healer | 9e1599ff2a5b41029e3699dbafddb9a58418a7a2ac1bd7fd5b4d153f35bfa30e

Analysis

max time kernel
147s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5fbd4a4ce62d41a918ceee70d.exe
Size

783KB
MD5

5fbd4a4ce62d41a918ceee70d657e32c
SHA1

eb167931981fc0bdb8700449e7ad12ae7d6840ce
SHA256

9e1599ff2a5b41029e3699dbafddb9a58418a7a2ac1bd7fd5b4d153f35bfa30e
SHA512

a00dbc5803593edc8f2aef3ea93a895043c84de855d56917fba01d754191d43ec14a3c6ce6b22a17c628b4e21b20d1aa423bffb17fc39017f93907a683b99abf
SSDEEP

24576:d26dmvV82g96NMv/16Zbb6uNGJoCi2Oer+39Y5Dp:c6YCP6m3ASu0JoEosDp

Score

10^/10

healer redline norm dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

norm

77.91.68.70:19073

Attributes

auth_value
1514e6c0ec3d10a36f68f61b206f5759

Signatures

Detects Healer an antivirus disabler dropper 4 IoCs

resource	yara_rule
behavioral2/memory/4700-167-0x00000000004F0000-0x00000000004FA000-memory.dmp	healer
behavioral2/files/0x0008000000023235-174.dat	healer
behavioral2/files/0x0008000000023235-175.dat	healer
behavioral2/memory/3156-176-0x0000000000050000-0x000000000005A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b4434361.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a8302583.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8302583.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8302583.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b4434361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b4434361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b4434361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b4434361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b4434361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8302583.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8302583.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8302583.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
748	v2569021.exe
3404	v4893832.exe
3704	v0166767.exe
4700	a8302583.exe
3156	b4434361.exe
4008	c4853042.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8302583.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8302583.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b4434361.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5fbd4a4ce62d41a918ceee70d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2569021.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2569021.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4893832.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4893832.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0166767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0166767.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5fbd4a4ce62d41a918ceee70d.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4700	a8302583.exe
4700	a8302583.exe
3156	b4434361.exe
3156	b4434361.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4700	a8302583.exe
Token: SeDebugPrivilege	3156	b4434361.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 748	2276	5fbd4a4ce62d41a918ceee70d.exe	85
PID 2276 wrote to memory of 748	2276	5fbd4a4ce62d41a918ceee70d.exe	85
PID 2276 wrote to memory of 748	2276	5fbd4a4ce62d41a918ceee70d.exe	85
PID 748 wrote to memory of 3404	748	v2569021.exe	86
PID 748 wrote to memory of 3404	748	v2569021.exe	86
PID 748 wrote to memory of 3404	748	v2569021.exe	86
PID 3404 wrote to memory of 3704	3404	v4893832.exe	87
PID 3404 wrote to memory of 3704	3404	v4893832.exe	87
PID 3404 wrote to memory of 3704	3404	v4893832.exe	87
PID 3704 wrote to memory of 4700	3704	v0166767.exe	88
PID 3704 wrote to memory of 4700	3704	v0166767.exe	88
PID 3704 wrote to memory of 4700	3704	v0166767.exe	88
PID 3704 wrote to memory of 3156	3704	v0166767.exe	90
PID 3704 wrote to memory of 3156	3704	v0166767.exe	90
PID 3404 wrote to memory of 4008	3404	v4893832.exe	93
PID 3404 wrote to memory of 4008	3404	v4893832.exe	93
PID 3404 wrote to memory of 4008	3404	v4893832.exe	93

C:\Users\Admin\AppData\Local\Temp\5fbd4a4ce62d41a918ceee70d.exe
"C:\Users\Admin\AppData\Local\Temp\5fbd4a4ce62d41a918ceee70d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2569021.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2569021.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4893832.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4893832.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0166767.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0166767.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3704
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8302583.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8302583.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4434361.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4434361.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4853042.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4853042.exe
      4⤵
      Executes dropped EXE
      PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2569021.exe

Filesize
518KB

MD5
3b881d2218bccde420ed0a8eab4b1c48

SHA1
ec450e14f36c1d0923ddb4182cf47d07d33bafc1

SHA256
21dca9e2b7264993d19ace0ec792ba68a7106260e53c779b58dd14e0bca9b542

SHA512
86b2fe77fa6a2509658398275ee4e2089dec412339777e04ce8ffb85a3cc8d62a0e240f4402074eae8c0cfc1269232b0415c56ed674103f51692c659bdae4d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2569021.exe

Filesize
518KB

MD5
3b881d2218bccde420ed0a8eab4b1c48

SHA1
ec450e14f36c1d0923ddb4182cf47d07d33bafc1

SHA256
21dca9e2b7264993d19ace0ec792ba68a7106260e53c779b58dd14e0bca9b542

SHA512
86b2fe77fa6a2509658398275ee4e2089dec412339777e04ce8ffb85a3cc8d62a0e240f4402074eae8c0cfc1269232b0415c56ed674103f51692c659bdae4d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4893832.exe

Filesize
393KB

MD5
0ba9e72e4e65dd2d9ba70e2f4663eebb

SHA1
6f9b8bed267ac1bc379ebb22467331b73f2a0814

SHA256
c50e078215a8b2565de03b5351d715a87d2d0eafe550175711a081f8e10c5b8b

SHA512
fd0652b3b08d4e40bd6e4d1f602949fe8e53ffc93510dbd770e7cc1f1b37f3f74bb0f147eced88a9499a39ab95f885bb666e199610712ff110123a78e922d495

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4893832.exe

Filesize
393KB

MD5
0ba9e72e4e65dd2d9ba70e2f4663eebb

SHA1
6f9b8bed267ac1bc379ebb22467331b73f2a0814

SHA256
c50e078215a8b2565de03b5351d715a87d2d0eafe550175711a081f8e10c5b8b

SHA512
fd0652b3b08d4e40bd6e4d1f602949fe8e53ffc93510dbd770e7cc1f1b37f3f74bb0f147eced88a9499a39ab95f885bb666e199610712ff110123a78e922d495

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4853042.exe

Filesize
256KB

MD5
23af0af93bf9c3902080ada413f2798a

SHA1
608b37211fefc256f605b37a4c0a7f54121c3ba6

SHA256
72e07461cf67eafed4cbdef4cca7fde53ef1dae5f7dcc7a54a219f02f14fe158

SHA512
c81edcd83f24698aceab70f33830c6446d672b31069bae9c75a59f0325ef15680fabe9b8f7bca8df790e3fa0bc224385185230d6619a2c338a6f68fdd83cb6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c4853042.exe

Filesize
256KB

MD5
23af0af93bf9c3902080ada413f2798a

SHA1
608b37211fefc256f605b37a4c0a7f54121c3ba6

SHA256
72e07461cf67eafed4cbdef4cca7fde53ef1dae5f7dcc7a54a219f02f14fe158

SHA512
c81edcd83f24698aceab70f33830c6446d672b31069bae9c75a59f0325ef15680fabe9b8f7bca8df790e3fa0bc224385185230d6619a2c338a6f68fdd83cb6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0166767.exe

Filesize
195KB

MD5
0c10e9300cf84c8194dd279138f7c2bf

SHA1
db0152ad65bdb7eb1875b1459d762c950da26ded

SHA256
ce6f8be39aece1c6a073ea54aa33b392c6f8b086baf12e1b065b6af1c45563ec

SHA512
7680d676684d79fcc19aa4c2c44b1213765f69657748bf471dbc9ed1958c55d2f0325ad14c965a6f2ae8392f6327c5f05b8b4d094cd0e57fae01d2c0ca14a28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0166767.exe

Filesize
195KB

MD5
0c10e9300cf84c8194dd279138f7c2bf

SHA1
db0152ad65bdb7eb1875b1459d762c950da26ded

SHA256
ce6f8be39aece1c6a073ea54aa33b392c6f8b086baf12e1b065b6af1c45563ec

SHA512
7680d676684d79fcc19aa4c2c44b1213765f69657748bf471dbc9ed1958c55d2f0325ad14c965a6f2ae8392f6327c5f05b8b4d094cd0e57fae01d2c0ca14a28a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8302583.exe

Filesize
93KB

MD5
9fd27f531f2f7ea0dbb33d7a44461252

SHA1
b7d302c90d220f6b28598a0700cd99b59b9dcadc

SHA256
3cbdfc49433fb7cd44204396348cec3e11b0d8ec006ea76b77f1b9b964e301f9

SHA512
5f98cb4d1b4a4dc461ba6f3f71533c7cc171c695e8a03ec8f637a3d8a2e4f8bea0b6243ad283c483faae73f4c1b445933724fe8b631dbb911a4186738833bbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8302583.exe

Filesize
93KB

MD5
9fd27f531f2f7ea0dbb33d7a44461252

SHA1
b7d302c90d220f6b28598a0700cd99b59b9dcadc

SHA256
3cbdfc49433fb7cd44204396348cec3e11b0d8ec006ea76b77f1b9b964e301f9

SHA512
5f98cb4d1b4a4dc461ba6f3f71533c7cc171c695e8a03ec8f637a3d8a2e4f8bea0b6243ad283c483faae73f4c1b445933724fe8b631dbb911a4186738833bbad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4434361.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4434361.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/2276-133-0x0000000000860000-0x0000000000914000-memory.dmp

Filesize
720KB

Download
memory/3156-176-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/4008-181-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/4008-186-0x0000000009F80000-0x000000000A598000-memory.dmp

Filesize
6.1MB

Download
memory/4008-187-0x000000000A610000-0x000000000A71A000-memory.dmp

Filesize
1.0MB

Download
memory/4008-189-0x000000000A750000-0x000000000A762000-memory.dmp

Filesize
72KB

Download
memory/4008-188-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4008-190-0x000000000A770000-0x000000000A7AC000-memory.dmp

Filesize
240KB

Download
memory/4008-191-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/4700-167-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download