healer | 6dbb4dfc61ef7239f9215f8f9cf3ec2313e94c37833a60d1ab39e20c900c34ce

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dbb4dfc61ef7239f9215f8f9cf3ec2313e94c37833a60d1ab39e20c900c34ce.exe
Size

943KB
MD5

b301fce24bf99cd535d2a72daac7c712
SHA1

f21b257847837ff0c5c1e3ff4417c95c608d788c
SHA256

6dbb4dfc61ef7239f9215f8f9cf3ec2313e94c37833a60d1ab39e20c900c34ce
SHA512

12d099eb304290c3436d98aae39c7decfdfd4298a81d83f300ecf81e21779e716925db829182349ca527d7ce8f1bb988dcabe48cacbc2b5f0e5f8acc3d14e96d
SSDEEP

24576:ayP0UtuKjZJnBu61nvSqHdtg29yKKlTdPz7:hP6CZJnASf9R9yKeJP

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4092-22-0x0000000004C90000-0x0000000004CAA000-memory.dmp	healer
behavioral1/memory/4092-24-0x0000000004CF0000-0x0000000004D08000-memory.dmp	healer
behavioral1/memory/4092-52-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-50-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-48-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-46-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-44-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-42-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-40-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-38-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-36-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-34-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-32-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-30-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-28-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-26-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer
behavioral1/memory/4092-25-0x0000000004CF0000-0x0000000004D02000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pr028914.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pr028914.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pr028914.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pr028914.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pr028914.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pr028914.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4316-60-0x00000000048C0000-0x00000000048FC000-memory.dmp	family_redline
behavioral1/memory/4316-61-0x0000000004D30000-0x0000000004D6A000-memory.dmp	family_redline
behavioral1/memory/4316-71-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-77-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-95-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-93-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-92-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-87-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-85-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-83-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-81-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-79-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-75-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-73-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-69-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-67-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-65-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-90-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-63-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline
behavioral1/memory/4316-62-0x0000000004D30000-0x0000000004D65000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
3452	un029830.exe
4056	un505371.exe
4092	pr028914.exe
4316	qu339617.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pr028914.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pr028914.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6dbb4dfc61ef7239f9215f8f9cf3ec2313e94c37833a60d1ab39e20c900c34ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un029830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	un505371.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4908	4092	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6dbb4dfc61ef7239f9215f8f9cf3ec2313e94c37833a60d1ab39e20c900c34ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un029830.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un505371.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pr028914.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu339617.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4092	pr028914.exe
4092	pr028914.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	pr028914.exe
Token: SeDebugPrivilege	4316	qu339617.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 3452	4428	6dbb4dfc61ef7239f9215f8f9cf3ec2313e94c37833a60d1ab39e20c900c34ce.exe	83
PID 4428 wrote to memory of 3452	4428	6dbb4dfc61ef7239f9215f8f9cf3ec2313e94c37833a60d1ab39e20c900c34ce.exe	83
PID 4428 wrote to memory of 3452	4428	6dbb4dfc61ef7239f9215f8f9cf3ec2313e94c37833a60d1ab39e20c900c34ce.exe	83
PID 3452 wrote to memory of 4056	3452	un029830.exe	84
PID 3452 wrote to memory of 4056	3452	un029830.exe	84
PID 3452 wrote to memory of 4056	3452	un029830.exe	84
PID 4056 wrote to memory of 4092	4056	un505371.exe	85
PID 4056 wrote to memory of 4092	4056	un505371.exe	85
PID 4056 wrote to memory of 4092	4056	un505371.exe	85
PID 4056 wrote to memory of 4316	4056	un505371.exe	99
PID 4056 wrote to memory of 4316	4056	un505371.exe	99
PID 4056 wrote to memory of 4316	4056	un505371.exe	99

C:\Users\Admin\AppData\Local\Temp\6dbb4dfc61ef7239f9215f8f9cf3ec2313e94c37833a60d1ab39e20c900c34ce.exe
"C:\Users\Admin\AppData\Local\Temp\6dbb4dfc61ef7239f9215f8f9cf3ec2313e94c37833a60d1ab39e20c900c34ce.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un029830.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un029830.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un505371.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un505371.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr028914.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr028914.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4092
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 1084
        5⤵
        Program crash
        
        PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu339617.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu339617.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4092 -ip 4092
1⤵
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un029830.exe

Filesize
695KB

MD5
2c53d756d24257c0f5920913e2e3b3d2

SHA1
7b048182445e8c40cc016ff57a2c4ca64bc6f2f6

SHA256
1dbc429fb0605d5753f11e62756c8e53c099564f8acc9fd68297e386752b092d

SHA512
afc6e31f4a6513e2e784179bcde8fa2a3b60b2be3502da43a9f589a5b9f7ad9314f6a54bd6be214520fdd8bbfec82590e6ebf95f3b9e4ce7f9d18ccf0fc2b404

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\un505371.exe

Filesize
541KB

MD5
b45389e5b2d39fd8d2bc2af618d13e40

SHA1
27b330796e0759763dab5d48ae0f992e1c171ea8

SHA256
57f1aff496f6fd23cb647b7b9add787e741eaf26cb849b5efcf13bf84a662ea2

SHA512
4f8b8183546f2c32f8fea2cefed0d39f7cd3933aefbb5f957b1fcd2bd2c05ad3b2667ffb48b6dded5190ebd52db9f56eb90da5e753678fe5069c0b6a2fb0a542

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pr028914.exe

Filesize
278KB

MD5
780a7c968cf70664f381883a93532dfe

SHA1
1c3e9e004d08a4c0867cef27b280d85f26014a23

SHA256
f227e57f789588f9e3ba19e0541cdaf74b206d914ec16fc713656151be796a91

SHA512
316462223d5e7f5fb4784a46364ec06da79767a4a3f1dde584bf2e798c83c38475ce1a0ed9884ee505a26a3d4b43f92d8c09424f1342a49c55ed5d0329bda9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\qu339617.exe

Filesize
361KB

MD5
92794f23bb941e568759e7b16ee3bbfa

SHA1
fc1c6f9c8d7f67ecb1928c054b04178537ec9829

SHA256
bdb24a473d11bac433714ded72777ee29715f8d2069d430268713fe0d0f49369

SHA512
0794faefae7fede4aad8a95b76eff3250b1bc5adb5712a05d78f06196fdd77fc5c10c6bca621064c894185882e50275b5124b4d0e803398e3c565162ecb17596

Download Submit
memory/4092-40-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-38-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-52-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-50-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-48-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-46-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-44-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-42-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-23-0x0000000007320000-0x00000000078C4000-memory.dmp

Filesize
5.6MB

Download
memory/4092-24-0x0000000004CF0000-0x0000000004D08000-memory.dmp

Filesize
96KB

Download
memory/4092-36-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-34-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-32-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-30-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-28-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-26-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-25-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4092-53-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/4092-22-0x0000000004C90000-0x0000000004CAA000-memory.dmp

Filesize
104KB

Download
memory/4092-55-0x0000000000400000-0x0000000002BA6000-memory.dmp

Filesize
39.6MB

Download
memory/4316-60-0x00000000048C0000-0x00000000048FC000-memory.dmp

Filesize
240KB

Download
memory/4316-61-0x0000000004D30000-0x0000000004D6A000-memory.dmp

Filesize
232KB

Download
memory/4316-71-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-77-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-95-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-93-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-92-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-87-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-85-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-83-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-81-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-79-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-75-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-73-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-69-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-67-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-65-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-90-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-63-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-62-0x0000000004D30000-0x0000000004D65000-memory.dmp

Filesize
212KB

Download
memory/4316-854-0x0000000009D10000-0x000000000A328000-memory.dmp

Filesize
6.1MB

Download
memory/4316-855-0x000000000A340000-0x000000000A352000-memory.dmp

Filesize
72KB

Download
memory/4316-856-0x000000000A360000-0x000000000A46A000-memory.dmp

Filesize
1.0MB

Download
memory/4316-857-0x000000000A4D0000-0x000000000A50C000-memory.dmp

Filesize
240KB

Download
memory/4316-858-0x0000000004A30000-0x0000000004A7C000-memory.dmp

Filesize
304KB

Download