healer | a606d445079a976908dd6e17fe4b3e41603b02efaeda36b4746e57e316277717

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a606d445079a976908dd6e17fe4b3e41603b02efaeda36b4746e57e316277717.exe
Size

1009KB
MD5

8489674101c7ca0825f778ed817d77b7
SHA1

17ac69199544d4f16393a7c84d0e73dcfd6b97dd
SHA256

a606d445079a976908dd6e17fe4b3e41603b02efaeda36b4746e57e316277717
SHA512

27548d4983efe8087f0f37d89c4984c99dab2dfc405cc7112c79f1ef3a182fece60dd52881c282a0efc8db55cf2bb1e1b9693436f5346263efe50f14a2f4e03b
SSDEEP

24576:0y/aBsiDIpWlK9NC4GV4CJD5rtg1qp/IKDa9WrrjisvnJGHlKPWw:DSBscq6K9NC4e4ot8qdIuDNYFKP/

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b9f-25.dat	healer
behavioral1/memory/3988-28-0x0000000000990000-0x000000000099A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	budW80hd20.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	budW80hd20.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	budW80hd20.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	budW80hd20.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	budW80hd20.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	budW80hd20.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3420-34-0x0000000007120000-0x0000000007166000-memory.dmp	family_redline
behavioral1/memory/3420-36-0x0000000007760000-0x00000000077A4000-memory.dmp	family_redline
behavioral1/memory/3420-48-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-46-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-100-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-98-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-96-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-94-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-90-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-88-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-87-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-82-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-80-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-79-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-76-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-74-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-72-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-70-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-66-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-64-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-62-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-60-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-58-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-56-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-54-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-52-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-50-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-44-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-43-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-40-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-92-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-84-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-68-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-38-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline
behavioral1/memory/3420-37-0x0000000007760000-0x000000000779E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
4420	plIF98Sr38.exe
2584	plML01hz30.exe
220	plWG34oR58.exe
3988	budW80hd20.exe
3420	camI25xZ44.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	budW80hd20.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a606d445079a976908dd6e17fe4b3e41603b02efaeda36b4746e57e316277717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plIF98Sr38.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plML01hz30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plWG34oR58.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a606d445079a976908dd6e17fe4b3e41603b02efaeda36b4746e57e316277717.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plIF98Sr38.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plML01hz30.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plWG34oR58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	camI25xZ44.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3988	budW80hd20.exe
3988	budW80hd20.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3988	budW80hd20.exe
Token: SeDebugPrivilege	3420	camI25xZ44.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 4420	3100	a606d445079a976908dd6e17fe4b3e41603b02efaeda36b4746e57e316277717.exe	83
PID 3100 wrote to memory of 4420	3100	a606d445079a976908dd6e17fe4b3e41603b02efaeda36b4746e57e316277717.exe	83
PID 3100 wrote to memory of 4420	3100	a606d445079a976908dd6e17fe4b3e41603b02efaeda36b4746e57e316277717.exe	83
PID 4420 wrote to memory of 2584	4420	plIF98Sr38.exe	85
PID 4420 wrote to memory of 2584	4420	plIF98Sr38.exe	85
PID 4420 wrote to memory of 2584	4420	plIF98Sr38.exe	85
PID 2584 wrote to memory of 220	2584	plML01hz30.exe	87
PID 2584 wrote to memory of 220	2584	plML01hz30.exe	87
PID 2584 wrote to memory of 220	2584	plML01hz30.exe	87
PID 220 wrote to memory of 3988	220	plWG34oR58.exe	88
PID 220 wrote to memory of 3988	220	plWG34oR58.exe	88
PID 220 wrote to memory of 3420	220	plWG34oR58.exe	99
PID 220 wrote to memory of 3420	220	plWG34oR58.exe	99
PID 220 wrote to memory of 3420	220	plWG34oR58.exe	99

C:\Users\Admin\AppData\Local\Temp\a606d445079a976908dd6e17fe4b3e41603b02efaeda36b4746e57e316277717.exe
"C:\Users\Admin\AppData\Local\Temp\a606d445079a976908dd6e17fe4b3e41603b02efaeda36b4746e57e316277717.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIF98Sr38.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIF98Sr38.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plML01hz30.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plML01hz30.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWG34oR58.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWG34oR58.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:220
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budW80hd20.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budW80hd20.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\camI25xZ44.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\camI25xZ44.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIF98Sr38.exe

Filesize
906KB

MD5
0779a57506eda18025182778e3073bc5

SHA1
02a9a020732e8c25f3b363bd790222842869a5f4

SHA256
66cc5272bc4ae378627b91bf57dcf3feb8e8e32eb24af7ab690c6406797bd74e

SHA512
0267d933332aff0086954228d0cf1d1cb5e266100a47d20226b61457a1331d92e0382a2bb109b55c3ab7b96dde553da0e28962e215e3212a8bb822e01422ad88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plML01hz30.exe

Filesize
682KB

MD5
2b2cc7bc561de7ecfaacdbf92bb3830e

SHA1
e06645c0cc0cd6c2578fb9a05a3f71d09ea28f84

SHA256
298d1267362cad5b010c9a258e70e7a3bea93f80b6d8cb26f1146f277d46efb5

SHA512
317cf3552a17b95e700a88f8fbcf7417873c68e19c3966901f5e7c7a4e1736b27bd2ebcb52b4668b58d3b7edee008aa563463a0bac9e114429f269d8b047bbf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWG34oR58.exe

Filesize
399KB

MD5
37f3f4f1b6a3088e4e490be4a9652e4f

SHA1
308d7afcb7fc65b6535d957002c8ce573b4a0a15

SHA256
260af22c5cac0687cab48a5dee076a4597272ca1b59b29b9dc55ddb8de3d0bb8

SHA512
91f63ba1d4a0d5b9efd01bb6629b65ebd4298fc2aed5536b488f68534d1149f69025b474101e56a7ae1908ebc989a18dd6700db21753585dfccc6a3bdbceb2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\budW80hd20.exe

Filesize
12KB

MD5
04c94ad223bab696de00a1fdfaf5e614

SHA1
9185415c103f3b46d5db57a52920603bc19db839

SHA256
da90d38e1ffcb41ce0c67ff25152839c9e898243ce1537de76ab118b49ba3f9a

SHA512
be8106939d470521437fcdd9a4f2f010116748fc837fcdcd5fbdbf90999cd7b699abaa250c4019a06ea7d5de0deeeec3a90410b4b2a6b37f757a3277549a7e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\camI25xZ44.exe

Filesize
375KB

MD5
5ff32f757fe387c14ed8b1388ed9ec51

SHA1
43465ddc0d2b6107b9ec69f4852abedc6dc7a3e3

SHA256
ed7b94310be80b1aadad0043ae5539fbdf5a5b57626e275cf1e93cda3a307c60

SHA512
f89a31e03ae0ec6116b58136b1362bab031f04a340738d5878152905ca69964c833fb5b58c339af3e71fc804e6f727983e8a9db43e58ac37875fb1e2d83a2c92

Download Submit
memory/3420-74-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-64-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-35-0x0000000007170000-0x0000000007714000-memory.dmp

Filesize
5.6MB

Download
memory/3420-36-0x0000000007760000-0x00000000077A4000-memory.dmp

Filesize
272KB

Download
memory/3420-48-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-46-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-100-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-98-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-96-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-94-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-90-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-88-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-87-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-82-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-80-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-79-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-76-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-947-0x0000000008150000-0x000000000819C000-memory.dmp

Filesize
304KB

Download
memory/3420-72-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-70-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-66-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-34-0x0000000007120000-0x0000000007166000-memory.dmp

Filesize
280KB

Download
memory/3420-62-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-60-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-58-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-56-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-54-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-52-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-50-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-44-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-43-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-40-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-92-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-84-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-68-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-38-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-37-0x0000000007760000-0x000000000779E000-memory.dmp

Filesize
248KB

Download
memory/3420-943-0x0000000007800000-0x0000000007E18000-memory.dmp

Filesize
6.1MB

Download
memory/3420-944-0x0000000007EA0000-0x0000000007FAA000-memory.dmp

Filesize
1.0MB

Download
memory/3420-945-0x0000000007FE0000-0x0000000007FF2000-memory.dmp

Filesize
72KB

Download
memory/3420-946-0x0000000008000000-0x000000000803C000-memory.dmp

Filesize
240KB

Download
memory/3988-28-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download