healer | 219c0c2a9796ccc9dc33af36a9c8bec21f8ceb765b9306a57e7b6411ca3d07cf

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

219c0c2a9796ccc9dc33af36a9c8bec21f8ceb765b9306a57e7b6411ca3d07cf.exe
Size

685KB
MD5

e2cdaad05f64139652dd39dda5598cb4
SHA1

e3591bf1ba08bf472f9a0c9326901834b0f2fa2c
SHA256

219c0c2a9796ccc9dc33af36a9c8bec21f8ceb765b9306a57e7b6411ca3d07cf
SHA512

91b4387b4c63f2760773bb4bdaee0c01b8487636b18cde83420da81a6e195adf4443b88e096b90ee0f315ac288f83d54482bfdf959467a651efb87124265282b
SSDEEP

12288:dy90bU3xJ0Itbpc1vzUqtFoMHqtAbBNfiY2aR5/H6KqJUhKt:dyDoLDtTqt8i1an/nthw

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2876-18-0x0000000004B10000-0x0000000004B2A000-memory.dmp	healer
behavioral1/memory/2876-20-0x0000000007130000-0x0000000007148000-memory.dmp	healer
behavioral1/memory/2876-24-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-48-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-47-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-44-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-42-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-40-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-38-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-37-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-34-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-33-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-30-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-28-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-26-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-22-0x0000000007130000-0x0000000007143000-memory.dmp	healer
behavioral1/memory/2876-21-0x0000000007130000-0x0000000007143000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	36785942.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	36785942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	36785942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	36785942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	36785942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	36785942.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 20 IoCs

resource	yara_rule
behavioral1/memory/4600-60-0x00000000070E0000-0x000000000711C000-memory.dmp	family_redline
behavioral1/memory/4600-61-0x0000000007180000-0x00000000071BA000-memory.dmp	family_redline
behavioral1/memory/4600-69-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-75-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-95-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-93-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-91-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-89-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-87-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-85-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-83-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-79-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-78-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-73-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-72-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-67-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-65-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-81-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-63-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline
behavioral1/memory/4600-62-0x0000000007180000-0x00000000071B5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1840	un556638.exe
2876	36785942.exe
4600	rk371594.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	36785942.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	36785942.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	219c0c2a9796ccc9dc33af36a9c8bec21f8ceb765b9306a57e7b6411ca3d07cf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un556638.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3000	2876	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	219c0c2a9796ccc9dc33af36a9c8bec21f8ceb765b9306a57e7b6411ca3d07cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un556638.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36785942.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rk371594.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2876	36785942.exe
2876	36785942.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	36785942.exe
Token: SeDebugPrivilege	4600	rk371594.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1840	1180	219c0c2a9796ccc9dc33af36a9c8bec21f8ceb765b9306a57e7b6411ca3d07cf.exe	83
PID 1180 wrote to memory of 1840	1180	219c0c2a9796ccc9dc33af36a9c8bec21f8ceb765b9306a57e7b6411ca3d07cf.exe	83
PID 1180 wrote to memory of 1840	1180	219c0c2a9796ccc9dc33af36a9c8bec21f8ceb765b9306a57e7b6411ca3d07cf.exe	83
PID 1840 wrote to memory of 2876	1840	un556638.exe	85
PID 1840 wrote to memory of 2876	1840	un556638.exe	85
PID 1840 wrote to memory of 2876	1840	un556638.exe	85
PID 1840 wrote to memory of 4600	1840	un556638.exe	100
PID 1840 wrote to memory of 4600	1840	un556638.exe	100
PID 1840 wrote to memory of 4600	1840	un556638.exe	100

C:\Users\Admin\AppData\Local\Temp\219c0c2a9796ccc9dc33af36a9c8bec21f8ceb765b9306a57e7b6411ca3d07cf.exe
"C:\Users\Admin\AppData\Local\Temp\219c0c2a9796ccc9dc33af36a9c8bec21f8ceb765b9306a57e7b6411ca3d07cf.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un556638.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un556638.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36785942.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36785942.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2876
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 1080
      4⤵
      Program crash
      PID:3000
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk371594.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk371594.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2876 -ip 2876
1⤵
PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un556638.exe

Filesize
531KB

MD5
1fe5178b55e9e241e74f5d0d39cfcd24

SHA1
396f8e8cd937c914a9690a57fd516bdce97ecbfa

SHA256
2001226a08182897ea91b0b3ecd9d64b0cf9a4987a3336675ff5dcabc8fe8292

SHA512
420dca3a92d2063e09049c3bfee127288e07ee42af65f749ba2ab5b1d6d9d56ec5427836b469bd783a31fdfd36507a981b21e9a068705b3502681b33f3479457

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\36785942.exe

Filesize
249KB

MD5
5bd306355486a0998f3517019cc58465

SHA1
4cb97e21e13be8c1871e77369acdeef20847387d

SHA256
5c0094823c3e6622611c87b00653a1d12fc3e90b55bdc13a159bd8858683674b

SHA512
7b5d57fef07956e1d8344d79a16b50ab9b41a2381d4562174353e0800cf9be17466baf5297d02c32d3d920e06fea656cd3ae925c8088d7ac6b056253219492c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk371594.exe

Filesize
332KB

MD5
5763a23ae7d3eab616a5680e63e34285

SHA1
e5890cf13fe6662da73c8ac727f6512097d69944

SHA256
7bad362c9437ff5a860f443cd66e79c5cae9d8331d9427c6c49707d55ddb352c

SHA512
6a1d17dd3b5930bad056e394ed6f9c597ddcb7978b76989c9cd771c022456216995ceaa16ca48c293dd5f41f042bd1c86820836493afa91b4d7d254b0ecac80a

Download Submit
memory/2876-15-0x0000000002F00000-0x0000000003000000-memory.dmp

Filesize
1024KB

Download
memory/2876-16-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/2876-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2876-18-0x0000000004B10000-0x0000000004B2A000-memory.dmp

Filesize
104KB

Download
memory/2876-19-0x0000000007200000-0x00000000077A4000-memory.dmp

Filesize
5.6MB

Download
memory/2876-20-0x0000000007130000-0x0000000007148000-memory.dmp

Filesize
96KB

Download
memory/2876-24-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-48-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-47-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-44-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-42-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-40-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-38-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-37-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-34-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-33-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-30-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-28-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-26-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-22-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-21-0x0000000007130000-0x0000000007143000-memory.dmp

Filesize
76KB

Download
memory/2876-49-0x0000000002F00000-0x0000000003000000-memory.dmp

Filesize
1024KB

Download
memory/2876-51-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

Filesize
180KB

Download
memory/2876-50-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/2876-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2876-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2876-54-0x0000000000400000-0x0000000002B9A000-memory.dmp

Filesize
39.6MB

Download
memory/4600-60-0x00000000070E0000-0x000000000711C000-memory.dmp

Filesize
240KB

Download
memory/4600-61-0x0000000007180000-0x00000000071BA000-memory.dmp

Filesize
232KB

Download
memory/4600-69-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-75-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-95-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-93-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-91-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-89-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-87-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-85-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-83-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-79-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-78-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-73-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-72-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-67-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-65-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-81-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-63-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-62-0x0000000007180000-0x00000000071B5000-memory.dmp

Filesize
212KB

Download
memory/4600-854-0x0000000009CE0000-0x000000000A2F8000-memory.dmp

Filesize
6.1MB

Download
memory/4600-855-0x000000000A330000-0x000000000A342000-memory.dmp

Filesize
72KB

Download
memory/4600-856-0x000000000A350000-0x000000000A45A000-memory.dmp

Filesize
1.0MB

Download
memory/4600-857-0x000000000A470000-0x000000000A4AC000-memory.dmp

Filesize
240KB

Download
memory/4600-858-0x0000000004A80000-0x0000000004ACC000-memory.dmp

Filesize
304KB

Download