healer | 6c92206cb77ac5804b777681f9645991d5255ffcb0bdeca387c90a426f391afc

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c92206cb77ac5804b777681f9645991d5255ffcb0bdeca387c90a426f391afc.exe
Size

554KB
MD5

a1d2441da928ecb9633b193c625069ff
SHA1

406a8c14b7e778c12c32b4cfd6b58686ee664dd4
SHA256

6c92206cb77ac5804b777681f9645991d5255ffcb0bdeca387c90a426f391afc
SHA512

648a10566e30fab4255e636072a06fc34804b1aa4425d4beb9005827fa86dabe37eae6254f6ff3ae064ddc8980de3f13d8a3a90f8adc0c5cd05b37097221d6d9
SSDEEP

12288:ZMr9y90C/N6MgxZLNLlF/jwtBZa4Uogpzt0bsU30+GEJb:Uy7g1h/stB4BoGLe0yR

Score

10^/10

healer redline boris discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

boris

193.233.20.32:4125

Attributes

auth_value
766b5bdf6dbefcf7ca223351952fc38f

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b80-12.dat	healer
behavioral1/memory/2728-15-0x00000000008B0000-0x00000000008BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	pro9273.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro9273.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro9273.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro9273.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro9273.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro9273.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/1520-22-0x00000000049C0000-0x0000000004A06000-memory.dmp	family_redline
behavioral1/memory/1520-24-0x0000000007880000-0x00000000078C4000-memory.dmp	family_redline
behavioral1/memory/1520-34-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-88-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-86-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-84-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-82-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-78-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-76-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-74-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-72-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-70-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-68-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-66-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-64-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-62-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-58-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-56-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-54-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-52-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-50-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-48-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-46-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-44-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-42-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-40-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-38-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-36-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-32-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-80-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-30-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-60-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-28-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-26-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline
behavioral1/memory/1520-25-0x0000000007880000-0x00000000078BF000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
184	unio3153.exe
2728	pro9273.exe
1520	qu2053.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro9273.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6c92206cb77ac5804b777681f9645991d5255ffcb0bdeca387c90a426f391afc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	unio3153.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6c92206cb77ac5804b777681f9645991d5255ffcb0bdeca387c90a426f391afc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unio3153.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu2053.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2728	pro9273.exe
2728	pro9273.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	pro9273.exe
Token: SeDebugPrivilege	1520	qu2053.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 184	4880	6c92206cb77ac5804b777681f9645991d5255ffcb0bdeca387c90a426f391afc.exe	84
PID 4880 wrote to memory of 184	4880	6c92206cb77ac5804b777681f9645991d5255ffcb0bdeca387c90a426f391afc.exe	84
PID 4880 wrote to memory of 184	4880	6c92206cb77ac5804b777681f9645991d5255ffcb0bdeca387c90a426f391afc.exe	84
PID 184 wrote to memory of 2728	184	unio3153.exe	85
PID 184 wrote to memory of 2728	184	unio3153.exe	85
PID 184 wrote to memory of 1520	184	unio3153.exe	96
PID 184 wrote to memory of 1520	184	unio3153.exe	96
PID 184 wrote to memory of 1520	184	unio3153.exe	96

C:\Users\Admin\AppData\Local\Temp\6c92206cb77ac5804b777681f9645991d5255ffcb0bdeca387c90a426f391afc.exe
"C:\Users\Admin\AppData\Local\Temp\6c92206cb77ac5804b777681f9645991d5255ffcb0bdeca387c90a426f391afc.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3153.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3153.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9273.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9273.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2053.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2053.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio3153.exe

Filesize
412KB

MD5
55655b23c7725a65fc852e45a4c0248c

SHA1
f99a431059c7a13e1fdcfeea55ab719992ec1e91

SHA256
1aec96bb3638835e16f4a63149b5aa5af19750994ee22c84715816a0d1dbf95e

SHA512
20c76fc4af7be2f1e165c99426f7497eb282056b5633caa5aa516cd36903911341ffdb82d489aa201937277a1d7c3dd42950d370ea3db1a9f09b47a90d485387

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro9273.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2053.exe

Filesize
386KB

MD5
a506903954933fca1bd0d12ff4715a18

SHA1
666658224ee71fbb45b04a668dbcd589db98fabd

SHA256
d969f5e5c982e341fe787cc4780401829effc73ea31e0de24b002d6b1fe407a5

SHA512
dcea79eb2b4a2acf83e1c491833c46d7e256db815b9da25330d6656a090d336090a21a66bf08ed736df785b70a0be595a5adfcdafcc1d011d9e64a410f500205

Download Submit
memory/1520-62-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-22-0x00000000049C0000-0x0000000004A06000-memory.dmp

Filesize
280KB

Download
memory/1520-935-0x0000000008250000-0x000000000829C000-memory.dmp

Filesize
304KB

Download
memory/1520-56-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-23-0x0000000007290000-0x0000000007834000-memory.dmp

Filesize
5.6MB

Download
memory/1520-24-0x0000000007880000-0x00000000078C4000-memory.dmp

Filesize
272KB

Download
memory/1520-34-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-88-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-86-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-84-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-58-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-78-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-54-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-74-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-72-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-70-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-68-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-66-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-64-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-934-0x0000000008100000-0x000000000813C000-memory.dmp

Filesize
240KB

Download
memory/1520-82-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-933-0x00000000080E0000-0x00000000080F2000-memory.dmp

Filesize
72KB

Download
memory/1520-76-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-52-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-50-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-48-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-46-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-44-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-42-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-40-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-38-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-36-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-32-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-80-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-30-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-60-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-28-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-26-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-25-0x0000000007880000-0x00000000078BF000-memory.dmp

Filesize
252KB

Download
memory/1520-931-0x0000000007900000-0x0000000007F18000-memory.dmp

Filesize
6.1MB

Download
memory/1520-932-0x0000000007FA0000-0x00000000080AA000-memory.dmp

Filesize
1.0MB

Download
memory/2728-16-0x00007FFCC7643000-0x00007FFCC7645000-memory.dmp

Filesize
8KB

Download
memory/2728-14-0x00007FFCC7643000-0x00007FFCC7645000-memory.dmp

Filesize
8KB

Download
memory/2728-15-0x00000000008B0000-0x00000000008BA000-memory.dmp

Filesize
40KB

Download