healer | 131e1faef5713a5345afa4133739950d1aa641307cff84b86dc2195895d6daa5

Analysis

max time kernel
119s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

131e1faef5713a5345afa4133739950d1aa641307cff84b86dc2195895d6daa5N.exe
Size

1.2MB
MD5

80741e45f9657b88d186620c755e9c90
SHA1

34e040f3172471edb6a89f55904b0f4e5b123625
SHA256

131e1faef5713a5345afa4133739950d1aa641307cff84b86dc2195895d6daa5
SHA512

0f019d187bc8001671ad3df87a069597bb398f42d415d1aa4ad7089b9d9d570d570f0aeb143fa5f404d6e57cf618e65d2d2191bfb2ced751393ae1fad7814b27
SSDEEP

24576:qy5OtOQYwFh4RiWiKWg4TF8TEcp/YQPjUb5ggp6O3caO62+Hfl+yZfs6/YPBY9L9:xjFwfWixgvTNp/Y+s5ggN3X2+/l+ofsQ

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023cde-26.dat	healer
behavioral1/memory/640-28-0x0000000000270000-0x000000000027A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	az524598.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	az524598.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	az524598.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	az524598.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	az524598.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	az524598.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/1104-34-0x0000000002700000-0x000000000273C000-memory.dmp	family_redline
behavioral1/memory/1104-36-0x0000000004E10000-0x0000000004E4A000-memory.dmp	family_redline
behavioral1/memory/1104-40-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-38-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-37-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-70-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-100-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-98-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-96-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-94-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-92-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-90-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-88-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-86-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-84-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-82-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-80-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-78-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-74-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-73-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-68-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-66-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-64-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-62-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-61-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-58-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-56-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-54-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-52-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-50-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-48-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-46-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-44-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-42-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline
behavioral1/memory/1104-76-0x0000000004E10000-0x0000000004E45000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
432	ki367119.exe
3164	ki282399.exe
4168	ki127526.exe
640	az524598.exe
1104	bu413220.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	az524598.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	ki367119.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	ki282399.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	ki127526.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	131e1faef5713a5345afa4133739950d1aa641307cff84b86dc2195895d6daa5N.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki282399.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki127526.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bu413220.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	131e1faef5713a5345afa4133739950d1aa641307cff84b86dc2195895d6daa5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ki367119.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
640	az524598.exe
640	az524598.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	640	az524598.exe
Token: SeDebugPrivilege	1104	bu413220.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 432	3064	131e1faef5713a5345afa4133739950d1aa641307cff84b86dc2195895d6daa5N.exe	87
PID 3064 wrote to memory of 432	3064	131e1faef5713a5345afa4133739950d1aa641307cff84b86dc2195895d6daa5N.exe	87
PID 3064 wrote to memory of 432	3064	131e1faef5713a5345afa4133739950d1aa641307cff84b86dc2195895d6daa5N.exe	87
PID 432 wrote to memory of 3164	432	ki367119.exe	88
PID 432 wrote to memory of 3164	432	ki367119.exe	88
PID 432 wrote to memory of 3164	432	ki367119.exe	88
PID 3164 wrote to memory of 4168	3164	ki282399.exe	90
PID 3164 wrote to memory of 4168	3164	ki282399.exe	90
PID 3164 wrote to memory of 4168	3164	ki282399.exe	90
PID 4168 wrote to memory of 640	4168	ki127526.exe	91
PID 4168 wrote to memory of 640	4168	ki127526.exe	91
PID 4168 wrote to memory of 1104	4168	ki127526.exe	102
PID 4168 wrote to memory of 1104	4168	ki127526.exe	102
PID 4168 wrote to memory of 1104	4168	ki127526.exe	102

C:\Users\Admin\AppData\Local\Temp\131e1faef5713a5345afa4133739950d1aa641307cff84b86dc2195895d6daa5N.exe
"C:\Users\Admin\AppData\Local\Temp\131e1faef5713a5345afa4133739950d1aa641307cff84b86dc2195895d6daa5N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki367119.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki367119.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki282399.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki282399.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127526.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127526.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4168
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az524598.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az524598.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu413220.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu413220.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ki367119.exe

Filesize
1.1MB

MD5
76b83e12049c9ef27718b3a06f2276dc

SHA1
0eb2cfb7ceaeee8b5138d7fd9b6af365db738e36

SHA256
03c43e378d4d7963f268f3fe6c78199ef968ef854c75d074b21577945b388bab

SHA512
db950c57d660a99d14cf95b418eca41db4ae66ad4ae523f56d0349675a444eb44fd4c45c0bea970b96b6911c7551a85500eda46ebb85c49d720ce257a7ef95af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ki282399.exe

Filesize
806KB

MD5
c9449f5ebd44472681413d4c125fd416

SHA1
f609b80bfc544c7c6522312c05f80471c87e16fd

SHA256
164571e3dd01276d45cebac1cd65ceb95bf8bb7798c813d1b732d61c94ce8189

SHA512
04bef3eccd0d34297d700e45a4d81699a4823b107bba4f03b8a4d227c1ba7549f23905a46ccdee22dd6d41411b30161bee8b2853a5bd20dfd2bf82c326fe6a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ki127526.exe

Filesize
470KB

MD5
466c2c2fcb8ac9101c7bde9e416722c2

SHA1
53dfedfbce24e7797af6a7e302298df59ec3bbf5

SHA256
486afc5abe31c2f37e9add04197e77366875990cf2a9b01dca2b0e1c89beda26

SHA512
5b30ee5147fafced59ae0494da5892b6acf1000f0df40bb58c6627a21d9800da5b643df2db22ab2a19beae487079153802ff83ead597234553da119add468021

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\az524598.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bu413220.exe

Filesize
487KB

MD5
706e4debcc66c06d618853856ea58426

SHA1
88f6edc5d3f2d78c7bf47340a636836c134ffa39

SHA256
cfb3d4ca76f33ea57ced22db227e8f5038e7256606bdc440ad73b6de4eb01901

SHA512
f1a442d4613edecdd18d008fa0133a3dfb7db75188ca96f495fbf0d9d932840f926992bd660e4f79e4e00e42bf81d66138d754846bcceaee9950b414e3d2232e

Download Submit
memory/640-28-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/1104-82-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-68-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-36-0x0000000004E10000-0x0000000004E4A000-memory.dmp

Filesize
232KB

Download
memory/1104-40-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-38-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-37-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-70-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-100-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-98-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-96-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-94-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-92-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-90-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-88-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-86-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-84-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-34-0x0000000002700000-0x000000000273C000-memory.dmp

Filesize
240KB

Download
memory/1104-80-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-78-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-74-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-73-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-35-0x0000000004F50000-0x00000000054F4000-memory.dmp

Filesize
5.6MB

Download
memory/1104-66-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-64-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-62-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-61-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-58-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-56-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-54-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-52-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-50-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-48-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-46-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-44-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-42-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-76-0x0000000004E10000-0x0000000004E45000-memory.dmp

Filesize
212KB

Download
memory/1104-829-0x0000000007980000-0x0000000007F98000-memory.dmp

Filesize
6.1MB

Download
memory/1104-830-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

Filesize
72KB

Download
memory/1104-831-0x0000000007FC0000-0x00000000080CA000-memory.dmp

Filesize
1.0MB

Download
memory/1104-832-0x00000000080E0000-0x000000000811C000-memory.dmp

Filesize
240KB

Download
memory/1104-833-0x0000000002760000-0x00000000027AC000-memory.dmp

Filesize
304KB

Download