healer | 98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499

Analysis

max time kernel
146s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
20/08/2023, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe
Size

741KB
MD5

ddf122221d42677c05ef04a08567fb76
SHA1

53ba05ba4158a12f5caf0c287a1b289068e6b249
SHA256

98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499
SHA512

a0d09e6b6a3409b6341ac2d8f3ac7c226f9a066302e2c01f92da9e9a7202088d7cbc59738578cbab8893ff996f03b8911a9a8b3ad761c9c738d3c7e6fa0486d5
SSDEEP

12288:mMrKy9031bLUakQlqez64MuveulPzs9iuPRXehLHhPiX6o0gyoB:oyq7lqez6ulXoehDhq60

Score

10^/10

healer redline chang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

chang

77.91.124.73:19071

Attributes

auth_value
92b880db64e691d6bb290d1536ce7688

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/3992-151-0x00000000001E0000-0x00000000001EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r0042912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r0042912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r0042912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r0042912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r0042912.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
600	z4990998.exe
4928	z4826169.exe
4704	z2848690.exe
3992	r0042912.exe
3308	s1002460.exe
2396	t8876970.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	r0042912.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	r0042912.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4990998.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4826169.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2848690.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3992	r0042912.exe
3992	r0042912.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3992	r0042912.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3176 wrote to memory of 600	3176	98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe	70
PID 3176 wrote to memory of 600	3176	98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe	70
PID 3176 wrote to memory of 600	3176	98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe	70
PID 600 wrote to memory of 4928	600	z4990998.exe	71
PID 600 wrote to memory of 4928	600	z4990998.exe	71
PID 600 wrote to memory of 4928	600	z4990998.exe	71
PID 4928 wrote to memory of 4704	4928	z4826169.exe	72
PID 4928 wrote to memory of 4704	4928	z4826169.exe	72
PID 4928 wrote to memory of 4704	4928	z4826169.exe	72
PID 4704 wrote to memory of 3992	4704	z2848690.exe	73
PID 4704 wrote to memory of 3992	4704	z2848690.exe	73
PID 4704 wrote to memory of 3992	4704	z2848690.exe	73
PID 4704 wrote to memory of 3308	4704	z2848690.exe	75
PID 4704 wrote to memory of 3308	4704	z2848690.exe	75
PID 4704 wrote to memory of 3308	4704	z2848690.exe	75
PID 4928 wrote to memory of 2396	4928	z4826169.exe	76
PID 4928 wrote to memory of 2396	4928	z4826169.exe	76
PID 4928 wrote to memory of 2396	4928	z4826169.exe	76

C:\Users\Admin\AppData\Local\Temp\98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe
"C:\Users\Admin\AppData\Local\Temp\98f029837e9c2306a1724504af641029af6968ab8c1e37017dae818fcbc00499.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3176
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4990998.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4990998.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4826169.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4826169.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4928
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2848690.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2848690.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4704
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0042912.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0042912.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1002460.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1002460.exe
        5⤵
        Executes dropped EXE
        
        PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8876970.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8876970.exe
      4⤵
      Executes dropped EXE
      PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4990998.exe

Filesize
625KB

MD5
4030cfbdf6a0628ea263889d67625334

SHA1
3e942b2c2bbcef6475ca716673977fbe1d9a900d

SHA256
bd925cf9242886c1466761bab3ca441e2351c2514d5b96b2c43b6a3e8e8568b2

SHA512
e54d952b559657b11bcf080c532d5d7c93ceda04f83ae477724681215dffd6dedb704db39f65826620361f85e122cb6b97b6b0131b123e09fd5f65e8014c00b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4990998.exe

Filesize
625KB

MD5
4030cfbdf6a0628ea263889d67625334

SHA1
3e942b2c2bbcef6475ca716673977fbe1d9a900d

SHA256
bd925cf9242886c1466761bab3ca441e2351c2514d5b96b2c43b6a3e8e8568b2

SHA512
e54d952b559657b11bcf080c532d5d7c93ceda04f83ae477724681215dffd6dedb704db39f65826620361f85e122cb6b97b6b0131b123e09fd5f65e8014c00b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4826169.exe

Filesize
399KB

MD5
2a165dd81455230ffbd5e1c788d81cd0

SHA1
3787d63b943567dc75af0d9444c90ac2df1dd390

SHA256
c5773693807826c2fec8a76f81125435590a76ef7fef002b0b295d91184b3158

SHA512
4f154ae3a23d87bb78fcdb5af6a08919b39b29c66017f6f30454d6a0c8c17a448599fd7204fd62e44903823132216993157aa0a2b58c186edebc04bc17b93324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4826169.exe

Filesize
399KB

MD5
2a165dd81455230ffbd5e1c788d81cd0

SHA1
3787d63b943567dc75af0d9444c90ac2df1dd390

SHA256
c5773693807826c2fec8a76f81125435590a76ef7fef002b0b295d91184b3158

SHA512
4f154ae3a23d87bb78fcdb5af6a08919b39b29c66017f6f30454d6a0c8c17a448599fd7204fd62e44903823132216993157aa0a2b58c186edebc04bc17b93324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8876970.exe

Filesize
174KB

MD5
ba7ccc72aa67637e5edb5af9bbe211ac

SHA1
929978860f7dd30263c428a305f532e3c3a5f2c6

SHA256
ea177be5cced9b3bf25d2680785cf51cfa6c53262082011af489d95128380638

SHA512
08bc55fb78a0e291a3af4d1dda50841e8c64869816a86c5c7db277d3057e5d3bf75aff829e4f6065ba3b10beab40d225a3950fcda531f2869ffde41559bac9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t8876970.exe

Filesize
174KB

MD5
ba7ccc72aa67637e5edb5af9bbe211ac

SHA1
929978860f7dd30263c428a305f532e3c3a5f2c6

SHA256
ea177be5cced9b3bf25d2680785cf51cfa6c53262082011af489d95128380638

SHA512
08bc55fb78a0e291a3af4d1dda50841e8c64869816a86c5c7db277d3057e5d3bf75aff829e4f6065ba3b10beab40d225a3950fcda531f2869ffde41559bac9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2848690.exe

Filesize
243KB

MD5
82bc02353c1deee3ed7e267549a13612

SHA1
56f4769e51f7085d36aa894db66e292c9a8c1643

SHA256
c08fec2215243d6526a0e7ac6536c7addabe31ee1d468c0659a06a05f86ff3e2

SHA512
497fd7802aff142fabfb9fd24dd12abfaf3cc043b28f52096dd2726169ba3ab55dcf4f8c45d5772259ea0a8b557906c47c1afbd4a6ee704cbd5e7eb3332f5028

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2848690.exe

Filesize
243KB

MD5
82bc02353c1deee3ed7e267549a13612

SHA1
56f4769e51f7085d36aa894db66e292c9a8c1643

SHA256
c08fec2215243d6526a0e7ac6536c7addabe31ee1d468c0659a06a05f86ff3e2

SHA512
497fd7802aff142fabfb9fd24dd12abfaf3cc043b28f52096dd2726169ba3ab55dcf4f8c45d5772259ea0a8b557906c47c1afbd4a6ee704cbd5e7eb3332f5028

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0042912.exe

Filesize
69KB

MD5
83336680e8dafd97fcaf1203ef680e77

SHA1
e7b0d9cb13812a6055e163756c171a4b384fbfea

SHA256
55008cc30e074251484e09de0fdd6494de27b6cb2734c6b4c15d7257af82c8c6

SHA512
f06215c3569deaafee6fef7d5df836949cbf8f66c966c8313f1f4bd5ec7a5ae715f05b8b1101310358cfe86f400a7c2cbffaf0f12e142fadf1a1c0863429475f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r0042912.exe

Filesize
69KB

MD5
83336680e8dafd97fcaf1203ef680e77

SHA1
e7b0d9cb13812a6055e163756c171a4b384fbfea

SHA256
55008cc30e074251484e09de0fdd6494de27b6cb2734c6b4c15d7257af82c8c6

SHA512
f06215c3569deaafee6fef7d5df836949cbf8f66c966c8313f1f4bd5ec7a5ae715f05b8b1101310358cfe86f400a7c2cbffaf0f12e142fadf1a1c0863429475f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1002460.exe

Filesize
140KB

MD5
04e54b20f2288875f129b2aa2852d11a

SHA1
55bab3e9fb5c2915e2800bdc677ea3faf4a2995d

SHA256
634cf5cf315542200f5fcd6b81a90eb67904fd7c45d8398efc5041ee60537270

SHA512
dadb03f8142d0d32f44254d74d772efa189b721c19e85792bc07bc64fc505cd54135805b8a90ec9caab63954bae6bc517d2b069e826a460d1ff71017d8f6b66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1002460.exe

Filesize
140KB

MD5
04e54b20f2288875f129b2aa2852d11a

SHA1
55bab3e9fb5c2915e2800bdc677ea3faf4a2995d

SHA256
634cf5cf315542200f5fcd6b81a90eb67904fd7c45d8398efc5041ee60537270

SHA512
dadb03f8142d0d32f44254d74d772efa189b721c19e85792bc07bc64fc505cd54135805b8a90ec9caab63954bae6bc517d2b069e826a460d1ff71017d8f6b66e

Download Submit
memory/2396-167-0x0000000073510000-0x0000000073BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2396-171-0x000000000A4B0000-0x000000000A4C2000-memory.dmp

Filesize
72KB

Download
memory/2396-174-0x0000000073510000-0x0000000073BFE000-memory.dmp

Filesize
6.9MB

Download
memory/2396-173-0x000000000A560000-0x000000000A5AB000-memory.dmp

Filesize
300KB

Download
memory/2396-172-0x000000000A510000-0x000000000A54E000-memory.dmp

Filesize
248KB

Download
memory/2396-166-0x0000000000770000-0x00000000007A0000-memory.dmp

Filesize
192KB

Download
memory/2396-170-0x000000000A5C0000-0x000000000A6CA000-memory.dmp

Filesize
1.0MB

Download
memory/2396-168-0x0000000004F30000-0x0000000004F36000-memory.dmp

Filesize
24KB

Download
memory/2396-169-0x000000000AAC0000-0x000000000B0C6000-memory.dmp

Filesize
6.0MB

Download
memory/3992-150-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3992-159-0x0000000072D00000-0x00000000733EE000-memory.dmp

Filesize
6.9MB

Download
memory/3992-151-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/3992-155-0x0000000072D00000-0x00000000733EE000-memory.dmp

Filesize
6.9MB

Download
memory/3992-156-0x0000000072D00000-0x00000000733EE000-memory.dmp

Filesize
6.9MB

Download