healer | 755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9N.exe
Size

1.0MB
MD5

1a29062a3b6ecfb1e0e15146e3f4a0f0
SHA1

f7ca636a88707be0daa090e81abd991d3e85a15c
SHA256

755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9
SHA512

7c3b557c47c254daef57c31209e25b1ce329d2829abaea20a259fd6dc2124b3ca45c7ef3037b7e6fda75bdcc418841296748d7206eb7b759bb3f95d125cda885
SSDEEP

24576:Py+VCvaizvC1Hdj+QYKQYNmxckwYBWPG5iE2n4zKyb:a+cv8dCQYKQYk8wtc

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0032000000023b8a-25.dat	healer
behavioral1/memory/2820-28-0x0000000000BC0000-0x0000000000BCA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	bupU57YL07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	bupU57YL07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	bupU57YL07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	bupU57YL07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	bupU57YL07.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	bupU57YL07.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3216-34-0x00000000024A0000-0x00000000024E6000-memory.dmp	family_redline
behavioral1/memory/3216-36-0x0000000004CA0000-0x0000000004CE4000-memory.dmp	family_redline
behavioral1/memory/3216-50-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-82-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-100-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-98-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-96-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-92-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-90-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-88-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-86-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-80-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-78-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-76-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-74-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-72-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-70-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-66-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-64-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-62-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-61-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-58-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-56-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-54-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-52-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-48-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-46-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-44-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-40-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-94-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-84-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-68-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-42-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-38-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline
behavioral1/memory/3216-37-0x0000000004CA0000-0x0000000004CDE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
752	plUA07sK23.exe
3788	plSC79Ev52.exe
1040	plDv13Mo92.exe
2820	bupU57YL07.exe
3216	caVZ71Tq47.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	bupU57YL07.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plDv13Mo92.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plUA07sK23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plSC79Ev52.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plUA07sK23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plSC79Ev52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plDv13Mo92.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caVZ71Tq47.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2820	bupU57YL07.exe
2820	bupU57YL07.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	bupU57YL07.exe
Token: SeDebugPrivilege	3216	caVZ71Tq47.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 752	5064	755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9N.exe	84
PID 5064 wrote to memory of 752	5064	755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9N.exe	84
PID 5064 wrote to memory of 752	5064	755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9N.exe	84
PID 752 wrote to memory of 3788	752	plUA07sK23.exe	86
PID 752 wrote to memory of 3788	752	plUA07sK23.exe	86
PID 752 wrote to memory of 3788	752	plUA07sK23.exe	86
PID 3788 wrote to memory of 1040	3788	plSC79Ev52.exe	87
PID 3788 wrote to memory of 1040	3788	plSC79Ev52.exe	87
PID 3788 wrote to memory of 1040	3788	plSC79Ev52.exe	87
PID 1040 wrote to memory of 2820	1040	plDv13Mo92.exe	88
PID 1040 wrote to memory of 2820	1040	plDv13Mo92.exe	88
PID 1040 wrote to memory of 3216	1040	plDv13Mo92.exe	94
PID 1040 wrote to memory of 3216	1040	plDv13Mo92.exe	94
PID 1040 wrote to memory of 3216	1040	plDv13Mo92.exe	94

C:\Users\Admin\AppData\Local\Temp\755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9N.exe
"C:\Users\Admin\AppData\Local\Temp\755f4344d6c0333adf37b3d731b959327e2bbf5bcea4f316d4a288c801ab86e9N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plUA07sK23.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plUA07sK23.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSC79Ev52.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSC79Ev52.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plDv13Mo92.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plDv13Mo92.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1040
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bupU57YL07.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bupU57YL07.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caVZ71Tq47.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caVZ71Tq47.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plUA07sK23.exe

Filesize
936KB

MD5
be704dd2becfc994a21d58a33e93ba97

SHA1
b9b42f262eb32e4d3cb9fc1fc40cfcf87b62c87c

SHA256
39d10d316230362d345728bc995a0710205b1e011d14a06cab138f7a2b066c1c

SHA512
41e1978648ae815d1a86c1c9b4dd47ee236acff24dc43c428ed91dc70d04035514c17aa76308fc4cd1e7bd7ac4c5240f3df6f445c1b10ee7c9e8922c0cffbc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSC79Ev52.exe

Filesize
666KB

MD5
595012eba8deca6530704fd09b6d27b6

SHA1
ec095c60658465fba60d326545a24460bed0875d

SHA256
a497a6c1cbe29e984eb2b74a7ffd4df3e9fc7e1cec9dbed4703edc6bf679dbc4

SHA512
d3dc363c2180669d25237f2475c9eb9914c8b97cf4b3fa4f4f01202e1272fe2dafced4fe582a3a8bcfa18c3b6690ded1709e6de13749d7a14f7f51b0250832c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plDv13Mo92.exe

Filesize
391KB

MD5
fb801db9f05b95fd3db16a4d59c6e346

SHA1
3635ac9b4370430de1b9d709672a1014050bcd67

SHA256
e2d6e7b34ab435e695604014b09678344d950997b922bed43888cf388db73426

SHA512
a12d5995484fe9a3f02e7187d19d5ada35b4065198593b833c52dfbfbae870a232b12a36789789d44690ff017ba689107ca31606b0026ba2b5f80350402d6089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bupU57YL07.exe

Filesize
16KB

MD5
6fc39149b0ad5a9cc8f325e78d2c1d45

SHA1
d07a1d90a20a80c0ac215d3bb30f9311481e3d86

SHA256
4465c8a76b5fdf1f2cd4a4bf81397e6366ede4f0333933e2474e380fd21c1301

SHA512
e44629576500f40ee9431f0ccc57a313f88496084bb2c4b54124ba46fe23d2f8afc7046c5443966a6f0d6ad69ec8fd7aa2ab0312a1a2873d85c824670bd6c486

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caVZ71Tq47.exe

Filesize
302KB

MD5
5b4052ee747278a02dac44898f59aaee

SHA1
6b59810f74916a6921ea2276b57b6f5f61c79654

SHA256
baddc727c186e86b475b2b6dd68a39db563c8f1b6129e7e5f88fb4060cb7ee80

SHA512
9d14b58234c4790199902771cecd0723a17e01e7fd1cc5a66d7d92e1848de7347e86429c8985ea885e345e0a80d550af5b4629c98a8e30142c8c21201d7e2c23

Download Submit
memory/2820-28-0x0000000000BC0000-0x0000000000BCA000-memory.dmp

Filesize
40KB

Download
memory/3216-72-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-61-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-36-0x0000000004CA0000-0x0000000004CE4000-memory.dmp

Filesize
272KB

Download
memory/3216-50-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-82-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-100-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-98-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-96-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-92-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-90-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-88-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-86-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-80-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-78-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-76-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-74-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-34-0x00000000024A0000-0x00000000024E6000-memory.dmp

Filesize
280KB

Download
memory/3216-70-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-66-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-64-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-62-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-35-0x0000000004DE0000-0x0000000005384000-memory.dmp

Filesize
5.6MB

Download
memory/3216-58-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-56-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-943-0x0000000005390000-0x00000000059A8000-memory.dmp

Filesize
6.1MB

Download
memory/3216-945-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

Filesize
72KB

Download
memory/3216-944-0x00000000059B0000-0x0000000005ABA000-memory.dmp

Filesize
1.0MB

Download
memory/3216-946-0x0000000005B00000-0x0000000005B3C000-memory.dmp

Filesize
240KB

Download
memory/3216-54-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-52-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-947-0x0000000005C50000-0x0000000005C9C000-memory.dmp

Filesize
304KB

Download
memory/3216-48-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-46-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-44-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-40-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-94-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-84-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-68-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-42-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-38-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download
memory/3216-37-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

Filesize
248KB

Download