healer | cb3f146bab39cc96503281fcc36cda76c2fd9aac41b4b198969133b9dd3f7ddf

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2023, 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb3f146bab39cc96503281fcc36cda76c2fd9aac41b4b198969133b9dd3f7ddf.exe
Size

864KB
MD5

35742711659fb4ef7e6e1705aed996ff
SHA1

3e065994261584c3428fd52b7143a7fb985af259
SHA256

cb3f146bab39cc96503281fcc36cda76c2fd9aac41b4b198969133b9dd3f7ddf
SHA512

9d35d72ade68f9b89363cc5188d64825c198628573caaba45a95fe16d5df2a6ce144d62da74b86370d7b21db645bc59b45e0faabd29658d7e13ee83f2b9da38f
SSDEEP

12288:RMrGy90zob5uqhlH3A9dZLFqX0JK/4Li8ORVnf+VveL9wAGPN4GJQTs+/l2f8KUj:XyXnaHJ4Ai8AV2RiCp0QyU8KUWjZu

Score

10^/10

healer redline chang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

chang

77.91.124.73:19071

Attributes

auth_value
92b880db64e691d6bb290d1536ce7688

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/1112-169-0x00000000004A0000-0x00000000004AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4236597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4236597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4236597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4236597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4236597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4236597.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3516	v4001774.exe
3172	v9885628.exe
384	v1381171.exe
4856	v7768817.exe
1112	a4236597.exe
1664	b5078537.exe
1944	c7169557.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4236597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4236597.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cb3f146bab39cc96503281fcc36cda76c2fd9aac41b4b198969133b9dd3f7ddf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4001774.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9885628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1381171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7768817.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1112	a4236597.exe
1112	a4236597.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1112	a4236597.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3516	2776	cb3f146bab39cc96503281fcc36cda76c2fd9aac41b4b198969133b9dd3f7ddf.exe	81
PID 2776 wrote to memory of 3516	2776	cb3f146bab39cc96503281fcc36cda76c2fd9aac41b4b198969133b9dd3f7ddf.exe	81
PID 2776 wrote to memory of 3516	2776	cb3f146bab39cc96503281fcc36cda76c2fd9aac41b4b198969133b9dd3f7ddf.exe	81
PID 3516 wrote to memory of 3172	3516	v4001774.exe	82
PID 3516 wrote to memory of 3172	3516	v4001774.exe	82
PID 3516 wrote to memory of 3172	3516	v4001774.exe	82
PID 3172 wrote to memory of 384	3172	v9885628.exe	83
PID 3172 wrote to memory of 384	3172	v9885628.exe	83
PID 3172 wrote to memory of 384	3172	v9885628.exe	83
PID 384 wrote to memory of 4856	384	v1381171.exe	84
PID 384 wrote to memory of 4856	384	v1381171.exe	84
PID 384 wrote to memory of 4856	384	v1381171.exe	84
PID 4856 wrote to memory of 1112	4856	v7768817.exe	85
PID 4856 wrote to memory of 1112	4856	v7768817.exe	85
PID 4856 wrote to memory of 1112	4856	v7768817.exe	85
PID 4856 wrote to memory of 1664	4856	v7768817.exe	91
PID 4856 wrote to memory of 1664	4856	v7768817.exe	91
PID 4856 wrote to memory of 1664	4856	v7768817.exe	91
PID 384 wrote to memory of 1944	384	v1381171.exe	92
PID 384 wrote to memory of 1944	384	v1381171.exe	92
PID 384 wrote to memory of 1944	384	v1381171.exe	92

C:\Users\Admin\AppData\Local\Temp\cb3f146bab39cc96503281fcc36cda76c2fd9aac41b4b198969133b9dd3f7ddf.exe
"C:\Users\Admin\AppData\Local\Temp\cb3f146bab39cc96503281fcc36cda76c2fd9aac41b4b198969133b9dd3f7ddf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4001774.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4001774.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9885628.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9885628.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1381171.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1381171.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:384
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7768817.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7768817.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4236597.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4236597.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5078537.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5078537.exe
        6⤵
        Executes dropped EXE
        
        PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7169557.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7169557.exe
        5⤵
        Executes dropped EXE
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4001774.exe

Filesize
750KB

MD5
1cb4b0672b8b168703b1a66d07e92fab

SHA1
85c5a0c1af1e00725d9273f2eaabdba1b2c63818

SHA256
9e16700005a16e7bcaac0df883810871054c5977299173d8ebef4f4e7bc3c8b6

SHA512
53542b2be13097774e8a90f5ea140ebb0fc03a1e0b296d75d87765e1ac954ff1c47a60922c065bfd8f4a4387ea5641e128b5b37807ea5e525c59b13816a26be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4001774.exe

Filesize
750KB

MD5
1cb4b0672b8b168703b1a66d07e92fab

SHA1
85c5a0c1af1e00725d9273f2eaabdba1b2c63818

SHA256
9e16700005a16e7bcaac0df883810871054c5977299173d8ebef4f4e7bc3c8b6

SHA512
53542b2be13097774e8a90f5ea140ebb0fc03a1e0b296d75d87765e1ac954ff1c47a60922c065bfd8f4a4387ea5641e128b5b37807ea5e525c59b13816a26be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9885628.exe

Filesize
524KB

MD5
635fea7f0d029a27a4a457b4a85284b7

SHA1
f31f9e1289127a2f2405dad1b08417589c94530d

SHA256
8eb4d05be6039902181cfec5874b0422e31fa9292dc0d6770a2493654be92805

SHA512
5d4be02d8d84413f593d3c4e0922a6992de50b522d305941851eab315dc95e07fd2087681c0a717cd52c898b63b4b03a1927a26c359765fbb58bb902f6a9b85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9885628.exe

Filesize
524KB

MD5
635fea7f0d029a27a4a457b4a85284b7

SHA1
f31f9e1289127a2f2405dad1b08417589c94530d

SHA256
8eb4d05be6039902181cfec5874b0422e31fa9292dc0d6770a2493654be92805

SHA512
5d4be02d8d84413f593d3c4e0922a6992de50b522d305941851eab315dc95e07fd2087681c0a717cd52c898b63b4b03a1927a26c359765fbb58bb902f6a9b85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1381171.exe

Filesize
399KB

MD5
05fa7fedb949e249f2a23fee82bf1b37

SHA1
9a4686611d55a62f3c2997bdc3bd5cb05fd5daaf

SHA256
c17daa75935041551167bfb68786342e9cc6e00aeaa3bee90cdcf24f4fbd052a

SHA512
3540c4e7950605557d0a674480aee4d517454fccb5d0b6f022f88e0ee68d52240e548208c5e3f9b8b9572b88a035c83d862d23fc95465fb9873db1c64b4c3f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1381171.exe

Filesize
399KB

MD5
05fa7fedb949e249f2a23fee82bf1b37

SHA1
9a4686611d55a62f3c2997bdc3bd5cb05fd5daaf

SHA256
c17daa75935041551167bfb68786342e9cc6e00aeaa3bee90cdcf24f4fbd052a

SHA512
3540c4e7950605557d0a674480aee4d517454fccb5d0b6f022f88e0ee68d52240e548208c5e3f9b8b9572b88a035c83d862d23fc95465fb9873db1c64b4c3f14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7169557.exe

Filesize
174KB

MD5
ba7ccc72aa67637e5edb5af9bbe211ac

SHA1
929978860f7dd30263c428a305f532e3c3a5f2c6

SHA256
ea177be5cced9b3bf25d2680785cf51cfa6c53262082011af489d95128380638

SHA512
08bc55fb78a0e291a3af4d1dda50841e8c64869816a86c5c7db277d3057e5d3bf75aff829e4f6065ba3b10beab40d225a3950fcda531f2869ffde41559bac9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7169557.exe

Filesize
174KB

MD5
ba7ccc72aa67637e5edb5af9bbe211ac

SHA1
929978860f7dd30263c428a305f532e3c3a5f2c6

SHA256
ea177be5cced9b3bf25d2680785cf51cfa6c53262082011af489d95128380638

SHA512
08bc55fb78a0e291a3af4d1dda50841e8c64869816a86c5c7db277d3057e5d3bf75aff829e4f6065ba3b10beab40d225a3950fcda531f2869ffde41559bac9e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7768817.exe

Filesize
243KB

MD5
9191f3b77e70ceca3962f33b67b5e707

SHA1
688f8109eec9c014e7a0f6416d1b6ad366eb6efc

SHA256
88be8f30760d50362db0a283cd61f4852b195f2d177ff8f2eb0a12acc98dece6

SHA512
d10aefa0f3a1700f3cc76e97b9bd51503715266e884676b346502c3b0f4cb6bc86fed8e06f4df277439ffc78e9d9851c6367a8a95e4adab13f792689b5d588eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7768817.exe

Filesize
243KB

MD5
9191f3b77e70ceca3962f33b67b5e707

SHA1
688f8109eec9c014e7a0f6416d1b6ad366eb6efc

SHA256
88be8f30760d50362db0a283cd61f4852b195f2d177ff8f2eb0a12acc98dece6

SHA512
d10aefa0f3a1700f3cc76e97b9bd51503715266e884676b346502c3b0f4cb6bc86fed8e06f4df277439ffc78e9d9851c6367a8a95e4adab13f792689b5d588eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4236597.exe

Filesize
69KB

MD5
83336680e8dafd97fcaf1203ef680e77

SHA1
e7b0d9cb13812a6055e163756c171a4b384fbfea

SHA256
55008cc30e074251484e09de0fdd6494de27b6cb2734c6b4c15d7257af82c8c6

SHA512
f06215c3569deaafee6fef7d5df836949cbf8f66c966c8313f1f4bd5ec7a5ae715f05b8b1101310358cfe86f400a7c2cbffaf0f12e142fadf1a1c0863429475f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4236597.exe

Filesize
69KB

MD5
83336680e8dafd97fcaf1203ef680e77

SHA1
e7b0d9cb13812a6055e163756c171a4b384fbfea

SHA256
55008cc30e074251484e09de0fdd6494de27b6cb2734c6b4c15d7257af82c8c6

SHA512
f06215c3569deaafee6fef7d5df836949cbf8f66c966c8313f1f4bd5ec7a5ae715f05b8b1101310358cfe86f400a7c2cbffaf0f12e142fadf1a1c0863429475f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5078537.exe

Filesize
140KB

MD5
04e54b20f2288875f129b2aa2852d11a

SHA1
55bab3e9fb5c2915e2800bdc677ea3faf4a2995d

SHA256
634cf5cf315542200f5fcd6b81a90eb67904fd7c45d8398efc5041ee60537270

SHA512
dadb03f8142d0d32f44254d74d772efa189b721c19e85792bc07bc64fc505cd54135805b8a90ec9caab63954bae6bc517d2b069e826a460d1ff71017d8f6b66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5078537.exe

Filesize
140KB

MD5
04e54b20f2288875f129b2aa2852d11a

SHA1
55bab3e9fb5c2915e2800bdc677ea3faf4a2995d

SHA256
634cf5cf315542200f5fcd6b81a90eb67904fd7c45d8398efc5041ee60537270

SHA512
dadb03f8142d0d32f44254d74d772efa189b721c19e85792bc07bc64fc505cd54135805b8a90ec9caab63954bae6bc517d2b069e826a460d1ff71017d8f6b66e

Download Submit
memory/1112-177-0x0000000073D00000-0x00000000744B0000-memory.dmp

Filesize
7.7MB

Download
memory/1112-174-0x0000000073D00000-0x00000000744B0000-memory.dmp

Filesize
7.7MB

Download
memory/1112-173-0x0000000073D00000-0x00000000744B0000-memory.dmp

Filesize
7.7MB

Download
memory/1112-169-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1112-168-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1944-184-0x0000000000FF0000-0x0000000001020000-memory.dmp

Filesize
192KB

Download
memory/1944-185-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/1944-186-0x00000000060F0000-0x0000000006708000-memory.dmp

Filesize
6.1MB

Download
memory/1944-187-0x0000000005BE0000-0x0000000005CEA000-memory.dmp

Filesize
1.0MB

Download
memory/1944-188-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download
memory/1944-189-0x0000000005AD0000-0x0000000005AE2000-memory.dmp

Filesize
72KB

Download
memory/1944-190-0x0000000005B30000-0x0000000005B6C000-memory.dmp

Filesize
240KB

Download
memory/1944-191-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/1944-192-0x0000000005AC0000-0x0000000005AD0000-memory.dmp

Filesize
64KB

Download