healer | a4886e8ae4c4dd6113783459ae6550745429aafbf163975247c195bbf39a3c79

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4886e8ae4c4dd6113783459ae6550745429aafbf163975247c195bbf39a3c79.exe
Size

667KB
MD5

6ec8740288224d45e7a7be37aa106a06
SHA1

177c6eaf6a9d732e80e88d9108cff5d211e670ec
SHA256

a4886e8ae4c4dd6113783459ae6550745429aafbf163975247c195bbf39a3c79
SHA512

347a3643f482a99c65a6694cdce8bb4346092d2faca79be818986a99a93b36d6cc4dc4c0eee5256f8584d8b417d0ed0d0d348fbb5b12d383e2a73dbe3c1e396d
SSDEEP

12288:hMrAy90MG/D4hgVzulZ6PvmLEO1T2MXN9q9folsckOBCpFOzI:hy8D4hgzuzwv/MTr0oF/CFD

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/900-19-0x00000000027B0000-0x00000000027CA000-memory.dmp	healer
behavioral1/memory/900-21-0x0000000002850000-0x0000000002868000-memory.dmp	healer
behavioral1/memory/900-27-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-49-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-47-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-45-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-43-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-41-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-39-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-37-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-35-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-33-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-31-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-29-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-25-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-23-0x0000000002850000-0x0000000002862000-memory.dmp	healer
behavioral1/memory/900-22-0x0000000002850000-0x0000000002862000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro7468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro7468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro7468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro7468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro7468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro7468.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/2996-61-0x0000000002770000-0x00000000027B6000-memory.dmp	family_redline
behavioral1/memory/2996-62-0x00000000053E0000-0x0000000005424000-memory.dmp	family_redline
behavioral1/memory/2996-72-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-78-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-96-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-94-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-92-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-90-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-88-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-86-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-84-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-80-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-76-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-75-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-70-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-68-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-82-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-66-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-64-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline
behavioral1/memory/2996-63-0x00000000053E0000-0x000000000541F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2364	un223274.exe
900	pro7468.exe
2996	qu5164.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro7468.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro7468.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a4886e8ae4c4dd6113783459ae6550745429aafbf163975247c195bbf39a3c79.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un223274.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3968	900	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4886e8ae4c4dd6113783459ae6550745429aafbf163975247c195bbf39a3c79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un223274.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro7468.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu5164.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
900	pro7468.exe
900	pro7468.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	pro7468.exe
Token: SeDebugPrivilege	2996	qu5164.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 2364	4456	a4886e8ae4c4dd6113783459ae6550745429aafbf163975247c195bbf39a3c79.exe	83
PID 4456 wrote to memory of 2364	4456	a4886e8ae4c4dd6113783459ae6550745429aafbf163975247c195bbf39a3c79.exe	83
PID 4456 wrote to memory of 2364	4456	a4886e8ae4c4dd6113783459ae6550745429aafbf163975247c195bbf39a3c79.exe	83
PID 2364 wrote to memory of 900	2364	un223274.exe	84
PID 2364 wrote to memory of 900	2364	un223274.exe	84
PID 2364 wrote to memory of 900	2364	un223274.exe	84
PID 2364 wrote to memory of 2996	2364	un223274.exe	95
PID 2364 wrote to memory of 2996	2364	un223274.exe	95
PID 2364 wrote to memory of 2996	2364	un223274.exe	95

C:\Users\Admin\AppData\Local\Temp\a4886e8ae4c4dd6113783459ae6550745429aafbf163975247c195bbf39a3c79.exe
"C:\Users\Admin\AppData\Local\Temp\a4886e8ae4c4dd6113783459ae6550745429aafbf163975247c195bbf39a3c79.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223274.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223274.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7468.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7468.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:900
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 1084
      4⤵
      Program crash
      PID:3968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5164.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5164.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 900 -ip 900
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223274.exe

Filesize
525KB

MD5
352f59168e11cd9fdca8c12687a8faaf

SHA1
9d433806505456664f16a9ce7d2cd4cc8ba18fac

SHA256
44c08c3194abd63ea6fe9ae63703dd4debbfa8f749e2e447188d681573e4d51a

SHA512
7b7acc1e1c466dab7cebceb24bbf2d19074e55e9691a5ab1ebb3ba31776d824eca4f39fdc28071128ccd048a957a2d88b5ba6ee8bbbdf3e6ae78f665a1bc0ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro7468.exe

Filesize
295KB

MD5
5a084ce231fd50ca1489205c2c29f9cb

SHA1
31866271a913733871b79d7e0afaeafa58913155

SHA256
e2af38ffb3a91f838d262586d3a470a24c9bc1ec970d190d8b2b562eda961a6d

SHA512
e5389ca9c44ca55dde4396f81138ff3b7b6d29eaed2b74887bcbe06dcc16d82cf89c208dbc6a47662217d14c5c7e356af55f1da265aa9ed7c98c238e60275e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5164.exe

Filesize
353KB

MD5
0c202e33275612cd6c00bdb5efbb5c4a

SHA1
b5496a747f9a5cc22a38fe2dc0ea9c98368b24c9

SHA256
d8d800ddd5378974bd4dc900a6194e20d358b8f98b830c644d2b86351a41eafa

SHA512
0825ddc21319890b01f0967741ecbc8718009dc4899ebcee654b028f4ab912285e1881d3657ece0235afcf77336bf2f82301bbcd6cd6159f2e86e05dc3c28ddd

Download Submit
memory/900-15-0x0000000000880000-0x0000000000980000-memory.dmp

Filesize
1024KB

Download
memory/900-16-0x0000000000980000-0x00000000009AD000-memory.dmp

Filesize
180KB

Download
memory/900-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/900-18-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/900-19-0x00000000027B0000-0x00000000027CA000-memory.dmp

Filesize
104KB

Download
memory/900-20-0x0000000004DF0000-0x0000000005394000-memory.dmp

Filesize
5.6MB

Download
memory/900-21-0x0000000002850000-0x0000000002868000-memory.dmp

Filesize
96KB

Download
memory/900-27-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-49-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-47-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-45-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-43-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-41-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-39-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-37-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-35-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-33-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-31-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-29-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-25-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-23-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-22-0x0000000002850000-0x0000000002862000-memory.dmp

Filesize
72KB

Download
memory/900-50-0x0000000000880000-0x0000000000980000-memory.dmp

Filesize
1024KB

Download
memory/900-51-0x0000000000980000-0x00000000009AD000-memory.dmp

Filesize
180KB

Download
memory/900-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/900-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/900-55-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2996-61-0x0000000002770000-0x00000000027B6000-memory.dmp

Filesize
280KB

Download
memory/2996-62-0x00000000053E0000-0x0000000005424000-memory.dmp

Filesize
272KB

Download
memory/2996-72-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-78-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-96-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-94-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-92-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-90-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-88-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-86-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-84-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-80-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-76-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-75-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-70-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-68-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-82-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-66-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-64-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-63-0x00000000053E0000-0x000000000541F000-memory.dmp

Filesize
252KB

Download
memory/2996-969-0x0000000005440000-0x0000000005A58000-memory.dmp

Filesize
6.1MB

Download
memory/2996-970-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

Filesize
1.0MB

Download
memory/2996-971-0x0000000005C20000-0x0000000005C32000-memory.dmp

Filesize
72KB

Download
memory/2996-972-0x0000000005C40000-0x0000000005C7C000-memory.dmp

Filesize
240KB

Download
memory/2996-973-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download