healer | c24e8d48bc4436acda90186c5126c7ff6a497823bda35318dcf6adf49eab3f23

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c24e8d48bc4436acda90186c5126c7ff6a497823bda35318dcf6adf49eab3f23.exe
Size

829KB
MD5

8f4f6b0c2d87f4b0f3eb019fdcf3635c
SHA1

7b53e7cc50d53b6de1c30d51fcc6ff7245936828
SHA256

c24e8d48bc4436acda90186c5126c7ff6a497823bda35318dcf6adf49eab3f23
SHA512

bad63c4efdc1b2d19b939ead08ed5e0c5c6c6fe00f68f96c884c9f292b0e35495e382364fac916b9e9c97f5fce2560ab901c241365ecee6cd257c5f8606546d0
SSDEEP

12288:eMr8y90fwetrOJcBCOtn72lXXpZyJBvn+knZ+nUEBTZ9uHzUovWsMLUcqvrrF:2y7KrOECOtoXXXyLwnUEj9UFWG

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002320e-166.dat	healer
behavioral1/files/0x000700000002320e-167.dat	healer
behavioral1/memory/3860-168-0x0000000000D00000-0x0000000000D0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7524872.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7524872.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7524872.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7524872.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7524872.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7524872.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4728	v8815066.exe
4960	v9093892.exe
1916	v7973924.exe
2156	v3444565.exe
3860	a7524872.exe
4556	b0272366.exe
3060	c9898352.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7524872.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c24e8d48bc4436acda90186c5126c7ff6a497823bda35318dcf6adf49eab3f23.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8815066.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9093892.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7973924.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3444565.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3860	a7524872.exe
3860	a7524872.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3860	a7524872.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 4728	4996	c24e8d48bc4436acda90186c5126c7ff6a497823bda35318dcf6adf49eab3f23.exe	83
PID 4996 wrote to memory of 4728	4996	c24e8d48bc4436acda90186c5126c7ff6a497823bda35318dcf6adf49eab3f23.exe	83
PID 4996 wrote to memory of 4728	4996	c24e8d48bc4436acda90186c5126c7ff6a497823bda35318dcf6adf49eab3f23.exe	83
PID 4728 wrote to memory of 4960	4728	v8815066.exe	84
PID 4728 wrote to memory of 4960	4728	v8815066.exe	84
PID 4728 wrote to memory of 4960	4728	v8815066.exe	84
PID 4960 wrote to memory of 1916	4960	v9093892.exe	85
PID 4960 wrote to memory of 1916	4960	v9093892.exe	85
PID 4960 wrote to memory of 1916	4960	v9093892.exe	85
PID 1916 wrote to memory of 2156	1916	v7973924.exe	86
PID 1916 wrote to memory of 2156	1916	v7973924.exe	86
PID 1916 wrote to memory of 2156	1916	v7973924.exe	86
PID 2156 wrote to memory of 3860	2156	v3444565.exe	87
PID 2156 wrote to memory of 3860	2156	v3444565.exe	87
PID 2156 wrote to memory of 4556	2156	v3444565.exe	92
PID 2156 wrote to memory of 4556	2156	v3444565.exe	92
PID 2156 wrote to memory of 4556	2156	v3444565.exe	92
PID 1916 wrote to memory of 3060	1916	v7973924.exe	93
PID 1916 wrote to memory of 3060	1916	v7973924.exe	93
PID 1916 wrote to memory of 3060	1916	v7973924.exe	93

C:\Users\Admin\AppData\Local\Temp\c24e8d48bc4436acda90186c5126c7ff6a497823bda35318dcf6adf49eab3f23.exe
"C:\Users\Admin\AppData\Local\Temp\c24e8d48bc4436acda90186c5126c7ff6a497823bda35318dcf6adf49eab3f23.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8815066.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8815066.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9093892.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9093892.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7973924.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7973924.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3444565.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3444565.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7524872.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7524872.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3860
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0272366.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0272366.exe
        6⤵
        Executes dropped EXE
        
        PID:4556
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9898352.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9898352.exe
        5⤵
        Executes dropped EXE
        
        PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8815066.exe

Filesize
723KB

MD5
48f788008b8dff68996669f61550498f

SHA1
b9bc52ba6464df0d9b1f222783a1ba28266cb779

SHA256
94747025fb1b5bc4cf54c35bc4a7b8168cd0a1827aae4bde3437ceb9ab6e04ed

SHA512
7e4b4a6b1f7391979a30c8bde2314798fb5d4a3c4b975bbee0221cb33b38016b7f72bde997aadd3823ff4b015cae6b6ed1a9fa3080cf9766b2d177c011f5df82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8815066.exe

Filesize
723KB

MD5
48f788008b8dff68996669f61550498f

SHA1
b9bc52ba6464df0d9b1f222783a1ba28266cb779

SHA256
94747025fb1b5bc4cf54c35bc4a7b8168cd0a1827aae4bde3437ceb9ab6e04ed

SHA512
7e4b4a6b1f7391979a30c8bde2314798fb5d4a3c4b975bbee0221cb33b38016b7f72bde997aadd3823ff4b015cae6b6ed1a9fa3080cf9766b2d177c011f5df82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9093892.exe

Filesize
497KB

MD5
ab4d2f051b84948750de0381b7ebc1d4

SHA1
79e29b8bf6c35286a65c6a8ac781d42e66dd2ff5

SHA256
8a5b3ad5d1665b3e84058581c8e80ced9468728b0cc4def38a2702cf36355347

SHA512
c50611a92ad93b83a27c293f6fa62a36ffcbf020f52ca3ad20ab1191507bae10d1bf919b0b1e3255dd1df9c51c891fc0f2bdc9db9db64a33786e48a8e9834b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9093892.exe

Filesize
497KB

MD5
ab4d2f051b84948750de0381b7ebc1d4

SHA1
79e29b8bf6c35286a65c6a8ac781d42e66dd2ff5

SHA256
8a5b3ad5d1665b3e84058581c8e80ced9468728b0cc4def38a2702cf36355347

SHA512
c50611a92ad93b83a27c293f6fa62a36ffcbf020f52ca3ad20ab1191507bae10d1bf919b0b1e3255dd1df9c51c891fc0f2bdc9db9db64a33786e48a8e9834b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7973924.exe

Filesize
372KB

MD5
837cdb06b3afc4abc462e5578c017adc

SHA1
b1ba838a6ba2669aba24d39d5dc54f03e9b2a1d9

SHA256
26034c56b7be6d89603d032139c7182087f2f65ea4787ab4cfd74240bafcd711

SHA512
071eeee40283602eb061e387d08746eb23cd0067233288b17fa1a811f8d776950b181b02455ce46be98cd1d1d01b67abab6ef27b850d0337d9a177ec3c308cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7973924.exe

Filesize
372KB

MD5
837cdb06b3afc4abc462e5578c017adc

SHA1
b1ba838a6ba2669aba24d39d5dc54f03e9b2a1d9

SHA256
26034c56b7be6d89603d032139c7182087f2f65ea4787ab4cfd74240bafcd711

SHA512
071eeee40283602eb061e387d08746eb23cd0067233288b17fa1a811f8d776950b181b02455ce46be98cd1d1d01b67abab6ef27b850d0337d9a177ec3c308cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9898352.exe

Filesize
174KB

MD5
ad52e5eb05b02ba94ab9b77364bc44f3

SHA1
5196feb990372b4efcefb68cf732722911a65236

SHA256
d0016f0476bcf26b08eebc778a1ce4031ac41a564ac8e50f3f065d092ad5a461

SHA512
8989e0ba9bbb7efab41c84b2062d9d9b70188e647a516932036cb8842adc190761e14dd5f30b87e4992c7b58b2528494934dc96d6b2c57823c8a652038040817

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9898352.exe

Filesize
174KB

MD5
ad52e5eb05b02ba94ab9b77364bc44f3

SHA1
5196feb990372b4efcefb68cf732722911a65236

SHA256
d0016f0476bcf26b08eebc778a1ce4031ac41a564ac8e50f3f065d092ad5a461

SHA512
8989e0ba9bbb7efab41c84b2062d9d9b70188e647a516932036cb8842adc190761e14dd5f30b87e4992c7b58b2528494934dc96d6b2c57823c8a652038040817

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3444565.exe

Filesize
216KB

MD5
e0a46243c65f5b2c917410e946730c90

SHA1
52ea4c5d0d09ea0592f3a2efcc2bfb2926ad2026

SHA256
97a4cc6323f63f4277b029d0c8d21cb71271b5413d9f7a368d5b6fa06259ff7c

SHA512
2c26c682db21ce08868445b34b0795f994e2b9ba24c746d25fbd24ae78bffa7fc3d143c47fbf6b7bb516916cd34ddd02c5e209b65252654cc702d531d2493698

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3444565.exe

Filesize
216KB

MD5
e0a46243c65f5b2c917410e946730c90

SHA1
52ea4c5d0d09ea0592f3a2efcc2bfb2926ad2026

SHA256
97a4cc6323f63f4277b029d0c8d21cb71271b5413d9f7a368d5b6fa06259ff7c

SHA512
2c26c682db21ce08868445b34b0795f994e2b9ba24c746d25fbd24ae78bffa7fc3d143c47fbf6b7bb516916cd34ddd02c5e209b65252654cc702d531d2493698

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7524872.exe

Filesize
12KB

MD5
fe464b723c1d06f490afa3015cb1866d

SHA1
ac79ed60a62ffb0c111c67059b7e55a3bcd08365

SHA256
764a355d9fdd7b8d389039c6abd24a25e1bb28390e421f1205cfe6c0a88cd48f

SHA512
85b4b0edea191cd61a0e88e9498ecb08c7b5bcd64741ca0118d1cef8acba4b4a8f4d2d3495aa54cd8742b643be952849589ca8606ab0302a77a9337cba7e9573

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7524872.exe

Filesize
12KB

MD5
fe464b723c1d06f490afa3015cb1866d

SHA1
ac79ed60a62ffb0c111c67059b7e55a3bcd08365

SHA256
764a355d9fdd7b8d389039c6abd24a25e1bb28390e421f1205cfe6c0a88cd48f

SHA512
85b4b0edea191cd61a0e88e9498ecb08c7b5bcd64741ca0118d1cef8acba4b4a8f4d2d3495aa54cd8742b643be952849589ca8606ab0302a77a9337cba7e9573

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0272366.exe

Filesize
140KB

MD5
946bf36df95f1d38cd5e0c51432146b8

SHA1
50e7c5fc6ae4e53658815e30d7a04b15b286f29b

SHA256
abf9db049e40c9f564a686e0e84ea3923e4e55768228b9991eacdbec7fd73ce7

SHA512
1e5bbc2ca14838cd4e286df733c4a85521382874328a9249b37f6fcfa39f96a5e371d1e12124f7aea19623aceabb9a0e7aace6e5c1b4fbb36fea41d8b50e051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0272366.exe

Filesize
140KB

MD5
946bf36df95f1d38cd5e0c51432146b8

SHA1
50e7c5fc6ae4e53658815e30d7a04b15b286f29b

SHA256
abf9db049e40c9f564a686e0e84ea3923e4e55768228b9991eacdbec7fd73ce7

SHA512
1e5bbc2ca14838cd4e286df733c4a85521382874328a9249b37f6fcfa39f96a5e371d1e12124f7aea19623aceabb9a0e7aace6e5c1b4fbb36fea41d8b50e051e

Download Submit
memory/3060-179-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/3060-178-0x0000000000160000-0x0000000000190000-memory.dmp

Filesize
192KB

Download
memory/3060-180-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/3060-181-0x0000000004D20000-0x0000000004E2A000-memory.dmp

Filesize
1.0MB

Download
memory/3060-183-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/3060-182-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3060-184-0x0000000004C90000-0x0000000004CCC000-memory.dmp

Filesize
240KB

Download
memory/3060-185-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/3060-186-0x0000000004B00000-0x0000000004B10000-memory.dmp

Filesize
64KB

Download
memory/3860-171-0x00007FFA0B1C0000-0x00007FFA0BC81000-memory.dmp

Filesize
10.8MB

Download
memory/3860-169-0x00007FFA0B1C0000-0x00007FFA0BC81000-memory.dmp

Filesize
10.8MB

Download
memory/3860-168-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download