healer | 01c16fbc6a6086ecb9ed3db54ba300da43b613db973916b5d33377d82448af0b

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01c16fbc6a6086ecb9ed3db54ba300da43b613db973916b5d33377d82448af0b.exe
Size

1.0MB
MD5

892241ad213489346bb2895f50db7182
SHA1

4677dcd6cd4ec9c2d9c03c67f21a686ffaace9ce
SHA256

01c16fbc6a6086ecb9ed3db54ba300da43b613db973916b5d33377d82448af0b
SHA512

553590294595c89db05fc74086c7b41f9dedb8b84497c997b65e19e69d8edf0b1f58f591a1a2f9e08f09cf673dd04fa7aee029dac4d127a74317d8c8cb3fab7f
SSDEEP

24576:xyLRl3ifIiZHq8NUoW5SK7HmzV/5J20voxlFmY9kA5:kLRFifIAHqEUF7HmzV/+opYOu

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca4-26.dat	healer
behavioral1/memory/400-28-0x0000000000AC0000-0x0000000000ACA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	iZr18Zw94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	iZr18Zw94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	iZr18Zw94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	iZr18Zw94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	iZr18Zw94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	iZr18Zw94.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4572-34-0x0000000004E10000-0x0000000004E56000-memory.dmp	family_redline
behavioral1/memory/4572-36-0x00000000071E0000-0x0000000007224000-memory.dmp	family_redline
behavioral1/memory/4572-46-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-52-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-100-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-98-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-96-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-92-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-90-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-88-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-86-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-84-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-82-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-80-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-78-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-76-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-72-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-70-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-69-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-64-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-62-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-60-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-58-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-56-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-54-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-50-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-48-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-44-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-42-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-94-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-74-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-66-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-40-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-38-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline
behavioral1/memory/4572-37-0x00000000071E0000-0x000000000721E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
1692	vmMv21Ck09.exe
3668	vmTV25bD98.exe
3724	vmCC45UR45.exe
400	iZr18Zw94.exe
4572	kCL70Eg97.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	iZr18Zw94.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	vmCC45UR45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	01c16fbc6a6086ecb9ed3db54ba300da43b613db973916b5d33377d82448af0b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vmMv21Ck09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vmTV25bD98.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01c16fbc6a6086ecb9ed3db54ba300da43b613db973916b5d33377d82448af0b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmMv21Ck09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmTV25bD98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmCC45UR45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kCL70Eg97.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
400	iZr18Zw94.exe
400	iZr18Zw94.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	400	iZr18Zw94.exe
Token: SeDebugPrivilege	4572	kCL70Eg97.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4132 wrote to memory of 1692	4132	01c16fbc6a6086ecb9ed3db54ba300da43b613db973916b5d33377d82448af0b.exe	83
PID 4132 wrote to memory of 1692	4132	01c16fbc6a6086ecb9ed3db54ba300da43b613db973916b5d33377d82448af0b.exe	83
PID 4132 wrote to memory of 1692	4132	01c16fbc6a6086ecb9ed3db54ba300da43b613db973916b5d33377d82448af0b.exe	83
PID 1692 wrote to memory of 3668	1692	vmMv21Ck09.exe	84
PID 1692 wrote to memory of 3668	1692	vmMv21Ck09.exe	84
PID 1692 wrote to memory of 3668	1692	vmMv21Ck09.exe	84
PID 3668 wrote to memory of 3724	3668	vmTV25bD98.exe	85
PID 3668 wrote to memory of 3724	3668	vmTV25bD98.exe	85
PID 3668 wrote to memory of 3724	3668	vmTV25bD98.exe	85
PID 3724 wrote to memory of 400	3724	vmCC45UR45.exe	86
PID 3724 wrote to memory of 400	3724	vmCC45UR45.exe	86
PID 3724 wrote to memory of 4572	3724	vmCC45UR45.exe	94
PID 3724 wrote to memory of 4572	3724	vmCC45UR45.exe	94
PID 3724 wrote to memory of 4572	3724	vmCC45UR45.exe	94

C:\Users\Admin\AppData\Local\Temp\01c16fbc6a6086ecb9ed3db54ba300da43b613db973916b5d33377d82448af0b.exe
"C:\Users\Admin\AppData\Local\Temp\01c16fbc6a6086ecb9ed3db54ba300da43b613db973916b5d33377d82448af0b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4132
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmMv21Ck09.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmMv21Ck09.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmTV25bD98.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmTV25bD98.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmCC45UR45.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmCC45UR45.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3724
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iZr18Zw94.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iZr18Zw94.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCL70Eg97.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCL70Eg97.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmMv21Ck09.exe

Filesize
958KB

MD5
ea7d43c7cb4ac10ec9c172bff16252e3

SHA1
ff5853768cced1af53a3d827cc2479476ec60773

SHA256
23a4536793a8aec31b1267e9d50a0fd7047baea1fa0f74b41c8e1fa2cb530713

SHA512
91a18fd3d0a9bc19a00e30453a53acd838ded5b00a552a74bc0043d8ea3e15ea02f975398d912a715d33d9e5fe6a31fd91d7c3930f9b6299f7a27e6a7651788a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmTV25bD98.exe

Filesize
681KB

MD5
bfdb236953fd6f20a30d2e48fc060e71

SHA1
75d92febad298484a37cfcf853ba415a2e2a2082

SHA256
20232973088bb43f1a2796586923337fed6c422fb6ef7154697e202ae8b1234c

SHA512
38175baa7e5748d5691a99d084890340bc9867c16d620ca34313c6ded73f247e5aa424ae5f581d78712eaa1ffd2f5e259768e3ec01f58dfd9a6cc25c8887c882

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmCC45UR45.exe

Filesize
399KB

MD5
e32a2da1573afe3929d763dfacffec50

SHA1
3759c499b0ae90872a7a243332deab57c621721a

SHA256
9fd3e9335e9d7401c8278d4f285afc7889df425acff94e0d1ae87eb9ba417c59

SHA512
96a04c87093c3838190eed7d79b24c1558e34f25efa2bbb572ecd1b24ca56cc09da1a6e9921065850ee9b43d90426418655f9e265ed9b01289457ecb8be68750

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iZr18Zw94.exe

Filesize
13KB

MD5
265e5658d37fc90b5f582894c46825c4

SHA1
a74362e2c8f379636a974a88b7bdb99698782483

SHA256
676d54e9b461599d8389edf0731dd0ec10c02d1a0f1dd94bed77fa07a876cb02

SHA512
7caf7e5a3a828a5a845eff72b87d20deacbd891bb322a0b74d85d018c9fa9ec6a9b1f9b85e631539472f5052aa2cc7dc421f2d5397e27db63a6eb8989e147f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCL70Eg97.exe

Filesize
374KB

MD5
534196314ab3a6ddde9383161e04bb1c

SHA1
1aada3e9ec093f011c9e1c4c557f2e9da73861cd

SHA256
d4eb393c9ee03f90888b37f01abdb6bb09d44416bacdfd5216c29f2739993c7e

SHA512
4d134be97ff5f2af6d2b9f8dadff10ace57447cf3a51f13a1d69b933de3a94673bf5c3c3899ff68036a2c4ec579248c015b974c5bdb51488ed8819227950ff8b

Download Submit
memory/400-28-0x0000000000AC0000-0x0000000000ACA000-memory.dmp

Filesize
40KB

Download
memory/4572-76-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-62-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-36-0x00000000071E0000-0x0000000007224000-memory.dmp

Filesize
272KB

Download
memory/4572-46-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-52-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-100-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-98-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-96-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-92-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-90-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-88-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-86-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-84-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-82-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-80-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-78-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-34-0x0000000004E10000-0x0000000004E56000-memory.dmp

Filesize
280KB

Download
memory/4572-72-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-70-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-69-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-64-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-35-0x0000000007360000-0x0000000007904000-memory.dmp

Filesize
5.6MB

Download
memory/4572-60-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-58-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-56-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-54-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-50-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-48-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-44-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-42-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-94-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-74-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-66-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-40-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-38-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-37-0x00000000071E0000-0x000000000721E000-memory.dmp

Filesize
248KB

Download
memory/4572-943-0x0000000007910000-0x0000000007F28000-memory.dmp

Filesize
6.1MB

Download
memory/4572-944-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/4572-945-0x00000000072F0000-0x0000000007302000-memory.dmp

Filesize
72KB

Download
memory/4572-946-0x0000000007310000-0x000000000734C000-memory.dmp

Filesize
240KB

Download
memory/4572-947-0x0000000008150000-0x000000000819C000-memory.dmp

Filesize
304KB

Download