healer | 702ba0918ba09c30862f24a97793ee1b7d6a61bf5dc91ccb06b9f5ba53423957

Analysis

max time kernel
119s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

702ba0918ba09c30862f24a97793ee1b7d6a61bf5dc91ccb06b9f5ba53423957.exe
Size

568KB
MD5

eb0e8f6c748997db0ce829249f800507
SHA1

576be9bc68f59170ef1a2fa86c83bbd36dcbfaf1
SHA256

702ba0918ba09c30862f24a97793ee1b7d6a61bf5dc91ccb06b9f5ba53423957
SHA512

51ab0a4e5dfcfc2bb5d4db31843c8c11cf4bbfa53b832194276f7a9db8371e702fad27fb9eef4dc099ceeeedca1810e83d16799c191d6384e560f628b67bc08c
SSDEEP

12288:iy90o14Qudgv1Dx9ItxE9JaOXkg6/PV81lBwzo/rC+I:iyb4l+1wEPxyOBuoTC+I

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cb3-12.dat	healer
behavioral1/memory/628-15-0x0000000000910000-0x000000000091A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	it729947.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	it729947.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	it729947.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	it729947.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	it729947.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	it729947.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4508-22-0x0000000004CC0000-0x0000000004CFC000-memory.dmp	family_redline
behavioral1/memory/4508-24-0x0000000004D80000-0x0000000004DBA000-memory.dmp	family_redline
behavioral1/memory/4508-26-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-40-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-88-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-86-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-84-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-82-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-80-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-78-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-72-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-70-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-68-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-66-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-64-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-62-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-60-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-58-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-56-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-54-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-52-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-50-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-46-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-45-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-43-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-38-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-37-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-34-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-32-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-30-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-28-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-76-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-74-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-48-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline
behavioral1/memory/4508-25-0x0000000004D80000-0x0000000004DB5000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4628	zirh1110.exe
628	it729947.exe
4508	jr051792.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	it729947.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	702ba0918ba09c30862f24a97793ee1b7d6a61bf5dc91ccb06b9f5ba53423957.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zirh1110.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	702ba0918ba09c30862f24a97793ee1b7d6a61bf5dc91ccb06b9f5ba53423957.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zirh1110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jr051792.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
628	it729947.exe
628	it729947.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	it729947.exe
Token: SeDebugPrivilege	4508	jr051792.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 4628	1972	702ba0918ba09c30862f24a97793ee1b7d6a61bf5dc91ccb06b9f5ba53423957.exe	83
PID 1972 wrote to memory of 4628	1972	702ba0918ba09c30862f24a97793ee1b7d6a61bf5dc91ccb06b9f5ba53423957.exe	83
PID 1972 wrote to memory of 4628	1972	702ba0918ba09c30862f24a97793ee1b7d6a61bf5dc91ccb06b9f5ba53423957.exe	83
PID 4628 wrote to memory of 628	4628	zirh1110.exe	84
PID 4628 wrote to memory of 628	4628	zirh1110.exe	84
PID 4628 wrote to memory of 4508	4628	zirh1110.exe	89
PID 4628 wrote to memory of 4508	4628	zirh1110.exe	89
PID 4628 wrote to memory of 4508	4628	zirh1110.exe	89

C:\Users\Admin\AppData\Local\Temp\702ba0918ba09c30862f24a97793ee1b7d6a61bf5dc91ccb06b9f5ba53423957.exe
"C:\Users\Admin\AppData\Local\Temp\702ba0918ba09c30862f24a97793ee1b7d6a61bf5dc91ccb06b9f5ba53423957.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirh1110.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirh1110.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it729947.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it729947.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr051792.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr051792.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zirh1110.exe

Filesize
414KB

MD5
d560297c408a1461e0d7b6a66c0ff418

SHA1
d10f31e40926dfa0973cbba6d36c115672a0264b

SHA256
5d0ca654d68c559fc48f72a94055678e97b50428ffa41829e2c5d432f56a0975

SHA512
a84c5ad9e8351e00c6cfa12b72f5f1ece2841280ff761d50f49ca7f92f5e177fdba6a43040bfb0c082da4bdc9e6f7659e960efefe91900d528a632227b30c6a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it729947.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr051792.exe

Filesize
362KB

MD5
b838b8f2b473c4f776197d77c337c151

SHA1
b13adc63a37672506a09d795e2157e16acfe05fa

SHA256
0d05fb1eb8723716ea0b66e52767541ac4dc2f60c6d2ecd3660e7b384a7da3cd

SHA512
fe6659d8719f41285a6e7802793f505f2dd47c93136f693a1a66dd65421cf4447ff9901a78bb202050bbe15372d56084b73b56661ae834830fd5994e2fe5df09

Download Submit
memory/628-14-0x00007FF9E7FE3000-0x00007FF9E7FE5000-memory.dmp

Filesize
8KB

Download
memory/628-15-0x0000000000910000-0x000000000091A000-memory.dmp

Filesize
40KB

Download
memory/628-16-0x00007FF9E7FE3000-0x00007FF9E7FE5000-memory.dmp

Filesize
8KB

Download
memory/4508-72-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-62-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-24-0x0000000004D80000-0x0000000004DBA000-memory.dmp

Filesize
232KB

Download
memory/4508-26-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-40-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-88-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-86-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-84-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-82-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-820-0x0000000007570000-0x00000000075AC000-memory.dmp

Filesize
240KB

Download
memory/4508-819-0x000000000A530000-0x000000000A63A000-memory.dmp

Filesize
1.0MB

Download
memory/4508-821-0x0000000004BD0000-0x0000000004C1C000-memory.dmp

Filesize
304KB

Download
memory/4508-818-0x0000000007530000-0x0000000007542000-memory.dmp

Filesize
72KB

Download
memory/4508-817-0x0000000009F10000-0x000000000A528000-memory.dmp

Filesize
6.1MB

Download
memory/4508-80-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-78-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-22-0x0000000004CC0000-0x0000000004CFC000-memory.dmp

Filesize
240KB

Download
memory/4508-70-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-68-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-66-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-64-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-23-0x00000000075E0000-0x0000000007B84000-memory.dmp

Filesize
5.6MB

Download
memory/4508-60-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-58-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-56-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-54-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-52-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-50-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-46-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-45-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-43-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-38-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-37-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-34-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-32-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-30-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-28-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-76-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-74-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-48-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download
memory/4508-25-0x0000000004D80000-0x0000000004DB5000-memory.dmp

Filesize
212KB

Download