healer | 3b228b6b48f179ecc7f2abe87354bf73582c13e2a3986d564f05ceb477e12907

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b228b6b48f179ecc7f2abe87354bf73582c13e2a3986d564f05ceb477e12907.exe
Size

537KB
MD5

65b828471c69f28e1b841cac91d5a815
SHA1

d3e621be6880b3c95fb047c988dbc03ab97399ef
SHA256

3b228b6b48f179ecc7f2abe87354bf73582c13e2a3986d564f05ceb477e12907
SHA512

b492e716e5bb5fb7799530c46066cedc16f8785371351aa7edb006511eae56c1f8685addb0aab11e279108e8650d78e61eba33897832b4b8b888930975887837
SSDEEP

12288:uMrKy90nxRfcDMz8HMA+lZUrvH/wZH9tXtqf2xvzqtcW:gycSsblZofwR9tdquxvo5

Score

10^/10

healer redline rosn discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023c51-12.dat	healer
behavioral1/memory/220-15-0x0000000000E00000-0x0000000000E0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	jr935796.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	jr935796.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	jr935796.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	jr935796.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	jr935796.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	jr935796.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4020-22-0x00000000026E0000-0x0000000002726000-memory.dmp	family_redline
behavioral1/memory/4020-24-0x0000000004E50000-0x0000000004E94000-memory.dmp	family_redline
behavioral1/memory/4020-76-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-88-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-86-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-84-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-82-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-80-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-78-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-74-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-72-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-70-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-68-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-66-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-64-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-63-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-60-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-58-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-57-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-54-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-52-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-50-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-48-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-46-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-44-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-40-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-38-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-36-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-34-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-32-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-30-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-28-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-26-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-42-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline
behavioral1/memory/4020-25-0x0000000004E50000-0x0000000004E8F000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4816	ziVq3610.exe
220	jr935796.exe
4020	ku115825.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	jr935796.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3b228b6b48f179ecc7f2abe87354bf73582c13e2a3986d564f05ceb477e12907.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ziVq3610.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ku115825.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3b228b6b48f179ecc7f2abe87354bf73582c13e2a3986d564f05ceb477e12907.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziVq3610.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
220	jr935796.exe
220	jr935796.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	jr935796.exe
Token: SeDebugPrivilege	4020	ku115825.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3312 wrote to memory of 4816	3312	3b228b6b48f179ecc7f2abe87354bf73582c13e2a3986d564f05ceb477e12907.exe	84
PID 3312 wrote to memory of 4816	3312	3b228b6b48f179ecc7f2abe87354bf73582c13e2a3986d564f05ceb477e12907.exe	84
PID 3312 wrote to memory of 4816	3312	3b228b6b48f179ecc7f2abe87354bf73582c13e2a3986d564f05ceb477e12907.exe	84
PID 4816 wrote to memory of 220	4816	ziVq3610.exe	85
PID 4816 wrote to memory of 220	4816	ziVq3610.exe	85
PID 4816 wrote to memory of 4020	4816	ziVq3610.exe	96
PID 4816 wrote to memory of 4020	4816	ziVq3610.exe	96
PID 4816 wrote to memory of 4020	4816	ziVq3610.exe	96

C:\Users\Admin\AppData\Local\Temp\3b228b6b48f179ecc7f2abe87354bf73582c13e2a3986d564f05ceb477e12907.exe
"C:\Users\Admin\AppData\Local\Temp\3b228b6b48f179ecc7f2abe87354bf73582c13e2a3986d564f05ceb477e12907.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVq3610.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVq3610.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr935796.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr935796.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku115825.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku115825.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziVq3610.exe

Filesize
395KB

MD5
4a2b11a46df3f7a9cae582f71e86b47a

SHA1
9b64eb9f30a8d1bdb7779176c0bd3979c156562d

SHA256
0e2132ccb9f3ad2e4420a8d647073c3440c8357192a867752e93354f8aa9f688

SHA512
4ea3773c2b14ed649eb81f1ae036da8403b0d9b0a0975813dbfd99a65a1cd85a14ab36741c79bc24c4e89e4a7a96fc32a14ce4ed499a0284f5c753d22eec8425

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr935796.exe

Filesize
14KB

MD5
1da60c77d1e9b828f6872143aaf9df81

SHA1
e8978f38fe7860fbb5b59e06c5e2aa4e2bbdf03f

SHA256
f354701456dd17de3ffd3db2ca19480b92aa2ff25a22638a6cc9edd34265de44

SHA512
218ed812972f4007e628472e3cace165d8ae2503e33bd6025c6f740680103543222571b496d9cfec5a16023ae6c2425a8c47a489e590763862156730bb8e497b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku115825.exe

Filesize
352KB

MD5
1d5762e011e59a61a69f9198eabf91a0

SHA1
4ec5ca587c6e025779b8f9c0fccd2931d5718985

SHA256
ddb15b2f9006ff29dfc556f2009f13eebb31d5d0dad438cacc3dc5d9eecd3a5c

SHA512
416bc67ba1c0013a5eed3e33dba604a0db6431e014fa3d7823660697b0a3b528d98d6d4c0c31afc04357ea616cc2ca3b101a8097c0b6d288d4b83a6d534431a6

Download Submit
memory/220-14-0x00007FF9A1513000-0x00007FF9A1515000-memory.dmp

Filesize
8KB

Download
memory/220-15-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/220-16-0x00007FF9A1513000-0x00007FF9A1515000-memory.dmp

Filesize
8KB

Download
memory/4020-63-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-52-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-24-0x0000000004E50000-0x0000000004E94000-memory.dmp

Filesize
272KB

Download
memory/4020-76-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-88-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-86-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-84-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-82-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-80-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-78-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-74-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-72-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-70-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-68-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-66-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-64-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-22-0x00000000026E0000-0x0000000002726000-memory.dmp

Filesize
280KB

Download
memory/4020-60-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-58-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-57-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-54-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-23-0x0000000004F20000-0x00000000054C4000-memory.dmp

Filesize
5.6MB

Download
memory/4020-50-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-48-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-46-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-44-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-40-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-38-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-36-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-34-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-32-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-30-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-28-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-26-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-42-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-25-0x0000000004E50000-0x0000000004E8F000-memory.dmp

Filesize
252KB

Download
memory/4020-931-0x00000000054D0000-0x0000000005AE8000-memory.dmp

Filesize
6.1MB

Download
memory/4020-932-0x0000000005AF0000-0x0000000005BFA000-memory.dmp

Filesize
1.0MB

Download
memory/4020-933-0x0000000005C20000-0x0000000005C32000-memory.dmp

Filesize
72KB

Download
memory/4020-934-0x0000000005C40000-0x0000000005C7C000-memory.dmp

Filesize
240KB

Download
memory/4020-935-0x0000000005D90000-0x0000000005DDC000-memory.dmp

Filesize
304KB

Download