healer | a2c3515b8df1b020147b60d3ad967e8d21f2ebad40629a212ddded9ac08bbdcc

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21/08/2023, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2c3515b8df1b020147b60d3ad967e8d21f2ebad40629a212ddded9ac08bbdcc.exe
Size

714KB
MD5

ca50f647d114b82f4cffa2aec2ffff3b
SHA1

daf2134fa7422475d8e2be71eb69266f189fb6b3
SHA256

a2c3515b8df1b020147b60d3ad967e8d21f2ebad40629a212ddded9ac08bbdcc
SHA512

3982515475610fa4e5f0a34e32f6ad91ae356212f130b465f03218cce11a0a85142edd92ea084e6dc8d169a67b9c2b012d5f77e8c2eafe0f72fb9610f4fa4bf6
SSDEEP

12288:0Mr3y90XtL/Hx+1Yk3i8EKdJczfvW4WydyjkXBh0CTwEconfONU3J4X9:zyWEJ3i8E9vdyj8rTHtmEk

Score

10^/10

healer redline lang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lang

77.91.124.73:19071

Attributes

auth_value
92c0fc2b7a8b3fc5a01baa1abf31c42a

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afe8-147.dat	healer
behavioral1/files/0x000700000001afe8-148.dat	healer
behavioral1/memory/4964-149-0x00000000007B0000-0x00000000007BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r5086221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r5086221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r5086221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r5086221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r5086221.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2116	z6296875.exe
4700	z2688912.exe
3008	z2065776.exe
4964	r5086221.exe
1724	s0909164.exe
4876	t4383198.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	r5086221.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a2c3515b8df1b020147b60d3ad967e8d21f2ebad40629a212ddded9ac08bbdcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6296875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2688912.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2065776.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4964	r5086221.exe
4964	r5086221.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4964	r5086221.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2116	3060	a2c3515b8df1b020147b60d3ad967e8d21f2ebad40629a212ddded9ac08bbdcc.exe	69
PID 3060 wrote to memory of 2116	3060	a2c3515b8df1b020147b60d3ad967e8d21f2ebad40629a212ddded9ac08bbdcc.exe	69
PID 3060 wrote to memory of 2116	3060	a2c3515b8df1b020147b60d3ad967e8d21f2ebad40629a212ddded9ac08bbdcc.exe	69
PID 2116 wrote to memory of 4700	2116	z6296875.exe	70
PID 2116 wrote to memory of 4700	2116	z6296875.exe	70
PID 2116 wrote to memory of 4700	2116	z6296875.exe	70
PID 4700 wrote to memory of 3008	4700	z2688912.exe	71
PID 4700 wrote to memory of 3008	4700	z2688912.exe	71
PID 4700 wrote to memory of 3008	4700	z2688912.exe	71
PID 3008 wrote to memory of 4964	3008	z2065776.exe	72
PID 3008 wrote to memory of 4964	3008	z2065776.exe	72
PID 3008 wrote to memory of 1724	3008	z2065776.exe	73
PID 3008 wrote to memory of 1724	3008	z2065776.exe	73
PID 3008 wrote to memory of 1724	3008	z2065776.exe	73
PID 4700 wrote to memory of 4876	4700	z2688912.exe	74
PID 4700 wrote to memory of 4876	4700	z2688912.exe	74
PID 4700 wrote to memory of 4876	4700	z2688912.exe	74

C:\Users\Admin\AppData\Local\Temp\a2c3515b8df1b020147b60d3ad967e8d21f2ebad40629a212ddded9ac08bbdcc.exe
"C:\Users\Admin\AppData\Local\Temp\a2c3515b8df1b020147b60d3ad967e8d21f2ebad40629a212ddded9ac08bbdcc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6296875.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6296875.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2688912.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2688912.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2065776.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2065776.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r5086221.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r5086221.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0909164.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0909164.exe
        5⤵
        Executes dropped EXE
        
        PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4383198.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4383198.exe
      4⤵
      Executes dropped EXE
      PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6296875.exe

Filesize
599KB

MD5
757949dfe8aa146314c53fff0aba6cd6

SHA1
036cabc7ce974b91964586d9b3c2814c1591779d

SHA256
c591f8b15a843bfba2701622cf05c5fd1fea93cebce86885fab2584b52d857c2

SHA512
ff5cc4809d87f9cea039a33f6cf1897694cca10872420587799beb4a1a693eef02ac82d6a9a38f84e96a172ad63bc04e95889b93900806fa7b013c50c642832b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6296875.exe

Filesize
599KB

MD5
757949dfe8aa146314c53fff0aba6cd6

SHA1
036cabc7ce974b91964586d9b3c2814c1591779d

SHA256
c591f8b15a843bfba2701622cf05c5fd1fea93cebce86885fab2584b52d857c2

SHA512
ff5cc4809d87f9cea039a33f6cf1897694cca10872420587799beb4a1a693eef02ac82d6a9a38f84e96a172ad63bc04e95889b93900806fa7b013c50c642832b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2688912.exe

Filesize
373KB

MD5
da948c3682b49f15eef36905830cd2ee

SHA1
3b42fece76c937db514cc3fb78f9d6d7305970dc

SHA256
3037e3fcd99205e20eff8b9ddf7c4b1e6039d7022d2d2a63c94adbb5a8f4b39f

SHA512
fe59e42cb5933a3ca6150ff2fbfbf72f75c11902dc8287785945ca9ab9c51b1924b016c42c66143a8cc5176162c79d25655272af66a28fed26a8c4ad8797b2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2688912.exe

Filesize
373KB

MD5
da948c3682b49f15eef36905830cd2ee

SHA1
3b42fece76c937db514cc3fb78f9d6d7305970dc

SHA256
3037e3fcd99205e20eff8b9ddf7c4b1e6039d7022d2d2a63c94adbb5a8f4b39f

SHA512
fe59e42cb5933a3ca6150ff2fbfbf72f75c11902dc8287785945ca9ab9c51b1924b016c42c66143a8cc5176162c79d25655272af66a28fed26a8c4ad8797b2da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4383198.exe

Filesize
174KB

MD5
44a4128cac270da2aaad57cd17182b8a

SHA1
642044121e2f495a85de1fecd1e82a46ace98479

SHA256
e54b0ec99bc372aa673068224248ebdb3ec78943496a6f925d821658e659394f

SHA512
0ce108446bc35358cde2878d33b77ee10487e30fc652e9abc3ae11844873a44fa5db16b377ccfe223aca2fdbf704945b98bb93cfb4ce376c85a8caddbcbc9bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4383198.exe

Filesize
174KB

MD5
44a4128cac270da2aaad57cd17182b8a

SHA1
642044121e2f495a85de1fecd1e82a46ace98479

SHA256
e54b0ec99bc372aa673068224248ebdb3ec78943496a6f925d821658e659394f

SHA512
0ce108446bc35358cde2878d33b77ee10487e30fc652e9abc3ae11844873a44fa5db16b377ccfe223aca2fdbf704945b98bb93cfb4ce376c85a8caddbcbc9bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2065776.exe

Filesize
217KB

MD5
5517ae34ae0013ed92ed94f1f7a84084

SHA1
6025498b0d4137ce0994dab88b69692ae2e26fda

SHA256
b6520952d6ad6c78a6ab757e8acf71acc412dbac2660ca27a4b91fba810f6e33

SHA512
41d0482411b1643202e9053e6b4f1b926a58f1b60a2f72494ce090e1221656ed02e7df4a4cf931ecde1340a0377d9dc2cc73428cda36450236fd477f70d41663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2065776.exe

Filesize
217KB

MD5
5517ae34ae0013ed92ed94f1f7a84084

SHA1
6025498b0d4137ce0994dab88b69692ae2e26fda

SHA256
b6520952d6ad6c78a6ab757e8acf71acc412dbac2660ca27a4b91fba810f6e33

SHA512
41d0482411b1643202e9053e6b4f1b926a58f1b60a2f72494ce090e1221656ed02e7df4a4cf931ecde1340a0377d9dc2cc73428cda36450236fd477f70d41663

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r5086221.exe

Filesize
11KB

MD5
558abca574ce4da32f3a0f7c9d6380b4

SHA1
35d73a4bf2e5d5c023aef0ccc63e962519d88c9e

SHA256
3b59059bf1a4576877993bbcbdbe781abb3191188e40f97c1f84ce0066df95b2

SHA512
b133778c1f071073b7e34d3af4a2b801a40165d10f9d54a269858816fde33afd090563e62e17ce29e766eeb34dbf8da56ebf56245aa008803d639dced44bfa42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r5086221.exe

Filesize
11KB

MD5
558abca574ce4da32f3a0f7c9d6380b4

SHA1
35d73a4bf2e5d5c023aef0ccc63e962519d88c9e

SHA256
3b59059bf1a4576877993bbcbdbe781abb3191188e40f97c1f84ce0066df95b2

SHA512
b133778c1f071073b7e34d3af4a2b801a40165d10f9d54a269858816fde33afd090563e62e17ce29e766eeb34dbf8da56ebf56245aa008803d639dced44bfa42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0909164.exe

Filesize
140KB

MD5
1533be97b1d697eb2fe41e1d9fc73b58

SHA1
5f7ee523de2f4835f20cc54a04e7439b4a5bb534

SHA256
a57c455fc7033c38ef6211bb6fe9eabeb5d0acfecf92b63b16f41a66710162df

SHA512
2f1050cfe55c2b4492080845619f769749eed8e37a4250a5b7aefa1fc65ef08153d87466d21e4c2c2cdf6dc1835f204d71d48dbc04b13a09a1b8fb1a2fc4d216

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0909164.exe

Filesize
140KB

MD5
1533be97b1d697eb2fe41e1d9fc73b58

SHA1
5f7ee523de2f4835f20cc54a04e7439b4a5bb534

SHA256
a57c455fc7033c38ef6211bb6fe9eabeb5d0acfecf92b63b16f41a66710162df

SHA512
2f1050cfe55c2b4492080845619f769749eed8e37a4250a5b7aefa1fc65ef08153d87466d21e4c2c2cdf6dc1835f204d71d48dbc04b13a09a1b8fb1a2fc4d216

Download Submit
memory/4876-159-0x0000000000690000-0x00000000006C0000-memory.dmp

Filesize
192KB

Download
memory/4876-160-0x0000000073830000-0x0000000073F1E000-memory.dmp

Filesize
6.9MB

Download
memory/4876-161-0x00000000029C0000-0x00000000029C6000-memory.dmp

Filesize
24KB

Download
memory/4876-162-0x00000000055B0000-0x0000000005BB6000-memory.dmp

Filesize
6.0MB

Download
memory/4876-163-0x00000000050B0000-0x00000000051BA000-memory.dmp

Filesize
1.0MB

Download
memory/4876-164-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

Filesize
72KB

Download
memory/4876-165-0x0000000005020000-0x000000000505E000-memory.dmp

Filesize
248KB

Download
memory/4876-166-0x0000000005060000-0x00000000050AB000-memory.dmp

Filesize
300KB

Download
memory/4876-167-0x0000000073830000-0x0000000073F1E000-memory.dmp

Filesize
6.9MB

Download
memory/4964-152-0x00007FF9001D0000-0x00007FF900BBC000-memory.dmp

Filesize
9.9MB

Download
memory/4964-150-0x00007FF9001D0000-0x00007FF900BBC000-memory.dmp

Filesize
9.9MB

Download
memory/4964-149-0x00000000007B0000-0x00000000007BA000-memory.dmp

Filesize
40KB

Download