healer | 54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/08/2023, 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe
Size

505KB
MD5

23a107a1fe6ee986f4721ec19f136399
SHA1

a00ed93e9bd11a00a6061b8429df24f8df4f61e1
SHA256

54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897
SHA512

f660d8e17f2a24f990a6c18ce89435ec2fd8572b9b21abdc04f6c6d1a8e88b7f1d185c89be5b8ffb875c7f6cbfa8a406d367e9767d48bc59d71561b3d8dac0f2
SSDEEP

12288:XMrIy90P5Uwb3usu2e1fhAXMQIdfDCILlLAs1EVh9uv:fy8fb3QMMu9S

Score

10^/10

healer redline dava dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023238-155.dat	healer
behavioral1/files/0x0007000000023238-156.dat	healer
behavioral1/memory/5056-157-0x0000000000810000-0x000000000081A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	h8498691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	h8498691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	h8498691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	h8498691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	h8498691.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	h8498691.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4808	x4665754.exe
3068	x1984678.exe
4120	g9953098.exe
5056	h8498691.exe
3736	i7767952.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	h8498691.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4665754.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1984678.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5056	h8498691.exe
5056	h8498691.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	h8498691.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 4808	624	54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe	82
PID 624 wrote to memory of 4808	624	54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe	82
PID 624 wrote to memory of 4808	624	54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe	82
PID 4808 wrote to memory of 3068	4808	x4665754.exe	83
PID 4808 wrote to memory of 3068	4808	x4665754.exe	83
PID 4808 wrote to memory of 3068	4808	x4665754.exe	83
PID 3068 wrote to memory of 4120	3068	x1984678.exe	84
PID 3068 wrote to memory of 4120	3068	x1984678.exe	84
PID 3068 wrote to memory of 4120	3068	x1984678.exe	84
PID 3068 wrote to memory of 5056	3068	x1984678.exe	85
PID 3068 wrote to memory of 5056	3068	x1984678.exe	85
PID 4808 wrote to memory of 3736	4808	x4665754.exe	94
PID 4808 wrote to memory of 3736	4808	x4665754.exe	94
PID 4808 wrote to memory of 3736	4808	x4665754.exe	94

C:\Users\Admin\AppData\Local\Temp\54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe
"C:\Users\Admin\AppData\Local\Temp\54ead869ce9ba38af86619bfe4ca3d8ee02f5db7090224ae0035ed534811c897.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4665754.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4665754.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1984678.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1984678.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9953098.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9953098.exe
      4⤵
      Executes dropped EXE
      PID:4120
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8498691.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8498691.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i7767952.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i7767952.exe
    3⤵
    - Executes dropped EXE
    PID:3736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4665754.exe

Filesize
373KB

MD5
869720a2907804ac96b822ca24efd884

SHA1
c8afb6e2d7f83707b6cd8e43340db1545dbd335a

SHA256
6ab23c38c247092969ca551966cec0fad89da72d527492255b78ee2a32bfc4ab

SHA512
3b2fc685816222383a908700add336f471b2dad8f7c3d65f589efa9247bc6572b58ec4203fc7ea391e94f1c6984672d3f907586a5cbfd36c18408d0308d2ae26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4665754.exe

Filesize
373KB

MD5
869720a2907804ac96b822ca24efd884

SHA1
c8afb6e2d7f83707b6cd8e43340db1545dbd335a

SHA256
6ab23c38c247092969ca551966cec0fad89da72d527492255b78ee2a32bfc4ab

SHA512
3b2fc685816222383a908700add336f471b2dad8f7c3d65f589efa9247bc6572b58ec4203fc7ea391e94f1c6984672d3f907586a5cbfd36c18408d0308d2ae26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i7767952.exe

Filesize
174KB

MD5
b79d3ce500e9637fc3e1335b5b5c989f

SHA1
13cd54295a333afeee0de52a21a71a590fd975d8

SHA256
3d991b6baa21fb4046423b397860c06e1b9cb6af2108ef6208e0615163856229

SHA512
f1a2ff015b942587aceba5e33b5521cde843d01f38ec28d7246db0d22ec4f8e824e907b47fce0aa8f885cd02c0eeb722813d7773f40bae18ea9c27307b1d1ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i7767952.exe

Filesize
174KB

MD5
b79d3ce500e9637fc3e1335b5b5c989f

SHA1
13cd54295a333afeee0de52a21a71a590fd975d8

SHA256
3d991b6baa21fb4046423b397860c06e1b9cb6af2108ef6208e0615163856229

SHA512
f1a2ff015b942587aceba5e33b5521cde843d01f38ec28d7246db0d22ec4f8e824e907b47fce0aa8f885cd02c0eeb722813d7773f40bae18ea9c27307b1d1ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1984678.exe

Filesize
216KB

MD5
a773977f28dd289638bdda8176821d6e

SHA1
aa38de144248cc21825abfb3616ba93b841176d2

SHA256
6cb7da828502a497679466d22687e37ed44c45687f9796d9912b353b77c44782

SHA512
666ffcec427f91721ae21b834e4c11f532583fdd912f6b576872d15d36e70fe636a523ac04fbc467ecb02cbbdd8bf1ad03dcb326ae29254dcdfcc1bdf7413dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1984678.exe

Filesize
216KB

MD5
a773977f28dd289638bdda8176821d6e

SHA1
aa38de144248cc21825abfb3616ba93b841176d2

SHA256
6cb7da828502a497679466d22687e37ed44c45687f9796d9912b353b77c44782

SHA512
666ffcec427f91721ae21b834e4c11f532583fdd912f6b576872d15d36e70fe636a523ac04fbc467ecb02cbbdd8bf1ad03dcb326ae29254dcdfcc1bdf7413dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9953098.exe

Filesize
140KB

MD5
46f215514d38705332b16b516228162d

SHA1
bbd96986d09536c7c40a28db347fc736fb56fb6a

SHA256
1d681aa43c72770eb6fc74e573f17778ba71fb602d5c0e9c7b17e6b904baefc5

SHA512
b68ad2a0b194f18f542f00b3f99d18782e50b1e39f559fd1a3e6adee1decd1ed2dfdaff1b161d5dd246967917165e7ec3c5ddf44e651ab27c0613dfcd04884ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9953098.exe

Filesize
140KB

MD5
46f215514d38705332b16b516228162d

SHA1
bbd96986d09536c7c40a28db347fc736fb56fb6a

SHA256
1d681aa43c72770eb6fc74e573f17778ba71fb602d5c0e9c7b17e6b904baefc5

SHA512
b68ad2a0b194f18f542f00b3f99d18782e50b1e39f559fd1a3e6adee1decd1ed2dfdaff1b161d5dd246967917165e7ec3c5ddf44e651ab27c0613dfcd04884ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8498691.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8498691.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/3736-166-0x00000000057F0000-0x0000000005E08000-memory.dmp

Filesize
6.1MB

Download
memory/3736-164-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/3736-165-0x0000000000850000-0x0000000000880000-memory.dmp

Filesize
192KB

Download
memory/3736-167-0x00000000052E0000-0x00000000053EA000-memory.dmp

Filesize
1.0MB

Download
memory/3736-168-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/3736-169-0x00000000051F0000-0x0000000005202000-memory.dmp

Filesize
72KB

Download
memory/3736-170-0x0000000005250000-0x000000000528C000-memory.dmp

Filesize
240KB

Download
memory/3736-171-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/3736-172-0x00000000051C0000-0x00000000051D0000-memory.dmp

Filesize
64KB

Download
memory/5056-160-0x00007FFD3EFB0000-0x00007FFD3FA71000-memory.dmp

Filesize
10.8MB

Download
memory/5056-158-0x00007FFD3EFB0000-0x00007FFD3FA71000-memory.dmp

Filesize
10.8MB

Download
memory/5056-157-0x0000000000810000-0x000000000081A000-memory.dmp

Filesize
40KB

Download