healer | 6388154b88d7e6430e048e6b44ae647527fea9bb48918f678b04600396fd9095

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20-07-2023 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4c1293dce1605a1556693303e88cd64.exe
Size

389KB
MD5

b4c1293dce1605a1556693303e88cd64
SHA1

5b36befa445ad4a4407d146f65fa73481c4e7fb5
SHA256

6388154b88d7e6430e048e6b44ae647527fea9bb48918f678b04600396fd9095
SHA512

8dfd45f57faa3b2140675eb081d87823643a0024a544575a9d7803414ec7100bc1ad39e2b03fdcad04d6cc8293bbc86bc5bae9fa4452165c18160108915925fb
SSDEEP

12288:EMrUy90DroP4MYhD3nlF4ifHyA3s+MQh3d:wyi0xYhDX8HkTht

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 4 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015c38-68.dat	healer
behavioral1/files/0x0008000000015c38-70.dat	healer
behavioral1/files/0x0008000000015c38-71.dat	healer
behavioral1/memory/1640-72-0x0000000000D50000-0x0000000000D5A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p8137477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p8137477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p8137477.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p8137477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p8137477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p8137477.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2120	z0632674.exe
1640	p8137477.exe
2960	r5541124.exe

Loads dropped DLL 5 IoCs

pid	Process
1040	b4c1293dce1605a1556693303e88cd64.exe
2120	z0632674.exe
2120	z0632674.exe
2120	z0632674.exe
2960	r5541124.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	p8137477.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p8137477.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	b4c1293dce1605a1556693303e88cd64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b4c1293dce1605a1556693303e88cd64.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0632674.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0632674.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1640	p8137477.exe
1640	p8137477.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	p8137477.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2120	1040	b4c1293dce1605a1556693303e88cd64.exe	28
PID 1040 wrote to memory of 2120	1040	b4c1293dce1605a1556693303e88cd64.exe	28
PID 1040 wrote to memory of 2120	1040	b4c1293dce1605a1556693303e88cd64.exe	28
PID 1040 wrote to memory of 2120	1040	b4c1293dce1605a1556693303e88cd64.exe	28
PID 1040 wrote to memory of 2120	1040	b4c1293dce1605a1556693303e88cd64.exe	28
PID 1040 wrote to memory of 2120	1040	b4c1293dce1605a1556693303e88cd64.exe	28
PID 1040 wrote to memory of 2120	1040	b4c1293dce1605a1556693303e88cd64.exe	28
PID 2120 wrote to memory of 1640	2120	z0632674.exe	29
PID 2120 wrote to memory of 1640	2120	z0632674.exe	29
PID 2120 wrote to memory of 1640	2120	z0632674.exe	29
PID 2120 wrote to memory of 1640	2120	z0632674.exe	29
PID 2120 wrote to memory of 1640	2120	z0632674.exe	29
PID 2120 wrote to memory of 1640	2120	z0632674.exe	29
PID 2120 wrote to memory of 1640	2120	z0632674.exe	29
PID 2120 wrote to memory of 2960	2120	z0632674.exe	30
PID 2120 wrote to memory of 2960	2120	z0632674.exe	30
PID 2120 wrote to memory of 2960	2120	z0632674.exe	30
PID 2120 wrote to memory of 2960	2120	z0632674.exe	30
PID 2120 wrote to memory of 2960	2120	z0632674.exe	30
PID 2120 wrote to memory of 2960	2120	z0632674.exe	30
PID 2120 wrote to memory of 2960	2120	z0632674.exe	30

C:\Users\Admin\AppData\Local\Temp\b4c1293dce1605a1556693303e88cd64.exe
"C:\Users\Admin\AppData\Local\Temp\b4c1293dce1605a1556693303e88cd64.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0632674.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0632674.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8137477.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8137477.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5541124.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5541124.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2960

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0632674.exe

Filesize
206KB

MD5
8ca0a12f0ae366aa1a0376551d08ebd9

SHA1
3449da575e4965dd1887828d88e557e79794aabf

SHA256
4e5e20cd5b854ab4d217f6d7866b472fbbac74b6168298e88b2580d330ed36a2

SHA512
fcd4f8b557e1878835107c626e8ecec40bc8cfb00456115de1a84430568e49b5b56d3818578eaf06a262b8acc15065a9ae721499669e12d9d58279025ebfa4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0632674.exe

Filesize
206KB

MD5
8ca0a12f0ae366aa1a0376551d08ebd9

SHA1
3449da575e4965dd1887828d88e557e79794aabf

SHA256
4e5e20cd5b854ab4d217f6d7866b472fbbac74b6168298e88b2580d330ed36a2

SHA512
fcd4f8b557e1878835107c626e8ecec40bc8cfb00456115de1a84430568e49b5b56d3818578eaf06a262b8acc15065a9ae721499669e12d9d58279025ebfa4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8137477.exe

Filesize
14KB

MD5
706a2ee7c943943f563411c91f8d7cce

SHA1
29880e82414e8963a34dc70a7e67f794ced8e121

SHA256
7d0ddac09ef5391e69ac6183eefcf5e5cdb29b8e2a866a6746ae3c9ff00f6c1f

SHA512
076e429862726912767d9aa5224850d22cfa8a1f98d69116963d04ac6a85543a9fde9aa53a0eb2306bef2e8f686a328b6a1e991d82fe65bde0556202f738ecd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8137477.exe

Filesize
14KB

MD5
706a2ee7c943943f563411c91f8d7cce

SHA1
29880e82414e8963a34dc70a7e67f794ced8e121

SHA256
7d0ddac09ef5391e69ac6183eefcf5e5cdb29b8e2a866a6746ae3c9ff00f6c1f

SHA512
076e429862726912767d9aa5224850d22cfa8a1f98d69116963d04ac6a85543a9fde9aa53a0eb2306bef2e8f686a328b6a1e991d82fe65bde0556202f738ecd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5541124.exe

Filesize
173KB

MD5
170149de9393a2ae1a97b321a674ec9c

SHA1
ed906575b5f1dd8b0b2a2d187a86b9ebac1b5483

SHA256
227bf7cdc5170f203ae0046af121ca26ae4cbf3919a620b1c30a82b4aee77122

SHA512
973dc3001cf3b4a77a0d01c5dc3e96687e968a2b1b5aafa795658c5b86e9c1c88cdd5e56d38cd9b1be239cbca95e6114e2d4d3d0f0ef81941bc54b7b296c0554

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5541124.exe

Filesize
173KB

MD5
170149de9393a2ae1a97b321a674ec9c

SHA1
ed906575b5f1dd8b0b2a2d187a86b9ebac1b5483

SHA256
227bf7cdc5170f203ae0046af121ca26ae4cbf3919a620b1c30a82b4aee77122

SHA512
973dc3001cf3b4a77a0d01c5dc3e96687e968a2b1b5aafa795658c5b86e9c1c88cdd5e56d38cd9b1be239cbca95e6114e2d4d3d0f0ef81941bc54b7b296c0554

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0632674.exe

Filesize
206KB

MD5
8ca0a12f0ae366aa1a0376551d08ebd9

SHA1
3449da575e4965dd1887828d88e557e79794aabf

SHA256
4e5e20cd5b854ab4d217f6d7866b472fbbac74b6168298e88b2580d330ed36a2

SHA512
fcd4f8b557e1878835107c626e8ecec40bc8cfb00456115de1a84430568e49b5b56d3818578eaf06a262b8acc15065a9ae721499669e12d9d58279025ebfa4ea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0632674.exe

Filesize
206KB

MD5
8ca0a12f0ae366aa1a0376551d08ebd9

SHA1
3449da575e4965dd1887828d88e557e79794aabf

SHA256
4e5e20cd5b854ab4d217f6d7866b472fbbac74b6168298e88b2580d330ed36a2

SHA512
fcd4f8b557e1878835107c626e8ecec40bc8cfb00456115de1a84430568e49b5b56d3818578eaf06a262b8acc15065a9ae721499669e12d9d58279025ebfa4ea

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\p8137477.exe

Filesize
14KB

MD5
706a2ee7c943943f563411c91f8d7cce

SHA1
29880e82414e8963a34dc70a7e67f794ced8e121

SHA256
7d0ddac09ef5391e69ac6183eefcf5e5cdb29b8e2a866a6746ae3c9ff00f6c1f

SHA512
076e429862726912767d9aa5224850d22cfa8a1f98d69116963d04ac6a85543a9fde9aa53a0eb2306bef2e8f686a328b6a1e991d82fe65bde0556202f738ecd7

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5541124.exe

Filesize
173KB

MD5
170149de9393a2ae1a97b321a674ec9c

SHA1
ed906575b5f1dd8b0b2a2d187a86b9ebac1b5483

SHA256
227bf7cdc5170f203ae0046af121ca26ae4cbf3919a620b1c30a82b4aee77122

SHA512
973dc3001cf3b4a77a0d01c5dc3e96687e968a2b1b5aafa795658c5b86e9c1c88cdd5e56d38cd9b1be239cbca95e6114e2d4d3d0f0ef81941bc54b7b296c0554

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r5541124.exe

Filesize
173KB

MD5
170149de9393a2ae1a97b321a674ec9c

SHA1
ed906575b5f1dd8b0b2a2d187a86b9ebac1b5483

SHA256
227bf7cdc5170f203ae0046af121ca26ae4cbf3919a620b1c30a82b4aee77122

SHA512
973dc3001cf3b4a77a0d01c5dc3e96687e968a2b1b5aafa795658c5b86e9c1c88cdd5e56d38cd9b1be239cbca95e6114e2d4d3d0f0ef81941bc54b7b296c0554

Download Submit
memory/1640-74-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1640-75-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1640-73-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/1640-72-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/2960-82-0x0000000000BD0000-0x0000000000C00000-memory.dmp

Filesize
192KB

Download
memory/2960-83-0x00000000003F0000-0x00000000003F6000-memory.dmp

Filesize
24KB

Download