healer | 18f40370e753a595223eb2e3c743aa6151acba029cf0375f73585ca35887651c

Analysis

max time kernel
129s
max time network
145s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
07/07/2023, 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

998783d5bfc48f5f48216f6bd46249ac.exe
Size

529KB
MD5

998783d5bfc48f5f48216f6bd46249ac
SHA1

c8f4fdccc7807da188179404a2bdb518fedf16fa
SHA256

18f40370e753a595223eb2e3c743aa6151acba029cf0375f73585ca35887651c
SHA512

c7926418900a5ce3ac90937954715cd9cfc519e0a5ef0fbe9e9647005bfa645cafa3808b3e456d9718855d9f59073e3296eb8f9b17499137242ebb3db842a304
SSDEEP

12288:w3R0fvkaRdnQgbsWCrx9vfcWo8ImlxqbEraG:w3Revk82gbsx9sWo8IdErn

Score

10^/10

healer redline furod dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/2228-83-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k5298834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k5298834.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k5298834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k5298834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k5298834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k5298834.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2060	y6259501.exe
2228	k5298834.exe
1304	l9508189.exe

Loads dropped DLL 8 IoCs

pid	Process
2396	998783d5bfc48f5f48216f6bd46249ac.exe
2060	y6259501.exe
2060	y6259501.exe
2060	y6259501.exe
2228	k5298834.exe
2060	y6259501.exe
2060	y6259501.exe
1304	l9508189.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k5298834.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k5298834.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	998783d5bfc48f5f48216f6bd46249ac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	998783d5bfc48f5f48216f6bd46249ac.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6259501.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6259501.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2228	k5298834.exe
2228	k5298834.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	k5298834.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2060	2396	998783d5bfc48f5f48216f6bd46249ac.exe	29
PID 2396 wrote to memory of 2060	2396	998783d5bfc48f5f48216f6bd46249ac.exe	29
PID 2396 wrote to memory of 2060	2396	998783d5bfc48f5f48216f6bd46249ac.exe	29
PID 2396 wrote to memory of 2060	2396	998783d5bfc48f5f48216f6bd46249ac.exe	29
PID 2396 wrote to memory of 2060	2396	998783d5bfc48f5f48216f6bd46249ac.exe	29
PID 2396 wrote to memory of 2060	2396	998783d5bfc48f5f48216f6bd46249ac.exe	29
PID 2396 wrote to memory of 2060	2396	998783d5bfc48f5f48216f6bd46249ac.exe	29
PID 2060 wrote to memory of 2228	2060	y6259501.exe	30
PID 2060 wrote to memory of 2228	2060	y6259501.exe	30
PID 2060 wrote to memory of 2228	2060	y6259501.exe	30
PID 2060 wrote to memory of 2228	2060	y6259501.exe	30
PID 2060 wrote to memory of 2228	2060	y6259501.exe	30
PID 2060 wrote to memory of 2228	2060	y6259501.exe	30
PID 2060 wrote to memory of 2228	2060	y6259501.exe	30
PID 2060 wrote to memory of 1304	2060	y6259501.exe	32
PID 2060 wrote to memory of 1304	2060	y6259501.exe	32
PID 2060 wrote to memory of 1304	2060	y6259501.exe	32
PID 2060 wrote to memory of 1304	2060	y6259501.exe	32
PID 2060 wrote to memory of 1304	2060	y6259501.exe	32
PID 2060 wrote to memory of 1304	2060	y6259501.exe	32
PID 2060 wrote to memory of 1304	2060	y6259501.exe	32

C:\Users\Admin\AppData\Local\Temp\998783d5bfc48f5f48216f6bd46249ac.exe
"C:\Users\Admin\AppData\Local\Temp\998783d5bfc48f5f48216f6bd46249ac.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6259501.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6259501.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5298834.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5298834.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2228
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9508189.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9508189.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6259501.exe

Filesize
260KB

MD5
d1dc1b6defd9be7e880f151395c88f9a

SHA1
806fdfa18d0a5546bfca0d5098e0a4a86d0cd105

SHA256
7a3894c8fc4f1e192d65c1cd495b7c446333a7d1806e34e899db325b0a5d3756

SHA512
79c7011a488d380b1e960f6a9bf3d7e31f839e305da40884267ed66da63b7b2c92feecfd696232713c2218da73c748e359f7ea4763db85696edb03d44214aa79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6259501.exe

Filesize
260KB

MD5
d1dc1b6defd9be7e880f151395c88f9a

SHA1
806fdfa18d0a5546bfca0d5098e0a4a86d0cd105

SHA256
7a3894c8fc4f1e192d65c1cd495b7c446333a7d1806e34e899db325b0a5d3756

SHA512
79c7011a488d380b1e960f6a9bf3d7e31f839e305da40884267ed66da63b7b2c92feecfd696232713c2218da73c748e359f7ea4763db85696edb03d44214aa79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5298834.exe

Filesize
96KB

MD5
93f157d1e1b5b842c9a6009e5027ab8b

SHA1
66eeb2081b8dda24eafc996efd0ecbd32a8450b6

SHA256
4bb00eb3499ee3ab2e62b2c61ed8192ef317cbe9d85c0ad6a4909fbfbf23def1

SHA512
d9162e3b4a71462e6147b02c446728804ffea689f5e32c8b84564bc0ff7c0bb991d9ca09e3e6f3539fe33d6bd0f700678d536b379325d86d9918cee6513d8297

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5298834.exe

Filesize
96KB

MD5
93f157d1e1b5b842c9a6009e5027ab8b

SHA1
66eeb2081b8dda24eafc996efd0ecbd32a8450b6

SHA256
4bb00eb3499ee3ab2e62b2c61ed8192ef317cbe9d85c0ad6a4909fbfbf23def1

SHA512
d9162e3b4a71462e6147b02c446728804ffea689f5e32c8b84564bc0ff7c0bb991d9ca09e3e6f3539fe33d6bd0f700678d536b379325d86d9918cee6513d8297

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5298834.exe

Filesize
96KB

MD5
93f157d1e1b5b842c9a6009e5027ab8b

SHA1
66eeb2081b8dda24eafc996efd0ecbd32a8450b6

SHA256
4bb00eb3499ee3ab2e62b2c61ed8192ef317cbe9d85c0ad6a4909fbfbf23def1

SHA512
d9162e3b4a71462e6147b02c446728804ffea689f5e32c8b84564bc0ff7c0bb991d9ca09e3e6f3539fe33d6bd0f700678d536b379325d86d9918cee6513d8297

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9508189.exe

Filesize
257KB

MD5
41d7bf74e93391e22c7092ec37378705

SHA1
d91d08ea920aa0723f5edba088e310bfdb29363d

SHA256
fa96451ec4effb5f1ce0ad0e0b94cc8d34255d2ac681909b6c9aa5f16f212109

SHA512
882a7f9e23cf717d9ebe0bd61f87738c7a9355547c5314f41ade16b745c9555e3bcaed1b60386de9ae0d7f39a7ce6dd321e8451f7ab45a1ec1c8134173aca3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9508189.exe

Filesize
257KB

MD5
41d7bf74e93391e22c7092ec37378705

SHA1
d91d08ea920aa0723f5edba088e310bfdb29363d

SHA256
fa96451ec4effb5f1ce0ad0e0b94cc8d34255d2ac681909b6c9aa5f16f212109

SHA512
882a7f9e23cf717d9ebe0bd61f87738c7a9355547c5314f41ade16b745c9555e3bcaed1b60386de9ae0d7f39a7ce6dd321e8451f7ab45a1ec1c8134173aca3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9508189.exe

Filesize
257KB

MD5
41d7bf74e93391e22c7092ec37378705

SHA1
d91d08ea920aa0723f5edba088e310bfdb29363d

SHA256
fa96451ec4effb5f1ce0ad0e0b94cc8d34255d2ac681909b6c9aa5f16f212109

SHA512
882a7f9e23cf717d9ebe0bd61f87738c7a9355547c5314f41ade16b745c9555e3bcaed1b60386de9ae0d7f39a7ce6dd321e8451f7ab45a1ec1c8134173aca3b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6259501.exe

Filesize
260KB

MD5
d1dc1b6defd9be7e880f151395c88f9a

SHA1
806fdfa18d0a5546bfca0d5098e0a4a86d0cd105

SHA256
7a3894c8fc4f1e192d65c1cd495b7c446333a7d1806e34e899db325b0a5d3756

SHA512
79c7011a488d380b1e960f6a9bf3d7e31f839e305da40884267ed66da63b7b2c92feecfd696232713c2218da73c748e359f7ea4763db85696edb03d44214aa79

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6259501.exe

Filesize
260KB

MD5
d1dc1b6defd9be7e880f151395c88f9a

SHA1
806fdfa18d0a5546bfca0d5098e0a4a86d0cd105

SHA256
7a3894c8fc4f1e192d65c1cd495b7c446333a7d1806e34e899db325b0a5d3756

SHA512
79c7011a488d380b1e960f6a9bf3d7e31f839e305da40884267ed66da63b7b2c92feecfd696232713c2218da73c748e359f7ea4763db85696edb03d44214aa79

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5298834.exe

Filesize
96KB

MD5
93f157d1e1b5b842c9a6009e5027ab8b

SHA1
66eeb2081b8dda24eafc996efd0ecbd32a8450b6

SHA256
4bb00eb3499ee3ab2e62b2c61ed8192ef317cbe9d85c0ad6a4909fbfbf23def1

SHA512
d9162e3b4a71462e6147b02c446728804ffea689f5e32c8b84564bc0ff7c0bb991d9ca09e3e6f3539fe33d6bd0f700678d536b379325d86d9918cee6513d8297

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5298834.exe

Filesize
96KB

MD5
93f157d1e1b5b842c9a6009e5027ab8b

SHA1
66eeb2081b8dda24eafc996efd0ecbd32a8450b6

SHA256
4bb00eb3499ee3ab2e62b2c61ed8192ef317cbe9d85c0ad6a4909fbfbf23def1

SHA512
d9162e3b4a71462e6147b02c446728804ffea689f5e32c8b84564bc0ff7c0bb991d9ca09e3e6f3539fe33d6bd0f700678d536b379325d86d9918cee6513d8297

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k5298834.exe

Filesize
96KB

MD5
93f157d1e1b5b842c9a6009e5027ab8b

SHA1
66eeb2081b8dda24eafc996efd0ecbd32a8450b6

SHA256
4bb00eb3499ee3ab2e62b2c61ed8192ef317cbe9d85c0ad6a4909fbfbf23def1

SHA512
d9162e3b4a71462e6147b02c446728804ffea689f5e32c8b84564bc0ff7c0bb991d9ca09e3e6f3539fe33d6bd0f700678d536b379325d86d9918cee6513d8297

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9508189.exe

Filesize
257KB

MD5
41d7bf74e93391e22c7092ec37378705

SHA1
d91d08ea920aa0723f5edba088e310bfdb29363d

SHA256
fa96451ec4effb5f1ce0ad0e0b94cc8d34255d2ac681909b6c9aa5f16f212109

SHA512
882a7f9e23cf717d9ebe0bd61f87738c7a9355547c5314f41ade16b745c9555e3bcaed1b60386de9ae0d7f39a7ce6dd321e8451f7ab45a1ec1c8134173aca3b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9508189.exe

Filesize
257KB

MD5
41d7bf74e93391e22c7092ec37378705

SHA1
d91d08ea920aa0723f5edba088e310bfdb29363d

SHA256
fa96451ec4effb5f1ce0ad0e0b94cc8d34255d2ac681909b6c9aa5f16f212109

SHA512
882a7f9e23cf717d9ebe0bd61f87738c7a9355547c5314f41ade16b745c9555e3bcaed1b60386de9ae0d7f39a7ce6dd321e8451f7ab45a1ec1c8134173aca3b8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9508189.exe

Filesize
257KB

MD5
41d7bf74e93391e22c7092ec37378705

SHA1
d91d08ea920aa0723f5edba088e310bfdb29363d

SHA256
fa96451ec4effb5f1ce0ad0e0b94cc8d34255d2ac681909b6c9aa5f16f212109

SHA512
882a7f9e23cf717d9ebe0bd61f87738c7a9355547c5314f41ade16b745c9555e3bcaed1b60386de9ae0d7f39a7ce6dd321e8451f7ab45a1ec1c8134173aca3b8

Download Submit
memory/1304-97-0x0000000000290000-0x00000000002C0000-memory.dmp

Filesize
192KB

Download
memory/1304-101-0x0000000000890000-0x0000000000896000-memory.dmp

Filesize
24KB

Download
memory/1304-102-0x0000000001DC0000-0x0000000001E00000-memory.dmp

Filesize
256KB

Download
memory/1304-103-0x0000000001DC0000-0x0000000001E00000-memory.dmp

Filesize
256KB

Download
memory/2228-83-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2396-54-0x0000000000310000-0x0000000000384000-memory.dmp

Filesize
464KB

Download