healer | 2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe
Size

1.3MB
MD5

a73a320ca4658c2d003a6fc843761794
SHA1

af52138b8f1c072d91c0fff2e0c3eea30d2ad30a
SHA256

2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7
SHA512

8f7529c65c438a98c3805ba75748f659a53a46cb2bd68aea740629efcb921d0f6ff6914f44681c5870f077259021e5fb672d0caa665db03fac1aca4164f79035
SSDEEP

24576:Ry758EE+uHSUB5mg+5rJT3gugZ1xV6QnNohmS2:E/ruyUB5mg+5NUugxNohf

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cbc-33.dat	healer
behavioral1/memory/1556-35-0x0000000000FE0000-0x0000000000FEA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az608066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az608066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az608066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az608066.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az608066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az608066.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4524-41-0x0000000007250000-0x000000000728C000-memory.dmp	family_redline
behavioral1/memory/4524-43-0x00000000072D0000-0x000000000730A000-memory.dmp	family_redline
behavioral1/memory/4524-47-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-49-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-105-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-63-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-45-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-44-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-107-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-103-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-102-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-99-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-97-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-96-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-93-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-91-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-89-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-87-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-85-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-83-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-81-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-79-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-77-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-75-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-73-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-71-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-69-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-67-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-65-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-61-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-59-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-57-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-55-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-53-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline
behavioral1/memory/4524-51-0x00000000072D0000-0x0000000007305000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
2612	ki123788.exe
220	ki960717.exe
1952	ki905089.exe
1636	ki539106.exe
1556	az608066.exe
4524	bu764058.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az608066.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ki123788.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ki960717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ki905089.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	ki539106.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki123788.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki960717.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki905089.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki539106.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bu764058.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1556	az608066.exe
1556	az608066.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	az608066.exe
Token: SeDebugPrivilege	4524	bu764058.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3304 wrote to memory of 2612	3304	2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe	83
PID 3304 wrote to memory of 2612	3304	2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe	83
PID 3304 wrote to memory of 2612	3304	2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe	83
PID 2612 wrote to memory of 220	2612	ki123788.exe	85
PID 2612 wrote to memory of 220	2612	ki123788.exe	85
PID 2612 wrote to memory of 220	2612	ki123788.exe	85
PID 220 wrote to memory of 1952	220	ki960717.exe	87
PID 220 wrote to memory of 1952	220	ki960717.exe	87
PID 220 wrote to memory of 1952	220	ki960717.exe	87
PID 1952 wrote to memory of 1636	1952	ki905089.exe	88
PID 1952 wrote to memory of 1636	1952	ki905089.exe	88
PID 1952 wrote to memory of 1636	1952	ki905089.exe	88
PID 1636 wrote to memory of 1556	1636	ki539106.exe	89
PID 1636 wrote to memory of 1556	1636	ki539106.exe	89
PID 1636 wrote to memory of 4524	1636	ki539106.exe	95
PID 1636 wrote to memory of 4524	1636	ki539106.exe	95
PID 1636 wrote to memory of 4524	1636	ki539106.exe	95

C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe
"C:\Users\Admin\AppData\Local\Temp\2068c0ad73997c7abc1b9bcde96b6e8ccf8435786f729d9cafeb6903569bcdf7.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki123788.exe

Filesize
1.1MB

MD5
81695a25572f9b04f59a40e9255436e9

SHA1
d3c0e748f96d847e21343e32258bfefa92639b62

SHA256
e43217264dce9e9e706f490764a84e54ad3137e7c11257e539011f47a8b5c510

SHA512
d588355a7018e86b3895da68add882e4c2bce7a58a48ff38fb9f2b839333923f7badcf006705ee2b56741e37bb22aef31de4740f0104b707e2c5e6131e226878

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki960717.exe

Filesize
918KB

MD5
a8fa8b5b703cd4a989ebe6d3db1cc979

SHA1
a2fa8e852ce71c8a30d8b169b0f3e353e63385f3

SHA256
4fa8e60aa9a1518ecb06e8f4175024c4c4c619a84e1873806c43e2042e38cd85

SHA512
98064a4eae9de3c9dd66979991c36027afbfda471ba5d86b4b3bea0a7eea1ab434924d67a37c83ca2493dd41ab316a4bbff2a9e6cac9c01222e1935a0c1d9fef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki905089.exe

Filesize
696KB

MD5
6dddc4eed66aeae399550478f80ceccd

SHA1
5a394c340ef198966e44a541824f0c743ff857e9

SHA256
a431548c5449115dc12c53266da5294f606369066f03d93efc87c2f4d3ccb44c

SHA512
8c0cdd158dc94c36e96e4baed5008b1de334dd7a7490490978154cc8b2843435b1c9f682c01b60162a0106c0329b9f19775bf0bc68b91af2360f62af8c772c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ki539106.exe

Filesize
415KB

MD5
29fc7e4116d91cfa05827b9d438b0762

SHA1
3e4a5ecd904af4e6178c03d8bbe4fde231acd741

SHA256
e507f88f40fa5a08de94652d237f07fca16bc762af44bc9618812405f6af539d

SHA512
fc1995e59743f32d4dad2fda56ae13015c8ede26abd07602904f686022e7ab89de095d174854615bfcb64f25d22cc17dd6c4329882e3daa9f880424e0eb90e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\az608066.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bu764058.exe

Filesize
360KB

MD5
1b19fb007cece0cb3086c05822851636

SHA1
b595026b70930eb8642ff1506f1516ac28d772f2

SHA256
eed41f31904040aa00292202a481d7fbedad4af7cb2edb54bc24ccf3b928b8df

SHA512
8416b777a0786a5e97c6150cfb6b038c39b8478a6d87f1d4f516d0aba3f094237b1348b9febb848a13b009239423575469bace06c0638befe1210232ae3a965c

Download Submit
memory/1556-35-0x0000000000FE0000-0x0000000000FEA000-memory.dmp

Filesize
40KB

Download
memory/4524-89-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-81-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-43-0x00000000072D0000-0x000000000730A000-memory.dmp

Filesize
232KB

Download
memory/4524-47-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-49-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-105-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-63-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-45-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-44-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-107-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-103-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-102-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-99-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-97-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-96-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-93-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-91-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-41-0x0000000007250000-0x000000000728C000-memory.dmp

Filesize
240KB

Download
memory/4524-87-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-85-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-83-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-42-0x00000000073B0000-0x0000000007954000-memory.dmp

Filesize
5.6MB

Download
memory/4524-79-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-77-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-75-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-73-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-71-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-69-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-67-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-65-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-61-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-59-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-57-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-55-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-53-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-51-0x00000000072D0000-0x0000000007305000-memory.dmp

Filesize
212KB

Download
memory/4524-836-0x0000000009DE0000-0x000000000A3F8000-memory.dmp

Filesize
6.1MB

Download
memory/4524-837-0x000000000A480000-0x000000000A492000-memory.dmp

Filesize
72KB

Download
memory/4524-838-0x000000000A4A0000-0x000000000A5AA000-memory.dmp

Filesize
1.0MB

Download
memory/4524-839-0x000000000A5C0000-0x000000000A5FC000-memory.dmp

Filesize
240KB

Download
memory/4524-840-0x0000000004D30000-0x0000000004D7C000-memory.dmp

Filesize
304KB

Download