healer | b30198f61cc911ed1e7c2c3b31c64e8a20ac40c97cabec60f7aac9c1e93d6557

Analysis

max time kernel
119s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/11/2024, 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b30198f61cc911ed1e7c2c3b31c64e8a20ac40c97cabec60f7aac9c1e93d6557.exe
Size

1009KB
MD5

7d0d1d698d49945c121765846e1e8a0b
SHA1

880a37a7702cff9949f4ab490d0bdcebfae24972
SHA256

b30198f61cc911ed1e7c2c3b31c64e8a20ac40c97cabec60f7aac9c1e93d6557
SHA512

6e51dbf433b2c72de85cab8effc76ff0735653cadb054cd62dcdaa685f59a3b7a9d95876c8b5afe9a055d13633637f1bb99c28505990c903b0408ee254eeb7a2
SSDEEP

24576:jyuusfbGpqwb0zW8UOCWVLnOOCV7MXrGmjXUIeE:2cfbMbN8UOCWxOOk76rGQV

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000f000000023bb4-27.dat	healer
behavioral1/memory/1304-28-0x0000000000B90000-0x0000000000B9A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	buml52Rs72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	buml52Rs72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	buml52Rs72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	buml52Rs72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	buml52Rs72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	buml52Rs72.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4364-34-0x0000000007130000-0x0000000007176000-memory.dmp	family_redline
behavioral1/memory/4364-36-0x00000000071B0000-0x00000000071F4000-memory.dmp	family_redline
behavioral1/memory/4364-60-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-66-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-98-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-96-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-94-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-93-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-90-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-86-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-84-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-82-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-80-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-78-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-76-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-74-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-72-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-70-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-68-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-64-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-62-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-58-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-57-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-54-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-52-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-50-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-48-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-46-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-44-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-42-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-40-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-100-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-88-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-38-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline
behavioral1/memory/4364-37-0x00000000071B0000-0x00000000071EE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
1860	plWP11TL36.exe
3088	plYj52wv18.exe
3844	plLU89Im94.exe
1304	buml52Rs72.exe
4364	cacJ11FF38.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	buml52Rs72.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plWP11TL36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plYj52wv18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plLU89Im94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b30198f61cc911ed1e7c2c3b31c64e8a20ac40c97cabec60f7aac9c1e93d6557.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b30198f61cc911ed1e7c2c3b31c64e8a20ac40c97cabec60f7aac9c1e93d6557.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plWP11TL36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plYj52wv18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plLU89Im94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacJ11FF38.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1304	buml52Rs72.exe
1304	buml52Rs72.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1304	buml52Rs72.exe
Token: SeDebugPrivilege	4364	cacJ11FF38.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1860	4480	b30198f61cc911ed1e7c2c3b31c64e8a20ac40c97cabec60f7aac9c1e93d6557.exe	83
PID 4480 wrote to memory of 1860	4480	b30198f61cc911ed1e7c2c3b31c64e8a20ac40c97cabec60f7aac9c1e93d6557.exe	83
PID 4480 wrote to memory of 1860	4480	b30198f61cc911ed1e7c2c3b31c64e8a20ac40c97cabec60f7aac9c1e93d6557.exe	83
PID 1860 wrote to memory of 3088	1860	plWP11TL36.exe	84
PID 1860 wrote to memory of 3088	1860	plWP11TL36.exe	84
PID 1860 wrote to memory of 3088	1860	plWP11TL36.exe	84
PID 3088 wrote to memory of 3844	3088	plYj52wv18.exe	85
PID 3088 wrote to memory of 3844	3088	plYj52wv18.exe	85
PID 3088 wrote to memory of 3844	3088	plYj52wv18.exe	85
PID 3844 wrote to memory of 1304	3844	plLU89Im94.exe	87
PID 3844 wrote to memory of 1304	3844	plLU89Im94.exe	87
PID 3844 wrote to memory of 4364	3844	plLU89Im94.exe	97
PID 3844 wrote to memory of 4364	3844	plLU89Im94.exe	97
PID 3844 wrote to memory of 4364	3844	plLU89Im94.exe	97

C:\Users\Admin\AppData\Local\Temp\b30198f61cc911ed1e7c2c3b31c64e8a20ac40c97cabec60f7aac9c1e93d6557.exe
"C:\Users\Admin\AppData\Local\Temp\b30198f61cc911ed1e7c2c3b31c64e8a20ac40c97cabec60f7aac9c1e93d6557.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plWP11TL36.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plWP11TL36.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plYj52wv18.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plYj52wv18.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plLU89Im94.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plLU89Im94.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\buml52Rs72.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\buml52Rs72.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cacJ11FF38.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cacJ11FF38.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plWP11TL36.exe

Filesize
906KB

MD5
6e47a19ef5587e43248cbea69f66c3aa

SHA1
558089932941f476daca55a4db304ad1d3d1f349

SHA256
4e3740db90de1c77fabe89094c6e2c22895f56abbb39b0fdf4fd4f790c955581

SHA512
3c9cdd0c1004432787585c8a20034529525fd963e434d5cfecc2b76cc63672c4d3ac4c3ea4a102cea5550059ae41fe27fccaceaf193d7ca5ca9f62efa0cbfa33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plYj52wv18.exe

Filesize
682KB

MD5
3f5617ae1c2162774e2f87e29ac00aa7

SHA1
75ed5f80bbe6b677d77343eab4138bf1e23e327a

SHA256
c9e380d4e96ba0e6553809f962b5acd005ed4ca77a00c6c9f06fb7b4a36be3e3

SHA512
2132667df3aca34e85acedc1db7371370bb249f5d0eddaf16cad5f536460effc3a9b13cdaafe653cd0bfdb7c332c5e276ce1009eb710586a4a9c3385ae0daadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plLU89Im94.exe

Filesize
399KB

MD5
40e7b8445e8edd3a80a7fcf0f1fababb

SHA1
cb653edae5e775fc6349b1490bf45c0a7ee034cb

SHA256
18648b3a858a3cb3cabc55062646d3ffded61860deac35a050f0d7b2a873e242

SHA512
9ce86ae0fb7d8455a067c353aa40ef998e2b9861b39ba9c4c0cc5b1826cf764f44d866b9d9a8d23378281b6aac420fd38688a34ace24428984a930c5b9cff540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\buml52Rs72.exe

Filesize
14KB

MD5
771686f244c2c60d1b9aa8b009f3f949

SHA1
a806cb44b348e1bb44f2c987d282e0f28f92cb8d

SHA256
c79e02b8281211c9eadec9e707fbd5ad8cf2b4a0c4b41c8634d57ce75520cf10

SHA512
cfc4e53b76d1bb42c1186dc43521b2bf3ef4e4030d6a5153f793fa3157689a85b286ecbf527c4cb774b8b1b327ff538c5960ff4f03f200d68aa1caaaba4ec79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cacJ11FF38.exe

Filesize
375KB

MD5
47b1a20db297f70b1d9db60ea51d14d9

SHA1
b55664710122138d23e0e295dcade2b9aea41120

SHA256
80aab4a4c16d1ab74369c2914ab0348c3ab3b600ee7d40eda315a18bda1cd287

SHA512
e9924f8f89b8268c2d88d427727cacecffee75358583934131150fd73a1372ca65e0159cb221f718a19f2386cfa2905f46d58cd19a4ed63b5f98f073c3753288

Download Submit
memory/1304-28-0x0000000000B90000-0x0000000000B9A000-memory.dmp

Filesize
40KB

Download
memory/4364-74-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-62-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-36-0x00000000071B0000-0x00000000071F4000-memory.dmp

Filesize
272KB

Download
memory/4364-60-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-66-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-98-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-96-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-94-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-93-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-90-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-86-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-84-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-82-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-80-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-78-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-76-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-34-0x0000000007130000-0x0000000007176000-memory.dmp

Filesize
280KB

Download
memory/4364-72-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-70-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-68-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-64-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-35-0x0000000007320000-0x00000000078C4000-memory.dmp

Filesize
5.6MB

Download
memory/4364-58-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-57-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-54-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-52-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-50-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-48-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-46-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-44-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-42-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-40-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-100-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-88-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-38-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-37-0x00000000071B0000-0x00000000071EE000-memory.dmp

Filesize
248KB

Download
memory/4364-943-0x00000000079D0000-0x0000000007FE8000-memory.dmp

Filesize
6.1MB

Download
memory/4364-944-0x0000000007FF0000-0x00000000080FA000-memory.dmp

Filesize
1.0MB

Download
memory/4364-945-0x0000000008120000-0x0000000008132000-memory.dmp

Filesize
72KB

Download
memory/4364-946-0x0000000008140000-0x000000000817C000-memory.dmp

Filesize
240KB

Download
memory/4364-947-0x0000000008290000-0x00000000082DC000-memory.dmp

Filesize
304KB

Download