981f3f862dc3811da6f57517eN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pllC18Qk39.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pllC18Qk39.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwY09bN79.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwY09bN79.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plCH03Nw70.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plCH03Nw70.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\buWn98dD16.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\buWn98dD16.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caXw45IP32.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caXw45IP32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pllC18Qk39.exe

Filesize
892KB

MD5
38a79b303dbf1e840f3c4f1423360992

SHA1
4d678bc1f5c75c4f6b57a0b2493a6099963ed97f

SHA256
f1774aabf87b5cfcc1738b1330b582f0845e27279d131415224b6963fe5b0a55

SHA512
53696a82eaff437fe0a606be4300656bd94f997e5384b6ec602fb9aab928e9983b232f5553535753a1fb89b1f021ed371b04af3ec217f0fd83726a1a71dbae00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plwY09bN79.exe

Filesize
666KB

MD5
94c426638c1f64fdc0d0dce4bdcd4056

SHA1
a40557a4c07dff69ee81305eb3b08a0aef35ddb0

SHA256
4363afc66934ddd0dd1b770656fca1011c3eadad0a18720cb08688e6f86fdd10

SHA512
ab0efa613e98bc296b35056870c9f8ac5d708db38e3cef62a800d7da38f799ca18caa377bf1d347421ff2ad3aba14a725a8917246248cdfc8b213e22a42fce89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plCH03Nw70.exe

Filesize
391KB

MD5
9568f812dba507fd5cd9822039b8448e

SHA1
5386e39cc9ac8cd2f3bc6e58ab65f4a465aa4f09

SHA256
fddbd93d3d1a5bcc383380783fddad3cbb20237383fde0ff2be3518ffc8e999c

SHA512
617622bf4df6b29dcee5e5f8fbdb584edffa1f543e1bf71cf15f16e369185c23e80a658f2eb41e4f1937bb05f4573fbebad0b4b3d5fa9a554fc8671b9e8aa7da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\buWn98dD16.exe

Filesize
11KB

MD5
b51c52e0cfdbcac0fdcb10e370bf4eb7

SHA1
7c2d31fe4a5f6bce32b489769f59f5c84543fe07

SHA256
12db26be94b099b85be7e2b3154d52a4e74544618a2c3dfeeb58ce7cc02d8764

SHA512
d1cbc1195864189683742fe95726faa966c3771d20ebcf28c6f91d81872fe01ffa51c824e5c1bbf92973361709894eabd754d6d2cb832aac2ae8457965fe6dc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caXw45IP32.exe

Filesize
304KB

MD5
425a4e66387f5515e08c6258b5dc0c4d

SHA1
e8a3a200c7aa39c58d6f1245abe4af5dc8d81671

SHA256
f9d0ab38b7112071584629f74818f8ac3113d2db0a7bb3ef518aca5c1c08893d

SHA512
c1086d7971da5530878b40e7c09665235ffaba4303a8c8fc3d7e85f392ee1195079657727857880bb603d8f9739cc124199e2688a211d75e475ea1daaa1a464e

Download Submit
memory/440-28-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/3100-76-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-64-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-36-0x0000000004BA0000-0x0000000004BE4000-memory.dmp

Filesize
272KB

Download
memory/3100-44-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-52-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-100-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-98-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-96-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-94-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-92-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-88-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-86-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-84-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-82-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-80-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-78-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-34-0x00000000024C0000-0x0000000002506000-memory.dmp

Filesize
280KB

Download
memory/3100-74-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-72-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-70-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-66-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-35-0x0000000004CE0000-0x0000000005284000-memory.dmp

Filesize
5.6MB

Download
memory/3100-62-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-60-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-58-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-56-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-54-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-50-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-48-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-46-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-42-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-40-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-90-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-68-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-38-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-37-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/3100-943-0x0000000005390000-0x00000000059A8000-memory.dmp

Filesize
6.1MB

Download
memory/3100-944-0x00000000059B0000-0x0000000005ABA000-memory.dmp

Filesize
1.0MB

Download
memory/3100-945-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

Filesize
72KB

Download
memory/3100-946-0x0000000005B00000-0x0000000005B3C000-memory.dmp

Filesize
240KB

Download
memory/3100-947-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download