healer | 6b4f70dd378951fab795d2db5f9e7dcc8b0ab0f0603cb0926b7fea8f15c5e3fd

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2023, 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b4f70dd378951fab795d2db5f9e7dcc8b0ab0f0603cb0926b7fea8f15c5e3fd.exe
Size

839KB
MD5

90ce9339b86b2041a6805e4b37f5bf00
SHA1

937696856fd132128b2130b40581515b198e0c1a
SHA256

6b4f70dd378951fab795d2db5f9e7dcc8b0ab0f0603cb0926b7fea8f15c5e3fd
SHA512

74f27d7b094d264e37451f11c31067cf30ddffcb3811acd394347bc007b540ac3dbaf78775f2c47c7abdf97bea8cf1d4c9d29dfac7c318a8058460466e9416e1
SSDEEP

12288:LMrLy90Y3XTzeTBewCe9z6FQWQZO6lRxlRBom++sv+Oqe5cxvWr+zGq0mho7hQz0:gyVvbeAFKI6LDBQAOr+zGq0n7i0

Score

10^/10

healer redline lang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lang

77.91.124.73:19071

Attributes

auth_value
92c0fc2b7a8b3fc5a01baa1abf31c42a

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023289-166.dat	healer
behavioral1/files/0x0007000000023289-167.dat	healer
behavioral1/memory/944-168-0x0000000000140000-0x000000000014A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0772541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0772541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0772541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0772541.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0772541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0772541.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3664	v9196719.exe
1068	v8522071.exe
2324	v1129971.exe
4676	v2422999.exe
944	a0772541.exe
1360	b9927181.exe
3580	c9984010.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0772541.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9196719.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8522071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1129971.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2422999.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6b4f70dd378951fab795d2db5f9e7dcc8b0ab0f0603cb0926b7fea8f15c5e3fd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
944	a0772541.exe
944	a0772541.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	944	a0772541.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 3664	5052	6b4f70dd378951fab795d2db5f9e7dcc8b0ab0f0603cb0926b7fea8f15c5e3fd.exe	83
PID 5052 wrote to memory of 3664	5052	6b4f70dd378951fab795d2db5f9e7dcc8b0ab0f0603cb0926b7fea8f15c5e3fd.exe	83
PID 5052 wrote to memory of 3664	5052	6b4f70dd378951fab795d2db5f9e7dcc8b0ab0f0603cb0926b7fea8f15c5e3fd.exe	83
PID 3664 wrote to memory of 1068	3664	v9196719.exe	84
PID 3664 wrote to memory of 1068	3664	v9196719.exe	84
PID 3664 wrote to memory of 1068	3664	v9196719.exe	84
PID 1068 wrote to memory of 2324	1068	v8522071.exe	85
PID 1068 wrote to memory of 2324	1068	v8522071.exe	85
PID 1068 wrote to memory of 2324	1068	v8522071.exe	85
PID 2324 wrote to memory of 4676	2324	v1129971.exe	86
PID 2324 wrote to memory of 4676	2324	v1129971.exe	86
PID 2324 wrote to memory of 4676	2324	v1129971.exe	86
PID 4676 wrote to memory of 944	4676	v2422999.exe	87
PID 4676 wrote to memory of 944	4676	v2422999.exe	87
PID 4676 wrote to memory of 1360	4676	v2422999.exe	93
PID 4676 wrote to memory of 1360	4676	v2422999.exe	93
PID 4676 wrote to memory of 1360	4676	v2422999.exe	93
PID 2324 wrote to memory of 3580	2324	v1129971.exe	94
PID 2324 wrote to memory of 3580	2324	v1129971.exe	94
PID 2324 wrote to memory of 3580	2324	v1129971.exe	94

C:\Users\Admin\AppData\Local\Temp\6b4f70dd378951fab795d2db5f9e7dcc8b0ab0f0603cb0926b7fea8f15c5e3fd.exe
"C:\Users\Admin\AppData\Local\Temp\6b4f70dd378951fab795d2db5f9e7dcc8b0ab0f0603cb0926b7fea8f15c5e3fd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9196719.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9196719.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3664
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8522071.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8522071.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1129971.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1129971.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2422999.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2422999.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0772541.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0772541.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9927181.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9927181.exe
        6⤵
        Executes dropped EXE
        
        PID:1360
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9984010.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9984010.exe
        5⤵
        Executes dropped EXE
        
        PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9196719.exe

Filesize
723KB

MD5
c31cc0b1508b3f6d7c61b34a38f88455

SHA1
4bc995af2568067d0754aa092a3ea298a7cb16b9

SHA256
a388bf72834efd7c199bc83acb6d46b77dd8a7b38162ea74608a47e74ca207f9

SHA512
5969b6b4c8c075d59a209b7986270cec0922c3fdd805bc77c6110f0c0d53bf9980ee2d1575900d4ed4499164a0f982becb21d2158dbfbaf542bf4f48ef9638c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9196719.exe

Filesize
723KB

MD5
c31cc0b1508b3f6d7c61b34a38f88455

SHA1
4bc995af2568067d0754aa092a3ea298a7cb16b9

SHA256
a388bf72834efd7c199bc83acb6d46b77dd8a7b38162ea74608a47e74ca207f9

SHA512
5969b6b4c8c075d59a209b7986270cec0922c3fdd805bc77c6110f0c0d53bf9980ee2d1575900d4ed4499164a0f982becb21d2158dbfbaf542bf4f48ef9638c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8522071.exe

Filesize
497KB

MD5
db02b17ffaa8932d2ab60ab65bcfaee7

SHA1
462401521f58a8836ad7bee2313ba715d4e87bdf

SHA256
d974b0006fb1fea1f6dd50ca50efbebe1cb4003a6e4ba978fbdd2939a03759dd

SHA512
8d7123e94bf630eeffbbe45d40bb5616f3c5d985d3206e1945f67a2d17ba800edfeed98292178cc7a28d6baccfdd0f755c52e54279f955b4111ab9076ac2b570

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8522071.exe

Filesize
497KB

MD5
db02b17ffaa8932d2ab60ab65bcfaee7

SHA1
462401521f58a8836ad7bee2313ba715d4e87bdf

SHA256
d974b0006fb1fea1f6dd50ca50efbebe1cb4003a6e4ba978fbdd2939a03759dd

SHA512
8d7123e94bf630eeffbbe45d40bb5616f3c5d985d3206e1945f67a2d17ba800edfeed98292178cc7a28d6baccfdd0f755c52e54279f955b4111ab9076ac2b570

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1129971.exe

Filesize
373KB

MD5
25fc51de74459d01319dcfed527bf5d7

SHA1
5f34cc19c9bea48a3d370c5a0607340a5b9548a4

SHA256
8fb23757e10318a1ab744c76cfc586298727065603bcdc2565ec60c1a36ced99

SHA512
a7c3d6fe143ef87127121ae9f618c2f4433d47fc067032a94d9d619542b08637c8b7c161df746fd5b4dc44368bd43f6d109994e0c97a9181d182f18ca27fa973

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1129971.exe

Filesize
373KB

MD5
25fc51de74459d01319dcfed527bf5d7

SHA1
5f34cc19c9bea48a3d370c5a0607340a5b9548a4

SHA256
8fb23757e10318a1ab744c76cfc586298727065603bcdc2565ec60c1a36ced99

SHA512
a7c3d6fe143ef87127121ae9f618c2f4433d47fc067032a94d9d619542b08637c8b7c161df746fd5b4dc44368bd43f6d109994e0c97a9181d182f18ca27fa973

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9984010.exe

Filesize
174KB

MD5
adc4142d31f47e134531b608777e5d40

SHA1
5779ea1828b79ed427b7521353f2542fd489b2f3

SHA256
004cd7d918d79e78de588acc3e3b323c2b469287222e71f1b5c678417dd7993d

SHA512
b3ce0f106520fdacb4bce63310b13877a66c9436ff0888d9c58fc6e5f5f765413ee339b4d39174f7c93269611416a82d5496033b2c4763d044666d458e8207bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9984010.exe

Filesize
174KB

MD5
adc4142d31f47e134531b608777e5d40

SHA1
5779ea1828b79ed427b7521353f2542fd489b2f3

SHA256
004cd7d918d79e78de588acc3e3b323c2b469287222e71f1b5c678417dd7993d

SHA512
b3ce0f106520fdacb4bce63310b13877a66c9436ff0888d9c58fc6e5f5f765413ee339b4d39174f7c93269611416a82d5496033b2c4763d044666d458e8207bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2422999.exe

Filesize
217KB

MD5
14df0b45c9d4307aa55b8e96d7b1e7d5

SHA1
02cdabc1ad0924c3c7d6beed95fdce41d71c0f22

SHA256
ae9758a8ec01f48be42527102e57ffeb71d608dd1b45462a244aaf89585b1717

SHA512
57517cd95c957fde5d018447c939780957f495022030807f609168cf5559422219dc4374c9fc0369d60eea7463729257f6d29eb54479492a7c2755af24f144ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2422999.exe

Filesize
217KB

MD5
14df0b45c9d4307aa55b8e96d7b1e7d5

SHA1
02cdabc1ad0924c3c7d6beed95fdce41d71c0f22

SHA256
ae9758a8ec01f48be42527102e57ffeb71d608dd1b45462a244aaf89585b1717

SHA512
57517cd95c957fde5d018447c939780957f495022030807f609168cf5559422219dc4374c9fc0369d60eea7463729257f6d29eb54479492a7c2755af24f144ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0772541.exe

Filesize
11KB

MD5
a87db25947f98760e433004d6127f481

SHA1
d576d77b1f267858131bc4461c8d10b454f111b0

SHA256
3d48d07a6ee35740e5bd0a897123325ef3a9a8aa326a93fd46e168f7bd6ff20f

SHA512
0f0a1879e346154de165e282c982992c6b787bcb20dad1123d3aaf126345b9d04f02f7297991b314cd557d198d35c02388bb123e209591e2b63d1b9b19037eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0772541.exe

Filesize
11KB

MD5
a87db25947f98760e433004d6127f481

SHA1
d576d77b1f267858131bc4461c8d10b454f111b0

SHA256
3d48d07a6ee35740e5bd0a897123325ef3a9a8aa326a93fd46e168f7bd6ff20f

SHA512
0f0a1879e346154de165e282c982992c6b787bcb20dad1123d3aaf126345b9d04f02f7297991b314cd557d198d35c02388bb123e209591e2b63d1b9b19037eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9927181.exe

Filesize
140KB

MD5
4a6725426e11e0e51dea9de97e3c3bd1

SHA1
c338080282ba69bfdc2430b5bc80d740f057cc00

SHA256
f915b22cd20010be40a52701c67686dbd69e62ca7a22c9e82c5f8af481a8b03f

SHA512
7b1a524ddaa29198f7743614ff69ee67aba8c15d4c1e870908004c5f85d03ea5058ffc7103a799113963855c6d3725273fdbad432ecf4b00d7dd53dd923d2765

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9927181.exe

Filesize
140KB

MD5
4a6725426e11e0e51dea9de97e3c3bd1

SHA1
c338080282ba69bfdc2430b5bc80d740f057cc00

SHA256
f915b22cd20010be40a52701c67686dbd69e62ca7a22c9e82c5f8af481a8b03f

SHA512
7b1a524ddaa29198f7743614ff69ee67aba8c15d4c1e870908004c5f85d03ea5058ffc7103a799113963855c6d3725273fdbad432ecf4b00d7dd53dd923d2765

Download Submit
memory/944-171-0x00007FFBF3FD0000-0x00007FFBF4A91000-memory.dmp

Filesize
10.8MB

Download
memory/944-169-0x00007FFBF3FD0000-0x00007FFBF4A91000-memory.dmp

Filesize
10.8MB

Download
memory/944-168-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/3580-178-0x0000000000C50000-0x0000000000C80000-memory.dmp

Filesize
192KB

Download
memory/3580-179-0x0000000073F50000-0x0000000074700000-memory.dmp

Filesize
7.7MB

Download
memory/3580-180-0x0000000005DA0000-0x00000000063B8000-memory.dmp

Filesize
6.1MB

Download
memory/3580-181-0x0000000005890000-0x000000000599A000-memory.dmp

Filesize
1.0MB

Download
memory/3580-182-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/3580-183-0x0000000005710000-0x0000000005722000-memory.dmp

Filesize
72KB

Download
memory/3580-184-0x0000000005780000-0x00000000057BC000-memory.dmp

Filesize
240KB

Download
memory/3580-185-0x0000000073F50000-0x0000000074700000-memory.dmp

Filesize
7.7MB

Download
memory/3580-186-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download