healer | 205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35.exe
Size

790KB
MD5

df3d356ba863856d39273f0156865b09
SHA1

2d40afb6525867d548072b7c1ed976f3d47fbeda
SHA256

205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35
SHA512

1756d35e7e85cf5a0ebe86cfe965e9d3ca9f937107c1fe0b6acc412aa6554ada2f45543910a7508c208a98e3f968c08b223df9befcd5b7b2babf17d85cd693ef
SSDEEP

12288:gMrEy90eqjOJ3osazfavoJzjysL01au4243TBTjA49ie4uZPsTKVItAHo67:UyiKo1fZJPjenyZlPwFAX

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2124-19-0x0000000002260000-0x000000000227A000-memory.dmp	healer
behavioral1/memory/2124-21-0x0000000002410000-0x0000000002428000-memory.dmp	healer
behavioral1/memory/2124-49-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-47-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-45-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-43-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-41-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-39-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-37-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-35-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-33-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-31-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-29-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-27-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-25-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-23-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2124-22-0x0000000002410000-0x0000000002422000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro3785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro3785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro3785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro3785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro3785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro3785.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/2928-2143-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
behavioral1/files/0x000c000000022719-2148.dat	family_redline
behavioral1/memory/3868-2156-0x00000000002C0000-0x00000000002F0000-memory.dmp	family_redline
behavioral1/files/0x000a000000023b9a-2165.dat	family_redline
behavioral1/memory/5244-2167-0x0000000000C20000-0x0000000000C4E000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	qu5694.exe

Executes dropped EXE 5 IoCs

pid	Process
4764	un106350.exe
2124	pro3785.exe
2928	qu5694.exe
3868	1.exe
5244	si657051.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro3785.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro3785.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un106350.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2444	2124	WerFault.exe	84
1216	2928	WerFault.exe	101

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un106350.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro3785.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu5694.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si657051.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2124	pro3785.exe
2124	pro3785.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	pro3785.exe
Token: SeDebugPrivilege	2928	qu5694.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 4764	2464	205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35.exe	83
PID 2464 wrote to memory of 4764	2464	205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35.exe	83
PID 2464 wrote to memory of 4764	2464	205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35.exe	83
PID 4764 wrote to memory of 2124	4764	un106350.exe	84
PID 4764 wrote to memory of 2124	4764	un106350.exe	84
PID 4764 wrote to memory of 2124	4764	un106350.exe	84
PID 4764 wrote to memory of 2928	4764	un106350.exe	101
PID 4764 wrote to memory of 2928	4764	un106350.exe	101
PID 4764 wrote to memory of 2928	4764	un106350.exe	101
PID 2928 wrote to memory of 3868	2928	qu5694.exe	102
PID 2928 wrote to memory of 3868	2928	qu5694.exe	102
PID 2928 wrote to memory of 3868	2928	qu5694.exe	102
PID 2464 wrote to memory of 5244	2464	205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35.exe	105
PID 2464 wrote to memory of 5244	2464	205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35.exe	105
PID 2464 wrote to memory of 5244	2464	205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35.exe	105

C:\Users\Admin\AppData\Local\Temp\205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35.exe
"C:\Users\Admin\AppData\Local\Temp\205f9492cb97befb063a2a76111ba2e7902d171e2c84c3e4a6882fd77ab6fd35.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un106350.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un106350.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3785.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3785.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2124
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 1104
      4⤵
      Program crash
      PID:2444
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5694.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5694.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 1392
      4⤵
      Program crash
      PID:1216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si657051.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si657051.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2124 -ip 2124
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2928 -ip 2928
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si657051.exe

Filesize
169KB

MD5
c7b38a304221415977212af3d02a90ce

SHA1
e1f1ccafe266b7145f141503754a355a7f091db3

SHA256
0124426f579b2b030723aa37399d2467f1727db29c1f7bba09ef0d549e779444

SHA512
fa0ee58ae41038a8901edc1c3d18515aabfc1922a82f3ea85613e9751307752b11584cea9a6be2ffaaeb62c477c55f1a2389f2dbea823014fb49b54d9770be5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un106350.exe

Filesize
635KB

MD5
ed5d695d328260f3e1c8696f1e657d75

SHA1
fcaa1fbd12bed4862bfea9c4c2b0118464374a73

SHA256
656b708bcfd2c63244ac4d8d74fecdb85dce708c182ef5473969179dac7b4a95

SHA512
306a5be878ce0bf0312fe6294bd08d0e46231ed6fcd6693e3696ee6789a44e0977a2219991bee075bb1eb4e91850f704fd1673314a93b425e4a9fef4ebf49d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro3785.exe

Filesize
233KB

MD5
6dd8815b78b4349259dadf07a88c961e

SHA1
ecc9e80e3365af3f41a0214dd19d7e20bdef9872

SHA256
fe1e7286fa8980a9fc1320f41e41d01d845f8c14d2e381a9556399b7e78dd2d0

SHA512
b182cf980cea93092e62c159d050e0ed5fe7810adcbb8aa8bada3667a8866a87c2d63670469c0cd4efcb876240f4e4acd34ee680dc8b5eecc8c8bc55fbe12bb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu5694.exe

Filesize
417KB

MD5
05bed18a68cafada4e07cc717a368ed9

SHA1
c83902a0948d5540968e5b61f19fa1b74f21c0f1

SHA256
d027a8a46a2b341af735e1333bb530edade4c42d9fe9c8cb0dbc7432bdbc4b40

SHA512
801d3436654c2ef6e97f92161f0c1d2fea8479124f8ea53fc0f7a101d1f1489842f9ce6f2a2943108c847068cc1741d1c24e34eca1030ea2e56f6264a0c8d798

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/2124-15-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/2124-16-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/2124-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2124-18-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2124-19-0x0000000002260000-0x000000000227A000-memory.dmp

Filesize
104KB

Download
memory/2124-20-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/2124-21-0x0000000002410000-0x0000000002428000-memory.dmp

Filesize
96KB

Download
memory/2124-49-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-47-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-45-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-43-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-41-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-39-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-37-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-35-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-33-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-31-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-29-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-27-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-25-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-23-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-22-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2124-50-0x00000000004D0000-0x00000000005D0000-memory.dmp

Filesize
1024KB

Download
memory/2124-51-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/2124-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2124-55-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2124-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2928-61-0x0000000004BC0000-0x0000000004C26000-memory.dmp

Filesize
408KB

Download
memory/2928-62-0x00000000051E0000-0x0000000005246000-memory.dmp

Filesize
408KB

Download
memory/2928-76-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-80-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-96-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-94-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-90-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-89-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-86-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-84-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-82-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-78-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-74-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-72-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-70-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-68-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-66-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-64-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-92-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-63-0x00000000051E0000-0x000000000523F000-memory.dmp

Filesize
380KB

Download
memory/2928-2143-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/3868-2156-0x00000000002C0000-0x00000000002F0000-memory.dmp

Filesize
192KB

Download
memory/3868-2157-0x00000000009F0000-0x00000000009F6000-memory.dmp

Filesize
24KB

Download
memory/3868-2158-0x00000000052E0000-0x00000000058F8000-memory.dmp

Filesize
6.1MB

Download
memory/3868-2159-0x0000000004DD0000-0x0000000004EDA000-memory.dmp

Filesize
1.0MB

Download
memory/3868-2160-0x0000000004700000-0x0000000004712000-memory.dmp

Filesize
72KB

Download
memory/3868-2161-0x0000000004CC0000-0x0000000004CFC000-memory.dmp

Filesize
240KB

Download
memory/3868-2162-0x0000000004D00000-0x0000000004D4C000-memory.dmp

Filesize
304KB

Download
memory/5244-2167-0x0000000000C20000-0x0000000000C4E000-memory.dmp

Filesize
184KB

Download
memory/5244-2168-0x0000000002CC0000-0x0000000002CC6000-memory.dmp

Filesize
24KB

Download