healer | 2f674235ea813dbcc695f2047771b4f7f4bec6e0bf62e997d80d48832731f5ea

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f674235ea813dbcc695f2047771b4f7f4bec6e0bf62e997d80d48832731f5ea.exe
Size

695KB
MD5

72fe48e0e2608207486c486e5dad6ee6
SHA1

d56b94cd7c97ca337fb1cc56a3803b5ad41bb4fe
SHA256

2f674235ea813dbcc695f2047771b4f7f4bec6e0bf62e997d80d48832731f5ea
SHA512

213a7975fe09f9f5b8ab7e9a45ea59c9366e2e9c7e87a8994b258d7af2b67977d446765b640b94dee5f2da672fa59975432a7d4cb7670694172f3a485eef3c89
SSDEEP

12288:5Mr1y90GrVTY1E4QxEShz4WiYbHR7bweOaDzh8qenQmZgYz8l00Vz86ZkIKhvxhM:gytVTZl8jYbpbweOOF85BqNG0y6aBmH

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3912-17-0x0000000004A80000-0x0000000004A9A000-memory.dmp	healer
behavioral1/memory/3912-20-0x0000000004CF0000-0x0000000004D08000-memory.dmp	healer
behavioral1/memory/3912-26-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-48-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-46-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-44-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-42-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-40-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-38-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-36-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-34-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-32-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-30-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-28-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-24-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-22-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/3912-21-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro5363.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro5363.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro5363.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro5363.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro5363.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro5363.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/3208-60-0x0000000004AB0000-0x0000000004AF6000-memory.dmp	family_redline
behavioral1/memory/3208-61-0x0000000004B80000-0x0000000004BC4000-memory.dmp	family_redline
behavioral1/memory/3208-89-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-95-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-93-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-91-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-87-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-85-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-83-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-81-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-79-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-77-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-75-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-73-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-71-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-69-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-67-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-63-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-65-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline
behavioral1/memory/3208-62-0x0000000004B80000-0x0000000004BBF000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
880	un819644.exe
3912	pro5363.exe
3208	qu8106.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro5363.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro5363.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2f674235ea813dbcc695f2047771b4f7f4bec6e0bf62e997d80d48832731f5ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un819644.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4596	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3632	3912	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2f674235ea813dbcc695f2047771b4f7f4bec6e0bf62e997d80d48832731f5ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un819644.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro5363.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu8106.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3912	pro5363.exe
3912	pro5363.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	pro5363.exe
Token: SeDebugPrivilege	3208	qu8106.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3880 wrote to memory of 880	3880	2f674235ea813dbcc695f2047771b4f7f4bec6e0bf62e997d80d48832731f5ea.exe	85
PID 3880 wrote to memory of 880	3880	2f674235ea813dbcc695f2047771b4f7f4bec6e0bf62e997d80d48832731f5ea.exe	85
PID 3880 wrote to memory of 880	3880	2f674235ea813dbcc695f2047771b4f7f4bec6e0bf62e997d80d48832731f5ea.exe	85
PID 880 wrote to memory of 3912	880	un819644.exe	86
PID 880 wrote to memory of 3912	880	un819644.exe	86
PID 880 wrote to memory of 3912	880	un819644.exe	86
PID 880 wrote to memory of 3208	880	un819644.exe	97
PID 880 wrote to memory of 3208	880	un819644.exe	97
PID 880 wrote to memory of 3208	880	un819644.exe	97

C:\Users\Admin\AppData\Local\Temp\2f674235ea813dbcc695f2047771b4f7f4bec6e0bf62e997d80d48832731f5ea.exe
"C:\Users\Admin\AppData\Local\Temp\2f674235ea813dbcc695f2047771b4f7f4bec6e0bf62e997d80d48832731f5ea.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un819644.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un819644.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5363.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5363.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3912
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1080
      4⤵
      Program crash
      PID:3632
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8106.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8106.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3912 -ip 3912
1⤵
PID:3564

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un819644.exe

Filesize
553KB

MD5
7263c23ad966613f2ae960bb4247b9d9

SHA1
a939cf9ec61246932913206175c20a5b9ff9dc66

SHA256
7024e6b54e9f0d1b1af0177d4de32e45726c16c7f718673ed6dbd1b264f88e8c

SHA512
a1cdd2b80b50935b3401d2bc7edd811cfe3dbc20ec0fc60bf29b70d7fb4446e490e97385a033d9ee5d87f16a750deff7aea27e57c38a5f91a7ce3c7c3cf9f669

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5363.exe

Filesize
347KB

MD5
e6e9128a9b320188be8092cb2e6a7efe

SHA1
667a37f1fe15be9a971ef70ad28d209dfbb7b6db

SHA256
9ec10b343863e64f5e9e2fd16f0f8b570daac3b7c641e8d092c306904bb2cbb5

SHA512
06fdb6f2d9a74f1019a1490cea408a5294cba85e5e5106bc614b63dad00c16c99ba87b7ea95c241b94067d67a97c7e7cad1645c43f4402a2672072d22598dadd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu8106.exe

Filesize
405KB

MD5
962b72be7305450acfcf6b41c7a788f7

SHA1
f5aa49d4227e3c2ca7f6970d16fc5b9d88ea5c32

SHA256
f5439f14c30c8648798927a4d7cdcdf336fb0078657f0fc3ef65933395249a18

SHA512
80bbed864409fc79f4ca6f6d7c5b65c99554765e42b3733dc33e56e9dc64bd41e4fd89e6c37a73c241cbd2c387714bfb6d891edb58b10503e29c18ac91f16705

Download Submit
memory/3208-79-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-968-0x0000000007830000-0x0000000007E48000-memory.dmp

Filesize
6.1MB

Download
memory/3208-65-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-63-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-67-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-69-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-71-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-73-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-75-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-77-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-971-0x0000000007FD0000-0x000000000800C000-memory.dmp

Filesize
240KB

Download
memory/3208-972-0x0000000008120000-0x000000000816C000-memory.dmp

Filesize
304KB

Download
memory/3208-81-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-62-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-969-0x0000000007E70000-0x0000000007F7A000-memory.dmp

Filesize
1.0MB

Download
memory/3208-970-0x0000000007FB0000-0x0000000007FC2000-memory.dmp

Filesize
72KB

Download
memory/3208-83-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-85-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-87-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-91-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-93-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-95-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-89-0x0000000004B80000-0x0000000004BBF000-memory.dmp

Filesize
252KB

Download
memory/3208-61-0x0000000004B80000-0x0000000004BC4000-memory.dmp

Filesize
272KB

Download
memory/3208-60-0x0000000004AB0000-0x0000000004AF6000-memory.dmp

Filesize
280KB

Download
memory/3912-40-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3912-54-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/3912-52-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/3912-50-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3912-49-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download
memory/3912-21-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-22-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-24-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-28-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-30-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-32-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-34-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-36-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-38-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-42-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-44-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-46-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-48-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-26-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/3912-20-0x0000000004CF0000-0x0000000004D08000-memory.dmp

Filesize
96KB

Download
memory/3912-19-0x0000000007270000-0x0000000007814000-memory.dmp

Filesize
5.6MB

Download
memory/3912-18-0x0000000000400000-0x0000000002B84000-memory.dmp

Filesize
39.5MB

Download
memory/3912-17-0x0000000004A80000-0x0000000004A9A000-memory.dmp

Filesize
104KB

Download
memory/3912-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3912-15-0x0000000002E90000-0x0000000002F90000-memory.dmp

Filesize
1024KB

Download