healer | ea3da77db58feac7844f16d04dc1e3a15167856eb5bcc7fad64618919e2204a3

Analysis

max time kernel
118s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea3da77db58feac7844f16d04dc1e3a15167856eb5bcc7fad64618919e2204a3.exe
Size

1.0MB
MD5

f6c4d9bcd369db29243fe4e0dad7172a
SHA1

c2b6a44ac5b7b6e34f4d45a64a02b5f8c0f05757
SHA256

ea3da77db58feac7844f16d04dc1e3a15167856eb5bcc7fad64618919e2204a3
SHA512

bae7e98e43bbf76108695be6e85665c01d78bcbb1088ab47617db9142ea83cf1c6364edc79cb40d6a9987e4be8f82468504fc8a01bbe0c1f678d0d4b5fab6c19
SSDEEP

24576:ayZ1XIWfI1bF/E21jDJ1fnaMpMzOv+FecyKheTAgwne7/4EsMl:hZC3j1vbPaM+e+LO2nI4EJ

Score

10^/10

healer redline rouch discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rouch

193.56.146.11:4162

Attributes

auth_value
1b1735bcfc122c708eae27ca352568de

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023be2-25.dat	healer
behavioral1/memory/4264-28-0x0000000000EC0000-0x0000000000ECA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	beBq41cn92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	beBq41cn92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	beBq41cn92.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	beBq41cn92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	beBq41cn92.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	beBq41cn92.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3800-34-0x0000000002350000-0x0000000002396000-memory.dmp	family_redline
behavioral1/memory/3800-36-0x0000000002730000-0x0000000002774000-memory.dmp	family_redline
behavioral1/memory/3800-68-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-92-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-100-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-98-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-96-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-90-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-88-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-86-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-84-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-82-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-80-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-78-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-76-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-74-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-72-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-70-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-66-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-64-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-62-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-60-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-58-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-56-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-54-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-52-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-50-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-48-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-46-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-44-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-40-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-94-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-42-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-38-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline
behavioral1/memory/3800-37-0x0000000002730000-0x000000000276E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
4984	ptBE1705lQ.exe
2348	ptWI1188zO.exe
1088	ptxw1625lv.exe
4264	beBq41cn92.exe
3800	cuVf00PI73.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	beBq41cn92.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ptWI1188zO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ptxw1625lv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ea3da77db58feac7844f16d04dc1e3a15167856eb5bcc7fad64618919e2204a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ptBE1705lQ.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea3da77db58feac7844f16d04dc1e3a15167856eb5bcc7fad64618919e2204a3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptBE1705lQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptWI1188zO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ptxw1625lv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cuVf00PI73.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4264	beBq41cn92.exe
4264	beBq41cn92.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4264	beBq41cn92.exe
Token: SeDebugPrivilege	3800	cuVf00PI73.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4984	4608	ea3da77db58feac7844f16d04dc1e3a15167856eb5bcc7fad64618919e2204a3.exe	83
PID 4608 wrote to memory of 4984	4608	ea3da77db58feac7844f16d04dc1e3a15167856eb5bcc7fad64618919e2204a3.exe	83
PID 4608 wrote to memory of 4984	4608	ea3da77db58feac7844f16d04dc1e3a15167856eb5bcc7fad64618919e2204a3.exe	83
PID 4984 wrote to memory of 2348	4984	ptBE1705lQ.exe	84
PID 4984 wrote to memory of 2348	4984	ptBE1705lQ.exe	84
PID 4984 wrote to memory of 2348	4984	ptBE1705lQ.exe	84
PID 2348 wrote to memory of 1088	2348	ptWI1188zO.exe	86
PID 2348 wrote to memory of 1088	2348	ptWI1188zO.exe	86
PID 2348 wrote to memory of 1088	2348	ptWI1188zO.exe	86
PID 1088 wrote to memory of 4264	1088	ptxw1625lv.exe	87
PID 1088 wrote to memory of 4264	1088	ptxw1625lv.exe	87
PID 1088 wrote to memory of 3800	1088	ptxw1625lv.exe	97
PID 1088 wrote to memory of 3800	1088	ptxw1625lv.exe	97
PID 1088 wrote to memory of 3800	1088	ptxw1625lv.exe	97

C:\Users\Admin\AppData\Local\Temp\ea3da77db58feac7844f16d04dc1e3a15167856eb5bcc7fad64618919e2204a3.exe
"C:\Users\Admin\AppData\Local\Temp\ea3da77db58feac7844f16d04dc1e3a15167856eb5bcc7fad64618919e2204a3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptBE1705lQ.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptBE1705lQ.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptWI1188zO.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptWI1188zO.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptxw1625lv.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptxw1625lv.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beBq41cn92.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beBq41cn92.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cuVf00PI73.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cuVf00PI73.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptBE1705lQ.exe

Filesize
936KB

MD5
99b4c46ab6c2e74cb4420cf6a37cf7ed

SHA1
7168715c75c96b94c9f7a2be99b6b80142718561

SHA256
4c9aed95952b6446ac8960b6b837bab84ea05ea1bbefde1c3b935766e19dd6a3

SHA512
ee7aa53145b1803de8c13a1d99361b9909137666ffed7344745f9b58de67252053bdc770a0fc58ee8c77657faeec07c65e7900de91ff44f0554df48210239fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptWI1188zO.exe

Filesize
667KB

MD5
441cd6cafea8f5b4b37aaa363e521d43

SHA1
60bdccdd66251a759d7ee9397e7da87b88444536

SHA256
4aec930e016c3b5b557f467e6ad28032e913c129406768c4686655ef86dbc0fc

SHA512
747390dc2308bb236ebc2a42ba4ad84e7e44f896a3babb31c5136a3f9d3feaf2575082ac309bfccd2122980e53830ee9406aa3c1ee924a70010762d1cfadebe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptxw1625lv.exe

Filesize
391KB

MD5
c898632e50ae4d02eaa06c07502461ea

SHA1
f7ce95b84e29ca5e1883383fd4b5d38d09481b77

SHA256
d3b06f368acb8274001cbaef40b3742eb49edc24de2af4c43dabe2301eb49840

SHA512
bbc4d72e81476ecffeb4c8ae72c385f40faf08db810ecb2c459131cfd16a65cba01ee9443a36ee70a122561c2a46d8222f78c09b1b31f5a64896cd7de194ba29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\beBq41cn92.exe

Filesize
11KB

MD5
03de47a528e4b7d3f0b33b2b7ddf07eb

SHA1
9380f4bdd2e3d73b89ae5066f037224b5774f43e

SHA256
e1c229ec6ba698c85f32fdd6d765f619d53e469643d0a68242c446779bd0ba46

SHA512
47dd68f5eea5a337fdbdfcc2cf6a459339afd193d10f31e9f6e3ec66347cccd554952631d6c7846620836531921bd055333bc3d33b6bc75ffda12f2cfc7e5ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cuVf00PI73.exe

Filesize
304KB

MD5
a562213cf445eaaf665759f35b4e91c2

SHA1
c37cb42d6b01cb56f0528499c8cb2d801176bf45

SHA256
457e081eb0be34e398946eda58be940aef13cd4390cb727cc848846833d307c3

SHA512
6944f4c08e8617f4ff143a96aeb4b4dc8c31562db7f6747bed36abb4116b540c181a5c42384505f1d059c3e3bbdf4f4ca3f74d0480b0e20efa28e1505f3b4fbd

Download Submit
memory/3800-74-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-64-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-35-0x0000000004DC0000-0x0000000005364000-memory.dmp

Filesize
5.6MB

Download
memory/3800-36-0x0000000002730000-0x0000000002774000-memory.dmp

Filesize
272KB

Download
memory/3800-68-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-92-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-100-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-98-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-96-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-90-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-88-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-86-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-84-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-82-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-80-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-78-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-76-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-947-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/3800-72-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-70-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-66-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-34-0x0000000002350000-0x0000000002396000-memory.dmp

Filesize
280KB

Download
memory/3800-62-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-60-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-58-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-56-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-54-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-52-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-50-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-48-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-46-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-44-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-40-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-94-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-42-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-38-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-37-0x0000000002730000-0x000000000276E000-memory.dmp

Filesize
248KB

Download
memory/3800-943-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/3800-944-0x0000000004C80000-0x0000000004D8A000-memory.dmp

Filesize
1.0MB

Download
memory/3800-945-0x00000000059A0000-0x00000000059B2000-memory.dmp

Filesize
72KB

Download
memory/3800-946-0x00000000059C0000-0x00000000059FC000-memory.dmp

Filesize
240KB

Download
memory/4264-28-0x0000000000EC0000-0x0000000000ECA000-memory.dmp

Filesize
40KB

Download