healer | 39fe03845f04099e7100c0462b899a7846ae32620bdc41599a99a4014bc0d9af

Analysis

max time kernel
128s
max time network
142s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10-07-2023 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf4474a7b955075ef14a48e2ba631181.exe
Size

538KB
MD5

bf4474a7b955075ef14a48e2ba631181
SHA1

ec69cb6eb45a99d4b3d0d6b276912872e56db4d9
SHA256

39fe03845f04099e7100c0462b899a7846ae32620bdc41599a99a4014bc0d9af
SHA512

53c3b917e24ac11351b5c47e5cd6f5019c6452cd8f2313d257edee764e857e6f17104cef96676ae13e6158f05715832307d64a4734c357ba2853a687b514e4b4
SSDEEP

12288:mP+gHY5z479uqXLp1ikYaAKxuGvykXM6ffvVJ:mb45479ugYaA4uGvykcuT

Score

10^/10

healer redline kira dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/3020-83-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2167538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2167538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2167538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2167538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2167538.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k2167538.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1948	y0969918.exe
3020	k2167538.exe
1476	l0213278.exe

Loads dropped DLL 8 IoCs

pid	Process
2304	bf4474a7b955075ef14a48e2ba631181.exe
1948	y0969918.exe
1948	y0969918.exe
1948	y0969918.exe
3020	k2167538.exe
1948	y0969918.exe
1948	y0969918.exe
1476	l0213278.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k2167538.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2167538.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0969918.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bf4474a7b955075ef14a48e2ba631181.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bf4474a7b955075ef14a48e2ba631181.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0969918.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3020	k2167538.exe
3020	k2167538.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3020	k2167538.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1948	2304	bf4474a7b955075ef14a48e2ba631181.exe	30
PID 2304 wrote to memory of 1948	2304	bf4474a7b955075ef14a48e2ba631181.exe	30
PID 2304 wrote to memory of 1948	2304	bf4474a7b955075ef14a48e2ba631181.exe	30
PID 2304 wrote to memory of 1948	2304	bf4474a7b955075ef14a48e2ba631181.exe	30
PID 2304 wrote to memory of 1948	2304	bf4474a7b955075ef14a48e2ba631181.exe	30
PID 2304 wrote to memory of 1948	2304	bf4474a7b955075ef14a48e2ba631181.exe	30
PID 2304 wrote to memory of 1948	2304	bf4474a7b955075ef14a48e2ba631181.exe	30
PID 1948 wrote to memory of 3020	1948	y0969918.exe	31
PID 1948 wrote to memory of 3020	1948	y0969918.exe	31
PID 1948 wrote to memory of 3020	1948	y0969918.exe	31
PID 1948 wrote to memory of 3020	1948	y0969918.exe	31
PID 1948 wrote to memory of 3020	1948	y0969918.exe	31
PID 1948 wrote to memory of 3020	1948	y0969918.exe	31
PID 1948 wrote to memory of 3020	1948	y0969918.exe	31
PID 1948 wrote to memory of 1476	1948	y0969918.exe	33
PID 1948 wrote to memory of 1476	1948	y0969918.exe	33
PID 1948 wrote to memory of 1476	1948	y0969918.exe	33
PID 1948 wrote to memory of 1476	1948	y0969918.exe	33
PID 1948 wrote to memory of 1476	1948	y0969918.exe	33
PID 1948 wrote to memory of 1476	1948	y0969918.exe	33
PID 1948 wrote to memory of 1476	1948	y0969918.exe	33

C:\Users\Admin\AppData\Local\Temp\bf4474a7b955075ef14a48e2ba631181.exe
"C:\Users\Admin\AppData\Local\Temp\bf4474a7b955075ef14a48e2ba631181.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0969918.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0969918.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2167538.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2167538.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0213278.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0213278.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0969918.exe

Filesize
261KB

MD5
ff8f41f8d820cfb682bc77c6c13808ab

SHA1
3167bce67ce2611855078e334e34667e0299e27d

SHA256
a396de8fb5b7a2395cb1f21c7da8b461f275013dbe4c64b8a79f050cfaff6b92

SHA512
ae7774e6f4ba1d2cd6a6b5bd445219a175f0288f2559be724fbee20be34c832764b0f10ccad86995ed6a2ca20c472be81380c106c5f5a43e4f8520e0b9015085

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0969918.exe

Filesize
261KB

MD5
ff8f41f8d820cfb682bc77c6c13808ab

SHA1
3167bce67ce2611855078e334e34667e0299e27d

SHA256
a396de8fb5b7a2395cb1f21c7da8b461f275013dbe4c64b8a79f050cfaff6b92

SHA512
ae7774e6f4ba1d2cd6a6b5bd445219a175f0288f2559be724fbee20be34c832764b0f10ccad86995ed6a2ca20c472be81380c106c5f5a43e4f8520e0b9015085

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2167538.exe

Filesize
104KB

MD5
44b0d473614a92635b6e39fbb6eb8903

SHA1
e5f7095bface72f0d384e20bc7cb692d515b5124

SHA256
f8375c4e4dd963fc2fad6d66efde942bde1558c5e6d7570b91f694a97331c571

SHA512
014c9fab42308d02fcb6ce4756018b59e593e76eb4bf9aecb3890460675fee5ddef7ea1f1d4e30c14d5bc02dc0f89e931620f14dc379540aef103c114df93598

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2167538.exe

Filesize
104KB

MD5
44b0d473614a92635b6e39fbb6eb8903

SHA1
e5f7095bface72f0d384e20bc7cb692d515b5124

SHA256
f8375c4e4dd963fc2fad6d66efde942bde1558c5e6d7570b91f694a97331c571

SHA512
014c9fab42308d02fcb6ce4756018b59e593e76eb4bf9aecb3890460675fee5ddef7ea1f1d4e30c14d5bc02dc0f89e931620f14dc379540aef103c114df93598

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2167538.exe

Filesize
104KB

MD5
44b0d473614a92635b6e39fbb6eb8903

SHA1
e5f7095bface72f0d384e20bc7cb692d515b5124

SHA256
f8375c4e4dd963fc2fad6d66efde942bde1558c5e6d7570b91f694a97331c571

SHA512
014c9fab42308d02fcb6ce4756018b59e593e76eb4bf9aecb3890460675fee5ddef7ea1f1d4e30c14d5bc02dc0f89e931620f14dc379540aef103c114df93598

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0213278.exe

Filesize
266KB

MD5
48e8f11014a2da94cfcc62412b6ef009

SHA1
76eb0a4b5f9f956f01d2d988aaae97c9021b4cf9

SHA256
212cc011131292fce872fba8067c1bfb63ee646239ef6cb8653d43ee9f94c01b

SHA512
f8efa4619f2773771f55918c467466d835aeca8dd1a8e0095cc569c70837b8c1eef57f5622eb39abbbb49db0f9e3b6af887b4cc989d18ec09d82a98049902db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0213278.exe

Filesize
266KB

MD5
48e8f11014a2da94cfcc62412b6ef009

SHA1
76eb0a4b5f9f956f01d2d988aaae97c9021b4cf9

SHA256
212cc011131292fce872fba8067c1bfb63ee646239ef6cb8653d43ee9f94c01b

SHA512
f8efa4619f2773771f55918c467466d835aeca8dd1a8e0095cc569c70837b8c1eef57f5622eb39abbbb49db0f9e3b6af887b4cc989d18ec09d82a98049902db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0213278.exe

Filesize
266KB

MD5
48e8f11014a2da94cfcc62412b6ef009

SHA1
76eb0a4b5f9f956f01d2d988aaae97c9021b4cf9

SHA256
212cc011131292fce872fba8067c1bfb63ee646239ef6cb8653d43ee9f94c01b

SHA512
f8efa4619f2773771f55918c467466d835aeca8dd1a8e0095cc569c70837b8c1eef57f5622eb39abbbb49db0f9e3b6af887b4cc989d18ec09d82a98049902db8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0969918.exe

Filesize
261KB

MD5
ff8f41f8d820cfb682bc77c6c13808ab

SHA1
3167bce67ce2611855078e334e34667e0299e27d

SHA256
a396de8fb5b7a2395cb1f21c7da8b461f275013dbe4c64b8a79f050cfaff6b92

SHA512
ae7774e6f4ba1d2cd6a6b5bd445219a175f0288f2559be724fbee20be34c832764b0f10ccad86995ed6a2ca20c472be81380c106c5f5a43e4f8520e0b9015085

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0969918.exe

Filesize
261KB

MD5
ff8f41f8d820cfb682bc77c6c13808ab

SHA1
3167bce67ce2611855078e334e34667e0299e27d

SHA256
a396de8fb5b7a2395cb1f21c7da8b461f275013dbe4c64b8a79f050cfaff6b92

SHA512
ae7774e6f4ba1d2cd6a6b5bd445219a175f0288f2559be724fbee20be34c832764b0f10ccad86995ed6a2ca20c472be81380c106c5f5a43e4f8520e0b9015085

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2167538.exe

Filesize
104KB

MD5
44b0d473614a92635b6e39fbb6eb8903

SHA1
e5f7095bface72f0d384e20bc7cb692d515b5124

SHA256
f8375c4e4dd963fc2fad6d66efde942bde1558c5e6d7570b91f694a97331c571

SHA512
014c9fab42308d02fcb6ce4756018b59e593e76eb4bf9aecb3890460675fee5ddef7ea1f1d4e30c14d5bc02dc0f89e931620f14dc379540aef103c114df93598

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2167538.exe

Filesize
104KB

MD5
44b0d473614a92635b6e39fbb6eb8903

SHA1
e5f7095bface72f0d384e20bc7cb692d515b5124

SHA256
f8375c4e4dd963fc2fad6d66efde942bde1558c5e6d7570b91f694a97331c571

SHA512
014c9fab42308d02fcb6ce4756018b59e593e76eb4bf9aecb3890460675fee5ddef7ea1f1d4e30c14d5bc02dc0f89e931620f14dc379540aef103c114df93598

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2167538.exe

Filesize
104KB

MD5
44b0d473614a92635b6e39fbb6eb8903

SHA1
e5f7095bface72f0d384e20bc7cb692d515b5124

SHA256
f8375c4e4dd963fc2fad6d66efde942bde1558c5e6d7570b91f694a97331c571

SHA512
014c9fab42308d02fcb6ce4756018b59e593e76eb4bf9aecb3890460675fee5ddef7ea1f1d4e30c14d5bc02dc0f89e931620f14dc379540aef103c114df93598

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0213278.exe

Filesize
266KB

MD5
48e8f11014a2da94cfcc62412b6ef009

SHA1
76eb0a4b5f9f956f01d2d988aaae97c9021b4cf9

SHA256
212cc011131292fce872fba8067c1bfb63ee646239ef6cb8653d43ee9f94c01b

SHA512
f8efa4619f2773771f55918c467466d835aeca8dd1a8e0095cc569c70837b8c1eef57f5622eb39abbbb49db0f9e3b6af887b4cc989d18ec09d82a98049902db8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0213278.exe

Filesize
266KB

MD5
48e8f11014a2da94cfcc62412b6ef009

SHA1
76eb0a4b5f9f956f01d2d988aaae97c9021b4cf9

SHA256
212cc011131292fce872fba8067c1bfb63ee646239ef6cb8653d43ee9f94c01b

SHA512
f8efa4619f2773771f55918c467466d835aeca8dd1a8e0095cc569c70837b8c1eef57f5622eb39abbbb49db0f9e3b6af887b4cc989d18ec09d82a98049902db8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0213278.exe

Filesize
266KB

MD5
48e8f11014a2da94cfcc62412b6ef009

SHA1
76eb0a4b5f9f956f01d2d988aaae97c9021b4cf9

SHA256
212cc011131292fce872fba8067c1bfb63ee646239ef6cb8653d43ee9f94c01b

SHA512
f8efa4619f2773771f55918c467466d835aeca8dd1a8e0095cc569c70837b8c1eef57f5622eb39abbbb49db0f9e3b6af887b4cc989d18ec09d82a98049902db8

Download Submit
memory/1476-97-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/1476-101-0x0000000000BD0000-0x0000000000BD6000-memory.dmp

Filesize
24KB

Download
memory/1476-102-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/1476-103-0x00000000048A0000-0x00000000048E0000-memory.dmp

Filesize
256KB

Download
memory/2304-54-0x00000000002F0000-0x0000000000364000-memory.dmp

Filesize
464KB

Download
memory/3020-83-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download