healer | 3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/11/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe
Size

673KB
MD5

ca08d8d104a198126a703084a9a257e7
SHA1

5ce48ac91b9bccb9c022074cc16bc0840514679b
SHA256

3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671
SHA512

7963dbf33d59e239f439c58eb6796c85e27b95a36e9c2060dce83d2c83e79d55d5a2e039dcd432427abd10b8486b4349125719b5023320e11aa50b9c0b11bfcc
SSDEEP

12288:AMrcy90mPmqpsTIVduM1JEIiT704GP6buW7hqvauah:MyDPmdI/ul9GPyucbuah

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3188-19-0x0000000002370000-0x000000000238A000-memory.dmp	healer
behavioral1/memory/3188-21-0x0000000002520000-0x0000000002538000-memory.dmp	healer
behavioral1/memory/3188-47-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-49-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-45-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-43-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-41-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-40-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-37-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-36-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-33-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-31-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-29-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-28-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-25-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-23-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/3188-22-0x0000000002520000-0x0000000002532000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9530.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9530.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9530.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9530.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9530.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9530.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/3916-60-0x0000000002490000-0x00000000024D6000-memory.dmp	family_redline
behavioral1/memory/3916-61-0x0000000002670000-0x00000000026B4000-memory.dmp	family_redline
behavioral1/memory/3916-75-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-65-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-63-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-62-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-87-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-95-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-93-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-91-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-90-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-85-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-83-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-82-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-79-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-77-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-73-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-71-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-69-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline
behavioral1/memory/3916-67-0x0000000002670000-0x00000000026AF000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3060	un998532.exe
3188	pro9530.exe
3916	qu3246.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro9530.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9530.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un998532.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1688	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3976	3188	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro9530.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu3246.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un998532.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3188	pro9530.exe
3188	pro9530.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3188	pro9530.exe
Token: SeDebugPrivilege	3916	qu3246.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 3060	4000	3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe	83
PID 4000 wrote to memory of 3060	4000	3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe	83
PID 4000 wrote to memory of 3060	4000	3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe	83
PID 3060 wrote to memory of 3188	3060	un998532.exe	84
PID 3060 wrote to memory of 3188	3060	un998532.exe	84
PID 3060 wrote to memory of 3188	3060	un998532.exe	84
PID 3060 wrote to memory of 3916	3060	un998532.exe	99
PID 3060 wrote to memory of 3916	3060	un998532.exe	99
PID 3060 wrote to memory of 3916	3060	un998532.exe	99

C:\Users\Admin\AppData\Local\Temp\3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe
"C:\Users\Admin\AppData\Local\Temp\3928299e3c40601b34a18e6f8ae2f9e49a0d82fd365892b41b303117650f3671.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4000
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un998532.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un998532.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9530.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9530.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3188
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1020
      4⤵
      Program crash
      PID:3976
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3246.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3246.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3188 -ip 3188
1⤵
PID:1660

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un998532.exe

Filesize
531KB

MD5
4543bec8b42add374ebc0ccc6a745d32

SHA1
094a70e86284d96aa23590c73268a2034d44a9be

SHA256
6d3c3385b483561371cae9678c0d6fb688e7047450a345b9716e9b6ff0c2520a

SHA512
f2208a40ae3ff8bb57c255fc38983cade88564a0bb82383f45f6d81a6e1fd62f42125327ff4ba6b020678259b6aaac2cbf259822528fa8c95eceb15cf13cf200

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9530.exe

Filesize
260KB

MD5
b169da793fb7bcd483e1d8b395cd3c75

SHA1
c74701db8983d62e6bba608e7dda2625f7a79898

SHA256
7469cd9a996be0323d3a4387a948cb1fb984b10641e27ac002f81dbe1cde93a7

SHA512
e2f9bf0cfacac545e0c5b918cebe77be3e6c65e88ce62c72a113f34ee28a733b6e2ec22288cf51eeb6b46a28151dd0b419d2920037e8190adfe2fcfbbb060b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3246.exe

Filesize
319KB

MD5
0c1cefaf67449e3762e2536c09a041e6

SHA1
52172672115c7b95f113365f0b21ddc309dc0987

SHA256
d8a5df68240fb2b16268dbffc2dd76668181060997c8dc88c1590f662157e653

SHA512
f9139efbeca21ae5f9f10cbefe8d83f716549ae174080ab9a318b99cc16dfaab3d3640029551200207589de9d26c332481810434eb6e940cbe65637da14736e5

Download Submit
memory/3188-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3188-15-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/3188-17-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3188-18-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3188-19-0x0000000002370000-0x000000000238A000-memory.dmp

Filesize
104KB

Download
memory/3188-20-0x0000000004A60000-0x0000000005004000-memory.dmp

Filesize
5.6MB

Download
memory/3188-21-0x0000000002520000-0x0000000002538000-memory.dmp

Filesize
96KB

Download
memory/3188-47-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-49-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-45-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-43-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-41-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-40-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-37-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-36-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-33-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-31-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-29-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-28-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-25-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-23-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-22-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/3188-50-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/3188-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3188-54-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3188-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3916-60-0x0000000002490000-0x00000000024D6000-memory.dmp

Filesize
280KB

Download
memory/3916-61-0x0000000002670000-0x00000000026B4000-memory.dmp

Filesize
272KB

Download
memory/3916-75-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-65-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-63-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-62-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-87-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-95-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-93-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-91-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-90-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-85-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-83-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-82-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-79-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-77-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-73-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-71-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-69-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-67-0x0000000002670000-0x00000000026AF000-memory.dmp

Filesize
252KB

Download
memory/3916-968-0x00000000051F0000-0x0000000005808000-memory.dmp

Filesize
6.1MB

Download
memory/3916-969-0x0000000005810000-0x000000000591A000-memory.dmp

Filesize
1.0MB

Download
memory/3916-970-0x0000000004BE0000-0x0000000004BF2000-memory.dmp

Filesize
72KB

Download
memory/3916-971-0x0000000005920000-0x000000000595C000-memory.dmp

Filesize
240KB

Download
memory/3916-972-0x0000000005A60000-0x0000000005AAC000-memory.dmp

Filesize
304KB

Download