healer | d916bf1665da1c460f426a2db4eac04c5b562f0a44da0e13caa1faf181c2efa6

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
16/08/2023, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d916bf1665da1c460f426a2db4eac04c5b562f0a44da0e13caa1faf181c2efa6.exe
Size

505KB
MD5

946c42431323d538f164c26c7da6d9f7
SHA1

8c4e2d77e88cafa40ff745c25b51b9e555229551
SHA256

d916bf1665da1c460f426a2db4eac04c5b562f0a44da0e13caa1faf181c2efa6
SHA512

ac6a0b2b8f6353e7c9202cd88fd92cbca45776cb08b5c90fb03212e843f5f85bd1c3b8a5dbecdf0560fcd21cd5363c1ae6a45bc44758e96cfef2335ab50e03f8
SSDEEP

12288:tMrOy90xBheqfUomHxCqemTDA8fTMNNDoMAouwuzUbYGS:Xy6uHMmXB7MNNuoHuzUEGS

Score

10^/10

healer redline dava dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dava

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001afd3-142.dat	healer
behavioral1/files/0x000600000001afd3-143.dat	healer
behavioral1/memory/2780-144-0x00000000005A0000-0x00000000005AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	h5665635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	h5665635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	h5665635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	h5665635.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	h5665635.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
5080	x2506052.exe
4400	x3383827.exe
3892	g8049406.exe
2780	h5665635.exe
60	i6510755.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	h5665635.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3383827.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d916bf1665da1c460f426a2db4eac04c5b562f0a44da0e13caa1faf181c2efa6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2506052.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2780	h5665635.exe
2780	h5665635.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	h5665635.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 5080	2032	d916bf1665da1c460f426a2db4eac04c5b562f0a44da0e13caa1faf181c2efa6.exe	69
PID 2032 wrote to memory of 5080	2032	d916bf1665da1c460f426a2db4eac04c5b562f0a44da0e13caa1faf181c2efa6.exe	69
PID 2032 wrote to memory of 5080	2032	d916bf1665da1c460f426a2db4eac04c5b562f0a44da0e13caa1faf181c2efa6.exe	69
PID 5080 wrote to memory of 4400	5080	x2506052.exe	70
PID 5080 wrote to memory of 4400	5080	x2506052.exe	70
PID 5080 wrote to memory of 4400	5080	x2506052.exe	70
PID 4400 wrote to memory of 3892	4400	x3383827.exe	71
PID 4400 wrote to memory of 3892	4400	x3383827.exe	71
PID 4400 wrote to memory of 3892	4400	x3383827.exe	71
PID 4400 wrote to memory of 2780	4400	x3383827.exe	72
PID 4400 wrote to memory of 2780	4400	x3383827.exe	72
PID 5080 wrote to memory of 60	5080	x2506052.exe	73
PID 5080 wrote to memory of 60	5080	x2506052.exe	73
PID 5080 wrote to memory of 60	5080	x2506052.exe	73

C:\Users\Admin\AppData\Local\Temp\d916bf1665da1c460f426a2db4eac04c5b562f0a44da0e13caa1faf181c2efa6.exe
"C:\Users\Admin\AppData\Local\Temp\d916bf1665da1c460f426a2db4eac04c5b562f0a44da0e13caa1faf181c2efa6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2506052.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2506052.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3383827.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3383827.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8049406.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8049406.exe
      4⤵
      Executes dropped EXE
      PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5665635.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5665635.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i6510755.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i6510755.exe
    3⤵
    - Executes dropped EXE
    PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2506052.exe

Filesize
372KB

MD5
0a21fb9e44c6a5571f1321ae875bac32

SHA1
65b86e83144d0cfe5060e1cda339ee1ead9176fb

SHA256
9ff3f127db0adb6af9572643eaf33e09c73cede4d19615838feba0b6c9fafe5e

SHA512
44d8311c69f90e9be382789abbc17e983534ba9fdf24b5989a991b495e6031e7e090f5dd48e78892e6abb49c4667004b73ae8a71dc8bd639229d6853e23da1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2506052.exe

Filesize
372KB

MD5
0a21fb9e44c6a5571f1321ae875bac32

SHA1
65b86e83144d0cfe5060e1cda339ee1ead9176fb

SHA256
9ff3f127db0adb6af9572643eaf33e09c73cede4d19615838feba0b6c9fafe5e

SHA512
44d8311c69f90e9be382789abbc17e983534ba9fdf24b5989a991b495e6031e7e090f5dd48e78892e6abb49c4667004b73ae8a71dc8bd639229d6853e23da1b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i6510755.exe

Filesize
174KB

MD5
acd24c77ac59d9b1373679d5e6ac68bf

SHA1
9c019dd5d6180a4fb350c7b142caf2b4a97e12b5

SHA256
92ad2265a27df447abc1d92ab10aee9489ff29be485b7d41843ae4ec91a2a28e

SHA512
ffe43b12968f934d1026280428a6bf7dc245bb402a96070a995f0a25f9e18cbf80b9f384064082ea98ebbea9627ad469e2d5e8f1265051231740e5facf16e4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i6510755.exe

Filesize
174KB

MD5
acd24c77ac59d9b1373679d5e6ac68bf

SHA1
9c019dd5d6180a4fb350c7b142caf2b4a97e12b5

SHA256
92ad2265a27df447abc1d92ab10aee9489ff29be485b7d41843ae4ec91a2a28e

SHA512
ffe43b12968f934d1026280428a6bf7dc245bb402a96070a995f0a25f9e18cbf80b9f384064082ea98ebbea9627ad469e2d5e8f1265051231740e5facf16e4bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3383827.exe

Filesize
217KB

MD5
aec38f21cb4cfa2f3dd3f42c3fd1c445

SHA1
e1e98d440525ae688a718f58c2b4ced5c8021a61

SHA256
1ccc6ccd724fca83672c90c90052ce350177a04b9c0402c9919a796a9facdd7c

SHA512
580c4c1bfd9c71add05b0bf7bbeb0374af41af88d44f663e2e5b4c8ea60d8986f1d888a4d2ead770560ceab9c2630b6acc2d77113fcb5c35afb9eb2f647f087c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3383827.exe

Filesize
217KB

MD5
aec38f21cb4cfa2f3dd3f42c3fd1c445

SHA1
e1e98d440525ae688a718f58c2b4ced5c8021a61

SHA256
1ccc6ccd724fca83672c90c90052ce350177a04b9c0402c9919a796a9facdd7c

SHA512
580c4c1bfd9c71add05b0bf7bbeb0374af41af88d44f663e2e5b4c8ea60d8986f1d888a4d2ead770560ceab9c2630b6acc2d77113fcb5c35afb9eb2f647f087c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8049406.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8049406.exe

Filesize
140KB

MD5
996d1beb2364bfcc4e268fecb495ce8d

SHA1
2f2ab0cf7336407e23a195e88c5a591f9a34af2b

SHA256
b1606e1f0a89927c61b2c0b4fa311313eec6df17038aac8ca8beb7b58c00d981

SHA512
66b22250ba63c4613f28d0f93699aa9c9954acb824ab5c17a331ecd4cb836e6530c516a47456e36b6650ac9abeca685011539643acc5398f23546cd56d57a111

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5665635.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h5665635.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/60-153-0x0000000002A10000-0x0000000002A16000-memory.dmp

Filesize
24KB

Download
memory/60-151-0x00000000006E0000-0x0000000000710000-memory.dmp

Filesize
192KB

Download
memory/60-152-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/60-154-0x000000000A960000-0x000000000AF66000-memory.dmp

Filesize
6.0MB

Download
memory/60-155-0x000000000A4F0000-0x000000000A5FA000-memory.dmp

Filesize
1.0MB

Download
memory/60-156-0x000000000A420000-0x000000000A432000-memory.dmp

Filesize
72KB

Download
memory/60-157-0x000000000A480000-0x000000000A4BE000-memory.dmp

Filesize
248KB

Download
memory/60-158-0x000000000A600000-0x000000000A64B000-memory.dmp

Filesize
300KB

Download
memory/60-159-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-147-0x00007FFCD0C10000-0x00007FFCD15FC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-145-0x00007FFCD0C10000-0x00007FFCD15FC000-memory.dmp

Filesize
9.9MB

Download
memory/2780-144-0x00000000005A0000-0x00000000005AA000-memory.dmp

Filesize
40KB

Download