healer | fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0

Analysis

max time kernel
118s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0N.exe
Size

1.0MB
MD5

35e0a09c1a2609fdf2f2a861b00a6820
SHA1

a7e032118a1f53f3aa7ab0af4444b29a47cc2b5c
SHA256

fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0
SHA512

8052c12e28eebb2b605de7874ad8378eb724fb2a93d2e302a04c09f814ad23263d907d9248714e69b4690e9a15089464cbf7b773daa996cba0f13803203402b3
SSDEEP

24576:xyLRl3ifIiZHq8NUoW5SK7HmzV/5J20voxlFmY9kA:kLRFifIAHqEUF7HmzV/+opYO

Score

10^/10

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rumfa

193.233.20.24:4123

Attributes

auth_value
749d02a6b4ef1fa2ad908e44ec2296dc

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca8-25.dat	healer
behavioral1/memory/4248-28-0x0000000000EF0000-0x0000000000EFA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	iZr18Zw94.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	iZr18Zw94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	iZr18Zw94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	iZr18Zw94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	iZr18Zw94.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	iZr18Zw94.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 35 IoCs

resource	yara_rule
behavioral1/memory/4788-34-0x0000000004C10000-0x0000000004C56000-memory.dmp	family_redline
behavioral1/memory/4788-36-0x00000000071D0000-0x0000000007214000-memory.dmp	family_redline
behavioral1/memory/4788-37-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-60-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-100-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-98-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-96-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-94-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-92-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-90-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-88-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-86-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-84-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-82-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-80-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-78-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-74-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-73-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-70-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-68-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-67-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-64-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-62-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-58-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-56-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-55-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-52-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-50-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-48-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-46-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-44-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-42-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-40-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-38-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline
behavioral1/memory/4788-76-0x00000000071D0000-0x000000000720E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
2268	vmMv21Ck09.exe
4724	vmTV25bD98.exe
3852	vmCC45UR45.exe
4248	iZr18Zw94.exe
4788	kCL70Eg97.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	iZr18Zw94.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vmMv21Ck09.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	vmTV25bD98.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	vmCC45UR45.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmMv21Ck09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmTV25bD98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vmCC45UR45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kCL70Eg97.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4248	iZr18Zw94.exe
4248	iZr18Zw94.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	iZr18Zw94.exe
Token: SeDebugPrivilege	4788	kCL70Eg97.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 2268	1584	fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0N.exe	83
PID 1584 wrote to memory of 2268	1584	fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0N.exe	83
PID 1584 wrote to memory of 2268	1584	fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0N.exe	83
PID 2268 wrote to memory of 4724	2268	vmMv21Ck09.exe	84
PID 2268 wrote to memory of 4724	2268	vmMv21Ck09.exe	84
PID 2268 wrote to memory of 4724	2268	vmMv21Ck09.exe	84
PID 4724 wrote to memory of 3852	4724	vmTV25bD98.exe	85
PID 4724 wrote to memory of 3852	4724	vmTV25bD98.exe	85
PID 4724 wrote to memory of 3852	4724	vmTV25bD98.exe	85
PID 3852 wrote to memory of 4248	3852	vmCC45UR45.exe	86
PID 3852 wrote to memory of 4248	3852	vmCC45UR45.exe	86
PID 3852 wrote to memory of 4788	3852	vmCC45UR45.exe	95
PID 3852 wrote to memory of 4788	3852	vmCC45UR45.exe	95
PID 3852 wrote to memory of 4788	3852	vmCC45UR45.exe	95

C:\Users\Admin\AppData\Local\Temp\fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0N.exe
"C:\Users\Admin\AppData\Local\Temp\fa2937c0e9375bbfa91e08fabe90eeeedeeb51514633f396b544118f271025d0N.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmMv21Ck09.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmMv21Ck09.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmTV25bD98.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmTV25bD98.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmCC45UR45.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmCC45UR45.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iZr18Zw94.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iZr18Zw94.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCL70Eg97.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCL70Eg97.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmMv21Ck09.exe

Filesize
958KB

MD5
ea7d43c7cb4ac10ec9c172bff16252e3

SHA1
ff5853768cced1af53a3d827cc2479476ec60773

SHA256
23a4536793a8aec31b1267e9d50a0fd7047baea1fa0f74b41c8e1fa2cb530713

SHA512
91a18fd3d0a9bc19a00e30453a53acd838ded5b00a552a74bc0043d8ea3e15ea02f975398d912a715d33d9e5fe6a31fd91d7c3930f9b6299f7a27e6a7651788a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmTV25bD98.exe

Filesize
681KB

MD5
bfdb236953fd6f20a30d2e48fc060e71

SHA1
75d92febad298484a37cfcf853ba415a2e2a2082

SHA256
20232973088bb43f1a2796586923337fed6c422fb6ef7154697e202ae8b1234c

SHA512
38175baa7e5748d5691a99d084890340bc9867c16d620ca34313c6ded73f247e5aa424ae5f581d78712eaa1ffd2f5e259768e3ec01f58dfd9a6cc25c8887c882

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmCC45UR45.exe

Filesize
399KB

MD5
e32a2da1573afe3929d763dfacffec50

SHA1
3759c499b0ae90872a7a243332deab57c621721a

SHA256
9fd3e9335e9d7401c8278d4f285afc7889df425acff94e0d1ae87eb9ba417c59

SHA512
96a04c87093c3838190eed7d79b24c1558e34f25efa2bbb572ecd1b24ca56cc09da1a6e9921065850ee9b43d90426418655f9e265ed9b01289457ecb8be68750

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iZr18Zw94.exe

Filesize
13KB

MD5
265e5658d37fc90b5f582894c46825c4

SHA1
a74362e2c8f379636a974a88b7bdb99698782483

SHA256
676d54e9b461599d8389edf0731dd0ec10c02d1a0f1dd94bed77fa07a876cb02

SHA512
7caf7e5a3a828a5a845eff72b87d20deacbd891bb322a0b74d85d018c9fa9ec6a9b1f9b85e631539472f5052aa2cc7dc421f2d5397e27db63a6eb8989e147f9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kCL70Eg97.exe

Filesize
374KB

MD5
534196314ab3a6ddde9383161e04bb1c

SHA1
1aada3e9ec093f011c9e1c4c557f2e9da73861cd

SHA256
d4eb393c9ee03f90888b37f01abdb6bb09d44416bacdfd5216c29f2739993c7e

SHA512
4d134be97ff5f2af6d2b9f8dadff10ace57447cf3a51f13a1d69b933de3a94673bf5c3c3899ff68036a2c4ec579248c015b974c5bdb51488ed8819227950ff8b

Download Submit
memory/4248-28-0x0000000000EF0000-0x0000000000EFA000-memory.dmp

Filesize
40KB

Download
memory/4788-78-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-67-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-36-0x00000000071D0000-0x0000000007214000-memory.dmp

Filesize
272KB

Download
memory/4788-37-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-60-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-100-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-98-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-96-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-94-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-92-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-90-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-88-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-86-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-84-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-82-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-80-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-34-0x0000000004C10000-0x0000000004C56000-memory.dmp

Filesize
280KB

Download
memory/4788-74-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-73-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-70-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-68-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-35-0x00000000073C0000-0x0000000007964000-memory.dmp

Filesize
5.6MB

Download
memory/4788-64-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-62-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-58-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-56-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-55-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-52-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-50-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-48-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-46-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-44-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-42-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-40-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-38-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-76-0x00000000071D0000-0x000000000720E000-memory.dmp

Filesize
248KB

Download
memory/4788-943-0x0000000007970000-0x0000000007F88000-memory.dmp

Filesize
6.1MB

Download
memory/4788-944-0x0000000007F90000-0x000000000809A000-memory.dmp

Filesize
1.0MB

Download
memory/4788-945-0x00000000072F0000-0x0000000007302000-memory.dmp

Filesize
72KB

Download
memory/4788-946-0x0000000007310000-0x000000000734C000-memory.dmp

Filesize
240KB

Download
memory/4788-947-0x0000000007360000-0x00000000073AC000-memory.dmp

Filesize
304KB

Download