healer | 8567b6e192c9cc59473e671bed8dbadffd2c3bf4372f5a65e2c8ca0390b3bfbb

Analysis

max time kernel
146s
max time network
155s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21/08/2023, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8567b6e192c9cc59473e671bed8dbadffd2c3bf4372f5a65e2c8ca0390b3bfbb.exe
Size

830KB
MD5

c1ab3d743c1e68bba7c576c4d4ff9abe
SHA1

3a0cdd77af567674527e581b3f549c2a8b537ffa
SHA256

8567b6e192c9cc59473e671bed8dbadffd2c3bf4372f5a65e2c8ca0390b3bfbb
SHA512

2b49460509c0c03f0b79b0ef48dbb92152d454d1d0062b489a73b4b44f5a8e4e9a1ee77c2c2e2e8574a8014eaf8dc63453fe0dd0cd67a49431c745b779705a28
SSDEEP

24576:EyC0cYIOfaMlFKkmmwK9AU8SN0nsP4DWsVJcFqt92ge:TCrOfkkKKmTSvsIFq

Score

10^/10

healer redline lang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lang

77.91.124.73:19071

Attributes

auth_value
92c0fc2b7a8b3fc5a01baa1abf31c42a

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afd6-150.dat	healer
behavioral1/files/0x000700000001afd6-151.dat	healer
behavioral1/memory/2500-152-0x00000000004F0000-0x00000000004FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6984599.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6984599.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6984599.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6984599.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6984599.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3676	v3259006.exe
4164	v3932963.exe
4152	v2969111.exe
5040	v8438895.exe
2500	a6984599.exe
2452	b4655908.exe
2104	c0843939.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6984599.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8567b6e192c9cc59473e671bed8dbadffd2c3bf4372f5a65e2c8ca0390b3bfbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3259006.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3932963.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2969111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8438895.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	a6984599.exe
2500	a6984599.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	a6984599.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3676	4956	8567b6e192c9cc59473e671bed8dbadffd2c3bf4372f5a65e2c8ca0390b3bfbb.exe	70
PID 4956 wrote to memory of 3676	4956	8567b6e192c9cc59473e671bed8dbadffd2c3bf4372f5a65e2c8ca0390b3bfbb.exe	70
PID 4956 wrote to memory of 3676	4956	8567b6e192c9cc59473e671bed8dbadffd2c3bf4372f5a65e2c8ca0390b3bfbb.exe	70
PID 3676 wrote to memory of 4164	3676	v3259006.exe	71
PID 3676 wrote to memory of 4164	3676	v3259006.exe	71
PID 3676 wrote to memory of 4164	3676	v3259006.exe	71
PID 4164 wrote to memory of 4152	4164	v3932963.exe	72
PID 4164 wrote to memory of 4152	4164	v3932963.exe	72
PID 4164 wrote to memory of 4152	4164	v3932963.exe	72
PID 4152 wrote to memory of 5040	4152	v2969111.exe	73
PID 4152 wrote to memory of 5040	4152	v2969111.exe	73
PID 4152 wrote to memory of 5040	4152	v2969111.exe	73
PID 5040 wrote to memory of 2500	5040	v8438895.exe	74
PID 5040 wrote to memory of 2500	5040	v8438895.exe	74
PID 5040 wrote to memory of 2452	5040	v8438895.exe	75
PID 5040 wrote to memory of 2452	5040	v8438895.exe	75
PID 5040 wrote to memory of 2452	5040	v8438895.exe	75
PID 4152 wrote to memory of 2104	4152	v2969111.exe	76
PID 4152 wrote to memory of 2104	4152	v2969111.exe	76
PID 4152 wrote to memory of 2104	4152	v2969111.exe	76

C:\Users\Admin\AppData\Local\Temp\8567b6e192c9cc59473e671bed8dbadffd2c3bf4372f5a65e2c8ca0390b3bfbb.exe
"C:\Users\Admin\AppData\Local\Temp\8567b6e192c9cc59473e671bed8dbadffd2c3bf4372f5a65e2c8ca0390b3bfbb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3259006.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3259006.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3932963.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3932963.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2969111.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2969111.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4152
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8438895.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8438895.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6984599.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6984599.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4655908.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4655908.exe
        6⤵
        Executes dropped EXE
        
        PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0843939.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0843939.exe
        5⤵
        Executes dropped EXE
        
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3259006.exe

Filesize
724KB

MD5
4813502acb5d1703517d97f5b9221ba4

SHA1
a19c44bc1dfb57fb7c72be9158cfbd32eb06b6d1

SHA256
dbd3d5f0886d7886a4b03984108c2d3e8638c9a2792b8f7444cb9513f68b1354

SHA512
02fde2225b36838d7d335003cabee07ae4d87fc00b04a9258f196654876fa826fb42f690141d2b6b1f552efbbb624ac9faf42f95b6c00640bb11830375413a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3259006.exe

Filesize
724KB

MD5
4813502acb5d1703517d97f5b9221ba4

SHA1
a19c44bc1dfb57fb7c72be9158cfbd32eb06b6d1

SHA256
dbd3d5f0886d7886a4b03984108c2d3e8638c9a2792b8f7444cb9513f68b1354

SHA512
02fde2225b36838d7d335003cabee07ae4d87fc00b04a9258f196654876fa826fb42f690141d2b6b1f552efbbb624ac9faf42f95b6c00640bb11830375413a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3932963.exe

Filesize
497KB

MD5
e54f08c9cc90733da604b7001815f4ed

SHA1
a100755ca42dcf85f844eeb63872a9e593caabe7

SHA256
f71a7824f4189dc073be60c012473ed6e12e9aa53a912a9d8e8c2f561256cdcc

SHA512
c6dea37e9dd2baf286d5d7b7b3171ed1bf2c4c181dcc81de53f9cbd329a9454982e1edccd3e5bdc8864e618e110372b3901593cb731b08c8b912859818af1438

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3932963.exe

Filesize
497KB

MD5
e54f08c9cc90733da604b7001815f4ed

SHA1
a100755ca42dcf85f844eeb63872a9e593caabe7

SHA256
f71a7824f4189dc073be60c012473ed6e12e9aa53a912a9d8e8c2f561256cdcc

SHA512
c6dea37e9dd2baf286d5d7b7b3171ed1bf2c4c181dcc81de53f9cbd329a9454982e1edccd3e5bdc8864e618e110372b3901593cb731b08c8b912859818af1438

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2969111.exe

Filesize
373KB

MD5
a2cfe59cd1274250becc6313563ff2ac

SHA1
d9f71ed0986959553bb46dfc69d2047c018eb8f1

SHA256
57ff0e066e8febeb239267d4c74de1b109da9c743d94e41d8f7b044b900a9982

SHA512
2dbb57d6bbd526d3de28b9fa79104cd1c2baa527fe8a450a9e745fc0b16fddf024e11e4897eeccfc6819f2c82f9ab2482c8c8bc866b3d9ec845d4de6ffae51c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2969111.exe

Filesize
373KB

MD5
a2cfe59cd1274250becc6313563ff2ac

SHA1
d9f71ed0986959553bb46dfc69d2047c018eb8f1

SHA256
57ff0e066e8febeb239267d4c74de1b109da9c743d94e41d8f7b044b900a9982

SHA512
2dbb57d6bbd526d3de28b9fa79104cd1c2baa527fe8a450a9e745fc0b16fddf024e11e4897eeccfc6819f2c82f9ab2482c8c8bc866b3d9ec845d4de6ffae51c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0843939.exe

Filesize
174KB

MD5
5e550a3b4dae6b44826fe05269ba5cba

SHA1
666ef0de25b594412cd7a16b3dbb4d78adda8ab8

SHA256
5f7d02299cdc557e38c9c35a4c1e93f6136b747b60deca2fa3d61027be18d7c9

SHA512
30c23fce7115dbd65a3b232d69da3fdb4e9e05bb7f9206de660a4f85080de0e753fc6ef89ec5bac3442f16dc92ab37bce13d00c96e884e02b2acf0235e1ff089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0843939.exe

Filesize
174KB

MD5
5e550a3b4dae6b44826fe05269ba5cba

SHA1
666ef0de25b594412cd7a16b3dbb4d78adda8ab8

SHA256
5f7d02299cdc557e38c9c35a4c1e93f6136b747b60deca2fa3d61027be18d7c9

SHA512
30c23fce7115dbd65a3b232d69da3fdb4e9e05bb7f9206de660a4f85080de0e753fc6ef89ec5bac3442f16dc92ab37bce13d00c96e884e02b2acf0235e1ff089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8438895.exe

Filesize
217KB

MD5
80e1b7da750529821a4e4e18cae3b101

SHA1
fea7595e07d1707053b846fb35ad980700d0bb89

SHA256
a52aada4bbf1982faaa38bec853c5b9ce4faacddba9d392241e6a58029b63ecd

SHA512
337351113d6e803258058114437cdf072f0f7ea66018d890d965d49c8a55b588aded55539dcde8d8dd8a9cc6dbc21049e9d5731060f53b138ab3e448d8db2377

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8438895.exe

Filesize
217KB

MD5
80e1b7da750529821a4e4e18cae3b101

SHA1
fea7595e07d1707053b846fb35ad980700d0bb89

SHA256
a52aada4bbf1982faaa38bec853c5b9ce4faacddba9d392241e6a58029b63ecd

SHA512
337351113d6e803258058114437cdf072f0f7ea66018d890d965d49c8a55b588aded55539dcde8d8dd8a9cc6dbc21049e9d5731060f53b138ab3e448d8db2377

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6984599.exe

Filesize
11KB

MD5
47d5c86e75767f13480f9baf67b522d4

SHA1
073fcc4f1ebedd251981c2d2f9643984701fb186

SHA256
105235b53041f057a0304f1b4f4973ce8259b289e47bd6e727cd2580b10ca7c2

SHA512
7f74a1387eaa283cd8c85e68a2e49f422da5a350b5bb74eff1339912071e05a280b648a3431948aac6534c686f1f8ea1b07913c4ebdb697484f35b2d7fbf5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6984599.exe

Filesize
11KB

MD5
47d5c86e75767f13480f9baf67b522d4

SHA1
073fcc4f1ebedd251981c2d2f9643984701fb186

SHA256
105235b53041f057a0304f1b4f4973ce8259b289e47bd6e727cd2580b10ca7c2

SHA512
7f74a1387eaa283cd8c85e68a2e49f422da5a350b5bb74eff1339912071e05a280b648a3431948aac6534c686f1f8ea1b07913c4ebdb697484f35b2d7fbf5fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4655908.exe

Filesize
140KB

MD5
1f42e9a77fc630f33e7a8458a57052f4

SHA1
4369bfdd19d6371100e2590f6abd654e57c12825

SHA256
5b31cf8c76cf4b29a87c2af1a4ac9d23a3c9dcaa50512ec9698250462476fd6f

SHA512
f45231dbe9de16d205a0e298ea338d835f3e109a1d484ba9e9800fb0e0693162be224878b4ec52b44a543e3c5c1c8934f2fe34d7832b7dac3a9d584c2c836425

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4655908.exe

Filesize
140KB

MD5
1f42e9a77fc630f33e7a8458a57052f4

SHA1
4369bfdd19d6371100e2590f6abd654e57c12825

SHA256
5b31cf8c76cf4b29a87c2af1a4ac9d23a3c9dcaa50512ec9698250462476fd6f

SHA512
f45231dbe9de16d205a0e298ea338d835f3e109a1d484ba9e9800fb0e0693162be224878b4ec52b44a543e3c5c1c8934f2fe34d7832b7dac3a9d584c2c836425

Download Submit
memory/2104-163-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2104-162-0x0000000000920000-0x0000000000950000-memory.dmp

Filesize
192KB

Download
memory/2104-164-0x0000000002B60000-0x0000000002B66000-memory.dmp

Filesize
24KB

Download
memory/2104-165-0x000000000AC30000-0x000000000B236000-memory.dmp

Filesize
6.0MB

Download
memory/2104-166-0x000000000A730000-0x000000000A83A000-memory.dmp

Filesize
1.0MB

Download
memory/2104-167-0x000000000A660000-0x000000000A672000-memory.dmp

Filesize
72KB

Download
memory/2104-168-0x000000000A6C0000-0x000000000A6FE000-memory.dmp

Filesize
248KB

Download
memory/2104-169-0x000000000A840000-0x000000000A88B000-memory.dmp

Filesize
300KB

Download
memory/2104-170-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2500-155-0x00007FFCB18E0000-0x00007FFCB22CC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-153-0x00007FFCB18E0000-0x00007FFCB22CC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-152-0x00000000004F0000-0x00000000004FA000-memory.dmp

Filesize
40KB

Download