healer | e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe
Size

537KB
MD5

0188463907b46021fda18694973f8ceb
SHA1

c0faf7a04e43849adfeb74e584295c75d6c86d66
SHA256

e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d
SHA512

7cf9bac2617cb08ec3f3a4d2979f92d1e86dab00df74262681a098edeeaa87ea27c376f8fdc9b2a175160379e146d02f5c6c1441270c4e6c092879a30756bd5e
SSDEEP

12288:6Mr4y90fJbVVNxks+PJc0CphTMrRQ174w08:Wy0tV7xAc0wTMrRQ174g

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c60-12.dat	healer
behavioral1/memory/3524-15-0x00000000008E0000-0x00000000008EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr716076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr716076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr716076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr716076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr716076.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr716076.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3472-22-0x00000000029B0000-0x00000000029F6000-memory.dmp	family_redline
behavioral1/memory/3472-24-0x00000000053D0000-0x0000000005414000-memory.dmp	family_redline
behavioral1/memory/3472-84-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-88-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-86-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-80-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-78-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-76-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-72-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-70-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-68-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-66-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-64-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-62-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-61-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-58-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-56-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-54-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-52-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-50-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-48-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-44-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-42-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-40-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-38-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-36-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-34-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-32-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-30-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-26-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-82-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-74-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-46-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-28-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline
behavioral1/memory/3472-25-0x00000000053D0000-0x000000000540F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1640	zifk5484.exe
3524	jr716076.exe
3472	ku030821.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr716076.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zifk5484.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zifk5484.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku030821.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3524	jr716076.exe
3524	jr716076.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3524	jr716076.exe
Token: SeDebugPrivilege	3472	ku030821.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 1640	4344	e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe	83
PID 4344 wrote to memory of 1640	4344	e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe	83
PID 4344 wrote to memory of 1640	4344	e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe	83
PID 1640 wrote to memory of 3524	1640	zifk5484.exe	84
PID 1640 wrote to memory of 3524	1640	zifk5484.exe	84
PID 1640 wrote to memory of 3472	1640	zifk5484.exe	94
PID 1640 wrote to memory of 3472	1640	zifk5484.exe	94
PID 1640 wrote to memory of 3472	1640	zifk5484.exe	94

C:\Users\Admin\AppData\Local\Temp\e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe
"C:\Users\Admin\AppData\Local\Temp\e2b1bfef3eecba44295878ccc3f9738d2265ac495c5790afd1e429452568433d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifk5484.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifk5484.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr716076.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr716076.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku030821.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku030821.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zifk5484.exe

Filesize
395KB

MD5
9855e10188e420bc8b9d5c314bd3484b

SHA1
4e45a1f9f6464d367171c88d32f5f3f7c3bcef3a

SHA256
e9ff910581190df9ca1c9802f986baaaa7ee04e666a6f7364f839d83a3266d57

SHA512
b597388ad774d03537b90ea7b5c6633030e910f82b11db0394e12ca4a0888afdfc2d925bb7bad770fc82862b112cd3f1996c271c0d107229d6a41030699a8e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr716076.exe

Filesize
13KB

MD5
9e6c3717b54ae8b2a310619a970c40aa

SHA1
fc0298392c7dbfb48842d113d698acf6015361f4

SHA256
72d58c4819b79f87a590ad57c1a738b8b453ed6fecd3bd0b0c568ab9b137372e

SHA512
a54e4953a37caf4e07ef40a9bf3a4fca42cd27ef792603474c684261796077544f128f7ec4993ad20060ffa2cd12e61411eb0f0d3bb643a5ecaf84f6a74ba70a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku030821.exe

Filesize
353KB

MD5
1a6c1bc8c705dc1ae42f78cf5e0c5c67

SHA1
e4b0a5dab9c40045cacfbd14fd6941d1aa78d9be

SHA256
b6a234c19abe5f02e7ff1ca17b8f8a2489e046a6aa57520f0e7d3f16236d272c

SHA512
05462c067a363032a54a7cbabf7e86e351b3d082337f2ec5b67c8a83bf9b1ea650a922d5f4b15163ff50fded7fdc5c4d5c57358cea1cc648ce4829f27945b7e2

Download Submit
memory/3472-58-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-32-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download
memory/3472-22-0x00000000029B0000-0x00000000029F6000-memory.dmp

Filesize
280KB

Download
memory/3472-23-0x0000000004DE0000-0x0000000005384000-memory.dmp

Filesize
5.6MB

Download
memory/3472-24-0x00000000053D0000-0x0000000005414000-memory.dmp

Filesize
272KB

Download
memory/3472-84-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-88-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-86-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-80-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-78-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-76-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-72-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-70-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-68-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-66-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-64-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-62-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-61-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-934-0x0000000005C40000-0x0000000005C7C000-memory.dmp

Filesize
240KB

Download
memory/3472-52-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-933-0x0000000005C20000-0x0000000005C32000-memory.dmp

Filesize
72KB

Download
memory/3472-54-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-50-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-48-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-44-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-42-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-40-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-38-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-36-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-34-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-56-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-30-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-26-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-82-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-74-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-46-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-28-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-25-0x00000000053D0000-0x000000000540F000-memory.dmp

Filesize
252KB

Download
memory/3472-931-0x0000000005440000-0x0000000005A58000-memory.dmp

Filesize
6.1MB

Download
memory/3472-932-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

Filesize
1.0MB

Download
memory/3524-16-0x00007FFE3CE33000-0x00007FFE3CE35000-memory.dmp

Filesize
8KB

Download
memory/3524-14-0x00007FFE3CE33000-0x00007FFE3CE35000-memory.dmp

Filesize
8KB

Download
memory/3524-15-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download