healer | 5036d5966af7bd6985c2d7127d35b9c28681606d483fe0a1c77c9bf1c06bf5fb

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5036d5966af7bd6985c2d7127d35b9c28681606d483fe0a1c77c9bf1c06bf5fb.exe
Size

557KB
MD5

eafc265482e5b4d2149cee70435916b0
SHA1

7ceef40d86246fd21d0b56a602347391eb2ca245
SHA256

5036d5966af7bd6985c2d7127d35b9c28681606d483fe0a1c77c9bf1c06bf5fb
SHA512

41f2ddd613ba3bd6ff0b0eb260de3945913e3112b554ed3e12b5fe65f847dfd8c377bea7bb94ef5b7690583508a5c531eae6c31d8b819ce609611dcfbe369050
SSDEEP

12288:YMray90pzYC7uBzjhVFiNjRrbOcSbbfFbsG9G2qUOpO8e:iyGzYQ8zjh3iN1yb7WG9GdUce

Score

10^/10

healer redline fud discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

fud

193.233.20.27:4123

Attributes

auth_value
cddc991efd6918ad5321d80dac884b40

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cbc-12.dat	healer
behavioral1/memory/640-15-0x0000000000B90000-0x0000000000B9A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sf85fl05Hi40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sf85fl05Hi40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sf85fl05Hi40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sf85fl05Hi40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sf85fl05Hi40.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sf85fl05Hi40.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/780-21-0x0000000004E40000-0x0000000004E86000-memory.dmp	family_redline
behavioral1/memory/780-23-0x0000000004EC0000-0x0000000004F04000-memory.dmp	family_redline
behavioral1/memory/780-35-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-25-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-24-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-51-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-87-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-83-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-81-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-79-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-77-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-75-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-73-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-71-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-69-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-65-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-63-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-62-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-57-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-55-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-54-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-49-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-47-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-45-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-43-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-41-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-39-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-37-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-33-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-31-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-29-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-27-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-85-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-67-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline
behavioral1/memory/780-59-0x0000000004EC0000-0x0000000004EFE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1440	vhsp6129hv.exe
640	sf85fl05Hi40.exe
780	tf03pc81Fd87.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	sf85fl05Hi40.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5036d5966af7bd6985c2d7127d35b9c28681606d483fe0a1c77c9bf1c06bf5fb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vhsp6129hv.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhsp6129hv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tf03pc81Fd87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5036d5966af7bd6985c2d7127d35b9c28681606d483fe0a1c77c9bf1c06bf5fb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
640	sf85fl05Hi40.exe
640	sf85fl05Hi40.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	sf85fl05Hi40.exe
Token: SeDebugPrivilege	780	tf03pc81Fd87.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1440	2080	5036d5966af7bd6985c2d7127d35b9c28681606d483fe0a1c77c9bf1c06bf5fb.exe	83
PID 2080 wrote to memory of 1440	2080	5036d5966af7bd6985c2d7127d35b9c28681606d483fe0a1c77c9bf1c06bf5fb.exe	83
PID 2080 wrote to memory of 1440	2080	5036d5966af7bd6985c2d7127d35b9c28681606d483fe0a1c77c9bf1c06bf5fb.exe	83
PID 1440 wrote to memory of 640	1440	vhsp6129hv.exe	84
PID 1440 wrote to memory of 640	1440	vhsp6129hv.exe	84
PID 1440 wrote to memory of 780	1440	vhsp6129hv.exe	92
PID 1440 wrote to memory of 780	1440	vhsp6129hv.exe	92
PID 1440 wrote to memory of 780	1440	vhsp6129hv.exe	92

C:\Users\Admin\AppData\Local\Temp\5036d5966af7bd6985c2d7127d35b9c28681606d483fe0a1c77c9bf1c06bf5fb.exe
"C:\Users\Admin\AppData\Local\Temp\5036d5966af7bd6985c2d7127d35b9c28681606d483fe0a1c77c9bf1c06bf5fb.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhsp6129hv.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhsp6129hv.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf85fl05Hi40.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf85fl05Hi40.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf03pc81Fd87.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf03pc81Fd87.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhsp6129hv.exe

Filesize
412KB

MD5
a85bd99fbba6722a18066a2124eccfcb

SHA1
f6342074e21a10c1d20fcdc287e210602edc791a

SHA256
6e9c6732dd00d4028938a744269d4e1e96b35b93f6fc95b714c233ccb72a2318

SHA512
248ec4e6d307b34c0fa1492551d60b580c2b95bb12862517e80f0c9ebf8276c1bf92ddbdf06dc35bf9e6c2d5160fca9fff04686d470688502cf15ee378f0585e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf85fl05Hi40.exe

Filesize
11KB

MD5
a4d34446cfdf12793374ccb7ba0da56f

SHA1
197dedbeab753c93fb0efd1bf52d7516ec465f06

SHA256
015f7b41c79d9f6ab7e5670f55defaaba2a4e8ba56992538856e00e611850b8d

SHA512
bfa6d6a60933a90d2603b0e76c5809644c353b09ae6f72f69d5c3780f2c110237ed72b8bb77f2ca606b1c6c0b6db66e15ff54836a60f13140f597bcb78f03fe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf03pc81Fd87.exe

Filesize
409KB

MD5
d918db9077504212d04e97bc5857b710

SHA1
cbac3bfca65f8dfe4efd408bcf480f3d603f1d06

SHA256
ab46765a44c015f420a104a2ffee2d036dc0cb4ce25e72be2540eed2cd521bb3

SHA512
f00800d9c2616090029632b5fea54abacc92e9c323feda1ea3c50a2ffdacd0f047d4da66b185b75d4570bee869c9684a3746b1daf58cc66278cbb09a0946f187

Download Submit
memory/640-14-0x00007FFCA4F93000-0x00007FFCA4F95000-memory.dmp

Filesize
8KB

Download
memory/640-15-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/780-63-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-54-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-23-0x0000000004EC0000-0x0000000004F04000-memory.dmp

Filesize
272KB

Download
memory/780-35-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-25-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-24-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-51-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-87-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-83-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-81-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-79-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-77-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-75-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-73-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-71-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-69-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-65-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-21-0x0000000004E40000-0x0000000004E86000-memory.dmp

Filesize
280KB

Download
memory/780-62-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-57-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-55-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-22-0x0000000007460000-0x0000000007A04000-memory.dmp

Filesize
5.6MB

Download
memory/780-49-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-47-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-45-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-43-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-41-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-39-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-37-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-33-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-31-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-29-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-27-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-85-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-67-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-59-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/780-930-0x0000000007A10000-0x0000000008028000-memory.dmp

Filesize
6.1MB

Download
memory/780-931-0x0000000008030000-0x000000000813A000-memory.dmp

Filesize
1.0MB

Download
memory/780-932-0x0000000008140000-0x0000000008152000-memory.dmp

Filesize
72KB

Download
memory/780-933-0x0000000008160000-0x000000000819C000-memory.dmp

Filesize
240KB

Download
memory/780-934-0x00000000082A0000-0x00000000082EC000-memory.dmp

Filesize
304KB

Download