healer | bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb

Analysis

max time kernel
138s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe
Size

828KB
MD5

8b5019f7eeb01c17088e92b98b5e953c
SHA1

d64e1762cec1af4d2d39155725707479077531af
SHA256

bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb
SHA512

9bd607c4612f0d70b1e94484a7a9f8eb39e19d10b88d19079c1bdd5a2c1b34dfde9b959054ab80f521dbde04325857ceda7859f462d027565fc43b93493084dc
SSDEEP

12288:GMrwy90FCcA+hql0H9mkDvSyqiptHNm8XLNFzj4eICgMeHKWgnP6ZsBY1qBpsf:ay0CcvMGkkrSyfnIu5KeIC7HWgycq

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002308d-166.dat	healer
behavioral1/files/0x000700000002308d-167.dat	healer
behavioral1/memory/4868-168-0x00000000000D0000-0x00000000000DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0742905.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0742905.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0742905.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0742905.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0742905.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0742905.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
224	v3080858.exe
1152	v5406472.exe
2312	v8345698.exe
4608	v9670626.exe
4868	a0742905.exe
3896	b4576786.exe
3848	c3632568.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0742905.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9670626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3080858.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5406472.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8345698.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4868	a0742905.exe
4868	a0742905.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4868	a0742905.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 224	2936	bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe	81
PID 2936 wrote to memory of 224	2936	bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe	81
PID 2936 wrote to memory of 224	2936	bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe	81
PID 224 wrote to memory of 1152	224	v3080858.exe	82
PID 224 wrote to memory of 1152	224	v3080858.exe	82
PID 224 wrote to memory of 1152	224	v3080858.exe	82
PID 1152 wrote to memory of 2312	1152	v5406472.exe	83
PID 1152 wrote to memory of 2312	1152	v5406472.exe	83
PID 1152 wrote to memory of 2312	1152	v5406472.exe	83
PID 2312 wrote to memory of 4608	2312	v8345698.exe	84
PID 2312 wrote to memory of 4608	2312	v8345698.exe	84
PID 2312 wrote to memory of 4608	2312	v8345698.exe	84
PID 4608 wrote to memory of 4868	4608	v9670626.exe	85
PID 4608 wrote to memory of 4868	4608	v9670626.exe	85
PID 4608 wrote to memory of 3896	4608	v9670626.exe	93
PID 4608 wrote to memory of 3896	4608	v9670626.exe	93
PID 4608 wrote to memory of 3896	4608	v9670626.exe	93
PID 2312 wrote to memory of 3848	2312	v8345698.exe	96
PID 2312 wrote to memory of 3848	2312	v8345698.exe	96
PID 2312 wrote to memory of 3848	2312	v8345698.exe	96

C:\Users\Admin\AppData\Local\Temp\bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe
"C:\Users\Admin\AppData\Local\Temp\bde92e696d3184b5f4b7a35200dcb08ae4e97db9337f51dd88219349ff86adeb.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3080858.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3080858.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5406472.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5406472.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8345698.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8345698.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9670626.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9670626.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4608
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0742905.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0742905.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4576786.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4576786.exe
        6⤵
        Executes dropped EXE
        
        PID:3896
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3632568.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3632568.exe
        5⤵
        Executes dropped EXE
        
        PID:3848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3080858.exe

Filesize
723KB

MD5
ba005c81001bf693b01931b3c3bdf887

SHA1
e9ea3a0d4482118dd18bdc0e4182009d07881936

SHA256
0b8361eb62faa23d77e6ada373a785cd440207be1e7db33a498bca235a56e152

SHA512
43007ebfc2f1fb95a8c75fea785073c06d78c03b081568df8f51232821ac78ee0199bee9cf42764268d971332e75365c43570dcea05ec70db18a96486a97c701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3080858.exe

Filesize
723KB

MD5
ba005c81001bf693b01931b3c3bdf887

SHA1
e9ea3a0d4482118dd18bdc0e4182009d07881936

SHA256
0b8361eb62faa23d77e6ada373a785cd440207be1e7db33a498bca235a56e152

SHA512
43007ebfc2f1fb95a8c75fea785073c06d78c03b081568df8f51232821ac78ee0199bee9cf42764268d971332e75365c43570dcea05ec70db18a96486a97c701

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5406472.exe

Filesize
497KB

MD5
0fbdb59a87a9d8a7a0e353f983854a0e

SHA1
b271f84696fb0191c90412b088f254346a0ec5ed

SHA256
3959669fd2a88b07b1421ac46badaba111fe6473d7f96e2100cd732f2c75be02

SHA512
d5468d9463a476e074087eff7a526785500452226da06d9a2a3473b4772588b3c0ccad2a953a7cc85d7893df1ba4a532ad89e2f0e74dfcd6ce008188ada74d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5406472.exe

Filesize
497KB

MD5
0fbdb59a87a9d8a7a0e353f983854a0e

SHA1
b271f84696fb0191c90412b088f254346a0ec5ed

SHA256
3959669fd2a88b07b1421ac46badaba111fe6473d7f96e2100cd732f2c75be02

SHA512
d5468d9463a476e074087eff7a526785500452226da06d9a2a3473b4772588b3c0ccad2a953a7cc85d7893df1ba4a532ad89e2f0e74dfcd6ce008188ada74d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8345698.exe

Filesize
373KB

MD5
d3d3ffe7d568ee2b503b7385fa9b333f

SHA1
dd63215b85f29ed94e0f9c7f2aa0629018e38c4b

SHA256
e80bb85dc13bea244a39c5a11da80a92ec2ce09d70af6535eda42ec8d48ec48f

SHA512
76379af2b5da304b5bca82de5674c248596171c9a531070aeb944774891da2d2db59aabf335ae18a79c71c042f99c4c135262624d80f67162940c031f429b651

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8345698.exe

Filesize
373KB

MD5
d3d3ffe7d568ee2b503b7385fa9b333f

SHA1
dd63215b85f29ed94e0f9c7f2aa0629018e38c4b

SHA256
e80bb85dc13bea244a39c5a11da80a92ec2ce09d70af6535eda42ec8d48ec48f

SHA512
76379af2b5da304b5bca82de5674c248596171c9a531070aeb944774891da2d2db59aabf335ae18a79c71c042f99c4c135262624d80f67162940c031f429b651

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3632568.exe

Filesize
174KB

MD5
2aceaafadce879304008c4f748bf75c0

SHA1
8dc206154ccd960fabb096ae14bd4a52b8d76f4d

SHA256
312a45b0833ee8e4a7ce1aa3715e423b171c8bce04f028c420dab7dd98f1a075

SHA512
37cf0c88b52c3cf809d90383719400832ea033549e6718db3084bcacfb3c5bd80dc91a5305dc854849e5aa3451868b9ceca5a057734b33c2a46f014e2c4f76f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3632568.exe

Filesize
174KB

MD5
2aceaafadce879304008c4f748bf75c0

SHA1
8dc206154ccd960fabb096ae14bd4a52b8d76f4d

SHA256
312a45b0833ee8e4a7ce1aa3715e423b171c8bce04f028c420dab7dd98f1a075

SHA512
37cf0c88b52c3cf809d90383719400832ea033549e6718db3084bcacfb3c5bd80dc91a5305dc854849e5aa3451868b9ceca5a057734b33c2a46f014e2c4f76f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9670626.exe

Filesize
217KB

MD5
68aa7edc326eb9cd786eb8e42bfc8187

SHA1
97bbbab1885136b35fddcc07e4bc8a1e436c52ed

SHA256
aa17fe7e454a84eb97e15b5c25118cc8e961dab50e3428c5018158a3cd19eab5

SHA512
81adfaae144a820ee173761403a692eaeece487e0f69b2316aba189eb22a6f1e6ef16f3ab8848df0b11470612f0334ea742c98c427626e376a538c3783172ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9670626.exe

Filesize
217KB

MD5
68aa7edc326eb9cd786eb8e42bfc8187

SHA1
97bbbab1885136b35fddcc07e4bc8a1e436c52ed

SHA256
aa17fe7e454a84eb97e15b5c25118cc8e961dab50e3428c5018158a3cd19eab5

SHA512
81adfaae144a820ee173761403a692eaeece487e0f69b2316aba189eb22a6f1e6ef16f3ab8848df0b11470612f0334ea742c98c427626e376a538c3783172ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0742905.exe

Filesize
12KB

MD5
e21655984ac4965a66fb6ebce909fa6a

SHA1
4403e518d735bcec50091198f58da02216a12539

SHA256
54582dc9c5f438f7704448d228253518ac1e51591b193a4d97d07523b22f39ba

SHA512
ddd9d29aa2dda98f51399af4991c7aaba636f87d142dd93f6145ac7f562f2561c440a93d2b70df4401bfde09cec565fc547b11b9eda1a72f899eedbaa7ed9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0742905.exe

Filesize
12KB

MD5
e21655984ac4965a66fb6ebce909fa6a

SHA1
4403e518d735bcec50091198f58da02216a12539

SHA256
54582dc9c5f438f7704448d228253518ac1e51591b193a4d97d07523b22f39ba

SHA512
ddd9d29aa2dda98f51399af4991c7aaba636f87d142dd93f6145ac7f562f2561c440a93d2b70df4401bfde09cec565fc547b11b9eda1a72f899eedbaa7ed9137

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4576786.exe

Filesize
140KB

MD5
402480df7ed54a94ebffb96cb38023fe

SHA1
4f25922b073878390dabb41de7cef2f3e3bce9c5

SHA256
1db5c527c3330ef430c4def8f282df895396a11a61a734ade82db313415b79c0

SHA512
2daa3b6782e3d977413cbbedc4020cff6091f83a8f558d2ff18b2aae6d464584bb30a69876fa16e0210eec9396ef66eaca91ed18e34c44f72c533f3d5ecc40cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4576786.exe

Filesize
140KB

MD5
402480df7ed54a94ebffb96cb38023fe

SHA1
4f25922b073878390dabb41de7cef2f3e3bce9c5

SHA256
1db5c527c3330ef430c4def8f282df895396a11a61a734ade82db313415b79c0

SHA512
2daa3b6782e3d977413cbbedc4020cff6091f83a8f558d2ff18b2aae6d464584bb30a69876fa16e0210eec9396ef66eaca91ed18e34c44f72c533f3d5ecc40cf

Download Submit
memory/3848-179-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3848-180-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/3848-181-0x000000000ABA0000-0x000000000B1B8000-memory.dmp

Filesize
6.1MB

Download
memory/3848-182-0x000000000A690000-0x000000000A79A000-memory.dmp

Filesize
1.0MB

Download
memory/3848-183-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/3848-184-0x000000000A5C0000-0x000000000A5D2000-memory.dmp

Filesize
72KB

Download
memory/3848-185-0x000000000A620000-0x000000000A65C000-memory.dmp

Filesize
240KB

Download
memory/3848-186-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3848-187-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/4868-172-0x00007FFEEA960000-0x00007FFEEB421000-memory.dmp

Filesize
10.8MB

Download
memory/4868-170-0x00007FFEEA960000-0x00007FFEEB421000-memory.dmp

Filesize
10.8MB

Download
memory/4868-169-0x00007FFEEA960000-0x00007FFEEB421000-memory.dmp

Filesize
10.8MB

Download
memory/4868-168-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download