healer | 83258fe81b568e34a9531f48c88a95a59a8b82299978e9fd7a0e651220a69537

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2023, 01:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.0MB
MD5

ecb780e0b9a862f01b73fc28e175e2b0
SHA1

4f52114d9c4744f9a563caeaee925b3d9c1d66f8
SHA256

83258fe81b568e34a9531f48c88a95a59a8b82299978e9fd7a0e651220a69537
SHA512

574ec92f9c4680011281ca933afbcda5786f8044728fd3448ddf5464ba562e51fad53e1694f5ebd8688e98ea9383c3185ad92a6160c6981f81f08b64350f62f8
SSDEEP

24576:vyiuBTR9IYqU5Z05UOKg0Izc3qO5qYsr4BRd+ZO8FrbO:6iCRIYzOK1eYsr28

Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

Detects Healer an antivirus disabler dropper 4 IoCs

resource	yara_rule
behavioral2/memory/2080-169-0x00000000005A0000-0x00000000005DE000-memory.dmp	healer
behavioral2/files/0x00060000000231f2-177.dat	healer
behavioral2/files/0x00060000000231f2-178.dat	healer
behavioral2/memory/2268-179-0x0000000000EB0000-0x0000000000EBA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b6396037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b6396037.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4340372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4340372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4340372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b6396037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b6396037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4340372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4340372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4340372.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b6396037.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b6396037.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1088	v2555540.exe
4084	v1287778.exe
4232	v2967426.exe
2080	a4340372.exe
2268	b6396037.exe
2264	c6692687.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4340372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4340372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b6396037.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2555540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2555540.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1287778.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1287778.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2967426.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2967426.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2080	a4340372.exe
2080	a4340372.exe
2268	b6396037.exe
2268	b6396037.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	a4340372.exe
Token: SeDebugPrivilege	2268	b6396037.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 1088	4408	file.exe	84
PID 4408 wrote to memory of 1088	4408	file.exe	84
PID 4408 wrote to memory of 1088	4408	file.exe	84
PID 1088 wrote to memory of 4084	1088	v2555540.exe	85
PID 1088 wrote to memory of 4084	1088	v2555540.exe	85
PID 1088 wrote to memory of 4084	1088	v2555540.exe	85
PID 4084 wrote to memory of 4232	4084	v1287778.exe	86
PID 4084 wrote to memory of 4232	4084	v1287778.exe	86
PID 4084 wrote to memory of 4232	4084	v1287778.exe	86
PID 4232 wrote to memory of 2080	4232	v2967426.exe	87
PID 4232 wrote to memory of 2080	4232	v2967426.exe	87
PID 4232 wrote to memory of 2080	4232	v2967426.exe	87
PID 4232 wrote to memory of 2268	4232	v2967426.exe	100
PID 4232 wrote to memory of 2268	4232	v2967426.exe	100
PID 4084 wrote to memory of 2264	4084	v1287778.exe	101
PID 4084 wrote to memory of 2264	4084	v1287778.exe	101
PID 4084 wrote to memory of 2264	4084	v1287778.exe	101

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2555540.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2555540.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1287778.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1287778.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2967426.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2967426.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4340372.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4340372.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6396037.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6396037.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6692687.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6692687.exe
      4⤵
      Executes dropped EXE
      PID:2264

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2555540.exe

Filesize
905KB

MD5
fbfcca8511468a149b1555c4887e85e9

SHA1
fb63c88183f312e437ce938a1b451fdfee7c7c29

SHA256
b7dd35909b984d61822381083925749fafbc9e237a8dbe97ed462b3da619e6b4

SHA512
c07a8e0d4e875093b84e0b8500d1ffe11c1a82fe9f044761e253da1b031665ae6d2639ee313a6973fd3c04d6f9eae2e5be0b059bbffb8bf0b93c08cf1ae42550

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2555540.exe

Filesize
905KB

MD5
fbfcca8511468a149b1555c4887e85e9

SHA1
fb63c88183f312e437ce938a1b451fdfee7c7c29

SHA256
b7dd35909b984d61822381083925749fafbc9e237a8dbe97ed462b3da619e6b4

SHA512
c07a8e0d4e875093b84e0b8500d1ffe11c1a82fe9f044761e253da1b031665ae6d2639ee313a6973fd3c04d6f9eae2e5be0b059bbffb8bf0b93c08cf1ae42550

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1287778.exe

Filesize
721KB

MD5
3efa31ed97c04506d00fb197a139fcf4

SHA1
ab7710ee4ba81a350dc37842e751c06d76c3c356

SHA256
b3af9f3a6dba25fb7cd38013491fc2e7231dbe610c74d0c2d4c4c78611d1b10a

SHA512
cb008db39b8c97d1e1d6e7ee821a78ef5a7c84e6167697b323227aa6a5c05ffafbb6988f7c68da7f551b57ca32d63b7c30ff9a1e73c3ae4a95483807f84c8e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1287778.exe

Filesize
721KB

MD5
3efa31ed97c04506d00fb197a139fcf4

SHA1
ab7710ee4ba81a350dc37842e751c06d76c3c356

SHA256
b3af9f3a6dba25fb7cd38013491fc2e7231dbe610c74d0c2d4c4c78611d1b10a

SHA512
cb008db39b8c97d1e1d6e7ee821a78ef5a7c84e6167697b323227aa6a5c05ffafbb6988f7c68da7f551b57ca32d63b7c30ff9a1e73c3ae4a95483807f84c8e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6692687.exe

Filesize
488KB

MD5
b713e8964954225745e7595c026bfa92

SHA1
d859411c1a9bfeb6b438bc98f5704cb80c4aa13e

SHA256
4a0c4f3cb60c059ad63a55fa1107480d1e4d7a82f046058ec297f687cfcc872f

SHA512
30d65fd374d21c25dbbd2bf3d36fa9aec67ff00b00db7a664ff80fcfb5eeaf9139b67ade9e701b1c7911cae7490fb05a1c017e5c78f29b650c800287d9fb4b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6692687.exe

Filesize
488KB

MD5
b713e8964954225745e7595c026bfa92

SHA1
d859411c1a9bfeb6b438bc98f5704cb80c4aa13e

SHA256
4a0c4f3cb60c059ad63a55fa1107480d1e4d7a82f046058ec297f687cfcc872f

SHA512
30d65fd374d21c25dbbd2bf3d36fa9aec67ff00b00db7a664ff80fcfb5eeaf9139b67ade9e701b1c7911cae7490fb05a1c017e5c78f29b650c800287d9fb4b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2967426.exe

Filesize
326KB

MD5
4f2de442c482db264d63daf538a66c75

SHA1
4bb33cb0645568d0162716295d761d33eb6cd191

SHA256
1cd510282f74ae0408209d171293591c2a7b6a5053f77518d9d24c420ac266b3

SHA512
39947760375758cd644ccaca701cf27a962841c9c35d758e427d9edf3db5b98c893d69134c347b220543558b3348ea0ee8bbeb9bcd9a2cf4ee8b82b6b54cb75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2967426.exe

Filesize
326KB

MD5
4f2de442c482db264d63daf538a66c75

SHA1
4bb33cb0645568d0162716295d761d33eb6cd191

SHA256
1cd510282f74ae0408209d171293591c2a7b6a5053f77518d9d24c420ac266b3

SHA512
39947760375758cd644ccaca701cf27a962841c9c35d758e427d9edf3db5b98c893d69134c347b220543558b3348ea0ee8bbeb9bcd9a2cf4ee8b82b6b54cb75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4340372.exe

Filesize
295KB

MD5
db4a8f8b3e24f897483f34f5f18976bb

SHA1
cced15e3e7fafcdc76eae1da109a8a58c5760047

SHA256
e658af8dcaf728407601c915253413d0991f730d9d4afc32e12b0247845e68ca

SHA512
290ede4832f50d00c527a50b0bbf501aa645a10ae8a8dc2cbc4c3b72f7c8cd3df2c91f1c9e8451aad8df7cbaded9a7bb460be50e8a42f2b0610485ee639252b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a4340372.exe

Filesize
295KB

MD5
db4a8f8b3e24f897483f34f5f18976bb

SHA1
cced15e3e7fafcdc76eae1da109a8a58c5760047

SHA256
e658af8dcaf728407601c915253413d0991f730d9d4afc32e12b0247845e68ca

SHA512
290ede4832f50d00c527a50b0bbf501aa645a10ae8a8dc2cbc4c3b72f7c8cd3df2c91f1c9e8451aad8df7cbaded9a7bb460be50e8a42f2b0610485ee639252b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6396037.exe

Filesize
11KB

MD5
efeeda40c40cace9285277ac2e8086c7

SHA1
ddcc6fd29f5d7f77773ca19330ddb63330646644

SHA256
3d1ba545074d04ff68022e2837500167342aecf56c1c7766827ace8438439fc1

SHA512
9dfa63390688caf88726a797bbc8a66012f6278e28f989f996087a1687660fae3ef12ac3ceebf7dd88a525599f1f1360c7d863e0ecf1cb05df400cb9079161fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6396037.exe

Filesize
11KB

MD5
efeeda40c40cace9285277ac2e8086c7

SHA1
ddcc6fd29f5d7f77773ca19330ddb63330646644

SHA256
3d1ba545074d04ff68022e2837500167342aecf56c1c7766827ace8438439fc1

SHA512
9dfa63390688caf88726a797bbc8a66012f6278e28f989f996087a1687660fae3ef12ac3ceebf7dd88a525599f1f1360c7d863e0ecf1cb05df400cb9079161fb

Download Submit
memory/2080-168-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/2080-172-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/2080-175-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/2080-171-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2080-170-0x0000000006BD0000-0x0000000006BD1000-memory.dmp

Filesize
4KB

Download
memory/2080-169-0x00000000005A0000-0x00000000005DE000-memory.dmp

Filesize
248KB

Download
memory/2080-162-0x00000000005A0000-0x00000000005DE000-memory.dmp

Filesize
248KB

Download
memory/2080-161-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2264-195-0x00000000005C0000-0x000000000064C000-memory.dmp

Filesize
560KB

Download
memory/2264-199-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/2264-186-0x00000000005C0000-0x000000000064C000-memory.dmp

Filesize
560KB

Download
memory/2264-187-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2264-204-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/2264-194-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/2264-203-0x0000000074AB0000-0x0000000075260000-memory.dmp

Filesize
7.7MB

Download
memory/2264-197-0x00000000049F0000-0x0000000005008000-memory.dmp

Filesize
6.1MB

Download
memory/2264-198-0x00000000050A0000-0x00000000051AA000-memory.dmp

Filesize
1.0MB

Download
memory/2264-200-0x0000000006DF0000-0x0000000006E00000-memory.dmp

Filesize
64KB

Download
memory/2264-202-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2264-201-0x00000000051F0000-0x000000000522C000-memory.dmp

Filesize
240KB

Download
memory/2268-182-0x00007FFC2B200000-0x00007FFC2BCC1000-memory.dmp

Filesize
10.8MB

Download
memory/2268-179-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

Filesize
40KB

Download
memory/2268-180-0x00007FFC2B200000-0x00007FFC2BCC1000-memory.dmp

Filesize
10.8MB

Download