healer | c1aecf0aec2ac070f5d3cab5bc6bf6884ab84caa9dc54af79b9fe19cc23ccf4c

Analysis

max time kernel
117s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1aecf0aec2ac070f5d3cab5bc6bf6884ab84caa9dc54af79b9fe19cc23ccf4cN.exe
Size

1009KB
MD5

45a8c63cc29bb29e718ce0c8c1447020
SHA1

ac6e7ae55b48f26a960175fc1eb51c39a0503b5b
SHA256

c1aecf0aec2ac070f5d3cab5bc6bf6884ab84caa9dc54af79b9fe19cc23ccf4c
SHA512

ca0051dd2dc32efaadaf7802ef3fe2b346fbb47e357db9fddaad1fe618f0e66c64725e6d597e072af5fae1690d822f1ad9d85fb03ffb6860592d6ce37fb1b836
SSDEEP

24576:jyuusfbGpqwb0zW8UOCWVLnOOCV7MXrGmjXUIe:2cfbMbN8UOCWxOOk76rGQ

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023c98-25.dat	healer
behavioral1/memory/2568-28-0x00000000006D0000-0x00000000006DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	buml52Rs72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	buml52Rs72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	buml52Rs72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	buml52Rs72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	buml52Rs72.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	buml52Rs72.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/3468-34-0x0000000007100000-0x0000000007146000-memory.dmp	family_redline
behavioral1/memory/3468-36-0x00000000071A0000-0x00000000071E4000-memory.dmp	family_redline
behavioral1/memory/3468-64-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-84-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-98-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-96-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-94-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-93-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-90-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-88-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-86-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-82-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-80-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-78-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-76-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-74-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-72-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-70-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-68-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-66-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-62-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-60-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-58-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-56-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-54-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-52-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-50-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-48-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-46-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-44-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-42-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-100-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-40-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-38-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline
behavioral1/memory/3468-37-0x00000000071A0000-0x00000000071DE000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
1852	plWP11TL36.exe
2040	plYj52wv18.exe
2904	plLU89Im94.exe
2568	buml52Rs72.exe
3468	cacJ11FF38.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	buml52Rs72.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	plWP11TL36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	plYj52wv18.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	plLU89Im94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c1aecf0aec2ac070f5d3cab5bc6bf6884ab84caa9dc54af79b9fe19cc23ccf4cN.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c1aecf0aec2ac070f5d3cab5bc6bf6884ab84caa9dc54af79b9fe19cc23ccf4cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plWP11TL36.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plYj52wv18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	plLU89Im94.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacJ11FF38.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2568	buml52Rs72.exe
2568	buml52Rs72.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	buml52Rs72.exe
Token: SeDebugPrivilege	3468	cacJ11FF38.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 1852	4068	c1aecf0aec2ac070f5d3cab5bc6bf6884ab84caa9dc54af79b9fe19cc23ccf4cN.exe	84
PID 4068 wrote to memory of 1852	4068	c1aecf0aec2ac070f5d3cab5bc6bf6884ab84caa9dc54af79b9fe19cc23ccf4cN.exe	84
PID 4068 wrote to memory of 1852	4068	c1aecf0aec2ac070f5d3cab5bc6bf6884ab84caa9dc54af79b9fe19cc23ccf4cN.exe	84
PID 1852 wrote to memory of 2040	1852	plWP11TL36.exe	85
PID 1852 wrote to memory of 2040	1852	plWP11TL36.exe	85
PID 1852 wrote to memory of 2040	1852	plWP11TL36.exe	85
PID 2040 wrote to memory of 2904	2040	plYj52wv18.exe	87
PID 2040 wrote to memory of 2904	2040	plYj52wv18.exe	87
PID 2040 wrote to memory of 2904	2040	plYj52wv18.exe	87
PID 2904 wrote to memory of 2568	2904	plLU89Im94.exe	88
PID 2904 wrote to memory of 2568	2904	plLU89Im94.exe	88
PID 2904 wrote to memory of 3468	2904	plLU89Im94.exe	95
PID 2904 wrote to memory of 3468	2904	plLU89Im94.exe	95
PID 2904 wrote to memory of 3468	2904	plLU89Im94.exe	95

C:\Users\Admin\AppData\Local\Temp\c1aecf0aec2ac070f5d3cab5bc6bf6884ab84caa9dc54af79b9fe19cc23ccf4cN.exe
"C:\Users\Admin\AppData\Local\Temp\c1aecf0aec2ac070f5d3cab5bc6bf6884ab84caa9dc54af79b9fe19cc23ccf4cN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plWP11TL36.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plWP11TL36.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plYj52wv18.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plYj52wv18.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plLU89Im94.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plLU89Im94.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\buml52Rs72.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\buml52Rs72.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cacJ11FF38.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cacJ11FF38.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plWP11TL36.exe

Filesize
906KB

MD5
6e47a19ef5587e43248cbea69f66c3aa

SHA1
558089932941f476daca55a4db304ad1d3d1f349

SHA256
4e3740db90de1c77fabe89094c6e2c22895f56abbb39b0fdf4fd4f790c955581

SHA512
3c9cdd0c1004432787585c8a20034529525fd963e434d5cfecc2b76cc63672c4d3ac4c3ea4a102cea5550059ae41fe27fccaceaf193d7ca5ca9f62efa0cbfa33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plYj52wv18.exe

Filesize
682KB

MD5
3f5617ae1c2162774e2f87e29ac00aa7

SHA1
75ed5f80bbe6b677d77343eab4138bf1e23e327a

SHA256
c9e380d4e96ba0e6553809f962b5acd005ed4ca77a00c6c9f06fb7b4a36be3e3

SHA512
2132667df3aca34e85acedc1db7371370bb249f5d0eddaf16cad5f536460effc3a9b13cdaafe653cd0bfdb7c332c5e276ce1009eb710586a4a9c3385ae0daadc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plLU89Im94.exe

Filesize
399KB

MD5
40e7b8445e8edd3a80a7fcf0f1fababb

SHA1
cb653edae5e775fc6349b1490bf45c0a7ee034cb

SHA256
18648b3a858a3cb3cabc55062646d3ffded61860deac35a050f0d7b2a873e242

SHA512
9ce86ae0fb7d8455a067c353aa40ef998e2b9861b39ba9c4c0cc5b1826cf764f44d866b9d9a8d23378281b6aac420fd38688a34ace24428984a930c5b9cff540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\buml52Rs72.exe

Filesize
14KB

MD5
771686f244c2c60d1b9aa8b009f3f949

SHA1
a806cb44b348e1bb44f2c987d282e0f28f92cb8d

SHA256
c79e02b8281211c9eadec9e707fbd5ad8cf2b4a0c4b41c8634d57ce75520cf10

SHA512
cfc4e53b76d1bb42c1186dc43521b2bf3ef4e4030d6a5153f793fa3157689a85b286ecbf527c4cb774b8b1b327ff538c5960ff4f03f200d68aa1caaaba4ec79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\cacJ11FF38.exe

Filesize
375KB

MD5
47b1a20db297f70b1d9db60ea51d14d9

SHA1
b55664710122138d23e0e295dcade2b9aea41120

SHA256
80aab4a4c16d1ab74369c2914ab0348c3ab3b600ee7d40eda315a18bda1cd287

SHA512
e9924f8f89b8268c2d88d427727cacecffee75358583934131150fd73a1372ca65e0159cb221f718a19f2386cfa2905f46d58cd19a4ed63b5f98f073c3753288

Download Submit
memory/2568-28-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/3468-74-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-62-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-36-0x00000000071A0000-0x00000000071E4000-memory.dmp

Filesize
272KB

Download
memory/3468-64-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-84-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-98-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-96-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-94-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-93-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-90-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-88-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-86-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-82-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-80-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-78-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-76-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-34-0x0000000007100000-0x0000000007146000-memory.dmp

Filesize
280KB

Download
memory/3468-72-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-70-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-68-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-66-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-35-0x0000000007210000-0x00000000077B4000-memory.dmp

Filesize
5.6MB

Download
memory/3468-60-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-58-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-56-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-54-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-52-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-50-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-48-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-46-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-44-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-42-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-100-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-40-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-38-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-37-0x00000000071A0000-0x00000000071DE000-memory.dmp

Filesize
248KB

Download
memory/3468-943-0x0000000007940000-0x0000000007F58000-memory.dmp

Filesize
6.1MB

Download
memory/3468-944-0x0000000007FE0000-0x00000000080EA000-memory.dmp

Filesize
1.0MB

Download
memory/3468-945-0x0000000008120000-0x0000000008132000-memory.dmp

Filesize
72KB

Download
memory/3468-946-0x0000000008140000-0x000000000817C000-memory.dmp

Filesize
240KB

Download
memory/3468-947-0x0000000008290000-0x00000000082DC000-memory.dmp

Filesize
304KB

Download