healer | cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe
Size

696KB
MD5

e288231352766ba55eb8e2517a0a773b
SHA1

6f0346fdd7cb930992b2531d7f33d7de54fc5813
SHA256

cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f
SHA512

7dffa0d7756e86bc4a8c6bb106306df2c29d3702f7a0de99794bec18fefdc22451993d5d80d1e3336cc1eb9bc431eb94a79d944608e1e98c83fb7dc0071d7428
SSDEEP

12288:AMrry90VOSFgR63R9Ei+pGTVXhXuuleu/vtKLz3sWtnhATQs6cIjn0NUo:7yXW/Ei+peXhXuulR/vtyT1hATQshi0t

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1516-19-0x0000000002300000-0x000000000231A000-memory.dmp	healer
behavioral1/memory/1516-21-0x0000000002390000-0x00000000023A8000-memory.dmp	healer
behavioral1/memory/1516-47-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-45-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-42-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-39-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-37-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-35-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-33-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-31-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-29-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-27-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-25-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-23-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-49-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-43-0x0000000002390000-0x00000000023A2000-memory.dmp	healer
behavioral1/memory/1516-22-0x0000000002390000-0x00000000023A2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro6972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro6972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro6972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro6972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro6972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro6972.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/832-60-0x00000000027F0000-0x0000000002836000-memory.dmp	family_redline
behavioral1/memory/832-61-0x0000000004CF0000-0x0000000004D34000-memory.dmp	family_redline
behavioral1/memory/832-65-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-77-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-95-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-93-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-91-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-89-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-87-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-85-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-83-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-81-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-75-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-73-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-71-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-69-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-67-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-79-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-63-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline
behavioral1/memory/832-62-0x0000000004CF0000-0x0000000004D2F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4676	un436562.exe
1516	pro6972.exe
832	qu5749.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro6972.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro6972.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un436562.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2516	1516	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un436562.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro6972.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu5749.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1516	pro6972.exe
1516	pro6972.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1516	pro6972.exe
Token: SeDebugPrivilege	832	qu5749.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 4676	4204	cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe	83
PID 4204 wrote to memory of 4676	4204	cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe	83
PID 4204 wrote to memory of 4676	4204	cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe	83
PID 4676 wrote to memory of 1516	4676	un436562.exe	84
PID 4676 wrote to memory of 1516	4676	un436562.exe	84
PID 4676 wrote to memory of 1516	4676	un436562.exe	84
PID 4676 wrote to memory of 832	4676	un436562.exe	98
PID 4676 wrote to memory of 832	4676	un436562.exe	98
PID 4676 wrote to memory of 832	4676	un436562.exe	98

C:\Users\Admin\AppData\Local\Temp\cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe
"C:\Users\Admin\AppData\Local\Temp\cfa5aaf9cd6b49f3de97bd3f5a97a21d33b1fd0c89f06a3c63c62112d626de6f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un436562.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un436562.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6972.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6972.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 1084
      4⤵
      Program crash
      PID:2516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5749.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5749.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1516 -ip 1516
1⤵
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un436562.exe

Filesize
553KB

MD5
d5488f997fbbb57cd0ed87ec7dc748ed

SHA1
4b2e17e49202a7298d1d2a56ddcfe8775ece6f64

SHA256
b976e94b4d396d9d7def1f88ec9f70238b0e3a838789e279886d0a6731b40a2d

SHA512
b9bdd584a99357d15e8883929d509c39ed0a958c1a7d0bf5989bcb32d5daeca92c683e363cc26e2da1b4c534bf9b6bc97866f5a87ab20d2c535c7bbf87f51215

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro6972.exe

Filesize
308KB

MD5
dc1bfe7e1f20b4f23a4ce1561838e703

SHA1
4d924b085df716509d66af328d5e350d992704a3

SHA256
44d3e344fb5b8ffbf9d1e8a9b2caced8263434e4a8d1c86a76709f97a4a5a4dc

SHA512
3aaf17d0b80dc608ceffccb55a12dca60106375845ebb3878349bf0f9edd3aa2c86363501478cbad18a8537847c073d51cb2cac01cabec555dbd092671b8a885

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5749.exe

Filesize
366KB

MD5
b145f03e41178d2cd2e0f553387fdf6c

SHA1
90eaee62904a8009935b3b66921edde862333e54

SHA256
5f00901d1ad7e47b899ea8a302faca8319744fc80d1fdd706488375598ff0e74

SHA512
0b93740f475cd7f0b6f123fbf5568aa4b79e70756b0e123c90f6418d7d0562aa27c45903e41bc912a4906d418b4ea7b2e656e09e03c9e11ae9daa76ff8d7ff89

Download Submit
memory/832-73-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-81-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-969-0x00000000059F0000-0x0000000005AFA000-memory.dmp

Filesize
1.0MB

Download
memory/832-968-0x0000000005350000-0x0000000005968000-memory.dmp

Filesize
6.1MB

Download
memory/832-62-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-63-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-79-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-67-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-69-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-71-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-971-0x0000000005B50000-0x0000000005B8C000-memory.dmp

Filesize
240KB

Download
memory/832-972-0x0000000005CA0000-0x0000000005CEC000-memory.dmp

Filesize
304KB

Download
memory/832-75-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-970-0x0000000005B30000-0x0000000005B42000-memory.dmp

Filesize
72KB

Download
memory/832-83-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-85-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-87-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-89-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-91-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-93-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-95-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-77-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-65-0x0000000004CF0000-0x0000000004D2F000-memory.dmp

Filesize
252KB

Download
memory/832-61-0x0000000004CF0000-0x0000000004D34000-memory.dmp

Filesize
272KB

Download
memory/832-60-0x00000000027F0000-0x0000000002836000-memory.dmp

Filesize
280KB

Download
memory/1516-37-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1516-54-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1516-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1516-50-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download
memory/1516-22-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-43-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-49-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-23-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-25-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-27-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-29-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-31-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-33-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-35-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-39-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-42-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-45-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-47-0x0000000002390000-0x00000000023A2000-memory.dmp

Filesize
72KB

Download
memory/1516-21-0x0000000002390000-0x00000000023A8000-memory.dmp

Filesize
96KB

Download
memory/1516-20-0x0000000004F00000-0x00000000054A4000-memory.dmp

Filesize
5.6MB

Download
memory/1516-19-0x0000000002300000-0x000000000231A000-memory.dmp

Filesize
104KB

Download
memory/1516-18-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1516-17-0x0000000000400000-0x0000000000710000-memory.dmp

Filesize
3.1MB

Download
memory/1516-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1516-15-0x00000000009F0000-0x0000000000AF0000-memory.dmp

Filesize
1024KB

Download