healer | 7256f7167ab97a01f6e63f918673242e6b0a5819114e6b905fd72f7fa95314e1

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7256f7167ab97a01f6e63f918673242e6b0a5819114e6b905fd72f7fa95314e1.exe
Size

705KB
MD5

b1639e303693b9da225c8dcab487ebf4
SHA1

9a9cc968c79486cf0ce57688aacf78da8069cc93
SHA256

7256f7167ab97a01f6e63f918673242e6b0a5819114e6b905fd72f7fa95314e1
SHA512

968f9a770d921835cae17a22435e1767a3e8380b27772b182d81559f3c6a92ecd3a3cbc79fdf0a5a7e98bd4e40b35f7e15721a62d67f77f23715478a7c12d99c
SSDEEP

12288:kMrdy90ONokVjYa1sTmwGXK6IWthriUyqKMn+7Bah8WSFhBmrZVr2:hyP3VsmFwOrR1qVArO

Score

10^/10

healer redline ronam discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ronam

193.233.20.17:4139

Attributes

auth_value
125421d19d14dd7fd211bc7f6d4aea6c

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c78-19.dat	healer
behavioral1/memory/4576-22-0x00000000005F0000-0x00000000005FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	kVc95Fr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	kVc95Fr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	kVc95Fr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	kVc95Fr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	kVc95Fr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	kVc95Fr.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3696-29-0x00000000027B0000-0x00000000027F6000-memory.dmp	family_redline
behavioral1/memory/3696-31-0x0000000004B90000-0x0000000004BD4000-memory.dmp	family_redline
behavioral1/memory/3696-33-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-32-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-47-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-45-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-43-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-95-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-93-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-91-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-89-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-87-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-85-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-83-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-81-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-79-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-77-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-75-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-73-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-71-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-69-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-67-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-65-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-63-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-61-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-59-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-57-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-55-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-53-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-51-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-49-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-41-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-39-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-37-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline
behavioral1/memory/3696-35-0x0000000004B90000-0x0000000004BCE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4016	dTj5574.exe
3740	dgO9099.exe
4576	kVc95Fr.exe
3696	nTt63tQ.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	kVc95Fr.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dgO9099.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7256f7167ab97a01f6e63f918673242e6b0a5819114e6b905fd72f7fa95314e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dTj5574.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7256f7167ab97a01f6e63f918673242e6b0a5819114e6b905fd72f7fa95314e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dTj5574.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dgO9099.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nTt63tQ.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4576	kVc95Fr.exe
4576	kVc95Fr.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4576	kVc95Fr.exe
Token: SeDebugPrivilege	3696	nTt63tQ.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 4016	2544	7256f7167ab97a01f6e63f918673242e6b0a5819114e6b905fd72f7fa95314e1.exe	83
PID 2544 wrote to memory of 4016	2544	7256f7167ab97a01f6e63f918673242e6b0a5819114e6b905fd72f7fa95314e1.exe	83
PID 2544 wrote to memory of 4016	2544	7256f7167ab97a01f6e63f918673242e6b0a5819114e6b905fd72f7fa95314e1.exe	83
PID 4016 wrote to memory of 3740	4016	dTj5574.exe	84
PID 4016 wrote to memory of 3740	4016	dTj5574.exe	84
PID 4016 wrote to memory of 3740	4016	dTj5574.exe	84
PID 3740 wrote to memory of 4576	3740	dgO9099.exe	86
PID 3740 wrote to memory of 4576	3740	dgO9099.exe	86
PID 3740 wrote to memory of 3696	3740	dgO9099.exe	98
PID 3740 wrote to memory of 3696	3740	dgO9099.exe	98
PID 3740 wrote to memory of 3696	3740	dgO9099.exe	98

C:\Users\Admin\AppData\Local\Temp\7256f7167ab97a01f6e63f918673242e6b0a5819114e6b905fd72f7fa95314e1.exe
"C:\Users\Admin\AppData\Local\Temp\7256f7167ab97a01f6e63f918673242e6b0a5819114e6b905fd72f7fa95314e1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dTj5574.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dTj5574.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgO9099.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgO9099.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kVc95Fr.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kVc95Fr.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nTt63tQ.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nTt63tQ.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dTj5574.exe

Filesize
560KB

MD5
9541ee9bc68917c55ec37330240f1e79

SHA1
d5cb62d90dfbdab685196e57f0de4f6153a03557

SHA256
269bb20e5949c2a20a898ef80e2004729e76b56a7a90a359a4227e51fc55d52a

SHA512
1071142d1d8e31870607729dc03a8ccf54580370ba6e95ac052ce4eaf59e570d62df4698a87ea4614c76ea7e75d86b06be2d4d0c45f695361b0b5eefec888430

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgO9099.exe

Filesize
416KB

MD5
fd279d6c502bb5815cc0d2ba50099f2e

SHA1
ee9a7ae2722e9eb2594e36067fa2e1b47add5cc4

SHA256
0fdfbe94f1c627d89b6a6eab497454106aaf393db020bab809d6b20434ef78dd

SHA512
b2c849c1390416b872881a8677b745e265604f76a283ada7309f327685f8ef19f856d53acd0d5322cd612e9e5adafac70024f2bf596869a143eabe0dd73e701d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\kVc95Fr.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nTt63tQ.exe

Filesize
346KB

MD5
ffd34e60c3a72a6b439d9587853d35c6

SHA1
9e3d035ea5abcb297c889815604264b08fa75c10

SHA256
d2788fc5b5355089111a056425a10fdccd4add6ac61b7db0137c93d52dd4d418

SHA512
51e6cf28e3b8f7d95fa3b028283b8e089eebb78bbaea2aaaa606e51d166695a5b345b8c7e7fa6be61493bd2fbfa3f4eb10ca9565e09d7b33cfcf6174ad743de1

Download Submit
memory/3696-77-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-29-0x00000000027B0000-0x00000000027F6000-memory.dmp

Filesize
280KB

Download
memory/3696-942-0x0000000005B40000-0x0000000005B8C000-memory.dmp

Filesize
304KB

Download
memory/3696-75-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-30-0x0000000004C30000-0x00000000051D4000-memory.dmp

Filesize
5.6MB

Download
memory/3696-31-0x0000000004B90000-0x0000000004BD4000-memory.dmp

Filesize
272KB

Download
memory/3696-33-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-32-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-47-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-45-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-941-0x00000000059F0000-0x0000000005A2C000-memory.dmp

Filesize
240KB

Download
memory/3696-95-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-73-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-91-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-89-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-87-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-85-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-83-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-81-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-79-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-43-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-940-0x00000000059D0000-0x00000000059E2000-memory.dmp

Filesize
72KB

Download
memory/3696-93-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-71-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-69-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-67-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-65-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-63-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-61-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-59-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-57-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-55-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-53-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-51-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-49-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-41-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-39-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-37-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-35-0x0000000004B90000-0x0000000004BCE000-memory.dmp

Filesize
248KB

Download
memory/3696-938-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/3696-939-0x0000000005890000-0x000000000599A000-memory.dmp

Filesize
1.0MB

Download
memory/4576-24-0x00007FF997F80000-0x00007FF99801D000-memory.dmp

Filesize
628KB

Download
memory/4576-22-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/4576-21-0x00007FF997F80000-0x00007FF99801D000-memory.dmp

Filesize
628KB

Download