healer | f0dde02eac341810f321aafe030a3ee0444ad0ff4f8a9ff99114d2fabd2533a5

Analysis

max time kernel
145s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21/08/2023, 18:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f0dde02eac341810f321aafe030a3ee0444ad0ff4f8a9ff99114d2fabd2533a5.exe
Size

714KB
MD5

b022f9f9914cd21e9e80522f58228371
SHA1

fc5ee1b039cb553540b5a4d070e0ff734449f5e7
SHA256

f0dde02eac341810f321aafe030a3ee0444ad0ff4f8a9ff99114d2fabd2533a5
SHA512

7fadd7daa2e792d209ec95217433d91fd8e5fb2f9aadc8b3edaecee6ea95b1b380bc2539622a7a8dfa4c2838c369699cbfce47d0941afeb4bac8544987cffcf2
SSDEEP

12288:yMrly906R/mBC6iaQ0zfaWRpfnexHVUHgbDdtznaJB2hM0961Gsuqfnume/S:vy3X6iaQ0DamyFaQ96VuqfnumZ

Score

10^/10

healer redline lang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lang

77.91.124.73:19071

Attributes

auth_value
92c0fc2b7a8b3fc5a01baa1abf31c42a

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b069-148.dat	healer
behavioral1/files/0x000700000001b069-149.dat	healer
behavioral1/memory/616-150-0x0000000000B30000-0x0000000000B3A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r6365623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r6365623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r6365623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r6365623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r6365623.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
4844	z6752584.exe
1524	z7771862.exe
4540	z9399797.exe
616	r6365623.exe
2132	s6464225.exe
4996	t7354197.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	r6365623.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f0dde02eac341810f321aafe030a3ee0444ad0ff4f8a9ff99114d2fabd2533a5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6752584.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7771862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z9399797.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
616	r6365623.exe
616	r6365623.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	616	r6365623.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 4844	2092	f0dde02eac341810f321aafe030a3ee0444ad0ff4f8a9ff99114d2fabd2533a5.exe	70
PID 2092 wrote to memory of 4844	2092	f0dde02eac341810f321aafe030a3ee0444ad0ff4f8a9ff99114d2fabd2533a5.exe	70
PID 2092 wrote to memory of 4844	2092	f0dde02eac341810f321aafe030a3ee0444ad0ff4f8a9ff99114d2fabd2533a5.exe	70
PID 4844 wrote to memory of 1524	4844	z6752584.exe	71
PID 4844 wrote to memory of 1524	4844	z6752584.exe	71
PID 4844 wrote to memory of 1524	4844	z6752584.exe	71
PID 1524 wrote to memory of 4540	1524	z7771862.exe	72
PID 1524 wrote to memory of 4540	1524	z7771862.exe	72
PID 1524 wrote to memory of 4540	1524	z7771862.exe	72
PID 4540 wrote to memory of 616	4540	z9399797.exe	73
PID 4540 wrote to memory of 616	4540	z9399797.exe	73
PID 4540 wrote to memory of 2132	4540	z9399797.exe	74
PID 4540 wrote to memory of 2132	4540	z9399797.exe	74
PID 4540 wrote to memory of 2132	4540	z9399797.exe	74
PID 1524 wrote to memory of 4996	1524	z7771862.exe	75
PID 1524 wrote to memory of 4996	1524	z7771862.exe	75
PID 1524 wrote to memory of 4996	1524	z7771862.exe	75

C:\Users\Admin\AppData\Local\Temp\f0dde02eac341810f321aafe030a3ee0444ad0ff4f8a9ff99114d2fabd2533a5.exe
"C:\Users\Admin\AppData\Local\Temp\f0dde02eac341810f321aafe030a3ee0444ad0ff4f8a9ff99114d2fabd2533a5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6752584.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6752584.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7771862.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7771862.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9399797.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9399797.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4540
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6365623.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6365623.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6464225.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6464225.exe
        5⤵
        Executes dropped EXE
        
        PID:2132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7354197.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7354197.exe
      4⤵
      Executes dropped EXE
      PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6752584.exe

Filesize
599KB

MD5
6d415602fadaad9964f387ad8638cd22

SHA1
0fc8a3666f6aac3750928a195d11ee5840d7ecf9

SHA256
454edd09c6cfa13fa36a61506bdcd0abf93ff043c5ef1e8f989d4b6942dc94a6

SHA512
564bd6025acfc0f43a2f038b3390d634dc66d62049e38a0616f1df9c8cd22dd246b798dd4e88ba644b5a842ea4dfbf5e32d1386e2a2629ce58de563079db44eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6752584.exe

Filesize
599KB

MD5
6d415602fadaad9964f387ad8638cd22

SHA1
0fc8a3666f6aac3750928a195d11ee5840d7ecf9

SHA256
454edd09c6cfa13fa36a61506bdcd0abf93ff043c5ef1e8f989d4b6942dc94a6

SHA512
564bd6025acfc0f43a2f038b3390d634dc66d62049e38a0616f1df9c8cd22dd246b798dd4e88ba644b5a842ea4dfbf5e32d1386e2a2629ce58de563079db44eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7771862.exe

Filesize
373KB

MD5
a5488678b215976baa1a0f52ae5eef89

SHA1
bfdce4729f8034d2654690fd34463d28d1478eeb

SHA256
8310b8ad4d75ae4db9fa1d17773040ff16deb5d6e009a23b54cb5285bb776497

SHA512
01fcd3d218a6be9f6ee7582936329c69f941f4a98891c6a1d98b2ea239ced0e365bd9a46bcf846871b40b6def56c1670598fc3f7bcd52de1bf63f9088f3e501a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7771862.exe

Filesize
373KB

MD5
a5488678b215976baa1a0f52ae5eef89

SHA1
bfdce4729f8034d2654690fd34463d28d1478eeb

SHA256
8310b8ad4d75ae4db9fa1d17773040ff16deb5d6e009a23b54cb5285bb776497

SHA512
01fcd3d218a6be9f6ee7582936329c69f941f4a98891c6a1d98b2ea239ced0e365bd9a46bcf846871b40b6def56c1670598fc3f7bcd52de1bf63f9088f3e501a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7354197.exe

Filesize
174KB

MD5
d8d3ec5b2526cdb06acb87f3983b5195

SHA1
814b40580d4a3e3924eb1f00fef207027185c5c4

SHA256
999ca722cfacae970d325005d5b090dc4eaac6242454f80c4893430ad0261d7d

SHA512
213db137c416be0104af18920a7756bebaba636d62287629b87c02475d428efd9dba27abcb4a619226d0c99e818af0f40fa3d09f2e596b879a3023ffe7a7293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t7354197.exe

Filesize
174KB

MD5
d8d3ec5b2526cdb06acb87f3983b5195

SHA1
814b40580d4a3e3924eb1f00fef207027185c5c4

SHA256
999ca722cfacae970d325005d5b090dc4eaac6242454f80c4893430ad0261d7d

SHA512
213db137c416be0104af18920a7756bebaba636d62287629b87c02475d428efd9dba27abcb4a619226d0c99e818af0f40fa3d09f2e596b879a3023ffe7a7293a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9399797.exe

Filesize
217KB

MD5
a3a5da8e98fea1f59b4892059f19f6c9

SHA1
2a1f713ee8a81b4dffa14134b0e160ee1a8705e9

SHA256
6db8a5bc460d82f97fabefa3bbb1a2ad5f3e964a61bdca01ecb371e9c7a535d5

SHA512
0babcbf5bc9e22760981ae611d532f5728bee7d90b3bcc562b40a29ecd81aa9cf285ba30d9845e351c4c967b112484233cd54b37be666741cd33ba041b686440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9399797.exe

Filesize
217KB

MD5
a3a5da8e98fea1f59b4892059f19f6c9

SHA1
2a1f713ee8a81b4dffa14134b0e160ee1a8705e9

SHA256
6db8a5bc460d82f97fabefa3bbb1a2ad5f3e964a61bdca01ecb371e9c7a535d5

SHA512
0babcbf5bc9e22760981ae611d532f5728bee7d90b3bcc562b40a29ecd81aa9cf285ba30d9845e351c4c967b112484233cd54b37be666741cd33ba041b686440

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6365623.exe

Filesize
11KB

MD5
299231cb5aa7387acba039725b52f6af

SHA1
4d66492072929aa56df495a928f98ce8225e0901

SHA256
300f44a09d74ac717bf5a12e59262a048638dabdf99c86c1c9908bdfa6e4c60b

SHA512
71957e882d6f5459c24435341bd5e0247572419bb2c654d0e8fa08a0dfffa4706fd20089c1930ba6d5bf9b903679db443fb40ffc01a2562636d441fb6a3dff84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r6365623.exe

Filesize
11KB

MD5
299231cb5aa7387acba039725b52f6af

SHA1
4d66492072929aa56df495a928f98ce8225e0901

SHA256
300f44a09d74ac717bf5a12e59262a048638dabdf99c86c1c9908bdfa6e4c60b

SHA512
71957e882d6f5459c24435341bd5e0247572419bb2c654d0e8fa08a0dfffa4706fd20089c1930ba6d5bf9b903679db443fb40ffc01a2562636d441fb6a3dff84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6464225.exe

Filesize
140KB

MD5
805657b9cce13f77ab2d76c4c03823d1

SHA1
67016007738f753886748a1b731d9e436249db30

SHA256
f085d356ff7e3bbd86de53cec21b95214fea61d01544f09099d5450758dba47e

SHA512
6195317da885c26d1a85be1fa2507c9f03e41c5f4f049bbc5fe4d4cbcebc3a23d2da51d2dd232311d72869703f796ac60963221b66ccd4f51a982ace9914a3d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6464225.exe

Filesize
140KB

MD5
805657b9cce13f77ab2d76c4c03823d1

SHA1
67016007738f753886748a1b731d9e436249db30

SHA256
f085d356ff7e3bbd86de53cec21b95214fea61d01544f09099d5450758dba47e

SHA512
6195317da885c26d1a85be1fa2507c9f03e41c5f4f049bbc5fe4d4cbcebc3a23d2da51d2dd232311d72869703f796ac60963221b66ccd4f51a982ace9914a3d7

Download Submit
memory/616-153-0x00007FFAF9470000-0x00007FFAF9E5C000-memory.dmp

Filesize
9.9MB

Download
memory/616-151-0x00007FFAF9470000-0x00007FFAF9E5C000-memory.dmp

Filesize
9.9MB

Download
memory/616-150-0x0000000000B30000-0x0000000000B3A000-memory.dmp

Filesize
40KB

Download
memory/4996-160-0x0000000000550000-0x0000000000580000-memory.dmp

Filesize
192KB

Download
memory/4996-161-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download
memory/4996-162-0x00000000071A0000-0x00000000071A6000-memory.dmp

Filesize
24KB

Download
memory/4996-163-0x0000000005430000-0x0000000005A36000-memory.dmp

Filesize
6.0MB

Download
memory/4996-164-0x0000000004F30000-0x000000000503A000-memory.dmp

Filesize
1.0MB

Download
memory/4996-165-0x0000000004E60000-0x0000000004E72000-memory.dmp

Filesize
72KB

Download
memory/4996-166-0x0000000004EC0000-0x0000000004EFE000-memory.dmp

Filesize
248KB

Download
memory/4996-167-0x0000000005040000-0x000000000508B000-memory.dmp

Filesize
300KB

Download
memory/4996-168-0x0000000072EE0000-0x00000000735CE000-memory.dmp

Filesize
6.9MB

Download