healer | 4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe
Size

814KB
MD5

225465b1e5ee6c2929d395ee103b042e
SHA1

eefb6b913b5f34a4f774e99aa260f498cc8eb082
SHA256

4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2
SHA512

00d98dc05f0b4a716f8c763fd565f86f733982dfcee13585c0eab7bc407749efafc70eba6ab4edc95eac2f05f099a3545c026589daadf773455605b2ca7a923b
SSDEEP

12288:9Mrsy900ED+a8nh9MqS46efwDXPnqMjK7GcjmPDoPy2iqGS29fkrSo7OqWSA2l3R:dy2+FheC6ef0fOpSbo62WRGZlAi33h

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1832-19-0x00000000025A0000-0x00000000025BA000-memory.dmp	healer
behavioral1/memory/1832-21-0x0000000002970000-0x0000000002988000-memory.dmp	healer
behavioral1/memory/1832-47-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-49-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-45-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-43-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-41-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-39-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-37-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-35-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-33-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-31-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-29-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-27-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-25-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-23-0x0000000002970000-0x0000000002982000-memory.dmp	healer
behavioral1/memory/1832-22-0x0000000002970000-0x0000000002982000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro8635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro8635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro8635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro8635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro8635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro8635.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1304-2143-0x0000000005760000-0x0000000005792000-memory.dmp	family_redline
behavioral1/files/0x000f000000023b3d-2148.dat	family_redline
behavioral1/memory/5272-2156-0x0000000000370000-0x00000000003A0000-memory.dmp	family_redline
behavioral1/files/0x000a000000023b40-2164.dat	family_redline
behavioral1/memory/5472-2167-0x0000000000620000-0x000000000064E000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	qu6839.exe

Executes dropped EXE 5 IoCs

pid	Process
3016	un629555.exe
1832	pro8635.exe
1304	qu6839.exe
5272	1.exe
5472	si673921.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro8635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro8635.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un629555.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1344	1832	WerFault.exe	84
5376	1304	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un629555.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro8635.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu6839.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si673921.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1832	pro8635.exe
1832	pro8635.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1832	pro8635.exe
Token: SeDebugPrivilege	1304	qu6839.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1192 wrote to memory of 3016	1192	4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe	83
PID 1192 wrote to memory of 3016	1192	4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe	83
PID 1192 wrote to memory of 3016	1192	4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe	83
PID 3016 wrote to memory of 1832	3016	un629555.exe	84
PID 3016 wrote to memory of 1832	3016	un629555.exe	84
PID 3016 wrote to memory of 1832	3016	un629555.exe	84
PID 3016 wrote to memory of 1304	3016	un629555.exe	97
PID 3016 wrote to memory of 1304	3016	un629555.exe	97
PID 3016 wrote to memory of 1304	3016	un629555.exe	97
PID 1304 wrote to memory of 5272	1304	qu6839.exe	98
PID 1304 wrote to memory of 5272	1304	qu6839.exe	98
PID 1304 wrote to memory of 5272	1304	qu6839.exe	98
PID 1192 wrote to memory of 5472	1192	4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe	101
PID 1192 wrote to memory of 5472	1192	4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe	101
PID 1192 wrote to memory of 5472	1192	4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe	101

C:\Users\Admin\AppData\Local\Temp\4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe
"C:\Users\Admin\AppData\Local\Temp\4cfe26e5a846fe94e3262cc3145d0a8b8dbaa4c89d7ce7b87d168378f865b0e2.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un629555.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un629555.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8635.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8635.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 1088
      4⤵
      Program crash
      PID:1344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6839.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6839.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5272
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 1532
      4⤵
      Program crash
      PID:5376
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si673921.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si673921.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1832 -ip 1832
1⤵
PID:748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1304 -ip 1304
1⤵
PID:5312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si673921.exe

Filesize
169KB

MD5
ae4a306dd730ae302996854f3b754e7f

SHA1
fd8cf2d3496fc54494d86eb73fa5260c3d35a49c

SHA256
c65cabb8db793631707c3069147eb046175923adfa5ff03636c0abe0aeffb992

SHA512
113ef93af0038620ebc8a3f9ec7d4c12ff84d230ad90acf6582f8a8ac7527c48819a8e8959666ad6e265e630cdf1afaf309cee6510ce978415c6f7d94aa10d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un629555.exe

Filesize
660KB

MD5
8b9f810e33f5e8200f6d37e43ce82281

SHA1
7b8b3ad9fcf5a1d208a03155a0ba3d4818ad4bc6

SHA256
d7b66da07e51f6edf06c7379f7aaa3452a4b32d04f323773914b9213dd178aac

SHA512
e3547ad6b3293d5290d15d750b8e6553492f4b2d7615cdec0129476fb91e7a6c5ab3d79926c1740ea88e6d5365add735f53ce1ccafb2b7dd9c6bc19b7eb841cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro8635.exe

Filesize
332KB

MD5
eddea95bc16deeccc55b95a664cb2301

SHA1
aac770e87772edf5f1817b365a0677adbf6019a3

SHA256
e0f245acda2e939da367f0e90ca337b06341ea36fb67ee693d523d6b003ad72f

SHA512
354f68afe35901bc0082d70ebd50a804c02505b77074348c27f2b07e245b42fcc29a9c81c443f896b73d22cc28f5eec766ba6aa7b86d6ec9a7d5384562d28d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu6839.exe

Filesize
495KB

MD5
e7260a946cf2a959f1db5f32d2ac2e73

SHA1
5959157428111844e8dd895dd1ca23d95b1ef63c

SHA256
9ba38864475ad08db8b2dae016e6284d0e7551e5736ed05e4160d28b2ca744bb

SHA512
5c6aef0477047a032fdb88966fab526359c94f1c7df698f5ba6f11848e578a0eb7651eb18ac0d07a1185a017879a0a04e9f3e44f9c57698c4a8b43198c184aed

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/1304-68-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-64-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-2143-0x0000000005760000-0x0000000005792000-memory.dmp

Filesize
200KB

Download
memory/1304-63-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-94-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-78-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-90-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-70-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-72-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-97-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-81-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-82-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-84-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-86-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-88-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-93-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-74-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-76-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-66-0x0000000004EA0000-0x0000000004EFF000-memory.dmp

Filesize
380KB

Download
memory/1304-62-0x0000000004EA0000-0x0000000004F06000-memory.dmp

Filesize
408KB

Download
memory/1304-61-0x0000000002AA0000-0x0000000002B06000-memory.dmp

Filesize
408KB

Download
memory/1832-43-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-55-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/1832-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1832-18-0x0000000000400000-0x0000000000807000-memory.dmp

Filesize
4.0MB

Download
memory/1832-16-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download
memory/1832-50-0x0000000000A20000-0x0000000000B20000-memory.dmp

Filesize
1024KB

Download
memory/1832-22-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-19-0x00000000025A0000-0x00000000025BA000-memory.dmp

Filesize
104KB

Download
memory/1832-23-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-25-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-27-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-29-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-31-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-33-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-35-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-37-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1832-39-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-15-0x0000000000A20000-0x0000000000B20000-memory.dmp

Filesize
1024KB

Download
memory/1832-51-0x0000000000990000-0x00000000009BD000-memory.dmp

Filesize
180KB

Download
memory/1832-45-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-49-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-47-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/1832-21-0x0000000002970000-0x0000000002988000-memory.dmp

Filesize
96KB

Download
memory/1832-20-0x0000000004FE0000-0x0000000005584000-memory.dmp

Filesize
5.6MB

Download
memory/1832-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1832-41-0x0000000002970000-0x0000000002982000-memory.dmp

Filesize
72KB

Download
memory/5272-2157-0x0000000002520000-0x0000000002526000-memory.dmp

Filesize
24KB

Download
memory/5272-2156-0x0000000000370000-0x00000000003A0000-memory.dmp

Filesize
192KB

Download
memory/5272-2159-0x0000000004DD0000-0x0000000004EDA000-memory.dmp

Filesize
1.0MB

Download
memory/5272-2160-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/5272-2161-0x0000000004D50000-0x0000000004D8C000-memory.dmp

Filesize
240KB

Download
memory/5272-2158-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/5272-2166-0x0000000004EE0000-0x0000000004F2C000-memory.dmp

Filesize
304KB

Download
memory/5472-2167-0x0000000000620000-0x000000000064E000-memory.dmp

Filesize
184KB

Download
memory/5472-2168-0x00000000010B0000-0x00000000010B6000-memory.dmp

Filesize
24KB

Download