healer | b97a2107200b733d25fbae9281a945bc28fbcb8797c6f78f3e85177df05f652b

Analysis

max time kernel
129s
max time network
143s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

89d6484a515b5fb8066a5afc5.exe
Size

529KB
MD5

89d6484a515b5fb8066a5afc589c3d8f
SHA1

509d9dfe15468f971baf2f488a7b8dab34684f5e
SHA256

b97a2107200b733d25fbae9281a945bc28fbcb8797c6f78f3e85177df05f652b
SHA512

81a2f2db99c4d33c3c3d07148ee176e9ef99f62955682e481072f4c68e7c0d5111ff9634f238bf8b6a36ff2e936aabb404b44490376cb9077945832341d99d8b
SSDEEP

12288:vglufvsaRdnQgJxrXf4GGl9LzBy3Y9zgg28M:vgl0vs82gJxTf4GyJCY9m8M

Score

10^/10

healer redline furod dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/564-83-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0333591.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0333591.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0333591.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0333591.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0333591.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0333591.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2908	y9385749.exe
564	k0333591.exe
2360	l3056309.exe

Loads dropped DLL 8 IoCs

pid	Process
2948	89d6484a515b5fb8066a5afc5.exe
2908	y9385749.exe
2908	y9385749.exe
2908	y9385749.exe
564	k0333591.exe
2908	y9385749.exe
2908	y9385749.exe
2360	l3056309.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k0333591.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0333591.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	89d6484a515b5fb8066a5afc5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	89d6484a515b5fb8066a5afc5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y9385749.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9385749.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
564	k0333591.exe
564	k0333591.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	564	k0333591.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2908	2948	89d6484a515b5fb8066a5afc5.exe	29
PID 2948 wrote to memory of 2908	2948	89d6484a515b5fb8066a5afc5.exe	29
PID 2948 wrote to memory of 2908	2948	89d6484a515b5fb8066a5afc5.exe	29
PID 2948 wrote to memory of 2908	2948	89d6484a515b5fb8066a5afc5.exe	29
PID 2948 wrote to memory of 2908	2948	89d6484a515b5fb8066a5afc5.exe	29
PID 2948 wrote to memory of 2908	2948	89d6484a515b5fb8066a5afc5.exe	29
PID 2948 wrote to memory of 2908	2948	89d6484a515b5fb8066a5afc5.exe	29
PID 2908 wrote to memory of 564	2908	y9385749.exe	30
PID 2908 wrote to memory of 564	2908	y9385749.exe	30
PID 2908 wrote to memory of 564	2908	y9385749.exe	30
PID 2908 wrote to memory of 564	2908	y9385749.exe	30
PID 2908 wrote to memory of 564	2908	y9385749.exe	30
PID 2908 wrote to memory of 564	2908	y9385749.exe	30
PID 2908 wrote to memory of 564	2908	y9385749.exe	30
PID 2908 wrote to memory of 2360	2908	y9385749.exe	32
PID 2908 wrote to memory of 2360	2908	y9385749.exe	32
PID 2908 wrote to memory of 2360	2908	y9385749.exe	32
PID 2908 wrote to memory of 2360	2908	y9385749.exe	32
PID 2908 wrote to memory of 2360	2908	y9385749.exe	32
PID 2908 wrote to memory of 2360	2908	y9385749.exe	32
PID 2908 wrote to memory of 2360	2908	y9385749.exe	32

C:\Users\Admin\AppData\Local\Temp\89d6484a515b5fb8066a5afc5.exe
"C:\Users\Admin\AppData\Local\Temp\89d6484a515b5fb8066a5afc5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9385749.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9385749.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0333591.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0333591.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3056309.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3056309.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9385749.exe

Filesize
261KB

MD5
13023f10bed3d071ff49fc478a2b2eab

SHA1
9db2b57c0169d03c31ed4dd14f14ae8e8fd3dd06

SHA256
c6d4244405e81c317c313243ea96c69df6300497a8e51da5c0f0481ac20e3254

SHA512
1fb387303c5f9471e6b93a70e9605c4ba307c5689d5ebc50005e5d2a4daee713fc556c595d5b808bdb84560e69e2507771ab919d3fe666d3e2ee559a74faab07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9385749.exe

Filesize
261KB

MD5
13023f10bed3d071ff49fc478a2b2eab

SHA1
9db2b57c0169d03c31ed4dd14f14ae8e8fd3dd06

SHA256
c6d4244405e81c317c313243ea96c69df6300497a8e51da5c0f0481ac20e3254

SHA512
1fb387303c5f9471e6b93a70e9605c4ba307c5689d5ebc50005e5d2a4daee713fc556c595d5b808bdb84560e69e2507771ab919d3fe666d3e2ee559a74faab07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0333591.exe

Filesize
96KB

MD5
76a8dfd5b2734f0ee95866ccbc4dfcbc

SHA1
47213be49699496b0d1fa4374cdb677dbeee3583

SHA256
5d50a35748db2cf42de387de191274056222b183ea0a5be6b1fb31e410b77ff7

SHA512
b0b0fc9861e9fcfaa7424218b93142bfa5fcaeb1b4f5780828cf09c06bcf618447ed66588e8c14e25d1af6f7d373903aa8293435dad5f9b13a31233d547e9e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0333591.exe

Filesize
96KB

MD5
76a8dfd5b2734f0ee95866ccbc4dfcbc

SHA1
47213be49699496b0d1fa4374cdb677dbeee3583

SHA256
5d50a35748db2cf42de387de191274056222b183ea0a5be6b1fb31e410b77ff7

SHA512
b0b0fc9861e9fcfaa7424218b93142bfa5fcaeb1b4f5780828cf09c06bcf618447ed66588e8c14e25d1af6f7d373903aa8293435dad5f9b13a31233d547e9e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0333591.exe

Filesize
96KB

MD5
76a8dfd5b2734f0ee95866ccbc4dfcbc

SHA1
47213be49699496b0d1fa4374cdb677dbeee3583

SHA256
5d50a35748db2cf42de387de191274056222b183ea0a5be6b1fb31e410b77ff7

SHA512
b0b0fc9861e9fcfaa7424218b93142bfa5fcaeb1b4f5780828cf09c06bcf618447ed66588e8c14e25d1af6f7d373903aa8293435dad5f9b13a31233d547e9e12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3056309.exe

Filesize
257KB

MD5
1dae438dd12d4dc92c58c335c7d8bd48

SHA1
d8c5af0468601252473b7f076d22cf865a3cab33

SHA256
419b115e5949b5c50b24a7939dc3db65c1a7b329a578b66efa28914f9cf4c715

SHA512
d85337599a8d1c068a035aadbdf3f498c3faea4f268d3835135e30d969c57b2f030617573f478691f4594d231b96621a4606ad97ca565a4f69c7f511e90a98dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3056309.exe

Filesize
257KB

MD5
1dae438dd12d4dc92c58c335c7d8bd48

SHA1
d8c5af0468601252473b7f076d22cf865a3cab33

SHA256
419b115e5949b5c50b24a7939dc3db65c1a7b329a578b66efa28914f9cf4c715

SHA512
d85337599a8d1c068a035aadbdf3f498c3faea4f268d3835135e30d969c57b2f030617573f478691f4594d231b96621a4606ad97ca565a4f69c7f511e90a98dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3056309.exe

Filesize
257KB

MD5
1dae438dd12d4dc92c58c335c7d8bd48

SHA1
d8c5af0468601252473b7f076d22cf865a3cab33

SHA256
419b115e5949b5c50b24a7939dc3db65c1a7b329a578b66efa28914f9cf4c715

SHA512
d85337599a8d1c068a035aadbdf3f498c3faea4f268d3835135e30d969c57b2f030617573f478691f4594d231b96621a4606ad97ca565a4f69c7f511e90a98dc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9385749.exe

Filesize
261KB

MD5
13023f10bed3d071ff49fc478a2b2eab

SHA1
9db2b57c0169d03c31ed4dd14f14ae8e8fd3dd06

SHA256
c6d4244405e81c317c313243ea96c69df6300497a8e51da5c0f0481ac20e3254

SHA512
1fb387303c5f9471e6b93a70e9605c4ba307c5689d5ebc50005e5d2a4daee713fc556c595d5b808bdb84560e69e2507771ab919d3fe666d3e2ee559a74faab07

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9385749.exe

Filesize
261KB

MD5
13023f10bed3d071ff49fc478a2b2eab

SHA1
9db2b57c0169d03c31ed4dd14f14ae8e8fd3dd06

SHA256
c6d4244405e81c317c313243ea96c69df6300497a8e51da5c0f0481ac20e3254

SHA512
1fb387303c5f9471e6b93a70e9605c4ba307c5689d5ebc50005e5d2a4daee713fc556c595d5b808bdb84560e69e2507771ab919d3fe666d3e2ee559a74faab07

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0333591.exe

Filesize
96KB

MD5
76a8dfd5b2734f0ee95866ccbc4dfcbc

SHA1
47213be49699496b0d1fa4374cdb677dbeee3583

SHA256
5d50a35748db2cf42de387de191274056222b183ea0a5be6b1fb31e410b77ff7

SHA512
b0b0fc9861e9fcfaa7424218b93142bfa5fcaeb1b4f5780828cf09c06bcf618447ed66588e8c14e25d1af6f7d373903aa8293435dad5f9b13a31233d547e9e12

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0333591.exe

Filesize
96KB

MD5
76a8dfd5b2734f0ee95866ccbc4dfcbc

SHA1
47213be49699496b0d1fa4374cdb677dbeee3583

SHA256
5d50a35748db2cf42de387de191274056222b183ea0a5be6b1fb31e410b77ff7

SHA512
b0b0fc9861e9fcfaa7424218b93142bfa5fcaeb1b4f5780828cf09c06bcf618447ed66588e8c14e25d1af6f7d373903aa8293435dad5f9b13a31233d547e9e12

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0333591.exe

Filesize
96KB

MD5
76a8dfd5b2734f0ee95866ccbc4dfcbc

SHA1
47213be49699496b0d1fa4374cdb677dbeee3583

SHA256
5d50a35748db2cf42de387de191274056222b183ea0a5be6b1fb31e410b77ff7

SHA512
b0b0fc9861e9fcfaa7424218b93142bfa5fcaeb1b4f5780828cf09c06bcf618447ed66588e8c14e25d1af6f7d373903aa8293435dad5f9b13a31233d547e9e12

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3056309.exe

Filesize
257KB

MD5
1dae438dd12d4dc92c58c335c7d8bd48

SHA1
d8c5af0468601252473b7f076d22cf865a3cab33

SHA256
419b115e5949b5c50b24a7939dc3db65c1a7b329a578b66efa28914f9cf4c715

SHA512
d85337599a8d1c068a035aadbdf3f498c3faea4f268d3835135e30d969c57b2f030617573f478691f4594d231b96621a4606ad97ca565a4f69c7f511e90a98dc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3056309.exe

Filesize
257KB

MD5
1dae438dd12d4dc92c58c335c7d8bd48

SHA1
d8c5af0468601252473b7f076d22cf865a3cab33

SHA256
419b115e5949b5c50b24a7939dc3db65c1a7b329a578b66efa28914f9cf4c715

SHA512
d85337599a8d1c068a035aadbdf3f498c3faea4f268d3835135e30d969c57b2f030617573f478691f4594d231b96621a4606ad97ca565a4f69c7f511e90a98dc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3056309.exe

Filesize
257KB

MD5
1dae438dd12d4dc92c58c335c7d8bd48

SHA1
d8c5af0468601252473b7f076d22cf865a3cab33

SHA256
419b115e5949b5c50b24a7939dc3db65c1a7b329a578b66efa28914f9cf4c715

SHA512
d85337599a8d1c068a035aadbdf3f498c3faea4f268d3835135e30d969c57b2f030617573f478691f4594d231b96621a4606ad97ca565a4f69c7f511e90a98dc

Download Submit
memory/564-83-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2360-97-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/2360-101-0x0000000002220000-0x0000000002226000-memory.dmp

Filesize
24KB

Download
memory/2360-102-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/2360-103-0x0000000004A30000-0x0000000004A70000-memory.dmp

Filesize
256KB

Download
memory/2948-54-0x0000000000600000-0x0000000000674000-memory.dmp

Filesize
464KB

Download