healer | cc80c0ff50bc3d408942be684a8ece2344a05e5bf0dd00dad04b58305b99ae77

Analysis

max time kernel
128s
max time network
142s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 14:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb1d26f7a3e33cf0117b6ae71.exe
Size

529KB
MD5

cb1d26f7a3e33cf0117b6ae71acc5330
SHA1

d658ba5dcf77d1456ef14f467ddfbd0c48135d35
SHA256

cc80c0ff50bc3d408942be684a8ece2344a05e5bf0dd00dad04b58305b99ae77
SHA512

f14902749bf54fc1a9c80c45e078684f7a9e4e5e914c1491aed63b95ae97ac7ca7ce6940b7b5138a10172fa6706fd89077f9e854a9b74501fbadeee4c196c7d0
SSDEEP

12288:9UwpfvEaRdnQg3hG9dfx+PzQC8iWAVGTr:9UwFvE82g3hG7s7boTr

Score

10^/10

healer redline furod dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

furod

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/1328-83-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7069788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7069788.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k7069788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7069788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7069788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7069788.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2936	y4708277.exe
1328	k7069788.exe
524	l1421073.exe

Loads dropped DLL 8 IoCs

pid	Process
2308	cb1d26f7a3e33cf0117b6ae71.exe
2936	y4708277.exe
2936	y4708277.exe
2936	y4708277.exe
1328	k7069788.exe
2936	y4708277.exe
2936	y4708277.exe
524	l1421073.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k7069788.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7069788.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	cb1d26f7a3e33cf0117b6ae71.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cb1d26f7a3e33cf0117b6ae71.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4708277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4708277.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1328	k7069788.exe
1328	k7069788.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	k7069788.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2936	2308	cb1d26f7a3e33cf0117b6ae71.exe	29
PID 2308 wrote to memory of 2936	2308	cb1d26f7a3e33cf0117b6ae71.exe	29
PID 2308 wrote to memory of 2936	2308	cb1d26f7a3e33cf0117b6ae71.exe	29
PID 2308 wrote to memory of 2936	2308	cb1d26f7a3e33cf0117b6ae71.exe	29
PID 2308 wrote to memory of 2936	2308	cb1d26f7a3e33cf0117b6ae71.exe	29
PID 2308 wrote to memory of 2936	2308	cb1d26f7a3e33cf0117b6ae71.exe	29
PID 2308 wrote to memory of 2936	2308	cb1d26f7a3e33cf0117b6ae71.exe	29
PID 2936 wrote to memory of 1328	2936	y4708277.exe	30
PID 2936 wrote to memory of 1328	2936	y4708277.exe	30
PID 2936 wrote to memory of 1328	2936	y4708277.exe	30
PID 2936 wrote to memory of 1328	2936	y4708277.exe	30
PID 2936 wrote to memory of 1328	2936	y4708277.exe	30
PID 2936 wrote to memory of 1328	2936	y4708277.exe	30
PID 2936 wrote to memory of 1328	2936	y4708277.exe	30
PID 2936 wrote to memory of 524	2936	y4708277.exe	32
PID 2936 wrote to memory of 524	2936	y4708277.exe	32
PID 2936 wrote to memory of 524	2936	y4708277.exe	32
PID 2936 wrote to memory of 524	2936	y4708277.exe	32
PID 2936 wrote to memory of 524	2936	y4708277.exe	32
PID 2936 wrote to memory of 524	2936	y4708277.exe	32
PID 2936 wrote to memory of 524	2936	y4708277.exe	32

C:\Users\Admin\AppData\Local\Temp\cb1d26f7a3e33cf0117b6ae71.exe
"C:\Users\Admin\AppData\Local\Temp\cb1d26f7a3e33cf0117b6ae71.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4708277.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4708277.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7069788.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7069788.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1421073.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1421073.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4708277.exe

Filesize
260KB

MD5
99edeb9d24c2bc4e63c6d2ec000c94ef

SHA1
238ee3621d03570f4bc74c42d919a16207982179

SHA256
58c7a78e8506c189ce23b1654a0c6f31fba1b7b270ef84e1c1ba002e3320d00a

SHA512
51b73ce38a20274b3647b942d9eaddd147c10d969b73492a73aa80676d839a3a61cdc11f69597988abb097398d12bbc1a88bfcdb724ecc44f5cc1f7d471abf86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4708277.exe

Filesize
260KB

MD5
99edeb9d24c2bc4e63c6d2ec000c94ef

SHA1
238ee3621d03570f4bc74c42d919a16207982179

SHA256
58c7a78e8506c189ce23b1654a0c6f31fba1b7b270ef84e1c1ba002e3320d00a

SHA512
51b73ce38a20274b3647b942d9eaddd147c10d969b73492a73aa80676d839a3a61cdc11f69597988abb097398d12bbc1a88bfcdb724ecc44f5cc1f7d471abf86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7069788.exe

Filesize
96KB

MD5
ee29f72f5e8cb1588b4f800f2fde03dc

SHA1
95dfa0159afca6d3df442b236b25f8cdf93a33a1

SHA256
dac1f73b21cc0dfbf3c2b5314549fb0447aed7c8e350eb58b0698038cbf9081c

SHA512
769e9df286d00da19451991f5c4af4465f02ef274a1ba09f0f4d8dfddfdc382e2376ef9daea91470b64fe97ecf208b8a9502bfa698591f5bffd0e5a591d05b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7069788.exe

Filesize
96KB

MD5
ee29f72f5e8cb1588b4f800f2fde03dc

SHA1
95dfa0159afca6d3df442b236b25f8cdf93a33a1

SHA256
dac1f73b21cc0dfbf3c2b5314549fb0447aed7c8e350eb58b0698038cbf9081c

SHA512
769e9df286d00da19451991f5c4af4465f02ef274a1ba09f0f4d8dfddfdc382e2376ef9daea91470b64fe97ecf208b8a9502bfa698591f5bffd0e5a591d05b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7069788.exe

Filesize
96KB

MD5
ee29f72f5e8cb1588b4f800f2fde03dc

SHA1
95dfa0159afca6d3df442b236b25f8cdf93a33a1

SHA256
dac1f73b21cc0dfbf3c2b5314549fb0447aed7c8e350eb58b0698038cbf9081c

SHA512
769e9df286d00da19451991f5c4af4465f02ef274a1ba09f0f4d8dfddfdc382e2376ef9daea91470b64fe97ecf208b8a9502bfa698591f5bffd0e5a591d05b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1421073.exe

Filesize
257KB

MD5
58cd12697e7679ccfa0cb00f82bd5860

SHA1
8da0c4d42d73c9553eb6071bc9a13cd2d01b2a81

SHA256
84e70d3416575700e3821b4cf284164ee91f5d81a62a7462ef5c3c694f613fb8

SHA512
8d950e4e5b8dd650576e379bb0de0faaff80a5aa678ca4c136f93603e5212c1b4db096b572e603d596d501606bd059d3850c463a014a607608dca9c2db64a557

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1421073.exe

Filesize
257KB

MD5
58cd12697e7679ccfa0cb00f82bd5860

SHA1
8da0c4d42d73c9553eb6071bc9a13cd2d01b2a81

SHA256
84e70d3416575700e3821b4cf284164ee91f5d81a62a7462ef5c3c694f613fb8

SHA512
8d950e4e5b8dd650576e379bb0de0faaff80a5aa678ca4c136f93603e5212c1b4db096b572e603d596d501606bd059d3850c463a014a607608dca9c2db64a557

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1421073.exe

Filesize
257KB

MD5
58cd12697e7679ccfa0cb00f82bd5860

SHA1
8da0c4d42d73c9553eb6071bc9a13cd2d01b2a81

SHA256
84e70d3416575700e3821b4cf284164ee91f5d81a62a7462ef5c3c694f613fb8

SHA512
8d950e4e5b8dd650576e379bb0de0faaff80a5aa678ca4c136f93603e5212c1b4db096b572e603d596d501606bd059d3850c463a014a607608dca9c2db64a557

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4708277.exe

Filesize
260KB

MD5
99edeb9d24c2bc4e63c6d2ec000c94ef

SHA1
238ee3621d03570f4bc74c42d919a16207982179

SHA256
58c7a78e8506c189ce23b1654a0c6f31fba1b7b270ef84e1c1ba002e3320d00a

SHA512
51b73ce38a20274b3647b942d9eaddd147c10d969b73492a73aa80676d839a3a61cdc11f69597988abb097398d12bbc1a88bfcdb724ecc44f5cc1f7d471abf86

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4708277.exe

Filesize
260KB

MD5
99edeb9d24c2bc4e63c6d2ec000c94ef

SHA1
238ee3621d03570f4bc74c42d919a16207982179

SHA256
58c7a78e8506c189ce23b1654a0c6f31fba1b7b270ef84e1c1ba002e3320d00a

SHA512
51b73ce38a20274b3647b942d9eaddd147c10d969b73492a73aa80676d839a3a61cdc11f69597988abb097398d12bbc1a88bfcdb724ecc44f5cc1f7d471abf86

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7069788.exe

Filesize
96KB

MD5
ee29f72f5e8cb1588b4f800f2fde03dc

SHA1
95dfa0159afca6d3df442b236b25f8cdf93a33a1

SHA256
dac1f73b21cc0dfbf3c2b5314549fb0447aed7c8e350eb58b0698038cbf9081c

SHA512
769e9df286d00da19451991f5c4af4465f02ef274a1ba09f0f4d8dfddfdc382e2376ef9daea91470b64fe97ecf208b8a9502bfa698591f5bffd0e5a591d05b77

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7069788.exe

Filesize
96KB

MD5
ee29f72f5e8cb1588b4f800f2fde03dc

SHA1
95dfa0159afca6d3df442b236b25f8cdf93a33a1

SHA256
dac1f73b21cc0dfbf3c2b5314549fb0447aed7c8e350eb58b0698038cbf9081c

SHA512
769e9df286d00da19451991f5c4af4465f02ef274a1ba09f0f4d8dfddfdc382e2376ef9daea91470b64fe97ecf208b8a9502bfa698591f5bffd0e5a591d05b77

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7069788.exe

Filesize
96KB

MD5
ee29f72f5e8cb1588b4f800f2fde03dc

SHA1
95dfa0159afca6d3df442b236b25f8cdf93a33a1

SHA256
dac1f73b21cc0dfbf3c2b5314549fb0447aed7c8e350eb58b0698038cbf9081c

SHA512
769e9df286d00da19451991f5c4af4465f02ef274a1ba09f0f4d8dfddfdc382e2376ef9daea91470b64fe97ecf208b8a9502bfa698591f5bffd0e5a591d05b77

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1421073.exe

Filesize
257KB

MD5
58cd12697e7679ccfa0cb00f82bd5860

SHA1
8da0c4d42d73c9553eb6071bc9a13cd2d01b2a81

SHA256
84e70d3416575700e3821b4cf284164ee91f5d81a62a7462ef5c3c694f613fb8

SHA512
8d950e4e5b8dd650576e379bb0de0faaff80a5aa678ca4c136f93603e5212c1b4db096b572e603d596d501606bd059d3850c463a014a607608dca9c2db64a557

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1421073.exe

Filesize
257KB

MD5
58cd12697e7679ccfa0cb00f82bd5860

SHA1
8da0c4d42d73c9553eb6071bc9a13cd2d01b2a81

SHA256
84e70d3416575700e3821b4cf284164ee91f5d81a62a7462ef5c3c694f613fb8

SHA512
8d950e4e5b8dd650576e379bb0de0faaff80a5aa678ca4c136f93603e5212c1b4db096b572e603d596d501606bd059d3850c463a014a607608dca9c2db64a557

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1421073.exe

Filesize
257KB

MD5
58cd12697e7679ccfa0cb00f82bd5860

SHA1
8da0c4d42d73c9553eb6071bc9a13cd2d01b2a81

SHA256
84e70d3416575700e3821b4cf284164ee91f5d81a62a7462ef5c3c694f613fb8

SHA512
8d950e4e5b8dd650576e379bb0de0faaff80a5aa678ca4c136f93603e5212c1b4db096b572e603d596d501606bd059d3850c463a014a607608dca9c2db64a557

Download Submit
memory/524-97-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/524-101-0x0000000000B10000-0x0000000000B16000-memory.dmp

Filesize
24KB

Download
memory/524-102-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/524-103-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1328-83-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2308-54-0x0000000000330000-0x00000000003A4000-memory.dmp

Filesize
464KB

Download