healer | 5133c72b126ee1a0cde662582b1d64de1318adc8ea8b269c05e50d9a21bf4d4a

Analysis

max time kernel
118s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5133c72b126ee1a0cde662582b1d64de1318adc8ea8b269c05e50d9a21bf4d4aN.exe
Size

931KB
MD5

ec29f8f17396692617d98b9c59b2fc70
SHA1

6f07033036d41a0c36320588a01f1f5f9c61e093
SHA256

5133c72b126ee1a0cde662582b1d64de1318adc8ea8b269c05e50d9a21bf4d4a
SHA512

e9c8f65fc919332652f5b455f42b018df7a5030fb87e5c9060c8f4de9ce64a4362ca3c14ee0ab01ffd72c4e2e07077c61bc25952bea46b0e4e78948b5fd8509a
SSDEEP

24576:lyOWcp/bklaVRdmt+5ajThH3qNJDqquyDWBZZg:AfksUDap3qNJDqqTDWB

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b82-19.dat	healer
behavioral1/memory/3576-22-0x0000000000630000-0x000000000063A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az803916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az803916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az803916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az803916.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az803916.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az803916.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/1900-29-0x0000000007100000-0x000000000713C000-memory.dmp	family_redline
behavioral1/memory/1900-31-0x0000000007750000-0x000000000778A000-memory.dmp	family_redline
behavioral1/memory/1900-37-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-49-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-96-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-93-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-91-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-89-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-87-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-85-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-83-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-81-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-80-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-77-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-75-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-73-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-71-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-70-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-67-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-65-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-63-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-61-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-59-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-57-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-55-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-53-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-47-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-45-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-43-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-41-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-39-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-51-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-35-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-33-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline
behavioral1/memory/1900-32-0x0000000007750000-0x0000000007785000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
1580	ki686712.exe
2588	ki498772.exe
3576	az803916.exe
1900	bu103693.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az803916.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5133c72b126ee1a0cde662582b1d64de1318adc8ea8b269c05e50d9a21bf4d4aN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ki686712.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ki498772.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5133c72b126ee1a0cde662582b1d64de1318adc8ea8b269c05e50d9a21bf4d4aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki686712.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki498772.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bu103693.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3576	az803916.exe
3576	az803916.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3576	az803916.exe
Token: SeDebugPrivilege	1900	bu103693.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 1580	468	5133c72b126ee1a0cde662582b1d64de1318adc8ea8b269c05e50d9a21bf4d4aN.exe	83
PID 468 wrote to memory of 1580	468	5133c72b126ee1a0cde662582b1d64de1318adc8ea8b269c05e50d9a21bf4d4aN.exe	83
PID 468 wrote to memory of 1580	468	5133c72b126ee1a0cde662582b1d64de1318adc8ea8b269c05e50d9a21bf4d4aN.exe	83
PID 1580 wrote to memory of 2588	1580	ki686712.exe	86
PID 1580 wrote to memory of 2588	1580	ki686712.exe	86
PID 1580 wrote to memory of 2588	1580	ki686712.exe	86
PID 2588 wrote to memory of 3576	2588	ki498772.exe	87
PID 2588 wrote to memory of 3576	2588	ki498772.exe	87
PID 2588 wrote to memory of 1900	2588	ki498772.exe	94
PID 2588 wrote to memory of 1900	2588	ki498772.exe	94
PID 2588 wrote to memory of 1900	2588	ki498772.exe	94

C:\Users\Admin\AppData\Local\Temp\5133c72b126ee1a0cde662582b1d64de1318adc8ea8b269c05e50d9a21bf4d4aN.exe
"C:\Users\Admin\AppData\Local\Temp\5133c72b126ee1a0cde662582b1d64de1318adc8ea8b269c05e50d9a21bf4d4aN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki686712.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki686712.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki498772.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki498772.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\az803916.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\az803916.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu103693.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu103693.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki686712.exe

Filesize
696KB

MD5
a205a45c2542663667e99f21467d3fa9

SHA1
7689e3fc35f3e908bd25bfa7a5cb2a1e62d3e970

SHA256
9b9b18c444df20c82d355ad5b2307c6ca60633a1c68c4ecbcf39431aa49736d6

SHA512
13e98cc71187d36e5d2dc67f7cc3b2cd10a437824019a42259a373ca1ba173ecc42403a261d75c389105e609bdbe059086bde16966749629caebb0bbe723d8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki498772.exe

Filesize
415KB

MD5
38008c6058bad07d61bdceeda4d63f4b

SHA1
f725bc40cc4e364a23fdd42ed7d3c2b67e43ca62

SHA256
a5876d959675b0df348b8cb93c8030c35deefee7ae77a837389b26c3ad9a95ae

SHA512
2c99508b3ae60a4a6926ad1b53df4f5d5db531ce0ca3c45594dd2566c52a8f6c8ac3f717c7776d68120b5e9bf8f1be3708f616043ec23f1cbec41290edeecd97

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\az803916.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bu103693.exe

Filesize
360KB

MD5
ab0d27b5dd5d2f31d9bfd069a8090dc8

SHA1
96ac29a4a37ad9ff201d57e95f8214f474f84ddb

SHA256
75db0398721e0a9127744ec665deeb5b07f0b19ece75ffa0885d6041dd15c504

SHA512
f7ad0a73fc5cd3d0fb98c528fb2e0a1c8334f72257ecb6faa02eaf9e2d631a823ee3d27bb1d5ba2146d657ba3379fa90a0bda7486961e2305676802e33855bbf

Download Submit
memory/1900-71-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-29-0x0000000007100000-0x000000000713C000-memory.dmp

Filesize
240KB

Download
memory/1900-828-0x0000000006C30000-0x0000000006C7C000-memory.dmp

Filesize
304KB

Download
memory/1900-70-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-30-0x0000000007160000-0x0000000007704000-memory.dmp

Filesize
5.6MB

Download
memory/1900-31-0x0000000007750000-0x000000000778A000-memory.dmp

Filesize
232KB

Download
memory/1900-37-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-49-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-96-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-93-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-827-0x000000000A480000-0x000000000A4BC000-memory.dmp

Filesize
240KB

Download
memory/1900-89-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-67-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-85-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-83-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-81-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-80-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-77-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-75-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-73-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-91-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-826-0x000000000A360000-0x000000000A46A000-memory.dmp

Filesize
1.0MB

Download
memory/1900-87-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-65-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-63-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-61-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-59-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-57-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-55-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-53-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-47-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-45-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-43-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-41-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-39-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-51-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-35-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-33-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-32-0x0000000007750000-0x0000000007785000-memory.dmp

Filesize
212KB

Download
memory/1900-824-0x0000000009C80000-0x000000000A298000-memory.dmp

Filesize
6.1MB

Download
memory/1900-825-0x000000000A340000-0x000000000A352000-memory.dmp

Filesize
72KB

Download
memory/3576-23-0x00007FFF3CD53000-0x00007FFF3CD55000-memory.dmp

Filesize
8KB

Download
memory/3576-21-0x00007FFF3CD53000-0x00007FFF3CD55000-memory.dmp

Filesize
8KB

Download
memory/3576-22-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download