healer | df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571

Analysis

max time kernel
145s
max time network
155s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21-08-2023 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571.exe
Size

838KB
MD5

2e88ed1b1b88eaa7f44cf2f29930d130
SHA1

548d56fd197f8fccf4ba981ad05ee9695a5c0da2
SHA256

df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571
SHA512

7bf9cf794e9edad4ce1eff1c8c17327b87cc923629b15961850c64cb8a33ac48b4183a0bff8d59688bb3722875151e765fe7ca50d342e99425608078714c432e
SSDEEP

12288:tMrdy9050kSlvF2P4BiHYoZNkvb4uSQyiWtsozDnDblaXcb9bkbO+Srca:gyi0JA4Bi44kcuSpsoPV4+9ca

Score

10^/10

healer redline lang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lang

77.91.124.73:19071

Attributes

auth_value
92c0fc2b7a8b3fc5a01baa1abf31c42a

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afd0-153.dat	healer
behavioral1/files/0x000700000001afd0-154.dat	healer
behavioral1/memory/2092-155-0x00000000001F0000-0x00000000001FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7486979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7486979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7486979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7486979.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7486979.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
5104	v9380082.exe
4108	v1660097.exe
4580	v9196762.exe
1868	v9398116.exe
2092	a7486979.exe
4908	b7271290.exe
4888	c9841968.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7486979.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9380082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1660097.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9196762.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9398116.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2092	a7486979.exe
2092	a7486979.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2092	a7486979.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3824 wrote to memory of 5104	3824	df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571.exe	70
PID 3824 wrote to memory of 5104	3824	df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571.exe	70
PID 3824 wrote to memory of 5104	3824	df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571.exe	70
PID 5104 wrote to memory of 4108	5104	v9380082.exe	71
PID 5104 wrote to memory of 4108	5104	v9380082.exe	71
PID 5104 wrote to memory of 4108	5104	v9380082.exe	71
PID 4108 wrote to memory of 4580	4108	v1660097.exe	72
PID 4108 wrote to memory of 4580	4108	v1660097.exe	72
PID 4108 wrote to memory of 4580	4108	v1660097.exe	72
PID 4580 wrote to memory of 1868	4580	v9196762.exe	73
PID 4580 wrote to memory of 1868	4580	v9196762.exe	73
PID 4580 wrote to memory of 1868	4580	v9196762.exe	73
PID 1868 wrote to memory of 2092	1868	v9398116.exe	74
PID 1868 wrote to memory of 2092	1868	v9398116.exe	74
PID 1868 wrote to memory of 4908	1868	v9398116.exe	75
PID 1868 wrote to memory of 4908	1868	v9398116.exe	75
PID 1868 wrote to memory of 4908	1868	v9398116.exe	75
PID 4580 wrote to memory of 4888	4580	v9196762.exe	76
PID 4580 wrote to memory of 4888	4580	v9196762.exe	76
PID 4580 wrote to memory of 4888	4580	v9196762.exe	76

C:\Users\Admin\AppData\Local\Temp\df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571.exe
"C:\Users\Admin\AppData\Local\Temp\df298de3a413061c479b66a5219302fe0da0b11a2c3a90e521b68f67219b0571.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3824
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9380082.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9380082.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1660097.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1660097.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4108
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9196762.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9196762.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398116.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398116.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7486979.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7486979.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7271290.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7271290.exe
        6⤵
        Executes dropped EXE
        
        PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9841968.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9841968.exe
        5⤵
        Executes dropped EXE
        
        PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9380082.exe

Filesize
723KB

MD5
f6e81de36d1ae9b9d5d16148dc18d5ec

SHA1
41f34290ef3a7b533b9efb6cf3bbbd44afb4aac8

SHA256
0bb8a3ffdfc717b9ea7589bcde109226653d3da9f000c045a72efed03729565f

SHA512
f1537a19919da13890f47362ea475e3617449545b78023a9159b3f1577bc9c7c6e79894d35e440e053d500cfff9f61a6d6a87d389672911321e16c5f9d9a5797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9380082.exe

Filesize
723KB

MD5
f6e81de36d1ae9b9d5d16148dc18d5ec

SHA1
41f34290ef3a7b533b9efb6cf3bbbd44afb4aac8

SHA256
0bb8a3ffdfc717b9ea7589bcde109226653d3da9f000c045a72efed03729565f

SHA512
f1537a19919da13890f47362ea475e3617449545b78023a9159b3f1577bc9c7c6e79894d35e440e053d500cfff9f61a6d6a87d389672911321e16c5f9d9a5797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1660097.exe

Filesize
497KB

MD5
d838d5f19206a71c6d21b8dad49313e1

SHA1
e7abc94e89771012e3d63fe9abed67d945c18d37

SHA256
8dd0c7ca37fbf7b02171a6b4be9c26292097b75c81528d77a4f9fcd8d218cc59

SHA512
19ec056d51a79b8bcde6770b088a3ea3807d6e98ecf25712b189abf245c996c9c904c244b57d9b6acbe0684ca4944616ecd0fb80a9d271c9af526070cbd614a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1660097.exe

Filesize
497KB

MD5
d838d5f19206a71c6d21b8dad49313e1

SHA1
e7abc94e89771012e3d63fe9abed67d945c18d37

SHA256
8dd0c7ca37fbf7b02171a6b4be9c26292097b75c81528d77a4f9fcd8d218cc59

SHA512
19ec056d51a79b8bcde6770b088a3ea3807d6e98ecf25712b189abf245c996c9c904c244b57d9b6acbe0684ca4944616ecd0fb80a9d271c9af526070cbd614a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9196762.exe

Filesize
373KB

MD5
fde6c292c59acb8eb28959380a978d67

SHA1
569167b9a5da70005e6c68e7e6b2af8f813d8cd9

SHA256
77754fd5b99892efc33cb2492a213bca70fbf00c3ff31bc5b865e4b9fa77cc1f

SHA512
d9ff06e0d97e34364afee11576f9ee7ed24e5dbc9edb0dcad06aaea7f720408a10bc0efc9dd6b120f57cf79999c85ed51057da3ae9d361a79901428b4f59226f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9196762.exe

Filesize
373KB

MD5
fde6c292c59acb8eb28959380a978d67

SHA1
569167b9a5da70005e6c68e7e6b2af8f813d8cd9

SHA256
77754fd5b99892efc33cb2492a213bca70fbf00c3ff31bc5b865e4b9fa77cc1f

SHA512
d9ff06e0d97e34364afee11576f9ee7ed24e5dbc9edb0dcad06aaea7f720408a10bc0efc9dd6b120f57cf79999c85ed51057da3ae9d361a79901428b4f59226f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9841968.exe

Filesize
174KB

MD5
ccad5b7b6606de8f1750aad530bf5000

SHA1
68456914673d99a614954eabffc23774d58110fb

SHA256
bed30abbf9cb3a60873db7178cf43bba3b30a74d12b46a0b8fb2f0fb32f305d9

SHA512
b13301f0486649f121d1005a1cb9b14efe05301a52c3d07fd53943e03c77d72c78c97cf82d973c2c38edf1b2c3577085210a82c742d66a8f9572ed3daa6ec7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9841968.exe

Filesize
174KB

MD5
ccad5b7b6606de8f1750aad530bf5000

SHA1
68456914673d99a614954eabffc23774d58110fb

SHA256
bed30abbf9cb3a60873db7178cf43bba3b30a74d12b46a0b8fb2f0fb32f305d9

SHA512
b13301f0486649f121d1005a1cb9b14efe05301a52c3d07fd53943e03c77d72c78c97cf82d973c2c38edf1b2c3577085210a82c742d66a8f9572ed3daa6ec7ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398116.exe

Filesize
216KB

MD5
82e0a2b5bb0a294723a0007337579b70

SHA1
6ca6360350ac3116f691aeeff7bcd88b15db4f61

SHA256
e8b16530ce366d5de0d2d288a28793bcaca82944eb1aedfc82bbfc9c3b3e4fed

SHA512
3cc2d7fd4b1783538f7bda284f79a6a780049e608320b360e521929fb9023e4d932a8d914c68beb6f4aacbe5349936866d011427e490ca4f1ed5592f41eb4e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9398116.exe

Filesize
216KB

MD5
82e0a2b5bb0a294723a0007337579b70

SHA1
6ca6360350ac3116f691aeeff7bcd88b15db4f61

SHA256
e8b16530ce366d5de0d2d288a28793bcaca82944eb1aedfc82bbfc9c3b3e4fed

SHA512
3cc2d7fd4b1783538f7bda284f79a6a780049e608320b360e521929fb9023e4d932a8d914c68beb6f4aacbe5349936866d011427e490ca4f1ed5592f41eb4e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7486979.exe

Filesize
11KB

MD5
0458441986a4112e5f730ab86c58defc

SHA1
2fef4b04cb5e09e4dbfc4ea5452f0b1b6282bb93

SHA256
e05a7c1141caab0974e3cfd38521d9baa45ad972c5f023b87da902271d0ed830

SHA512
452525d29682b7baf97243042f1c945a6128ee3b0952440731079dea0eb7a02aa5c093cce5c6ac0ace91a94fc388243e4e14507c817f667a31e7a08ebaeb3e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7486979.exe

Filesize
11KB

MD5
0458441986a4112e5f730ab86c58defc

SHA1
2fef4b04cb5e09e4dbfc4ea5452f0b1b6282bb93

SHA256
e05a7c1141caab0974e3cfd38521d9baa45ad972c5f023b87da902271d0ed830

SHA512
452525d29682b7baf97243042f1c945a6128ee3b0952440731079dea0eb7a02aa5c093cce5c6ac0ace91a94fc388243e4e14507c817f667a31e7a08ebaeb3e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7271290.exe

Filesize
140KB

MD5
86dddefde76bee519941ebd64ebf42d3

SHA1
6f8fb7e67b962fb179e732ea9a5456a7a4488ae8

SHA256
0a68806186ea863903468c787ddfb3d0ea084a2c6d86842f21735f453079ef20

SHA512
d44ca80467ce3a5cd8de07d163c636b0a8c08be7ba31d36e73daaa5884ef6d38ae2b5315c667042d36482cd6b1f4a5dc5897b16b8d3063cf79b55bac0e769295

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7271290.exe

Filesize
140KB

MD5
86dddefde76bee519941ebd64ebf42d3

SHA1
6f8fb7e67b962fb179e732ea9a5456a7a4488ae8

SHA256
0a68806186ea863903468c787ddfb3d0ea084a2c6d86842f21735f453079ef20

SHA512
d44ca80467ce3a5cd8de07d163c636b0a8c08be7ba31d36e73daaa5884ef6d38ae2b5315c667042d36482cd6b1f4a5dc5897b16b8d3063cf79b55bac0e769295

Download Submit
memory/2092-158-0x00007FFB32910000-0x00007FFB332FC000-memory.dmp

Filesize
9.9MB

Download
memory/2092-156-0x00007FFB32910000-0x00007FFB332FC000-memory.dmp

Filesize
9.9MB

Download
memory/2092-155-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/4888-165-0x0000000000CD0000-0x0000000000D00000-memory.dmp

Filesize
192KB

Download
memory/4888-166-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download
memory/4888-167-0x0000000002EF0000-0x0000000002EF6000-memory.dmp

Filesize
24KB

Download
memory/4888-168-0x000000000B130000-0x000000000B736000-memory.dmp

Filesize
6.0MB

Download
memory/4888-169-0x000000000AC30000-0x000000000AD3A000-memory.dmp

Filesize
1.0MB

Download
memory/4888-170-0x000000000AB50000-0x000000000AB62000-memory.dmp

Filesize
72KB

Download
memory/4888-171-0x000000000ABB0000-0x000000000ABEE000-memory.dmp

Filesize
248KB

Download
memory/4888-172-0x000000000AD40000-0x000000000AD8B000-memory.dmp

Filesize
300KB

Download
memory/4888-173-0x00000000730E0000-0x00000000737CE000-memory.dmp

Filesize
6.9MB

Download