healer | fa8e408f51176c1f789b74992968eb838bc9ced07dd8887158c7dbb3df389d42

Analysis

max time kernel
146s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21-08-2023 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa8e408f51176c1f789b74992968eb838bc9ced07dd8887158c7dbb3df389d42.exe
Size

838KB
MD5

db200f58235f96860d8f3bb501670bd8
SHA1

6a599c7e20d0d7d0256b080cd492285556d88ea8
SHA256

fa8e408f51176c1f789b74992968eb838bc9ced07dd8887158c7dbb3df389d42
SHA512

90d730bf9c7ab1204c3368e7dcd861cc627ec66c07f3141e2b0fe37d15a989e84b0f1f27d5b47bf4821f856f4e422bd25abf46192b3f64c307fd904914070ec4
SSDEEP

12288:JMrey90j4B28IOlUjQQJf7t7ayHts7Ng5LUr8ocAh3weibhdR0kbFUue/3bn:3yw4BtlqjBTNeQocr9tdqkPqb

Score

10^/10

healer redline lang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lang

77.91.124.73:19071

Attributes

auth_value
92c0fc2b7a8b3fc5a01baa1abf31c42a

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b03d-155.dat	healer
behavioral1/files/0x000700000001b03d-156.dat	healer
behavioral1/memory/1436-157-0x0000000000E60000-0x0000000000E6A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8318047.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8318047.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8318047.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8318047.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8318047.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1212	v2407731.exe
1112	v9329002.exe
2916	v5208295.exe
4444	v6312186.exe
1436	a8318047.exe
1440	b5398049.exe
4508	c6103708.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8318047.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fa8e408f51176c1f789b74992968eb838bc9ced07dd8887158c7dbb3df389d42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2407731.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9329002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5208295.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6312186.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1436	a8318047.exe
1436	a8318047.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1436	a8318047.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 1212	3736	fa8e408f51176c1f789b74992968eb838bc9ced07dd8887158c7dbb3df389d42.exe	70
PID 3736 wrote to memory of 1212	3736	fa8e408f51176c1f789b74992968eb838bc9ced07dd8887158c7dbb3df389d42.exe	70
PID 3736 wrote to memory of 1212	3736	fa8e408f51176c1f789b74992968eb838bc9ced07dd8887158c7dbb3df389d42.exe	70
PID 1212 wrote to memory of 1112	1212	v2407731.exe	71
PID 1212 wrote to memory of 1112	1212	v2407731.exe	71
PID 1212 wrote to memory of 1112	1212	v2407731.exe	71
PID 1112 wrote to memory of 2916	1112	v9329002.exe	72
PID 1112 wrote to memory of 2916	1112	v9329002.exe	72
PID 1112 wrote to memory of 2916	1112	v9329002.exe	72
PID 2916 wrote to memory of 4444	2916	v5208295.exe	73
PID 2916 wrote to memory of 4444	2916	v5208295.exe	73
PID 2916 wrote to memory of 4444	2916	v5208295.exe	73
PID 4444 wrote to memory of 1436	4444	v6312186.exe	74
PID 4444 wrote to memory of 1436	4444	v6312186.exe	74
PID 4444 wrote to memory of 1440	4444	v6312186.exe	75
PID 4444 wrote to memory of 1440	4444	v6312186.exe	75
PID 4444 wrote to memory of 1440	4444	v6312186.exe	75
PID 2916 wrote to memory of 4508	2916	v5208295.exe	76
PID 2916 wrote to memory of 4508	2916	v5208295.exe	76
PID 2916 wrote to memory of 4508	2916	v5208295.exe	76

C:\Users\Admin\AppData\Local\Temp\fa8e408f51176c1f789b74992968eb838bc9ced07dd8887158c7dbb3df389d42.exe
"C:\Users\Admin\AppData\Local\Temp\fa8e408f51176c1f789b74992968eb838bc9ced07dd8887158c7dbb3df389d42.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3736
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2407731.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2407731.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9329002.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9329002.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5208295.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5208295.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6312186.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6312186.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4444
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8318047.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8318047.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5398049.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5398049.exe
        6⤵
        Executes dropped EXE
        
        PID:1440
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6103708.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6103708.exe
        5⤵
        Executes dropped EXE
        
        PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2407731.exe

Filesize
722KB

MD5
648149a4a984b8e38a25f48a0a80fe06

SHA1
c68e07750f267473fbbf06909c410888f26b5b66

SHA256
6fe8ef894ca6666b59360f4ed4e064ef377bc510c5a32251cec264ee89a349d7

SHA512
77eb44c46b745222931f803c30d31848bb99eea6e3eff192555cd386cc38fe60728080798a23e4d88093e5be5dd0d218da6d1b6a608e6d00a04dae6d9bd08fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2407731.exe

Filesize
722KB

MD5
648149a4a984b8e38a25f48a0a80fe06

SHA1
c68e07750f267473fbbf06909c410888f26b5b66

SHA256
6fe8ef894ca6666b59360f4ed4e064ef377bc510c5a32251cec264ee89a349d7

SHA512
77eb44c46b745222931f803c30d31848bb99eea6e3eff192555cd386cc38fe60728080798a23e4d88093e5be5dd0d218da6d1b6a608e6d00a04dae6d9bd08fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9329002.exe

Filesize
497KB

MD5
45ba4448138f354b6778175575bf0721

SHA1
410f8cfbf92f672de0aa8a7377f47925efa0dbe8

SHA256
b3ad77ed002eda0452b98ec45a3a4629f3a00265cff53bc0140bb428546662e9

SHA512
35a86967eeef4187cf7150a4a06cd4ffec9844c1573b18341d8d3afaaf6824e813634bf9d218a0d8f73f7c6d9105c3475e91c0ebf090acb94af304ebecef1a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9329002.exe

Filesize
497KB

MD5
45ba4448138f354b6778175575bf0721

SHA1
410f8cfbf92f672de0aa8a7377f47925efa0dbe8

SHA256
b3ad77ed002eda0452b98ec45a3a4629f3a00265cff53bc0140bb428546662e9

SHA512
35a86967eeef4187cf7150a4a06cd4ffec9844c1573b18341d8d3afaaf6824e813634bf9d218a0d8f73f7c6d9105c3475e91c0ebf090acb94af304ebecef1a7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5208295.exe

Filesize
372KB

MD5
c51baf3457789a9273b544f90c439647

SHA1
52081e7379e80ed5b12d9be49efa962b2e32b2b6

SHA256
8256bea99b2b4fabe4a59894bd58bb24ae21c66a70fc42747100966f87364bd3

SHA512
210886cffab720984408347c0c86ac593636443e177cd15f1a66557ba50d653ed037580cd6f17f74e380db85274d0e1c855ffdf66183f1f7db17fa53cc1ad10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5208295.exe

Filesize
372KB

MD5
c51baf3457789a9273b544f90c439647

SHA1
52081e7379e80ed5b12d9be49efa962b2e32b2b6

SHA256
8256bea99b2b4fabe4a59894bd58bb24ae21c66a70fc42747100966f87364bd3

SHA512
210886cffab720984408347c0c86ac593636443e177cd15f1a66557ba50d653ed037580cd6f17f74e380db85274d0e1c855ffdf66183f1f7db17fa53cc1ad10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6103708.exe

Filesize
174KB

MD5
3c6da4b8666ff89a31bba255a9bc2219

SHA1
22217f5ae18a92ff883a152f7b6a9ffb789b0bdb

SHA256
a301cb4bf08494ca22979f6a79824452b31e5d54b56e3756a5d33b961780b5da

SHA512
208eaa9b3a15bc162e1488ed8a6cb8ea1cf0ca996b5a3ee25942f1c2c7ee1e64c3752fb82f2ac7fe36433587dd9de1509d874f6036d9c85a73090ab44670505e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6103708.exe

Filesize
174KB

MD5
3c6da4b8666ff89a31bba255a9bc2219

SHA1
22217f5ae18a92ff883a152f7b6a9ffb789b0bdb

SHA256
a301cb4bf08494ca22979f6a79824452b31e5d54b56e3756a5d33b961780b5da

SHA512
208eaa9b3a15bc162e1488ed8a6cb8ea1cf0ca996b5a3ee25942f1c2c7ee1e64c3752fb82f2ac7fe36433587dd9de1509d874f6036d9c85a73090ab44670505e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6312186.exe

Filesize
217KB

MD5
0ea4b8e91ecf9022dd54005470445703

SHA1
2c82084a8ea85901e47da882840361693016a651

SHA256
0b1c898cf0fb126f64444937b7cc5be9a18f2fd90a3e89a184a62b1b946f2643

SHA512
4141ee3a06024ec6294eeb8671f6148e275cc9ddabe4a6cfd7227dcf141f36b2edf18d91cf889cc6076b89e53e1652a43d4f7e333da8a4e641869f333927b3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6312186.exe

Filesize
217KB

MD5
0ea4b8e91ecf9022dd54005470445703

SHA1
2c82084a8ea85901e47da882840361693016a651

SHA256
0b1c898cf0fb126f64444937b7cc5be9a18f2fd90a3e89a184a62b1b946f2643

SHA512
4141ee3a06024ec6294eeb8671f6148e275cc9ddabe4a6cfd7227dcf141f36b2edf18d91cf889cc6076b89e53e1652a43d4f7e333da8a4e641869f333927b3e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8318047.exe

Filesize
11KB

MD5
ab494c8e359b9e9025d5b9fa7c5ae36e

SHA1
6450ee09d86e9be587e81532e161a6580653d30d

SHA256
7528ad8d806765594efe5f3b5c4888ad7b473c6e3dce4f5c69c58724e573c038

SHA512
148bc75170271de5cb49bc32d0a6ca6e61e662a69aea948709dc5c9329609f5d62810433691ce1859b0e7453ed1b36dcae124623b11d489b93c3f2680c0c4a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8318047.exe

Filesize
11KB

MD5
ab494c8e359b9e9025d5b9fa7c5ae36e

SHA1
6450ee09d86e9be587e81532e161a6580653d30d

SHA256
7528ad8d806765594efe5f3b5c4888ad7b473c6e3dce4f5c69c58724e573c038

SHA512
148bc75170271de5cb49bc32d0a6ca6e61e662a69aea948709dc5c9329609f5d62810433691ce1859b0e7453ed1b36dcae124623b11d489b93c3f2680c0c4a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5398049.exe

Filesize
140KB

MD5
36456e7e482b23734b1978853d38a50c

SHA1
fe5997d9cf0d602ec8727185a180dbf5abf860c1

SHA256
2dd6f688eb4ec6a80b2d462c9db6ae7870442ade8ffbfb93da7938ab9b538c4d

SHA512
38687b8642dbf0ca8c1b0557890189f67c7d4b2ad6db7f6cc14696ceb9251919bec328526ac8170f7350399fe39dc44a4ea65bb769491ccf151eb5af7fab1c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5398049.exe

Filesize
140KB

MD5
36456e7e482b23734b1978853d38a50c

SHA1
fe5997d9cf0d602ec8727185a180dbf5abf860c1

SHA256
2dd6f688eb4ec6a80b2d462c9db6ae7870442ade8ffbfb93da7938ab9b538c4d

SHA512
38687b8642dbf0ca8c1b0557890189f67c7d4b2ad6db7f6cc14696ceb9251919bec328526ac8170f7350399fe39dc44a4ea65bb769491ccf151eb5af7fab1c52

Download Submit
memory/1436-160-0x00007FFA63760000-0x00007FFA6414C000-memory.dmp

Filesize
9.9MB

Download
memory/1436-158-0x00007FFA63760000-0x00007FFA6414C000-memory.dmp

Filesize
9.9MB

Download
memory/1436-157-0x0000000000E60000-0x0000000000E6A000-memory.dmp

Filesize
40KB

Download
memory/4508-167-0x00000000009A0000-0x00000000009D0000-memory.dmp

Filesize
192KB

Download
memory/4508-168-0x0000000072E40000-0x000000007352E000-memory.dmp

Filesize
6.9MB

Download
memory/4508-169-0x0000000001030000-0x0000000001036000-memory.dmp

Filesize
24KB

Download
memory/4508-170-0x000000000AD70000-0x000000000B376000-memory.dmp

Filesize
6.0MB

Download
memory/4508-171-0x000000000A870000-0x000000000A97A000-memory.dmp

Filesize
1.0MB

Download
memory/4508-172-0x0000000005250000-0x0000000005262000-memory.dmp

Filesize
72KB

Download
memory/4508-173-0x000000000A760000-0x000000000A79E000-memory.dmp

Filesize
248KB

Download
memory/4508-174-0x000000000A7A0000-0x000000000A7EB000-memory.dmp

Filesize
300KB

Download
memory/4508-175-0x0000000072E40000-0x000000007352E000-memory.dmp

Filesize
6.9MB

Download