healer | 698bb5d2efef036d94e9de8cef0b7aa32baefe9193ceb2aded0e1c5ff0a30ccc

Analysis

max time kernel
132s
max time network
146s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
15/07/2023, 01:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

698bb5d2efef036d94e9de8cef0b7aa32baefe9193ceb2aded0e1c5ff0a30ccc.exe
Size

1.0MB
MD5

8a2ae238b7519370b4bb8d5a8eb584f5
SHA1

a45cd66914912f371a84ce252ec77984f5a1308f
SHA256

698bb5d2efef036d94e9de8cef0b7aa32baefe9193ceb2aded0e1c5ff0a30ccc
SHA512

b6a6cbaedef8041c5906fa828870cd0daf096ba3e1edbf11c3958d0fd2a99249379cbacb004520b0f00e3656bf2c4b90a7588a85492b6ddceb67600bca1767ce
SSDEEP

24576:xyhC3g69EAQsPGaqRjQQhFlvESesRYCrvylrO:khigkNPGr5MS68qlr

Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

Detects Healer an antivirus disabler dropper 4 IoCs

resource	yara_rule
behavioral1/memory/608-158-0x0000000000490000-0x00000000004CE000-memory.dmp	healer
behavioral1/files/0x000600000001b04e-166.dat	healer
behavioral1/files/0x000600000001b04e-167.dat	healer
behavioral1/memory/992-168-0x0000000000D90000-0x0000000000D9A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2950926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2950926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2950926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b2148933.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2950926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2950926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b2148933.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b2148933.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b2148933.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b2148933.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
692	v7693644.exe
1900	v2381345.exe
3212	v5800703.exe
608	a2950926.exe
992	b2148933.exe
4024	c5782216.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2950926.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b2148933.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a2950926.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5800703.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	698bb5d2efef036d94e9de8cef0b7aa32baefe9193ceb2aded0e1c5ff0a30ccc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	698bb5d2efef036d94e9de8cef0b7aa32baefe9193ceb2aded0e1c5ff0a30ccc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7693644.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7693644.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v2381345.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2381345.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5800703.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
608	a2950926.exe
608	a2950926.exe
992	b2148933.exe
992	b2148933.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	608	a2950926.exe
Token: SeDebugPrivilege	992	b2148933.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 692	4976	698bb5d2efef036d94e9de8cef0b7aa32baefe9193ceb2aded0e1c5ff0a30ccc.exe	70
PID 4976 wrote to memory of 692	4976	698bb5d2efef036d94e9de8cef0b7aa32baefe9193ceb2aded0e1c5ff0a30ccc.exe	70
PID 4976 wrote to memory of 692	4976	698bb5d2efef036d94e9de8cef0b7aa32baefe9193ceb2aded0e1c5ff0a30ccc.exe	70
PID 692 wrote to memory of 1900	692	v7693644.exe	71
PID 692 wrote to memory of 1900	692	v7693644.exe	71
PID 692 wrote to memory of 1900	692	v7693644.exe	71
PID 1900 wrote to memory of 3212	1900	v2381345.exe	72
PID 1900 wrote to memory of 3212	1900	v2381345.exe	72
PID 1900 wrote to memory of 3212	1900	v2381345.exe	72
PID 3212 wrote to memory of 608	3212	v5800703.exe	73
PID 3212 wrote to memory of 608	3212	v5800703.exe	73
PID 3212 wrote to memory of 608	3212	v5800703.exe	73
PID 3212 wrote to memory of 992	3212	v5800703.exe	75
PID 3212 wrote to memory of 992	3212	v5800703.exe	75
PID 1900 wrote to memory of 4024	1900	v2381345.exe	76
PID 1900 wrote to memory of 4024	1900	v2381345.exe	76
PID 1900 wrote to memory of 4024	1900	v2381345.exe	76

C:\Users\Admin\AppData\Local\Temp\698bb5d2efef036d94e9de8cef0b7aa32baefe9193ceb2aded0e1c5ff0a30ccc.exe
"C:\Users\Admin\AppData\Local\Temp\698bb5d2efef036d94e9de8cef0b7aa32baefe9193ceb2aded0e1c5ff0a30ccc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7693644.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7693644.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2381345.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2381345.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5800703.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5800703.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2950926.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2950926.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2148933.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2148933.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5782216.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5782216.exe
      4⤵
      Executes dropped EXE
      PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
957779c42144282d8cd83192b8fbc7cf

SHA1
de83d08d2cca06b9ff3d1ef239d6b60b705d25fe

SHA256
0d7ca7ba65e2b465e4878e324ceab8f8981f5ec06dcf5bc32559a4467a9c7d51

SHA512
f1549c61b4f2906d13b2aabb74772c2bc826cd42373d7bb6c48cbb125d5aa2ec17617e6b5e67e8aae3bb5790cc831cdba48a45008ed01df4fba8be448cce39fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7693644.exe

Filesize
904KB

MD5
b02a84645f9be51226d50cf3585e3b45

SHA1
205aebe6fa2c254dc713344742d1b35dd204dcef

SHA256
c49c64c3d3cb8f8710a24e74f5c6e8a36fda82e7958dceced058ad015c8da7af

SHA512
8a8a878a0bde005cee36a0d66879d3d055f56966e46fcaa3f94cfaa75fd9ac98c06504c2b04f3a8170338ab910ae0c9d3ee163dbec2198e93bc4b071366af245

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7693644.exe

Filesize
904KB

MD5
b02a84645f9be51226d50cf3585e3b45

SHA1
205aebe6fa2c254dc713344742d1b35dd204dcef

SHA256
c49c64c3d3cb8f8710a24e74f5c6e8a36fda82e7958dceced058ad015c8da7af

SHA512
8a8a878a0bde005cee36a0d66879d3d055f56966e46fcaa3f94cfaa75fd9ac98c06504c2b04f3a8170338ab910ae0c9d3ee163dbec2198e93bc4b071366af245

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2381345.exe

Filesize
720KB

MD5
f7f95d5d028e0073e2288246dd77fc68

SHA1
2dab9a76b58b81da3c1ba363ed2d46731c4fbf51

SHA256
d255afd134e48d521ac2d6392d07979836bf6417ec7002549a07eac9bb6a74bc

SHA512
4b582b2bb85af16074c33a707dec2b3c1a4fa7e635183ba0407e4a640764ce707faec55190493ffa2de78ba5d6ec6113bb8b1617de781ea57b9eb63e798bd756

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2381345.exe

Filesize
720KB

MD5
f7f95d5d028e0073e2288246dd77fc68

SHA1
2dab9a76b58b81da3c1ba363ed2d46731c4fbf51

SHA256
d255afd134e48d521ac2d6392d07979836bf6417ec7002549a07eac9bb6a74bc

SHA512
4b582b2bb85af16074c33a707dec2b3c1a4fa7e635183ba0407e4a640764ce707faec55190493ffa2de78ba5d6ec6113bb8b1617de781ea57b9eb63e798bd756

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5782216.exe

Filesize
489KB

MD5
5ed8bc96fd6a2054dba46afca92857cd

SHA1
13e4d6ca743957f81d38ab514673662668663e1a

SHA256
a6d423222e35d702eeb2912635afaee19578c96f5345f038581c787c7688518d

SHA512
d8d6aff317ded5d5221fb70f715e0305aa8559be10b5a4de336169effd15db16e55d881c28476085b72b03bf22320d6bb0880e09f951aa816a86cee650d772e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5782216.exe

Filesize
489KB

MD5
5ed8bc96fd6a2054dba46afca92857cd

SHA1
13e4d6ca743957f81d38ab514673662668663e1a

SHA256
a6d423222e35d702eeb2912635afaee19578c96f5345f038581c787c7688518d

SHA512
d8d6aff317ded5d5221fb70f715e0305aa8559be10b5a4de336169effd15db16e55d881c28476085b72b03bf22320d6bb0880e09f951aa816a86cee650d772e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5800703.exe

Filesize
324KB

MD5
7eef102111bd66a9b180039082dab067

SHA1
99d456d861bdb1ddb59ed5a3072cfa855e21343f

SHA256
e69be6875fc1fff0c663eb901a291d7f6cd76ba40193b0c9259a216f87238078

SHA512
d4d82e569220fea278281d7697487e9b7fb76e646858d543338d98f815907a5d3ee05657d4955c9854ae9584c8a548a7536ac938cf9e3fa79d8dd8591bfa9733

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5800703.exe

Filesize
324KB

MD5
7eef102111bd66a9b180039082dab067

SHA1
99d456d861bdb1ddb59ed5a3072cfa855e21343f

SHA256
e69be6875fc1fff0c663eb901a291d7f6cd76ba40193b0c9259a216f87238078

SHA512
d4d82e569220fea278281d7697487e9b7fb76e646858d543338d98f815907a5d3ee05657d4955c9854ae9584c8a548a7536ac938cf9e3fa79d8dd8591bfa9733

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2950926.exe

Filesize
294KB

MD5
419e8bfef232453f81bdf640d1cc4f08

SHA1
2279688676a25401733e99552ec0fb72f9ba9786

SHA256
7ceca6c46cd141179a4a9894802b35ce3dd26b87a53be368298f7dbd69290b2a

SHA512
d99ecdf8bb276bb89dfa09e7e197a5643b6f24b4eeda6d225e24b8d25e45d464096157e56a3cf8c150c739902053dee8b2b910090c03c85fdc96e9d0255302e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a2950926.exe

Filesize
294KB

MD5
419e8bfef232453f81bdf640d1cc4f08

SHA1
2279688676a25401733e99552ec0fb72f9ba9786

SHA256
7ceca6c46cd141179a4a9894802b35ce3dd26b87a53be368298f7dbd69290b2a

SHA512
d99ecdf8bb276bb89dfa09e7e197a5643b6f24b4eeda6d225e24b8d25e45d464096157e56a3cf8c150c739902053dee8b2b910090c03c85fdc96e9d0255302e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2148933.exe

Filesize
11KB

MD5
d770c7bc8f671371883dd453989735a3

SHA1
0fe95fb8a56747d639b67e03cf1ceed9aaab8af1

SHA256
24d702a270e77a14f0a3889f4183286536edf9956f222f0a9c39d7a4676d7d68

SHA512
5fe34286075540ab526529c5e5b79e20ace3f21b265094bee2b8be50bc3189b750f1117a851fe8fa6d660fc5186e29fa8966d5d236ca436c7cb565eee43b5a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2148933.exe

Filesize
11KB

MD5
d770c7bc8f671371883dd453989735a3

SHA1
0fe95fb8a56747d639b67e03cf1ceed9aaab8af1

SHA256
24d702a270e77a14f0a3889f4183286536edf9956f222f0a9c39d7a4676d7d68

SHA512
5fe34286075540ab526529c5e5b79e20ace3f21b265094bee2b8be50bc3189b750f1117a851fe8fa6d660fc5186e29fa8966d5d236ca436c7cb565eee43b5a8d

Download Submit
memory/608-157-0x0000000073680000-0x0000000073D6E000-memory.dmp

Filesize
6.9MB

Download
memory/608-161-0x0000000073680000-0x0000000073D6E000-memory.dmp

Filesize
6.9MB

Download
memory/608-164-0x0000000073680000-0x0000000073D6E000-memory.dmp

Filesize
6.9MB

Download
memory/608-160-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/608-159-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/608-158-0x0000000000490000-0x00000000004CE000-memory.dmp

Filesize
248KB

Download
memory/608-151-0x0000000000490000-0x00000000004CE000-memory.dmp

Filesize
248KB

Download
memory/608-150-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/992-168-0x0000000000D90000-0x0000000000D9A000-memory.dmp

Filesize
40KB

Download
memory/992-169-0x00007FFCC6BB0000-0x00007FFCC759C000-memory.dmp

Filesize
9.9MB

Download
memory/992-171-0x00007FFCC6BB0000-0x00007FFCC759C000-memory.dmp

Filesize
9.9MB

Download
memory/4024-186-0x00000000044D0000-0x00000000044D6000-memory.dmp

Filesize
24KB

Download
memory/4024-176-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4024-183-0x0000000073680000-0x0000000073D6E000-memory.dmp

Filesize
6.9MB

Download
memory/4024-184-0x0000000000590000-0x000000000061C000-memory.dmp

Filesize
560KB

Download
memory/4024-175-0x0000000000590000-0x000000000061C000-memory.dmp

Filesize
560KB

Download
memory/4024-187-0x0000000006C90000-0x0000000007296000-memory.dmp

Filesize
6.0MB

Download
memory/4024-188-0x00000000072A0000-0x00000000073AA000-memory.dmp

Filesize
1.0MB

Download
memory/4024-189-0x0000000006A30000-0x0000000006A42000-memory.dmp

Filesize
72KB

Download
memory/4024-190-0x0000000006A50000-0x0000000006A8E000-memory.dmp

Filesize
248KB

Download
memory/4024-191-0x0000000006C20000-0x0000000006C6B000-memory.dmp

Filesize
300KB

Download
memory/4024-192-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4024-193-0x0000000073680000-0x0000000073D6E000-memory.dmp

Filesize
6.9MB

Download