healer | 400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a

Analysis

max time kernel
298s
max time network
302s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe
Size

989KB
MD5

caa77db1d9e91c03420de42d0881b211
SHA1

6adec40078a6253bbd06cbfa728ff4518355ac59
SHA256

400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a
SHA512

aecb982c6ea0b3b875302fe39b0292624660463b57af51e97acf37c735f84f40512de6baec82e8fdfb357defb45a6cae4c9f6210719822e039f5c32bd3b45649
SSDEEP

24576:1yl5k1tfjHfabqFIr8iHlOi6JIni5NWxlOhD:Q/qtrHf7C8oAirnCAxlO

Score

10^/10

healer redline kira dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

kira

77.91.68.48:19071

Attributes

auth_value
1677a40fd8997eb89377e1681911e9c6

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/2904-87-0x0000000000020000-0x000000000002A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k6701060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6701060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6701060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6701060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6701060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6701060.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2376	y5860936.exe
2864	y3802276.exe
2904	k6701060.exe
1652	l3477921.exe

Loads dropped DLL 10 IoCs

pid	Process
2388	400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe
2376	y5860936.exe
2376	y5860936.exe
2864	y3802276.exe
2864	y3802276.exe
2864	y3802276.exe
2904	k6701060.exe
2864	y3802276.exe
2864	y3802276.exe
1652	l3477921.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	k6701060.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k6701060.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5860936.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3802276.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3802276.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5860936.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2904	k6701060.exe
2904	k6701060.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	k6701060.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2376	2388	400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe	28
PID 2388 wrote to memory of 2376	2388	400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe	28
PID 2388 wrote to memory of 2376	2388	400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe	28
PID 2388 wrote to memory of 2376	2388	400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe	28
PID 2388 wrote to memory of 2376	2388	400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe	28
PID 2388 wrote to memory of 2376	2388	400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe	28
PID 2388 wrote to memory of 2376	2388	400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe	28
PID 2376 wrote to memory of 2864	2376	y5860936.exe	29
PID 2376 wrote to memory of 2864	2376	y5860936.exe	29
PID 2376 wrote to memory of 2864	2376	y5860936.exe	29
PID 2376 wrote to memory of 2864	2376	y5860936.exe	29
PID 2376 wrote to memory of 2864	2376	y5860936.exe	29
PID 2376 wrote to memory of 2864	2376	y5860936.exe	29
PID 2376 wrote to memory of 2864	2376	y5860936.exe	29
PID 2864 wrote to memory of 2904	2864	y3802276.exe	30
PID 2864 wrote to memory of 2904	2864	y3802276.exe	30
PID 2864 wrote to memory of 2904	2864	y3802276.exe	30
PID 2864 wrote to memory of 2904	2864	y3802276.exe	30
PID 2864 wrote to memory of 2904	2864	y3802276.exe	30
PID 2864 wrote to memory of 2904	2864	y3802276.exe	30
PID 2864 wrote to memory of 2904	2864	y3802276.exe	30
PID 2864 wrote to memory of 1652	2864	y3802276.exe	32
PID 2864 wrote to memory of 1652	2864	y3802276.exe	32
PID 2864 wrote to memory of 1652	2864	y3802276.exe	32
PID 2864 wrote to memory of 1652	2864	y3802276.exe	32
PID 2864 wrote to memory of 1652	2864	y3802276.exe	32
PID 2864 wrote to memory of 1652	2864	y3802276.exe	32
PID 2864 wrote to memory of 1652	2864	y3802276.exe	32

C:\Users\Admin\AppData\Local\Temp\400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe
"C:\Users\Admin\AppData\Local\Temp\400c9c607756481252a7af2454dc1184049d6976063ea908c1f98564ffbe9d4a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Loads dropped DLL
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe

Filesize
864KB

MD5
5a4a5f9430f4f3d14865b534f2794e2e

SHA1
50a5faf4d0626803833d53ba979275077716b7fc

SHA256
c415277a0775ceb47d7d61a04f7b7f2e880d1ded41c829a1041fbef839bb3371

SHA512
9dc6d6c8e70e9af6600a286af16900bbee821df8881d297dd79473d97bc9ab693772ea4d57de7c2b0007007b1d6588dd6eabbd0b320aaf97d6b434254b263994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe

Filesize
864KB

MD5
5a4a5f9430f4f3d14865b534f2794e2e

SHA1
50a5faf4d0626803833d53ba979275077716b7fc

SHA256
c415277a0775ceb47d7d61a04f7b7f2e880d1ded41c829a1041fbef839bb3371

SHA512
9dc6d6c8e70e9af6600a286af16900bbee821df8881d297dd79473d97bc9ab693772ea4d57de7c2b0007007b1d6588dd6eabbd0b320aaf97d6b434254b263994

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe

Filesize
681KB

MD5
34d2bcd49671a6011997a5abd32cefc5

SHA1
68a491ef05bbbfd178443b9a5e769e77bc46e8bf

SHA256
e688fb73fe1fc51ab69407869fedd26643f2ea2c6641e200184acfebf7be8775

SHA512
9decdcd47771105fe5d300f7d0b8142c83b7549723fed37dfa71aa173eee66cce0175ef408236fd2a8c06886b568060c76b842cb4a4fb76bbde9b86658cb5345

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe

Filesize
681KB

MD5
34d2bcd49671a6011997a5abd32cefc5

SHA1
68a491ef05bbbfd178443b9a5e769e77bc46e8bf

SHA256
e688fb73fe1fc51ab69407869fedd26643f2ea2c6641e200184acfebf7be8775

SHA512
9decdcd47771105fe5d300f7d0b8142c83b7549723fed37dfa71aa173eee66cce0175ef408236fd2a8c06886b568060c76b842cb4a4fb76bbde9b86658cb5345

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe

Filesize
530KB

MD5
a15b1453fa4a1c6745bfcdb865d1df8b

SHA1
1c4a12b2820ffb4d0202530847cf11d8422234b1

SHA256
2317542dd3e1cec3ac23007334b5982ff5f0a51a8fe86a98043bcb4bee3ccdd6

SHA512
346b962cf7aa307facb6ef9079ff4ee310e6ac136d351b110578e2e9053cdcd55caa73b30976d5fdbe4daab2413f33d936ee8e3439b0a9e777ae9f960adc7867

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe

Filesize
530KB

MD5
a15b1453fa4a1c6745bfcdb865d1df8b

SHA1
1c4a12b2820ffb4d0202530847cf11d8422234b1

SHA256
2317542dd3e1cec3ac23007334b5982ff5f0a51a8fe86a98043bcb4bee3ccdd6

SHA512
346b962cf7aa307facb6ef9079ff4ee310e6ac136d351b110578e2e9053cdcd55caa73b30976d5fdbe4daab2413f33d936ee8e3439b0a9e777ae9f960adc7867

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe

Filesize
530KB

MD5
a15b1453fa4a1c6745bfcdb865d1df8b

SHA1
1c4a12b2820ffb4d0202530847cf11d8422234b1

SHA256
2317542dd3e1cec3ac23007334b5982ff5f0a51a8fe86a98043bcb4bee3ccdd6

SHA512
346b962cf7aa307facb6ef9079ff4ee310e6ac136d351b110578e2e9053cdcd55caa73b30976d5fdbe4daab2413f33d936ee8e3439b0a9e777ae9f960adc7867

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe

Filesize
691KB

MD5
a420e82c9d5b88bdd191622b51f2f4c1

SHA1
6e0488ccdce614833cb257fb959d0bfe00020677

SHA256
de53f60e0365a056a97763f9e6ca1e768a15423bbcaba8e09e3f61a641556e0d

SHA512
df191fe6aa6e9c70720af112c893db4b28018f1ea4f2874215fb0b79b35bab6088d9f01ed20c54c517620adb2aa94f038396155ca9d5c6ca04039f376f698f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe

Filesize
691KB

MD5
a420e82c9d5b88bdd191622b51f2f4c1

SHA1
6e0488ccdce614833cb257fb959d0bfe00020677

SHA256
de53f60e0365a056a97763f9e6ca1e768a15423bbcaba8e09e3f61a641556e0d

SHA512
df191fe6aa6e9c70720af112c893db4b28018f1ea4f2874215fb0b79b35bab6088d9f01ed20c54c517620adb2aa94f038396155ca9d5c6ca04039f376f698f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe

Filesize
691KB

MD5
a420e82c9d5b88bdd191622b51f2f4c1

SHA1
6e0488ccdce614833cb257fb959d0bfe00020677

SHA256
de53f60e0365a056a97763f9e6ca1e768a15423bbcaba8e09e3f61a641556e0d

SHA512
df191fe6aa6e9c70720af112c893db4b28018f1ea4f2874215fb0b79b35bab6088d9f01ed20c54c517620adb2aa94f038396155ca9d5c6ca04039f376f698f10

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe

Filesize
864KB

MD5
5a4a5f9430f4f3d14865b534f2794e2e

SHA1
50a5faf4d0626803833d53ba979275077716b7fc

SHA256
c415277a0775ceb47d7d61a04f7b7f2e880d1ded41c829a1041fbef839bb3371

SHA512
9dc6d6c8e70e9af6600a286af16900bbee821df8881d297dd79473d97bc9ab693772ea4d57de7c2b0007007b1d6588dd6eabbd0b320aaf97d6b434254b263994

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5860936.exe

Filesize
864KB

MD5
5a4a5f9430f4f3d14865b534f2794e2e

SHA1
50a5faf4d0626803833d53ba979275077716b7fc

SHA256
c415277a0775ceb47d7d61a04f7b7f2e880d1ded41c829a1041fbef839bb3371

SHA512
9dc6d6c8e70e9af6600a286af16900bbee821df8881d297dd79473d97bc9ab693772ea4d57de7c2b0007007b1d6588dd6eabbd0b320aaf97d6b434254b263994

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe

Filesize
681KB

MD5
34d2bcd49671a6011997a5abd32cefc5

SHA1
68a491ef05bbbfd178443b9a5e769e77bc46e8bf

SHA256
e688fb73fe1fc51ab69407869fedd26643f2ea2c6641e200184acfebf7be8775

SHA512
9decdcd47771105fe5d300f7d0b8142c83b7549723fed37dfa71aa173eee66cce0175ef408236fd2a8c06886b568060c76b842cb4a4fb76bbde9b86658cb5345

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3802276.exe

Filesize
681KB

MD5
34d2bcd49671a6011997a5abd32cefc5

SHA1
68a491ef05bbbfd178443b9a5e769e77bc46e8bf

SHA256
e688fb73fe1fc51ab69407869fedd26643f2ea2c6641e200184acfebf7be8775

SHA512
9decdcd47771105fe5d300f7d0b8142c83b7549723fed37dfa71aa173eee66cce0175ef408236fd2a8c06886b568060c76b842cb4a4fb76bbde9b86658cb5345

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe

Filesize
530KB

MD5
a15b1453fa4a1c6745bfcdb865d1df8b

SHA1
1c4a12b2820ffb4d0202530847cf11d8422234b1

SHA256
2317542dd3e1cec3ac23007334b5982ff5f0a51a8fe86a98043bcb4bee3ccdd6

SHA512
346b962cf7aa307facb6ef9079ff4ee310e6ac136d351b110578e2e9053cdcd55caa73b30976d5fdbe4daab2413f33d936ee8e3439b0a9e777ae9f960adc7867

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe

Filesize
530KB

MD5
a15b1453fa4a1c6745bfcdb865d1df8b

SHA1
1c4a12b2820ffb4d0202530847cf11d8422234b1

SHA256
2317542dd3e1cec3ac23007334b5982ff5f0a51a8fe86a98043bcb4bee3ccdd6

SHA512
346b962cf7aa307facb6ef9079ff4ee310e6ac136d351b110578e2e9053cdcd55caa73b30976d5fdbe4daab2413f33d936ee8e3439b0a9e777ae9f960adc7867

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\k6701060.exe

Filesize
530KB

MD5
a15b1453fa4a1c6745bfcdb865d1df8b

SHA1
1c4a12b2820ffb4d0202530847cf11d8422234b1

SHA256
2317542dd3e1cec3ac23007334b5982ff5f0a51a8fe86a98043bcb4bee3ccdd6

SHA512
346b962cf7aa307facb6ef9079ff4ee310e6ac136d351b110578e2e9053cdcd55caa73b30976d5fdbe4daab2413f33d936ee8e3439b0a9e777ae9f960adc7867

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe

Filesize
691KB

MD5
a420e82c9d5b88bdd191622b51f2f4c1

SHA1
6e0488ccdce614833cb257fb959d0bfe00020677

SHA256
de53f60e0365a056a97763f9e6ca1e768a15423bbcaba8e09e3f61a641556e0d

SHA512
df191fe6aa6e9c70720af112c893db4b28018f1ea4f2874215fb0b79b35bab6088d9f01ed20c54c517620adb2aa94f038396155ca9d5c6ca04039f376f698f10

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe

Filesize
691KB

MD5
a420e82c9d5b88bdd191622b51f2f4c1

SHA1
6e0488ccdce614833cb257fb959d0bfe00020677

SHA256
de53f60e0365a056a97763f9e6ca1e768a15423bbcaba8e09e3f61a641556e0d

SHA512
df191fe6aa6e9c70720af112c893db4b28018f1ea4f2874215fb0b79b35bab6088d9f01ed20c54c517620adb2aa94f038396155ca9d5c6ca04039f376f698f10

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3477921.exe

Filesize
691KB

MD5
a420e82c9d5b88bdd191622b51f2f4c1

SHA1
6e0488ccdce614833cb257fb959d0bfe00020677

SHA256
de53f60e0365a056a97763f9e6ca1e768a15423bbcaba8e09e3f61a641556e0d

SHA512
df191fe6aa6e9c70720af112c893db4b28018f1ea4f2874215fb0b79b35bab6088d9f01ed20c54c517620adb2aa94f038396155ca9d5c6ca04039f376f698f10

Download Submit
memory/1652-101-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/1652-105-0x0000000000510000-0x0000000000516000-memory.dmp

Filesize
24KB

Download
memory/1652-106-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/1652-107-0x0000000000BD0000-0x0000000000C10000-memory.dmp

Filesize
256KB

Download
memory/2904-87-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download