healer | d501d2ca6413ee5b89e2a5c2f226baa2bf9325d310130126c05d7a6691bedf18

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d501d2ca6413ee5b89e2a5c2f226baa2bf9325d310130126c05d7a6691bedf18.exe
Size

678KB
MD5

3f1e4e8ab10c67fbe9ba500568be7f99
SHA1

fe151a14d99519ae2851d6deccfd55cfeaba4a93
SHA256

d501d2ca6413ee5b89e2a5c2f226baa2bf9325d310130126c05d7a6691bedf18
SHA512

a82fcd40b0253edb1d3123125f0df86df42144d00273035e277062e61f7573ac2af590695a115220c00c24bdf9ac3c77a0393c1c01bcb9ff496755b74f678829
SSDEEP

12288:rMruy90v0QGvofwl4WdEiIlRw06l9Xbd0O5O61H7Zodlzm13qJFU5W:5yuHO2wiWxU09d5H1H7ZpnA

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2136-19-0x0000000002710000-0x000000000272A000-memory.dmp	healer
behavioral1/memory/2136-21-0x00000000028F0000-0x0000000002908000-memory.dmp	healer
behavioral1/memory/2136-47-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-45-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-43-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-41-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-49-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-39-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-37-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-35-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-33-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-31-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-29-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-27-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-26-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-23-0x00000000028F0000-0x0000000002902000-memory.dmp	healer
behavioral1/memory/2136-22-0x00000000028F0000-0x0000000002902000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro4484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro4484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro4484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro4484.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro4484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro4484.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4388-61-0x0000000002650000-0x0000000002696000-memory.dmp	family_redline
behavioral1/memory/4388-62-0x0000000004DF0000-0x0000000004E34000-memory.dmp	family_redline
behavioral1/memory/4388-63-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-78-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-96-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-94-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-92-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-90-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-88-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-86-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-84-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-80-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-76-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-74-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-72-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-70-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-68-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-66-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-64-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline
behavioral1/memory/4388-82-0x0000000004DF0000-0x0000000004E2F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1788	un183717.exe
2136	pro4484.exe
4388	qu7019.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro4484.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro4484.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d501d2ca6413ee5b89e2a5c2f226baa2bf9325d310130126c05d7a6691bedf18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un183717.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2440	2136	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu7019.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d501d2ca6413ee5b89e2a5c2f226baa2bf9325d310130126c05d7a6691bedf18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un183717.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro4484.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2136	pro4484.exe
2136	pro4484.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2136	pro4484.exe
Token: SeDebugPrivilege	4388	qu7019.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 1788	1228	d501d2ca6413ee5b89e2a5c2f226baa2bf9325d310130126c05d7a6691bedf18.exe	83
PID 1228 wrote to memory of 1788	1228	d501d2ca6413ee5b89e2a5c2f226baa2bf9325d310130126c05d7a6691bedf18.exe	83
PID 1228 wrote to memory of 1788	1228	d501d2ca6413ee5b89e2a5c2f226baa2bf9325d310130126c05d7a6691bedf18.exe	83
PID 1788 wrote to memory of 2136	1788	un183717.exe	84
PID 1788 wrote to memory of 2136	1788	un183717.exe	84
PID 1788 wrote to memory of 2136	1788	un183717.exe	84
PID 1788 wrote to memory of 4388	1788	un183717.exe	95
PID 1788 wrote to memory of 4388	1788	un183717.exe	95
PID 1788 wrote to memory of 4388	1788	un183717.exe	95

C:\Users\Admin\AppData\Local\Temp\d501d2ca6413ee5b89e2a5c2f226baa2bf9325d310130126c05d7a6691bedf18.exe
"C:\Users\Admin\AppData\Local\Temp\d501d2ca6413ee5b89e2a5c2f226baa2bf9325d310130126c05d7a6691bedf18.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un183717.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un183717.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4484.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4484.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 1080
      4⤵
      Program crash
      PID:2440
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7019.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7019.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2136 -ip 2136
1⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un183717.exe

Filesize
524KB

MD5
010e9bbc4c3b8bd3c8ac073c2e0e040e

SHA1
de9d6eb3ebc9a9a6cb7e4a470138bcc85171048b

SHA256
8749abb84beaf6d62bfb486970c49fb9ded2f8be36e9f35bea86797ae8ec6d4c

SHA512
3296932e1f32344b6090a134488d4aaee99009e899210f644e887bf4bc1621b92cd389520402739c8059312fe0295774bee82cf02321db82a20b5b5af327384a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro4484.exe

Filesize
289KB

MD5
1ad4bfb171cbd0eecc403207b6f8b537

SHA1
4c08ca5a5d315560c6c66c3e4002f1235906aa78

SHA256
67b567ed5555b66abcf2226116db1ff2259da9758622a22266e689381e80acc1

SHA512
bc9903db254efd253a47c094439722ed05d10f3cab269cf6d0abba15dd3c3abfe86d57521f89d2a4b8000724d7f12c88f6df52c9f325a1568c5ab702fe2aa14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu7019.exe

Filesize
348KB

MD5
001b446b97ab4f1ccd2bf5de518301f9

SHA1
35c8ba5431b7a81ec3ca4b74d2b70efa397d0674

SHA256
cb36f7338e9fc1799399b28a2ffa07ae2959a202bd93dc00f445c28966a442ea

SHA512
bdf8a3b5743cf698a693e6378bbaaba94ef266ae621b2ed470adbbae74b64aaad4bdf9301630fa54bf540da47353a3c0ea1a69ece99db5d2959b5c214ffb08d4

Download Submit
memory/2136-15-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

Filesize
1024KB

Download
memory/2136-16-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/2136-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-18-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/2136-19-0x0000000002710000-0x000000000272A000-memory.dmp

Filesize
104KB

Download
memory/2136-20-0x0000000005110000-0x00000000056B4000-memory.dmp

Filesize
5.6MB

Download
memory/2136-21-0x00000000028F0000-0x0000000002908000-memory.dmp

Filesize
96KB

Download
memory/2136-47-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-45-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-43-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-41-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-49-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-39-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-37-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-35-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-33-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-31-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-29-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-27-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-26-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-23-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-22-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/2136-50-0x0000000000AF0000-0x0000000000BF0000-memory.dmp

Filesize
1024KB

Download
memory/2136-51-0x00000000008E0000-0x000000000090D000-memory.dmp

Filesize
180KB

Download
memory/2136-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2136-55-0x0000000000400000-0x00000000007FC000-memory.dmp

Filesize
4.0MB

Download
memory/4388-61-0x0000000002650000-0x0000000002696000-memory.dmp

Filesize
280KB

Download
memory/4388-62-0x0000000004DF0000-0x0000000004E34000-memory.dmp

Filesize
272KB

Download
memory/4388-63-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-78-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-96-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-94-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-92-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-90-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-88-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-86-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-84-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-80-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-76-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-74-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-72-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-70-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-68-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-66-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-64-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-82-0x0000000004DF0000-0x0000000004E2F000-memory.dmp

Filesize
252KB

Download
memory/4388-969-0x0000000005450000-0x0000000005A68000-memory.dmp

Filesize
6.1MB

Download
memory/4388-970-0x0000000005AE0000-0x0000000005BEA000-memory.dmp

Filesize
1.0MB

Download
memory/4388-971-0x0000000005C20000-0x0000000005C32000-memory.dmp

Filesize
72KB

Download
memory/4388-972-0x0000000005C40000-0x0000000005C7C000-memory.dmp

Filesize
240KB

Download
memory/4388-973-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download