healer | b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe
Size

536KB
MD5

16dcc638e74d1f4baebf61b2166d562d
SHA1

073565b612683e3ee67325ffb03c24b27eeb8ce7
SHA256

b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a
SHA512

03466c966fa273cf9c92a54025e7b29f5936d7c27f4d7238bdeb85cb9f428f21ba1a1242af30b1b9e6d24eb76f2de44c9c6d976dbc9e2909f29ae94c3f45d595
SSDEEP

12288:mMrgy900i5f4HibHN0QXCguFONSzs+t2LC7ebk/w:qyy5bN0+C0NSn2O75/w

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023ba9-12.dat	healer
behavioral1/memory/4612-15-0x0000000000D00000-0x0000000000D0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr039571.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr039571.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr039571.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr039571.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr039571.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr039571.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/2464-22-0x00000000026B0000-0x00000000026F6000-memory.dmp	family_redline
behavioral1/memory/2464-24-0x0000000002AF0000-0x0000000002B34000-memory.dmp	family_redline
behavioral1/memory/2464-34-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-38-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-88-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-86-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-84-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-82-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-78-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-76-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-74-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-72-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-70-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-68-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-66-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-62-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-60-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-59-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-56-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-54-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-52-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-50-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-48-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-46-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-44-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-40-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-37-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-32-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-30-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-80-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-64-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-42-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-28-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-26-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline
behavioral1/memory/2464-25-0x0000000002AF0000-0x0000000002B2F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4508	ziYR2294.exe
4612	jr039571.exe
2464	ku138258.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr039571.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziYR2294.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziYR2294.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku138258.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4612	jr039571.exe
4612	jr039571.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4612	jr039571.exe
Token: SeDebugPrivilege	2464	ku138258.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 4508	3216	b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe	83
PID 3216 wrote to memory of 4508	3216	b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe	83
PID 3216 wrote to memory of 4508	3216	b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe	83
PID 4508 wrote to memory of 4612	4508	ziYR2294.exe	84
PID 4508 wrote to memory of 4612	4508	ziYR2294.exe	84
PID 4508 wrote to memory of 2464	4508	ziYR2294.exe	95
PID 4508 wrote to memory of 2464	4508	ziYR2294.exe	95
PID 4508 wrote to memory of 2464	4508	ziYR2294.exe	95

C:\Users\Admin\AppData\Local\Temp\b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe
"C:\Users\Admin\AppData\Local\Temp\b32311fc807236503d975253740d1267e4214f13f174a458b5007d249214fa3a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYR2294.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYR2294.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4508
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr039571.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr039571.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku138258.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku138258.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziYR2294.exe

Filesize
394KB

MD5
0ecb404d22c9a553ec9d46ba77d82065

SHA1
4206b25482b941ef1c135b2fbcb51fcff6cccb70

SHA256
7b0ae6a4aa5211d01404a26a3519aef2a60ad5a45f7b5995d5c8f2eb269e71ea

SHA512
b12295a9783cd883189e2899370d0152e7de724c147446aefc6c86068958f54400b1a18c2b2105ff543f84b88f04f1dca18612517d5d7ad684d875cc1403dd1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr039571.exe

Filesize
13KB

MD5
1cae544cc6fd9799359bbd263ce70521

SHA1
b122272a668de00f35cd1f2bffdc00cac0d433b2

SHA256
e980eea6c4c53877af2553d66a4d376fdc78c3e22a8109e6ab3fa79bd5157368

SHA512
144bddd3b51b90ee46908d9f9815be9034351ecb8e01fe9745fc3fe0c743f155d8c682d5cdd429d1e3373dd23f086515858713333b3356fccb637c5553141c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku138258.exe

Filesize
353KB

MD5
528699ea7d92880803561479145f50ea

SHA1
0416d8c823d7bea34b6d35541018c063d7785fe1

SHA256
e0ad8709acff1be623434b9ea43c05ab7a542d8866782d08b9dfd5cb3fdbf3f0

SHA512
5b94c6b8e217d0eee1172276e147f4480ebbaa0a6a7825785e7077fe870399bda7a37c4e3e57599b772e9db13346b43f4af71531435eeb427fff27ac7618b4e4

Download Submit
memory/2464-62-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-32-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download
memory/2464-22-0x00000000026B0000-0x00000000026F6000-memory.dmp

Filesize
280KB

Download
memory/2464-23-0x0000000004EA0000-0x0000000005444000-memory.dmp

Filesize
5.6MB

Download
memory/2464-24-0x0000000002AF0000-0x0000000002B34000-memory.dmp

Filesize
272KB

Download
memory/2464-34-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-38-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-88-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-86-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-84-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-82-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-78-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-76-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-74-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-72-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-70-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-68-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-66-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-934-0x0000000005C40000-0x0000000005C7C000-memory.dmp

Filesize
240KB

Download
memory/2464-56-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-933-0x0000000005C20000-0x0000000005C32000-memory.dmp

Filesize
72KB

Download
memory/2464-59-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-54-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-52-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-50-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-48-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-46-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-44-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-40-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-37-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-60-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-30-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-80-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-64-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-42-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-28-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-26-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-25-0x0000000002AF0000-0x0000000002B2F000-memory.dmp

Filesize
252KB

Download
memory/2464-931-0x0000000005450000-0x0000000005A68000-memory.dmp

Filesize
6.1MB

Download
memory/2464-932-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

Filesize
1.0MB

Download
memory/4612-16-0x00007FFAAFA93000-0x00007FFAAFA95000-memory.dmp

Filesize
8KB

Download
memory/4612-14-0x00007FFAAFA93000-0x00007FFAAFA95000-memory.dmp

Filesize
8KB

Download
memory/4612-15-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download