healer | 852ec70548a5cd1acb0fece45c62c9ee90e713c5e8ad04b1cce188836d756d05

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

852ec70548a5cd1acb0fece45c62c9ee90e713c5e8ad04b1cce188836d756d05.exe
Size

677KB
MD5

94fad4c430628b7dad6c4db0b0760ce8
SHA1

889ae1924ad04d938d7e53b55677a11d4df447da
SHA256

852ec70548a5cd1acb0fece45c62c9ee90e713c5e8ad04b1cce188836d756d05
SHA512

28c7ea37a4ea06095274a141a53574800acc92cda4632d6e2118a92cb79b6dc2ef0abfd193967ace0cc471ee20bc42f74d8c350fbbbb60e37a5191a5c5d877d3
SSDEEP

12288:NMrUy90DzRVIpjHg8l1AfHNcvMFnAf2Ij5FMOfY0q0+JrLFgz7rYbCYk21i:xyIVQjA8lmPNcvMFnAf2IcO9oHy7sDM

Score

10^/10

healer redline rosto discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosto

hueref.eu:4162

Attributes

auth_value
07d81eba8cad42bbd0ae60042d48eac6

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2040-19-0x0000000002440000-0x000000000245A000-memory.dmp	healer
behavioral1/memory/2040-21-0x0000000002810000-0x0000000002828000-memory.dmp	healer
behavioral1/memory/2040-41-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-49-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-47-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-45-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-43-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-37-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-35-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-33-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-32-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-29-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-27-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-25-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-39-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-22-0x0000000002810000-0x0000000002822000-memory.dmp	healer
behavioral1/memory/2040-23-0x0000000002810000-0x0000000002822000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	urKm27Aa05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	urKm27Aa05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	urKm27Aa05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	urKm27Aa05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	urKm27Aa05.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	urKm27Aa05.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/960-60-0x0000000004B20000-0x0000000004B66000-memory.dmp	family_redline
behavioral1/memory/960-61-0x0000000004BA0000-0x0000000004BE4000-memory.dmp	family_redline
behavioral1/memory/960-73-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-71-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-67-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-65-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-63-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-62-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-81-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-95-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-91-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-89-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-88-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-85-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-83-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-79-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-78-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-75-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-69-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral1/memory/960-93-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1640	ycNb25rF81.exe
2040	urKm27Aa05.exe
960	wrTU33pf85.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	urKm27Aa05.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	urKm27Aa05.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	852ec70548a5cd1acb0fece45c62c9ee90e713c5e8ad04b1cce188836d756d05.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ycNb25rF81.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5068	2040	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	urKm27Aa05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrTU33pf85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	852ec70548a5cd1acb0fece45c62c9ee90e713c5e8ad04b1cce188836d756d05.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ycNb25rF81.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2040	urKm27Aa05.exe
2040	urKm27Aa05.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	urKm27Aa05.exe
Token: SeDebugPrivilege	960	wrTU33pf85.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4344 wrote to memory of 1640	4344	852ec70548a5cd1acb0fece45c62c9ee90e713c5e8ad04b1cce188836d756d05.exe	83
PID 4344 wrote to memory of 1640	4344	852ec70548a5cd1acb0fece45c62c9ee90e713c5e8ad04b1cce188836d756d05.exe	83
PID 4344 wrote to memory of 1640	4344	852ec70548a5cd1acb0fece45c62c9ee90e713c5e8ad04b1cce188836d756d05.exe	83
PID 1640 wrote to memory of 2040	1640	ycNb25rF81.exe	84
PID 1640 wrote to memory of 2040	1640	ycNb25rF81.exe	84
PID 1640 wrote to memory of 2040	1640	ycNb25rF81.exe	84
PID 1640 wrote to memory of 960	1640	ycNb25rF81.exe	95
PID 1640 wrote to memory of 960	1640	ycNb25rF81.exe	95
PID 1640 wrote to memory of 960	1640	ycNb25rF81.exe	95

C:\Users\Admin\AppData\Local\Temp\852ec70548a5cd1acb0fece45c62c9ee90e713c5e8ad04b1cce188836d756d05.exe
"C:\Users\Admin\AppData\Local\Temp\852ec70548a5cd1acb0fece45c62c9ee90e713c5e8ad04b1cce188836d756d05.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4344
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycNb25rF81.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycNb25rF81.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urKm27Aa05.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urKm27Aa05.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1028
      4⤵
      Program crash
      PID:5068
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrTU33pf85.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrTU33pf85.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2040 -ip 2040
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycNb25rF81.exe

Filesize
532KB

MD5
f2d6aedc78080f65228f82db8b9b7f05

SHA1
86e8f27d6012181a48c5b952ee55462a1b9e7cfd

SHA256
af292bddc824de396ae75fdf316d503e6ba5d8fc2b09f679b92dcc08f2bf052f

SHA512
62c18e1c2dec2bd0c63e3594f79355aac97f029b52e54f68b8ac5c8dd7dc7729863be518183cf487b583deb8a64887fd129e9704167871a8bc7aa11b21020674

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urKm27Aa05.exe

Filesize
259KB

MD5
e81295153c3707c51f654aed1d0d3894

SHA1
c7439f934eedbe9126f6f322d97a4476cad66a2d

SHA256
bd396af471cee1d5564f070eba6ebec32590ac56e5f7e1d1b9fbd3efd9fa6c97

SHA512
b9fd0c969a4b706709c59582d2f8e6f868f485b48a1e93578c7aab4340bd9e7df4e6a948ad0934073c7c32028794a42be88f51495080ded91a47115758559d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrTU33pf85.exe

Filesize
317KB

MD5
951fa5356ac288731a279778680760cb

SHA1
ec2e18c615f5818742d946582d64e32bb88dbfbb

SHA256
f5f7055115e81907accaf5c574e871f2c009da8163df4d5930af1563f4f5b175

SHA512
b8385866f94ab644ad455571866080250acb23cb1d19208ec58cf316524e0b6c419620622c0fe0591b1ff0e3ee5a8e50a39ed0bc4a792ba4b9b903b0ed83d1c4

Download Submit
memory/960-85-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-89-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-969-0x0000000005870000-0x000000000597A000-memory.dmp

Filesize
1.0MB

Download
memory/960-968-0x0000000005200000-0x0000000005818000-memory.dmp

Filesize
6.1MB

Download
memory/960-93-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-69-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-75-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-78-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-79-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-83-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-971-0x00000000059D0000-0x0000000005A0C000-memory.dmp

Filesize
240KB

Download
memory/960-972-0x0000000005B20000-0x0000000005B6C000-memory.dmp

Filesize
304KB

Download
memory/960-88-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-970-0x00000000059B0000-0x00000000059C2000-memory.dmp

Filesize
72KB

Download
memory/960-91-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-95-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-81-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-62-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-63-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-65-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-67-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-71-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-73-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/960-61-0x0000000004BA0000-0x0000000004BE4000-memory.dmp

Filesize
272KB

Download
memory/960-60-0x0000000004B20000-0x0000000004B66000-memory.dmp

Filesize
280KB

Download
memory/2040-43-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2040-54-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2040-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2040-50-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download
memory/2040-23-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-22-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-39-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-25-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-27-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-29-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-32-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-33-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-35-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-37-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-45-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-47-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-49-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-41-0x0000000002810000-0x0000000002822000-memory.dmp

Filesize
72KB

Download
memory/2040-21-0x0000000002810000-0x0000000002828000-memory.dmp

Filesize
96KB

Download
memory/2040-20-0x0000000004CF0000-0x0000000005294000-memory.dmp

Filesize
5.6MB

Download
memory/2040-19-0x0000000002440000-0x000000000245A000-memory.dmp

Filesize
104KB

Download
memory/2040-18-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2040-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2040-17-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2040-15-0x00000000007E0000-0x00000000008E0000-memory.dmp

Filesize
1024KB

Download