healer | 12f016c3c75bff495bda0f0b186f4236749ce27aa1ea9c3102256dfc81659af9

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12f016c3c75bff495bda0f0b186f4236749ce27aa1ea9c3102256dfc81659af9.exe
Size

677KB
MD5

cde7ad49879f49b3441172edff910f4f
SHA1

7cea89dd39282b846048133574e66d9cf1f89470
SHA256

12f016c3c75bff495bda0f0b186f4236749ce27aa1ea9c3102256dfc81659af9
SHA512

5f1bfcb9879ce2d020454ec555adb6d346cd69e86062c2996a490bbc1a1fe69af63be29ecf87103f1e5f1d7e9f378d7c7614e8d19bef896c34e79e892bb94396
SSDEEP

12288:2Mrfy90g9eV7SQe7LPf91LrXStXdAQ0BJrLgpRsOSH7fa2AufH:lyP0VGBnfzTS89TH+sDHbci

Score

10^/10

healer redline rosto discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rosto

hueref.eu:4162

Attributes

auth_value
07d81eba8cad42bbd0ae60042d48eac6

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4784-19-0x0000000002500000-0x000000000251A000-memory.dmp	healer
behavioral1/memory/4784-21-0x0000000004B20000-0x0000000004B38000-memory.dmp	healer
behavioral1/memory/4784-43-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-47-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-49-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-45-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-41-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-39-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-35-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-33-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-31-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-29-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-27-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-25-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-23-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-22-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer
behavioral1/memory/4784-37-0x0000000004B20000-0x0000000004B32000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	urFJ11qd85.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	urFJ11qd85.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	urFJ11qd85.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	urFJ11qd85.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	urFJ11qd85.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	urFJ11qd85.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/392-60-0x0000000004AF0000-0x0000000004B36000-memory.dmp	family_redline
behavioral1/memory/392-61-0x0000000004B70000-0x0000000004BB4000-memory.dmp	family_redline
behavioral1/memory/392-63-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-62-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-69-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-96-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-93-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-87-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-85-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-83-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-81-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-79-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-77-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-75-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-73-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-67-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-65-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-92-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-89-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline
behavioral1/memory/392-71-0x0000000004B70000-0x0000000004BAE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4068	ycFG01cg56.exe
4784	urFJ11qd85.exe
392	wrTA30tP82.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	urFJ11qd85.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	urFJ11qd85.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	12f016c3c75bff495bda0f0b186f4236749ce27aa1ea9c3102256dfc81659af9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ycFG01cg56.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5104	4784	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12f016c3c75bff495bda0f0b186f4236749ce27aa1ea9c3102256dfc81659af9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ycFG01cg56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	urFJ11qd85.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrTA30tP82.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4784	urFJ11qd85.exe
4784	urFJ11qd85.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4784	urFJ11qd85.exe
Token: SeDebugPrivilege	392	wrTA30tP82.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 4068	4520	12f016c3c75bff495bda0f0b186f4236749ce27aa1ea9c3102256dfc81659af9.exe	84
PID 4520 wrote to memory of 4068	4520	12f016c3c75bff495bda0f0b186f4236749ce27aa1ea9c3102256dfc81659af9.exe	84
PID 4520 wrote to memory of 4068	4520	12f016c3c75bff495bda0f0b186f4236749ce27aa1ea9c3102256dfc81659af9.exe	84
PID 4068 wrote to memory of 4784	4068	ycFG01cg56.exe	85
PID 4068 wrote to memory of 4784	4068	ycFG01cg56.exe	85
PID 4068 wrote to memory of 4784	4068	ycFG01cg56.exe	85
PID 4068 wrote to memory of 392	4068	ycFG01cg56.exe	99
PID 4068 wrote to memory of 392	4068	ycFG01cg56.exe	99
PID 4068 wrote to memory of 392	4068	ycFG01cg56.exe	99

C:\Users\Admin\AppData\Local\Temp\12f016c3c75bff495bda0f0b186f4236749ce27aa1ea9c3102256dfc81659af9.exe
"C:\Users\Admin\AppData\Local\Temp\12f016c3c75bff495bda0f0b186f4236749ce27aa1ea9c3102256dfc81659af9.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycFG01cg56.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycFG01cg56.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urFJ11qd85.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urFJ11qd85.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4784
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 1080
      4⤵
      Program crash
      PID:5104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrTA30tP82.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrTA30tP82.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4784 -ip 4784
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ycFG01cg56.exe

Filesize
533KB

MD5
d48a0f8eaa7c065bc75d86a46ad854d4

SHA1
593c18433674e36e9ab3714803f9287660d9a854

SHA256
e93b4796e5bdedd5eb7878fcad872378a5c9d073b010e65114dd886f373dd930

SHA512
8e08e8884fdd3dc42ff890336133d1b0ec485f170d97acd0322c8f2fd0e265dd5b6ba6858c5b95d09f66e7c1265145393964fd2c9dd6d70c694ace14f2c7bba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\urFJ11qd85.exe

Filesize
259KB

MD5
6bc8513cf7109e5ac11a3ce08bd4aa75

SHA1
c3ac687b5f1622ede490ea7503900c5fa192fd25

SHA256
5c740441af175fbb77d481aebd50b3598b387dabaf576e5607c0e5866f62c729

SHA512
b6e62cdbb3bb1dfd09ddab7f2befdd8225c61e143adcd20a9f23e38992057e3cc89e08370a36f5f1a2c9162f3498d7d6dfe025e1c783efb75380760ecfa6ae0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\wrTA30tP82.exe

Filesize
317KB

MD5
951fa5356ac288731a279778680760cb

SHA1
ec2e18c615f5818742d946582d64e32bb88dbfbb

SHA256
f5f7055115e81907accaf5c574e871f2c009da8163df4d5930af1563f4f5b175

SHA512
b8385866f94ab644ad455571866080250acb23cb1d19208ec58cf316524e0b6c419620622c0fe0591b1ff0e3ee5a8e50a39ed0bc4a792ba4b9b903b0ed83d1c4

Download Submit
memory/392-75-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-79-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-969-0x0000000005870000-0x000000000597A000-memory.dmp

Filesize
1.0MB

Download
memory/392-968-0x0000000005210000-0x0000000005828000-memory.dmp

Filesize
6.1MB

Download
memory/392-71-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-89-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-92-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-65-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-67-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-73-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-971-0x00000000059D0000-0x0000000005A0C000-memory.dmp

Filesize
240KB

Download
memory/392-972-0x0000000005B20000-0x0000000005B6C000-memory.dmp

Filesize
304KB

Download
memory/392-77-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-970-0x00000000059B0000-0x00000000059C2000-memory.dmp

Filesize
72KB

Download
memory/392-81-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-83-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-85-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-87-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-93-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-96-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-69-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-62-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-63-0x0000000004B70000-0x0000000004BAE000-memory.dmp

Filesize
248KB

Download
memory/392-61-0x0000000004B70000-0x0000000004BB4000-memory.dmp

Filesize
272KB

Download
memory/392-60-0x0000000004AF0000-0x0000000004B36000-memory.dmp

Filesize
280KB

Download
memory/4784-41-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4784-54-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4784-51-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4784-50-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/4784-37-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-22-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-23-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-25-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-27-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-29-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-31-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-33-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-35-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-39-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-45-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-49-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-47-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-43-0x0000000004B20000-0x0000000004B32000-memory.dmp

Filesize
72KB

Download
memory/4784-21-0x0000000004B20000-0x0000000004B38000-memory.dmp

Filesize
96KB

Download
memory/4784-20-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/4784-19-0x0000000002500000-0x000000000251A000-memory.dmp

Filesize
104KB

Download
memory/4784-18-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4784-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4784-17-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/4784-15-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download