healer | bfc9dc1a7fae0fd262d25ccb67c21ba1de11a323a69065dc814c178b7598a21f

Analysis

max time kernel
131s
max time network
145s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
14/07/2023, 19:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

bfc9dc1a7fae0fd262d25ccb67c21ba1de11a323a69065dc814c178b7598a21f.exe
Size

1.0MB
MD5

9fdc2ac20f02a470fd5ccf8827f28db9
SHA1

b95d76bf1b0953b3e53bd4b0970f39502e468a83
SHA256

bfc9dc1a7fae0fd262d25ccb67c21ba1de11a323a69065dc814c178b7598a21f
SHA512

32c059ce309598ee8134d6073068b7ac22a3958ca8dcbecf69d2e5e133dcf3ea0f9c62aaa81bee00134e4601f4ce0d7c5a0b480f29c330bee335d48bcac3cc50
SSDEEP

24576:NyOamX/qFcBxI9awPDBR4vHhPj4PgAQp2tEOaR:owXmVRMHJj4ovRh

Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

Detects Healer an antivirus disabler dropper 4 IoCs

resource	yara_rule
behavioral1/memory/2780-156-0x0000000000560000-0x000000000059E000-memory.dmp	healer
behavioral1/files/0x000600000001afd6-163.dat	healer
behavioral1/files/0x000600000001afd6-164.dat	healer
behavioral1/memory/3768-165-0x00000000000F0000-0x00000000000FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b4919231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7894925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7894925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7894925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b4919231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b4919231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b4919231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7894925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7894925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b4919231.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4148	v8573127.exe
4596	v8255727.exe
2464	v9041126.exe
2780	a7894925.exe
3768	b4919231.exe
4936	c2430248.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7894925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7894925.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b4919231.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8255727.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8255727.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9041126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9041126.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bfc9dc1a7fae0fd262d25ccb67c21ba1de11a323a69065dc814c178b7598a21f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bfc9dc1a7fae0fd262d25ccb67c21ba1de11a323a69065dc814c178b7598a21f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v8573127.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8573127.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2780	a7894925.exe
2780	a7894925.exe
3768	b4919231.exe
3768	b4919231.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	a7894925.exe
Token: SeDebugPrivilege	3768	b4919231.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 4148	1212	bfc9dc1a7fae0fd262d25ccb67c21ba1de11a323a69065dc814c178b7598a21f.exe	69
PID 1212 wrote to memory of 4148	1212	bfc9dc1a7fae0fd262d25ccb67c21ba1de11a323a69065dc814c178b7598a21f.exe	69
PID 1212 wrote to memory of 4148	1212	bfc9dc1a7fae0fd262d25ccb67c21ba1de11a323a69065dc814c178b7598a21f.exe	69
PID 4148 wrote to memory of 4596	4148	v8573127.exe	70
PID 4148 wrote to memory of 4596	4148	v8573127.exe	70
PID 4148 wrote to memory of 4596	4148	v8573127.exe	70
PID 4596 wrote to memory of 2464	4596	v8255727.exe	71
PID 4596 wrote to memory of 2464	4596	v8255727.exe	71
PID 4596 wrote to memory of 2464	4596	v8255727.exe	71
PID 2464 wrote to memory of 2780	2464	v9041126.exe	72
PID 2464 wrote to memory of 2780	2464	v9041126.exe	72
PID 2464 wrote to memory of 2780	2464	v9041126.exe	72
PID 2464 wrote to memory of 3768	2464	v9041126.exe	74
PID 2464 wrote to memory of 3768	2464	v9041126.exe	74
PID 4596 wrote to memory of 4936	4596	v8255727.exe	75
PID 4596 wrote to memory of 4936	4596	v8255727.exe	75
PID 4596 wrote to memory of 4936	4596	v8255727.exe	75

C:\Users\Admin\AppData\Local\Temp\bfc9dc1a7fae0fd262d25ccb67c21ba1de11a323a69065dc814c178b7598a21f.exe
"C:\Users\Admin\AppData\Local\Temp\bfc9dc1a7fae0fd262d25ccb67c21ba1de11a323a69065dc814c178b7598a21f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8573127.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8573127.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8255727.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8255727.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9041126.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9041126.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7894925.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7894925.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4919231.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4919231.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2430248.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2430248.exe
      4⤵
      Executes dropped EXE
      PID:4936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8573127.exe

Filesize
909KB

MD5
f8d67258221e0340b17d18d4b60ddf47

SHA1
a4e7b534ea1ee4db07a0187034b28428b2890f62

SHA256
05835f092fd7631b725f0a0e49020427cd3e661ba996185d67bf6c96d0cbe137

SHA512
78c761c6191602aa5eec0053328cb5ad55308f56cac4753a245263901b0279410685a86cc1a6c1c62cea00583e21a5a6370362a587ea3cd68d04d0b14cbbde67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8573127.exe

Filesize
909KB

MD5
f8d67258221e0340b17d18d4b60ddf47

SHA1
a4e7b534ea1ee4db07a0187034b28428b2890f62

SHA256
05835f092fd7631b725f0a0e49020427cd3e661ba996185d67bf6c96d0cbe137

SHA512
78c761c6191602aa5eec0053328cb5ad55308f56cac4753a245263901b0279410685a86cc1a6c1c62cea00583e21a5a6370362a587ea3cd68d04d0b14cbbde67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8255727.exe

Filesize
726KB

MD5
ec029d932ba0010ace4688fc8e3ce53b

SHA1
7b34f87ff6d6f0c04b5e31e4529b64de8b4574a9

SHA256
0698af13d215f47ba0ddda58017e4fa9ffed5ba146bb50a29f17be78a090e01c

SHA512
59b984dca8ef1cddb3d77c8b720cb418d280ee831804598c39408c1a57f9bab3220bf75b16d4bc7a8e88bc6f2db7201fe2e837c003eac1e335382f96eea54ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8255727.exe

Filesize
726KB

MD5
ec029d932ba0010ace4688fc8e3ce53b

SHA1
7b34f87ff6d6f0c04b5e31e4529b64de8b4574a9

SHA256
0698af13d215f47ba0ddda58017e4fa9ffed5ba146bb50a29f17be78a090e01c

SHA512
59b984dca8ef1cddb3d77c8b720cb418d280ee831804598c39408c1a57f9bab3220bf75b16d4bc7a8e88bc6f2db7201fe2e837c003eac1e335382f96eea54ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2430248.exe

Filesize
493KB

MD5
1c875db67ea81c811e5dc1b010a9487f

SHA1
419759bf707003d1e36397cf1cb3e2cc9f22de72

SHA256
5ee7d80550ebb10a79b9547a38cc1f2de61b245a324542629275de2d15af4f91

SHA512
9bcc1c821cea2e3ef7e05696b05109a9c896f8dc391c625fb23bc8b00b0bab60b320a089f5072a4a60be918eaac4dfe06aed4d21c5792dc7407f9a3ad5dd9293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2430248.exe

Filesize
493KB

MD5
1c875db67ea81c811e5dc1b010a9487f

SHA1
419759bf707003d1e36397cf1cb3e2cc9f22de72

SHA256
5ee7d80550ebb10a79b9547a38cc1f2de61b245a324542629275de2d15af4f91

SHA512
9bcc1c821cea2e3ef7e05696b05109a9c896f8dc391c625fb23bc8b00b0bab60b320a089f5072a4a60be918eaac4dfe06aed4d21c5792dc7407f9a3ad5dd9293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9041126.exe

Filesize
327KB

MD5
dd25515e54aeb695d3d9909930d1a728

SHA1
a87391e8c81d7c5b8db91d03010735f3eb27daa2

SHA256
cc30e30a786b760c80d4ca29edede2114f23e9a34c0fc64d981c6279468bd7c4

SHA512
e9cd940e635c69b9a7f24e9447771128ead4a2022bbf38e221ce33bcae39a001975a0a8c388ce798151a2a04d43d07a1fe684726aec8bd0c4e604e6712c965b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9041126.exe

Filesize
327KB

MD5
dd25515e54aeb695d3d9909930d1a728

SHA1
a87391e8c81d7c5b8db91d03010735f3eb27daa2

SHA256
cc30e30a786b760c80d4ca29edede2114f23e9a34c0fc64d981c6279468bd7c4

SHA512
e9cd940e635c69b9a7f24e9447771128ead4a2022bbf38e221ce33bcae39a001975a0a8c388ce798151a2a04d43d07a1fe684726aec8bd0c4e604e6712c965b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7894925.exe

Filesize
295KB

MD5
6529aa50b58955524bb2e0b36c4f4c2b

SHA1
98c5268bbe23d182ee99c0dd365c2974ca831718

SHA256
71cedd15834c57ae96d5eb3b1e0622c16b7aa8f03f9829dca91616996c1dd695

SHA512
ea77da8b0700b859ff06e56224bffdf1016fb7cf0361ef99d82ffd03f1ab82675e5e2f639ea46006fdff626dd07df40d05436dd37583704d82d2a6a06980fdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7894925.exe

Filesize
295KB

MD5
6529aa50b58955524bb2e0b36c4f4c2b

SHA1
98c5268bbe23d182ee99c0dd365c2974ca831718

SHA256
71cedd15834c57ae96d5eb3b1e0622c16b7aa8f03f9829dca91616996c1dd695

SHA512
ea77da8b0700b859ff06e56224bffdf1016fb7cf0361ef99d82ffd03f1ab82675e5e2f639ea46006fdff626dd07df40d05436dd37583704d82d2a6a06980fdc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4919231.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4919231.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/2780-148-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2780-161-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-158-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-157-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2780-156-0x0000000000560000-0x000000000059E000-memory.dmp

Filesize
248KB

Download
memory/2780-155-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-149-0x0000000000560000-0x000000000059E000-memory.dmp

Filesize
248KB

Download
memory/3768-165-0x00000000000F0000-0x00000000000FA000-memory.dmp

Filesize
40KB

Download
memory/3768-166-0x00007FFCD0C10000-0x00007FFCD15FC000-memory.dmp

Filesize
9.9MB

Download
memory/3768-168-0x00007FFCD0C10000-0x00007FFCD15FC000-memory.dmp

Filesize
9.9MB

Download
memory/4936-181-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/4936-173-0x0000000001FA0000-0x000000000202C000-memory.dmp

Filesize
560KB

Download
memory/4936-174-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4936-182-0x0000000001FA0000-0x000000000202C000-memory.dmp

Filesize
560KB

Download
memory/4936-184-0x00000000043F0000-0x00000000043F6000-memory.dmp

Filesize
24KB

Download
memory/4936-185-0x00000000049D0000-0x0000000004FD6000-memory.dmp

Filesize
6.0MB

Download
memory/4936-186-0x0000000005030000-0x000000000513A000-memory.dmp

Filesize
1.0MB

Download
memory/4936-187-0x0000000005160000-0x0000000005172000-memory.dmp

Filesize
72KB

Download
memory/4936-188-0x0000000005180000-0x00000000051BE000-memory.dmp

Filesize
248KB

Download
memory/4936-189-0x00000000051F0000-0x000000000523B000-memory.dmp

Filesize
300KB

Download
memory/4936-190-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download