healer | cc544d9558345b63240b951f9ac101a8d9af1ff87312cbc301568e4bc9a63e8d

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc544d9558345b63240b951f9ac101a8d9af1ff87312cbc301568e4bc9a63e8d.exe
Size

544KB
MD5

d3e023021a222d7d21a64b3423cdf1e6
SHA1

67c18a25f080b938b9b99d85bbeec96f33879a23
SHA256

cc544d9558345b63240b951f9ac101a8d9af1ff87312cbc301568e4bc9a63e8d
SHA512

f8d39ca6841cdac9e87af34e76a9c507c53d022e2de40c7928b4c551d7f0497c42768641ba0feefe5ceeaaea3d1df35908260384f7665840c9bd8c9735dbadcd
SSDEEP

12288:AMroy90S3IraRDITs5tjL7KpwrdGlLL/Oie8067eMRnIV:YyRSYcgR7KpwEPV067Pu

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c75-12.dat	healer
behavioral1/memory/1416-15-0x0000000000FD0000-0x0000000000FDA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	sw21IZ13Ew63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	sw21IZ13Ew63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	sw21IZ13Ew63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	sw21IZ13Ew63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	sw21IZ13Ew63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	sw21IZ13Ew63.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/2896-22-0x0000000007120000-0x0000000007166000-memory.dmp	family_redline
behavioral1/memory/2896-24-0x00000000071A0000-0x00000000071E4000-memory.dmp	family_redline
behavioral1/memory/2896-28-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-34-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-32-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-31-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-86-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-74-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-66-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-56-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-26-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-25-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-36-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-88-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-84-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-82-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-80-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-78-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-76-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-72-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-70-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-68-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-64-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-62-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-60-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-58-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-54-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-52-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-50-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-48-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-46-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-44-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-42-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-40-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/2896-38-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2576	vkF8605ff.exe
1416	sw21IZ13Ew63.exe
2896	tne72va32.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	sw21IZ13Ew63.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cc544d9558345b63240b951f9ac101a8d9af1ff87312cbc301568e4bc9a63e8d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vkF8605ff.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tne72va32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc544d9558345b63240b951f9ac101a8d9af1ff87312cbc301568e4bc9a63e8d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vkF8605ff.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1416	sw21IZ13Ew63.exe
1416	sw21IZ13Ew63.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	sw21IZ13Ew63.exe
Token: SeDebugPrivilege	2896	tne72va32.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2576	2820	cc544d9558345b63240b951f9ac101a8d9af1ff87312cbc301568e4bc9a63e8d.exe	85
PID 2820 wrote to memory of 2576	2820	cc544d9558345b63240b951f9ac101a8d9af1ff87312cbc301568e4bc9a63e8d.exe	85
PID 2820 wrote to memory of 2576	2820	cc544d9558345b63240b951f9ac101a8d9af1ff87312cbc301568e4bc9a63e8d.exe	85
PID 2576 wrote to memory of 1416	2576	vkF8605ff.exe	86
PID 2576 wrote to memory of 1416	2576	vkF8605ff.exe	86
PID 2576 wrote to memory of 2896	2576	vkF8605ff.exe	89
PID 2576 wrote to memory of 2896	2576	vkF8605ff.exe	89
PID 2576 wrote to memory of 2896	2576	vkF8605ff.exe	89

C:\Users\Admin\AppData\Local\Temp\cc544d9558345b63240b951f9ac101a8d9af1ff87312cbc301568e4bc9a63e8d.exe
"C:\Users\Admin\AppData\Local\Temp\cc544d9558345b63240b951f9ac101a8d9af1ff87312cbc301568e4bc9a63e8d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkF8605ff.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkF8605ff.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw21IZ13Ew63.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw21IZ13Ew63.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tne72va32.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tne72va32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vkF8605ff.exe

Filesize
399KB

MD5
071dc8c4781353cf24c24699aa6109a0

SHA1
988e0b8cc4b1240a5fe4fbc14c6254b78aebb253

SHA256
c8988d331dc51790ab1a3a2b20cb9e5b03328d4c720a50aa85720f3f052cf096

SHA512
091d0b22207843973942ef5d3a4a54b54af5e8b248ec2229537b3d2f7f3607d796b09dadfe4180523a7af647093e15cefcefd366f467e287d852164ae8a59d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw21IZ13Ew63.exe

Filesize
12KB

MD5
252714ab63ffd3ae7d5866c721a1c067

SHA1
5111e57276d1e5e131ab294620124b90cc87abfb

SHA256
e19b8611ec700756d96309085aff2b8fe2d20a4fdb2ceda5ce614dc6232caf3f

SHA512
1eeb7578c8a418fdbb198e3a1558b739b7c8d6ff744ea75e167a7e45ecfd0c4b421cc4bf601c8f747e8cedf7440b1391e559d3e585f4635277e6553cb435bbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tne72va32.exe

Filesize
375KB

MD5
dd695b3f307c18f512d6904dac758773

SHA1
bd0abb0dbc8ae3954cd04da6216d0c1a5b77716c

SHA256
7046a0c9d3792cfadd1c8f3d0191e202ef566c08b261e60195096fd88a4880d6

SHA512
475283a657a7ee613ad01cd6449ae455d0368b5351f8128e7ccce0589d358c7af29f110db208a29ccf3237d7d7155d10d49ad0864665f6b966a588a3827f3263

Download Submit
memory/1416-14-0x00007FFE0A923000-0x00007FFE0A925000-memory.dmp

Filesize
8KB

Download
memory/1416-15-0x0000000000FD0000-0x0000000000FDA000-memory.dmp

Filesize
40KB

Download
memory/1416-16-0x00007FFE0A923000-0x00007FFE0A925000-memory.dmp

Filesize
8KB

Download
memory/2896-82-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-70-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-24-0x00000000071A0000-0x00000000071E4000-memory.dmp

Filesize
272KB

Download
memory/2896-28-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-34-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-32-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-31-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-86-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-74-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-66-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-56-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-26-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-25-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-36-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-88-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-84-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-22-0x0000000007120000-0x0000000007166000-memory.dmp

Filesize
280KB

Download
memory/2896-80-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-78-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-76-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-72-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-23-0x0000000007220000-0x00000000077C4000-memory.dmp

Filesize
5.6MB

Download
memory/2896-68-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-64-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-62-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-60-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-58-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-931-0x0000000007800000-0x0000000007E18000-memory.dmp

Filesize
6.1MB

Download
memory/2896-54-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-52-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-50-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-48-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-46-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-44-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-42-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-40-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-38-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/2896-932-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

Filesize
1.0MB

Download
memory/2896-933-0x0000000007FE0000-0x0000000007FF2000-memory.dmp

Filesize
72KB

Download
memory/2896-934-0x0000000008100000-0x000000000813C000-memory.dmp

Filesize
240KB

Download
memory/2896-935-0x0000000008150000-0x000000000819C000-memory.dmp

Filesize
304KB

Download