healer | 3a3a580cf9e8fc5f4b0baf33facb039a4d5aba11c7e5e20c795690c84d91eba3

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
21/08/2023, 20:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3a3a580cf9e8fc5f4b0baf33facb039a4d5aba11c7e5e20c795690c84d91eba3.exe
Size

839KB
MD5

4d45a0728ea3a3125f52cf07ef2cdd94
SHA1

7283fa26bdf8295e9de7c0ff07e6def61184b32d
SHA256

3a3a580cf9e8fc5f4b0baf33facb039a4d5aba11c7e5e20c795690c84d91eba3
SHA512

b207bf53a6e5f7dd66e54dd1c368990eddef3b04a84688b5d952506d7d7d7bc64fb1c1813201a5d9843e74df2d68ddc2b2bcdb52de2e02af551d452eaf0b58e4
SSDEEP

24576:LyuwYkrTkXmQiLtceW1yFqGEfU9qP724:+DYkPkYeeW1K6U9M2

Score

10^/10

healer redline lang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lang

77.91.124.73:19071

Attributes

auth_value
92c0fc2b7a8b3fc5a01baa1abf31c42a

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afbc-153.dat	healer
behavioral1/files/0x000700000001afbc-154.dat	healer
behavioral1/memory/2520-155-0x0000000000990000-0x000000000099A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9181675.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9181675.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9181675.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9181675.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9181675.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4900	v2186984.exe
4612	v4518413.exe
3116	v0573103.exe
4520	v3460062.exe
2520	a9181675.exe
3904	b0636441.exe
4484	c5566122.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9181675.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a3a580cf9e8fc5f4b0baf33facb039a4d5aba11c7e5e20c795690c84d91eba3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2186984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4518413.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0573103.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3460062.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2520	a9181675.exe
2520	a9181675.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2520	a9181675.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4900	4456	3a3a580cf9e8fc5f4b0baf33facb039a4d5aba11c7e5e20c795690c84d91eba3.exe	69
PID 4456 wrote to memory of 4900	4456	3a3a580cf9e8fc5f4b0baf33facb039a4d5aba11c7e5e20c795690c84d91eba3.exe	69
PID 4456 wrote to memory of 4900	4456	3a3a580cf9e8fc5f4b0baf33facb039a4d5aba11c7e5e20c795690c84d91eba3.exe	69
PID 4900 wrote to memory of 4612	4900	v2186984.exe	70
PID 4900 wrote to memory of 4612	4900	v2186984.exe	70
PID 4900 wrote to memory of 4612	4900	v2186984.exe	70
PID 4612 wrote to memory of 3116	4612	v4518413.exe	71
PID 4612 wrote to memory of 3116	4612	v4518413.exe	71
PID 4612 wrote to memory of 3116	4612	v4518413.exe	71
PID 3116 wrote to memory of 4520	3116	v0573103.exe	72
PID 3116 wrote to memory of 4520	3116	v0573103.exe	72
PID 3116 wrote to memory of 4520	3116	v0573103.exe	72
PID 4520 wrote to memory of 2520	4520	v3460062.exe	73
PID 4520 wrote to memory of 2520	4520	v3460062.exe	73
PID 4520 wrote to memory of 3904	4520	v3460062.exe	74
PID 4520 wrote to memory of 3904	4520	v3460062.exe	74
PID 4520 wrote to memory of 3904	4520	v3460062.exe	74
PID 3116 wrote to memory of 4484	3116	v0573103.exe	75
PID 3116 wrote to memory of 4484	3116	v0573103.exe	75
PID 3116 wrote to memory of 4484	3116	v0573103.exe	75

C:\Users\Admin\AppData\Local\Temp\3a3a580cf9e8fc5f4b0baf33facb039a4d5aba11c7e5e20c795690c84d91eba3.exe
"C:\Users\Admin\AppData\Local\Temp\3a3a580cf9e8fc5f4b0baf33facb039a4d5aba11c7e5e20c795690c84d91eba3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2186984.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2186984.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4518413.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4518413.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0573103.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0573103.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3116
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3460062.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3460062.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4520
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9181675.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9181675.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0636441.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0636441.exe
        6⤵
        Executes dropped EXE
        
        PID:3904
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5566122.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5566122.exe
        5⤵
        Executes dropped EXE
        
        PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2186984.exe

Filesize
723KB

MD5
2626c0fa417625013bf25b9ab469f7b5

SHA1
f10f5c6709bd2c37ad06f0682f9b24fd7ce88c52

SHA256
d50656cbf596b72e8fbb3e08cf2e7e7a73779555a01d09f07af98c6f29961d1d

SHA512
0dc1478cb91e2d003836dc4143332dae82215d4d76841122ea5a40b39d6dcaeaba60bbe27f29b4d8162ae20a650edb87c5241bf81a83021f8ad2c7eb10f354fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2186984.exe

Filesize
723KB

MD5
2626c0fa417625013bf25b9ab469f7b5

SHA1
f10f5c6709bd2c37ad06f0682f9b24fd7ce88c52

SHA256
d50656cbf596b72e8fbb3e08cf2e7e7a73779555a01d09f07af98c6f29961d1d

SHA512
0dc1478cb91e2d003836dc4143332dae82215d4d76841122ea5a40b39d6dcaeaba60bbe27f29b4d8162ae20a650edb87c5241bf81a83021f8ad2c7eb10f354fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4518413.exe

Filesize
497KB

MD5
26a3ef6759559d544ea36854d334cb0a

SHA1
b8c84e9c53d4637447a90a352529a354eb0aaaa6

SHA256
1ac65e95c08a0041656c0b2d26d40bfdd69629d242008a867d585474971b5fae

SHA512
ee7e952e556a77ccb67ea0cdd98a5957a56a8ae0fc7a0209fd3b920050ca5bde4cb26c2c9edd1ce2eb60446c34e957535666b51da5afc8e9b5cabbd707acc11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4518413.exe

Filesize
497KB

MD5
26a3ef6759559d544ea36854d334cb0a

SHA1
b8c84e9c53d4637447a90a352529a354eb0aaaa6

SHA256
1ac65e95c08a0041656c0b2d26d40bfdd69629d242008a867d585474971b5fae

SHA512
ee7e952e556a77ccb67ea0cdd98a5957a56a8ae0fc7a0209fd3b920050ca5bde4cb26c2c9edd1ce2eb60446c34e957535666b51da5afc8e9b5cabbd707acc11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0573103.exe

Filesize
373KB

MD5
9bdffaa6c53c851e1dc3332fd541ee7b

SHA1
88ace8cca1c20a7051883e901b4ea0c4bbeb63e0

SHA256
304ce0cae209ba07ea1f656b11e9b56db65ef90f206bd22172cbc8e7a55ea3a4

SHA512
f49ec701b7f67f58b3b230c998bb226fb6973bc453ac4218c02bb986f787f8b92567a193825cd5e05052eaf7aefe414571df84b742d4fbe5678a8151bc5125ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0573103.exe

Filesize
373KB

MD5
9bdffaa6c53c851e1dc3332fd541ee7b

SHA1
88ace8cca1c20a7051883e901b4ea0c4bbeb63e0

SHA256
304ce0cae209ba07ea1f656b11e9b56db65ef90f206bd22172cbc8e7a55ea3a4

SHA512
f49ec701b7f67f58b3b230c998bb226fb6973bc453ac4218c02bb986f787f8b92567a193825cd5e05052eaf7aefe414571df84b742d4fbe5678a8151bc5125ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5566122.exe

Filesize
174KB

MD5
329c7b3c86a3b6259bc281e1502a866f

SHA1
9a2b1f996e458d70bb9fe8246e3c7cb6e00bcb82

SHA256
027b3ea03e7c661e97f29da036a05b9819030027999d4bc38eca7935a579f2de

SHA512
69e7578ccd594bd97e2406fb1a93d332d3bfef9a8554c633c9894b0664cbb4e889e33f1506961088ee81d6cbb8e2827c6287badf6989f00a3b3d240eb1fa55e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5566122.exe

Filesize
174KB

MD5
329c7b3c86a3b6259bc281e1502a866f

SHA1
9a2b1f996e458d70bb9fe8246e3c7cb6e00bcb82

SHA256
027b3ea03e7c661e97f29da036a05b9819030027999d4bc38eca7935a579f2de

SHA512
69e7578ccd594bd97e2406fb1a93d332d3bfef9a8554c633c9894b0664cbb4e889e33f1506961088ee81d6cbb8e2827c6287badf6989f00a3b3d240eb1fa55e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3460062.exe

Filesize
217KB

MD5
f86945bd6e1e7ec4dcff5738d9f7f690

SHA1
41a3993984fe994a98e2a1e2c27f6ae2f3379de0

SHA256
1ae282fb83176b7f188e3637c75bb0f56e62c014cbd6628ef5703b72a6b483eb

SHA512
398d68ff29c84e0695d794d2fec9e45a3d73ef0c7e743d118e8c2b8a67b626347a58be0e855e00a8b29f64a4e547c9bbcb04fa53b5b7b09afd2f9d8d7efa278f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3460062.exe

Filesize
217KB

MD5
f86945bd6e1e7ec4dcff5738d9f7f690

SHA1
41a3993984fe994a98e2a1e2c27f6ae2f3379de0

SHA256
1ae282fb83176b7f188e3637c75bb0f56e62c014cbd6628ef5703b72a6b483eb

SHA512
398d68ff29c84e0695d794d2fec9e45a3d73ef0c7e743d118e8c2b8a67b626347a58be0e855e00a8b29f64a4e547c9bbcb04fa53b5b7b09afd2f9d8d7efa278f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9181675.exe

Filesize
11KB

MD5
05b282d5b4815a8e2c88576138f1824c

SHA1
e49c98cc0964dccc1380da194cf082913cd8ea70

SHA256
9bbcf4ff67e303ab189b0b53120b79c6d1c891ebc1f8c2bf98b5f9ea560777cd

SHA512
398f9483c287f02bf91a17374cb00bfbfb3cce7a8a5cda2827e75f1f94b9fb0afc1cdc845323a43134e5f7d2d4f33952aa73767ac82a2313242913d07fcf769d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9181675.exe

Filesize
11KB

MD5
05b282d5b4815a8e2c88576138f1824c

SHA1
e49c98cc0964dccc1380da194cf082913cd8ea70

SHA256
9bbcf4ff67e303ab189b0b53120b79c6d1c891ebc1f8c2bf98b5f9ea560777cd

SHA512
398f9483c287f02bf91a17374cb00bfbfb3cce7a8a5cda2827e75f1f94b9fb0afc1cdc845323a43134e5f7d2d4f33952aa73767ac82a2313242913d07fcf769d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0636441.exe

Filesize
140KB

MD5
2ba0d37803f2d312ab6bc4c92c8caf2c

SHA1
ac929c3fe0c1eede8b4a92eafc3663e1c2faedbd

SHA256
ec56f4a8faea7d7d04ad73c2c41afdb335fee06638604eb1b34426459fe694d1

SHA512
e54e1fbb602dc3eb2d942f274122e722633e94a1f47eb80118da71f0e9ad3d501764fb78998f0b92c867cf3827eb0c79e4b88606a7f873923840a9708844a68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0636441.exe

Filesize
140KB

MD5
2ba0d37803f2d312ab6bc4c92c8caf2c

SHA1
ac929c3fe0c1eede8b4a92eafc3663e1c2faedbd

SHA256
ec56f4a8faea7d7d04ad73c2c41afdb335fee06638604eb1b34426459fe694d1

SHA512
e54e1fbb602dc3eb2d942f274122e722633e94a1f47eb80118da71f0e9ad3d501764fb78998f0b92c867cf3827eb0c79e4b88606a7f873923840a9708844a68e

Download Submit
memory/2520-158-0x00007FFF859B0000-0x00007FFF8639C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-156-0x00007FFF859B0000-0x00007FFF8639C000-memory.dmp

Filesize
9.9MB

Download
memory/2520-155-0x0000000000990000-0x000000000099A000-memory.dmp

Filesize
40KB

Download
memory/4484-165-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download
memory/4484-166-0x0000000073340000-0x0000000073A2E000-memory.dmp

Filesize
6.9MB

Download
memory/4484-167-0x0000000004E60000-0x0000000004E66000-memory.dmp

Filesize
24KB

Download
memory/4484-168-0x000000000A840000-0x000000000AE46000-memory.dmp

Filesize
6.0MB

Download
memory/4484-169-0x000000000A3B0000-0x000000000A4BA000-memory.dmp

Filesize
1.0MB

Download
memory/4484-170-0x000000000A2E0000-0x000000000A2F2000-memory.dmp

Filesize
72KB

Download
memory/4484-171-0x000000000A340000-0x000000000A37E000-memory.dmp

Filesize
248KB

Download
memory/4484-172-0x000000000A4C0000-0x000000000A50B000-memory.dmp

Filesize
300KB

Download
memory/4484-173-0x0000000073340000-0x0000000073A2E000-memory.dmp

Filesize
6.9MB

Download