healer | 8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 01:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe
Size

1.5MB
MD5

34b6dd411e5243d69effcf36337df531
SHA1

a9c178a38835eb959fc5dcdceb9e5c067ac57f8a
SHA256

8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70
SHA512

e32a08e90879add60db728b5f5578618c7087f7a6b7f24dab4b6616be347a579bb8d08013e69aefaea168f72eeff6eeed81893f6f0163a9d430aceecf8222d63
SSDEEP

49152:wj+vEreRoZrq4dAGLOtlZkzuapRLl4YKEv1Cg7:2CEreEAGLOfapR54

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c74-33.dat	healer
behavioral1/memory/2912-35-0x0000000000850000-0x000000000085A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az828836.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az828836.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az828836.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az828836.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az828836.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az828836.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4528-41-0x00000000027A0000-0x00000000027DC000-memory.dmp	family_redline
behavioral1/memory/4528-43-0x0000000002880000-0x00000000028BA000-memory.dmp	family_redline
behavioral1/memory/4528-53-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-57-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-107-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-105-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-104-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-99-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-97-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-95-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-93-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-91-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-89-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-87-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-85-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-83-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-79-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-77-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-75-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-73-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-72-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-69-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-67-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-65-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-63-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-61-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-59-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-55-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-51-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-49-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-101-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-81-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-47-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-45-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline
behavioral1/memory/4528-44-0x0000000002880000-0x00000000028B5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
3628	ki382825.exe
4536	ki117293.exe
1828	ki476325.exe
5000	ki135310.exe
2912	az828836.exe
4528	bu828268.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az828836.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ki382825.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ki117293.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ki476325.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ki135310.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki382825.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki117293.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki476325.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki135310.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bu828268.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2912	az828836.exe
2912	az828836.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	az828836.exe
Token: SeDebugPrivilege	4528	bu828268.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 3628	2780	8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe	83
PID 2780 wrote to memory of 3628	2780	8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe	83
PID 2780 wrote to memory of 3628	2780	8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe	83
PID 3628 wrote to memory of 4536	3628	ki382825.exe	84
PID 3628 wrote to memory of 4536	3628	ki382825.exe	84
PID 3628 wrote to memory of 4536	3628	ki382825.exe	84
PID 4536 wrote to memory of 1828	4536	ki117293.exe	86
PID 4536 wrote to memory of 1828	4536	ki117293.exe	86
PID 4536 wrote to memory of 1828	4536	ki117293.exe	86
PID 1828 wrote to memory of 5000	1828	ki476325.exe	88
PID 1828 wrote to memory of 5000	1828	ki476325.exe	88
PID 1828 wrote to memory of 5000	1828	ki476325.exe	88
PID 5000 wrote to memory of 2912	5000	ki135310.exe	89
PID 5000 wrote to memory of 2912	5000	ki135310.exe	89
PID 5000 wrote to memory of 4528	5000	ki135310.exe	98
PID 5000 wrote to memory of 4528	5000	ki135310.exe	98
PID 5000 wrote to memory of 4528	5000	ki135310.exe	98

C:\Users\Admin\AppData\Local\Temp\8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe
"C:\Users\Admin\AppData\Local\Temp\8fbf824afd7fc568bb9d07814d44416b54189cffe1519b8458b8aeefaacdff70.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki382825.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki382825.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki117293.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki117293.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki476325.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki476325.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki135310.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki135310.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5000
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az828836.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az828836.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu828268.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu828268.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki382825.exe

Filesize
1.2MB

MD5
f66d9b9b309236b1facd9bc6fba5aae8

SHA1
351592c89b08c1f67746be392cbd2c2da64e6483

SHA256
c6eef272e6b81b1d7314ffe02fd63acee89414b0c6b9a61c10ef637c3dfd29a4

SHA512
9f8e54ef14dc65b558ea0ba6cfd69b1b791a70763906e12dd176457b3d8d95a88b962e52b10930c527ab4b843ae367c1e53af929bc00e182ba402b7403429173

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki117293.exe

Filesize
1.1MB

MD5
917ceb61d8a964a3480f6ef759e24a9a

SHA1
98108e669cfa57b91b6303700049339a5f047d5a

SHA256
3fe0160545c4a9c57aa8f48ad8dd61f4d657a88c1b1a9474106bc2194b91b977

SHA512
5ef6b1e7f9b0f6afabd6ca577ee8a2c8e2d816184c1c187fbe4cf0a5c5da75b8579dc916c8de321f4b8a34e919b5d254ef7b739f2996b5ffa48417dbf65f5cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki476325.exe

Filesize
804KB

MD5
399ad2aa24b1720a73cb8fff3ed6f0cd

SHA1
08f00a1e3e5fa286e2f56f5cdb9950fa63926d42

SHA256
96efa7276a3c68c40ed277abdb8b67ecd1efe45859078189b50e388e51ab10be

SHA512
744d0b26bec8ddc972c81c3fe16754ca817ec89decb328b1b2cb75ac1d765df86fb36c4b1bcbe6133e0c9d383b2ddd48dfcd2ea291e9c22e22293f3e33af76b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki135310.exe

Filesize
468KB

MD5
4dec899177ee885c5fa3c114efb100c9

SHA1
e192ca52b4ec5d6e5264d494663d598f255a9b4c

SHA256
ce1239031f738274540f6929f3a1d7cc384d8c6eb5f74ad432dcf588cd21dff8

SHA512
010bf06bbfdd8d0d89d94b5c59bb2e829f7ce4d554354e874f3cc654a9776be287e7874ab46baf960dd5a6c0538fe402afd9ac038ccb891c5456685c1b003565

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az828836.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu828268.exe

Filesize
487KB

MD5
a31efd9bc96386fdc6962173fe8f7916

SHA1
30818c7f3246fa64a80eb458a4dead2742b1d065

SHA256
9ff2cb2adf9fb68468f0429952c6b4dd4098c8bc395250ce14321f41f372a0e4

SHA512
b1fb924cebbd88d21556b3bfae291745db8cdec9d28c74d4cfe8811d509b6c6bb47931abb643afd01a29597c50decd976e2b0a63956b671092dad8aae71dc182

Download Submit
memory/2912-35-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/4528-79-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-72-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-43-0x0000000002880000-0x00000000028BA000-memory.dmp

Filesize
232KB

Download
memory/4528-53-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-57-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-107-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-105-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-104-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-99-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-97-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-95-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-93-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-91-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-89-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-87-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-85-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-83-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-41-0x00000000027A0000-0x00000000027DC000-memory.dmp

Filesize
240KB

Download
memory/4528-77-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-75-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-73-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-42-0x00000000050E0000-0x0000000005684000-memory.dmp

Filesize
5.6MB

Download
memory/4528-69-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-67-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-65-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-63-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-61-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-59-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-55-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-51-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-49-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-101-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-81-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-47-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-45-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-44-0x0000000002880000-0x00000000028B5000-memory.dmp

Filesize
212KB

Download
memory/4528-839-0x0000000005070000-0x00000000050AC000-memory.dmp

Filesize
240KB

Download
memory/4528-838-0x0000000008030000-0x000000000813A000-memory.dmp

Filesize
1.0MB

Download
memory/4528-837-0x0000000005040000-0x0000000005052000-memory.dmp

Filesize
72KB

Download
memory/4528-836-0x0000000007A10000-0x0000000008028000-memory.dmp

Filesize
6.1MB

Download
memory/4528-840-0x0000000002580000-0x00000000025CC000-memory.dmp

Filesize
304KB

Download