healer | fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02.exe
Size

794KB
MD5

5b30ac019150145b1fd8de5447d9803d
SHA1

5dad018ff72eb4d648a08c2e9efbd486820f2111
SHA256

fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02
SHA512

dd0fc81a15c9474f3ff88f769583df324d789f34a2ed992629b9d107154ddd757c9ed3d950001a836f755fd740bf3917878de39fad33173b90437c4b833da01f
SSDEEP

12288:fMrTy90nP7c3hvyIf7jyiX8O8Jw4XBkz1pZ7m+EKp1If9Emiqb1ToV+Yju:cyoc3hvVuHXBkz1P4I1I1Em51ANC

Score

10^/10

healer redline diza norm discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.124.145:4125

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Extracted

Family

redline

Botnet

diza

77.91.124.145:4125

Attributes

auth_value
bbab0d2f0ae4d4fdd6b17077d93b3e80

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2748-19-0x0000000002390000-0x00000000023AA000-memory.dmp	healer
behavioral1/memory/2748-21-0x0000000002500000-0x0000000002518000-memory.dmp	healer
behavioral1/memory/2748-25-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-49-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-47-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-45-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-43-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-41-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-39-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-37-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-35-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-33-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-31-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-29-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-27-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-23-0x0000000002500000-0x0000000002512000-memory.dmp	healer
behavioral1/memory/2748-22-0x0000000002500000-0x0000000002512000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	pro0526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	pro0526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	pro0526.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	pro0526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	pro0526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	pro0526.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1940-2143-0x0000000005400000-0x0000000005432000-memory.dmp	family_redline
behavioral1/files/0x0012000000023a82-2148.dat	family_redline
behavioral1/memory/5484-2156-0x0000000000390000-0x00000000003C0000-memory.dmp	family_redline
behavioral1/files/0x000a000000023b8f-2164.dat	family_redline
behavioral1/memory/5824-2167-0x0000000000FE0000-0x000000000100E000-memory.dmp	family_redline

Redline family
redline

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	qu2059.exe

Executes dropped EXE 5 IoCs

pid	Process
4352	un702703.exe
2748	pro0526.exe
1940	qu2059.exe
5484	1.exe
5824	si816436.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	pro0526.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	pro0526.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	un702703.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4712	2748	WerFault.exe	84
5692	1940	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	un702703.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pro0526.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qu2059.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	si816436.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2748	pro0526.exe
2748	pro0526.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	pro0526.exe
Token: SeDebugPrivilege	1940	qu2059.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 4352	1748	fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02.exe	83
PID 1748 wrote to memory of 4352	1748	fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02.exe	83
PID 1748 wrote to memory of 4352	1748	fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02.exe	83
PID 4352 wrote to memory of 2748	4352	un702703.exe	84
PID 4352 wrote to memory of 2748	4352	un702703.exe	84
PID 4352 wrote to memory of 2748	4352	un702703.exe	84
PID 4352 wrote to memory of 1940	4352	un702703.exe	95
PID 4352 wrote to memory of 1940	4352	un702703.exe	95
PID 4352 wrote to memory of 1940	4352	un702703.exe	95
PID 1940 wrote to memory of 5484	1940	qu2059.exe	96
PID 1940 wrote to memory of 5484	1940	qu2059.exe	96
PID 1940 wrote to memory of 5484	1940	qu2059.exe	96
PID 1748 wrote to memory of 5824	1748	fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02.exe	99
PID 1748 wrote to memory of 5824	1748	fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02.exe	99
PID 1748 wrote to memory of 5824	1748	fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02.exe	99

C:\Users\Admin\AppData\Local\Temp\fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02.exe
"C:\Users\Admin\AppData\Local\Temp\fa33d35c3509f9cfbde8ed4d441fb8d878270d05b5151be15771bbbfc1a09d02.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un702703.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un702703.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0526.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0526.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 1084
      4⤵
      Program crash
      PID:4712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2059.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2059.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\Temp\1.exe
      "C:\Windows\Temp\1.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5484
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 1452
      4⤵
      Program crash
      PID:5692
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si816436.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si816436.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2748 -ip 2748
1⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1940 -ip 1940
1⤵
PID:5544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si816436.exe

Filesize
168KB

MD5
74d181ac6f8ec9c721c9b9ff3bfbe77e

SHA1
a764c5bab9bd9009afbdf37cdd20d47b2898dd1c

SHA256
690ad8c4b6b0c8595f9637056fd7f8aff11f12c47e0d1fa48ff3ae8d0f10379d

SHA512
291ef42186affa9cc26c34f232ca75170c8df7cd6ba068e42db4f9721f0c57c0b1abc717eac9eac858d27e0779e97f96c3b2ca3ce07351ef33d5a9766b5f269a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un702703.exe

Filesize
641KB

MD5
f9c4b4c7d761c075584d296eeac188c7

SHA1
bc914c11a1621372a96de6bbd2262d42433b47ae

SHA256
e8ff534efd840ea81763ba1165ddd99f1b3163cfa3e0f9bba9b6d3aaec571047

SHA512
672beb1c6a4433454bd4124c142003bb05fe0f5fde78dd761ef077810f3c8a79abdca03ae16a78e90b33f1ad851cb964b8571c574e9acb81bd6c4646fd61c89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro0526.exe

Filesize
241KB

MD5
4726bbfda6752e508bff71677a35e718

SHA1
66218dc3775889e0e9a8b6df31730a8d6f7c155a

SHA256
b6b6acd582a8fd3e6316ab97f14b4eb720b2afb0d8e718db0c8af06ce0058c21

SHA512
a81b2132e934e0d2684b12da3bcb0a7347eefaec5e8767f4af73eea71cc4932f6aa22188adfef3771d11d1c7dc51d9af6a004548211fe7dfd2e9881c397e2493

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu2059.exe

Filesize
424KB

MD5
436654a3aba91c50f89e911b559973d7

SHA1
48645f387a75e1771bbfef54b5fbbc1ee7e271e5

SHA256
6d25e726d8c088346cf69c23d34a91814e8ca8a28f14da02f8b1f13c28cafdcb

SHA512
6d3677fcb0b425257f491d76bf6ad00970fde6938462210cc2bf1c63067e2fc1a609b7d7a081386f7297ed98f8ab53bd739f9871c327da9aec78f8da2951260e

Download Submit
C:\Windows\Temp\1.exe

Filesize
168KB

MD5
1073b2e7f778788852d3f7bb79929882

SHA1
7f5ca4d69e0fcaf8fe6de2e80455a8b90eb6e2c4

SHA256
c46ef7b768c697e57d379ddfdfd3fb4931bf3d535730ef60feca9332e7a19feb

SHA512
90cacc509128f9dfb4d96ae9e847ed61b2062297f39d03f481fb1f798b45b36a2d3a8fe2e6415bdc8ce363cf21decee5a9e080f23270395712da1fea9f4952d0

Download Submit
memory/1940-66-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-61-0x0000000004B70000-0x0000000004BD6000-memory.dmp

Filesize
408KB

Download
memory/1940-2143-0x0000000005400000-0x0000000005432000-memory.dmp

Filesize
200KB

Download
memory/1940-63-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-64-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-92-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-94-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-96-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-68-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-70-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-72-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-76-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-78-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-80-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-84-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-86-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-88-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-82-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-74-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-90-0x00000000051D0000-0x000000000522F000-memory.dmp

Filesize
380KB

Download
memory/1940-62-0x00000000051D0000-0x0000000005236000-memory.dmp

Filesize
408KB

Download
memory/2748-29-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-41-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2748-18-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2748-52-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2748-51-0x0000000000590000-0x00000000005BD000-memory.dmp

Filesize
180KB

Download
memory/2748-22-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-23-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-47-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-50-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/2748-27-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-19-0x0000000002390000-0x00000000023AA000-memory.dmp

Filesize
104KB

Download
memory/2748-31-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-33-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-35-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-37-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-39-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-55-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2748-43-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2748-45-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-49-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-25-0x0000000002500000-0x0000000002512000-memory.dmp

Filesize
72KB

Download
memory/2748-21-0x0000000002500000-0x0000000002518000-memory.dmp

Filesize
96KB

Download
memory/2748-20-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/2748-16-0x0000000000590000-0x00000000005BD000-memory.dmp

Filesize
180KB

Download
memory/2748-15-0x00000000007C0000-0x00000000008C0000-memory.dmp

Filesize
1024KB

Download
memory/5484-2157-0x0000000004B70000-0x0000000004B76000-memory.dmp

Filesize
24KB

Download
memory/5484-2158-0x0000000005330000-0x0000000005948000-memory.dmp

Filesize
6.1MB

Download
memory/5484-2159-0x0000000004E20000-0x0000000004F2A000-memory.dmp

Filesize
1.0MB

Download
memory/5484-2160-0x0000000004D10000-0x0000000004D22000-memory.dmp

Filesize
72KB

Download
memory/5484-2161-0x0000000004D70000-0x0000000004DAC000-memory.dmp

Filesize
240KB

Download
memory/5484-2156-0x0000000000390000-0x00000000003C0000-memory.dmp

Filesize
192KB

Download
memory/5484-2166-0x0000000004DC0000-0x0000000004E0C000-memory.dmp

Filesize
304KB

Download
memory/5824-2167-0x0000000000FE0000-0x000000000100E000-memory.dmp

Filesize
184KB

Download
memory/5824-2168-0x0000000003290000-0x0000000003296000-memory.dmp

Filesize
24KB

Download