healer | 268a4ee58a386fbae349a87323e3d01645cc559bc1ee7cd5f048b41fa85111a7

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

268a4ee58a386fbae349a87323e3d01645cc559bc1ee7cd5f048b41fa85111a7.exe
Size

704KB
MD5

bf440890b7875fceea1f327c5bfe9ee9
SHA1

1993e42fbaaadb5479b330d27089d8c22e2dd872
SHA256

268a4ee58a386fbae349a87323e3d01645cc559bc1ee7cd5f048b41fa85111a7
SHA512

6f167a5e682deb2e8575c54de05d551a287ddc96c23ef5d1daf685a932f0e8bc1b783f5e4420619a6b4466e2f6b1a33e82cad44190fffd1cfd8d91a81050b20e
SSDEEP

12288:fy90keFv3PKCS4YGU0qlzqRjs/Fra/QSGXJEFuW8PfTF9mi1ZaNbIiZtjxmNziLt:fycv3PG0uzqRjya0XJEwLfp9minaVdmy

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2808-18-0x00000000049A0000-0x00000000049BA000-memory.dmp	healer
behavioral1/memory/2808-20-0x0000000004C00000-0x0000000004C18000-memory.dmp	healer
behavioral1/memory/2808-48-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-46-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-44-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-42-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-40-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-38-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-36-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-34-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-32-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-30-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-28-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-26-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-24-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-22-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer
behavioral1/memory/2808-21-0x0000000004C00000-0x0000000004C12000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr746181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr746181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr746181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr746181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr746181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr746181.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/3960-59-0x00000000049E0000-0x0000000004A1C000-memory.dmp	family_redline
behavioral1/memory/3960-60-0x00000000071D0000-0x000000000720A000-memory.dmp	family_redline
behavioral1/memory/3960-70-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-76-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-74-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-72-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-84-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-80-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-68-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-66-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-64-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-62-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-61-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-94-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-92-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-90-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-88-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-86-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-82-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline
behavioral1/memory/3960-78-0x00000000071D0000-0x0000000007205000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3756	un334464.exe
2808	pr746181.exe
3960	qu180526.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr746181.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr746181.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	268a4ee58a386fbae349a87323e3d01645cc559bc1ee7cd5f048b41fa85111a7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un334464.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1092	2808	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	268a4ee58a386fbae349a87323e3d01645cc559bc1ee7cd5f048b41fa85111a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un334464.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr746181.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu180526.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2808	pr746181.exe
2808	pr746181.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	pr746181.exe
Token: SeDebugPrivilege	3960	qu180526.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 3756	1132	268a4ee58a386fbae349a87323e3d01645cc559bc1ee7cd5f048b41fa85111a7.exe	83
PID 1132 wrote to memory of 3756	1132	268a4ee58a386fbae349a87323e3d01645cc559bc1ee7cd5f048b41fa85111a7.exe	83
PID 1132 wrote to memory of 3756	1132	268a4ee58a386fbae349a87323e3d01645cc559bc1ee7cd5f048b41fa85111a7.exe	83
PID 3756 wrote to memory of 2808	3756	un334464.exe	84
PID 3756 wrote to memory of 2808	3756	un334464.exe	84
PID 3756 wrote to memory of 2808	3756	un334464.exe	84
PID 3756 wrote to memory of 3960	3756	un334464.exe	104
PID 3756 wrote to memory of 3960	3756	un334464.exe	104
PID 3756 wrote to memory of 3960	3756	un334464.exe	104

C:\Users\Admin\AppData\Local\Temp\268a4ee58a386fbae349a87323e3d01645cc559bc1ee7cd5f048b41fa85111a7.exe
"C:\Users\Admin\AppData\Local\Temp\268a4ee58a386fbae349a87323e3d01645cc559bc1ee7cd5f048b41fa85111a7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un334464.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un334464.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3756
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr746181.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr746181.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 1020
      4⤵
      Program crash
      PID:1092
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu180526.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu180526.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2808 -ip 2808
1⤵
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un334464.exe

Filesize
550KB

MD5
1d27e53bce28751f6e8ee177255a0e16

SHA1
88466ccf21aabbf14c2ae0aed0df30436359bcb7

SHA256
dfec06032925501aad06442f422607d57b61cfe2aae95445ddb9f407c1bbf762

SHA512
1874618fa127cb1896fe6bcab10ebd6a330a915c81e95d48e980fceadc00a746c6a5d1fc1d500df54cf8e83a6fa18fbb0b0bee8d228713ced03a689c84090bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr746181.exe

Filesize
286KB

MD5
37463f7e27099a4a20478708040138d2

SHA1
b456f5af75303bbe776c57bb49e990d45592fd44

SHA256
9a86abee99783d0839215dc44de92f9e1a13243885814adf53537ec27701727f

SHA512
6e210f679ef50c7439342ffdff799c064febfe6bd7e243903e44b6791ebb5516a3d2279f169b94b6a783fcd1b8ecee66e4602f8a47077492d34d35e4eaba5c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu180526.exe

Filesize
368KB

MD5
b7ac03e518721861d818508fdd3f9f13

SHA1
87987b4a97af055a555454fb16a23758ce999fad

SHA256
318f9b8c5eea8a62eac343059e4d7dd4f4b41542abf2b0513be33994f892836a

SHA512
9e96c9d95d68c187ea0a28873b63059f361a6f1b734ea4a47323da8b5224f97db0305beaaaaef352e3e3e3bf615b44fb92c7c262fcab373c8518527cf117d6af

Download Submit
memory/2808-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-46-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-18-0x00000000049A0000-0x00000000049BA000-memory.dmp

Filesize
104KB

Download
memory/2808-19-0x00000000072B0000-0x0000000007854000-memory.dmp

Filesize
5.6MB

Download
memory/2808-20-0x0000000004C00000-0x0000000004C18000-memory.dmp

Filesize
96KB

Download
memory/2808-48-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-53-0x0000000000400000-0x0000000002BB1000-memory.dmp

Filesize
39.7MB

Download
memory/2808-44-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-42-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-40-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-38-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-36-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-34-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-32-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-30-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-28-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-26-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-24-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-15-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

Filesize
1024KB

Download
memory/2808-21-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-49-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

Filesize
1024KB

Download
memory/2808-50-0x0000000000400000-0x0000000002BB1000-memory.dmp

Filesize
39.7MB

Download
memory/2808-16-0x0000000002DE0000-0x0000000002E0D000-memory.dmp

Filesize
180KB

Download
memory/2808-54-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-22-0x0000000004C00000-0x0000000004C12000-memory.dmp

Filesize
72KB

Download
memory/2808-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3960-60-0x00000000071D0000-0x000000000720A000-memory.dmp

Filesize
232KB

Download
memory/3960-74-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-856-0x000000000A490000-0x000000000A4CC000-memory.dmp

Filesize
240KB

Download
memory/3960-76-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-70-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-72-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-84-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-92-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-68-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-66-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-64-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-857-0x0000000006D00000-0x0000000006D4C000-memory.dmp

Filesize
304KB

Download
memory/3960-94-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-61-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-80-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-90-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-88-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-86-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-82-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-78-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download
memory/3960-853-0x0000000009CD0000-0x000000000A2E8000-memory.dmp

Filesize
6.1MB

Download
memory/3960-854-0x000000000A350000-0x000000000A362000-memory.dmp

Filesize
72KB

Download
memory/3960-855-0x000000000A370000-0x000000000A47A000-memory.dmp

Filesize
1.0MB

Download
memory/3960-59-0x00000000049E0000-0x0000000004A1C000-memory.dmp

Filesize
240KB

Download
memory/3960-62-0x00000000071D0000-0x0000000007205000-memory.dmp

Filesize
212KB

Download