healer | b27a6d841380f2dc3e011b8dc60fd30524898675d5fe3f0070d594330b3ea5f4

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 23:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f44ce948fb795200e49a385da663fdf.exe
Size

828KB
MD5

0f44ce948fb795200e49a385da663fdf
SHA1

9d9efbc7a363f5ebda0e8b70dca669712aa20c34
SHA256

b27a6d841380f2dc3e011b8dc60fd30524898675d5fe3f0070d594330b3ea5f4
SHA512

cb569b3761c46c7f5bb6108e95d365de02b91f31e0c90acf008ac4c56d58e79765ca9099196a6d205c043dc25c82e79c73eed469403d4654494b613474373d57
SSDEEP

24576:gyvFGW10ijG8t9hqB285b/4wW/vbBWIvdM3:ntGW6L8tnq0Mi/jBtvy

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023229-166.dat	healer
behavioral2/files/0x0008000000023229-167.dat	healer
behavioral2/memory/2344-168-0x00000000006B0000-0x00000000006BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9684430.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9684430.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9684430.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9684430.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9684430.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9684430.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1792	v0062399.exe
2124	v9482544.exe
4072	v4804613.exe
368	v6132357.exe
2344	a9684430.exe
4800	b1903169.exe
1532	c7353275.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9684430.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0f44ce948fb795200e49a385da663fdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0062399.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9482544.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4804613.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6132357.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2344	a9684430.exe
2344	a9684430.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	a9684430.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 1792	4020	0f44ce948fb795200e49a385da663fdf.exe	81
PID 4020 wrote to memory of 1792	4020	0f44ce948fb795200e49a385da663fdf.exe	81
PID 4020 wrote to memory of 1792	4020	0f44ce948fb795200e49a385da663fdf.exe	81
PID 1792 wrote to memory of 2124	1792	v0062399.exe	82
PID 1792 wrote to memory of 2124	1792	v0062399.exe	82
PID 1792 wrote to memory of 2124	1792	v0062399.exe	82
PID 2124 wrote to memory of 4072	2124	v9482544.exe	83
PID 2124 wrote to memory of 4072	2124	v9482544.exe	83
PID 2124 wrote to memory of 4072	2124	v9482544.exe	83
PID 4072 wrote to memory of 368	4072	v4804613.exe	84
PID 4072 wrote to memory of 368	4072	v4804613.exe	84
PID 4072 wrote to memory of 368	4072	v4804613.exe	84
PID 368 wrote to memory of 2344	368	v6132357.exe	85
PID 368 wrote to memory of 2344	368	v6132357.exe	85
PID 368 wrote to memory of 4800	368	v6132357.exe	90
PID 368 wrote to memory of 4800	368	v6132357.exe	90
PID 368 wrote to memory of 4800	368	v6132357.exe	90
PID 4072 wrote to memory of 1532	4072	v4804613.exe	91
PID 4072 wrote to memory of 1532	4072	v4804613.exe	91
PID 4072 wrote to memory of 1532	4072	v4804613.exe	91

C:\Users\Admin\AppData\Local\Temp\0f44ce948fb795200e49a385da663fdf.exe
"C:\Users\Admin\AppData\Local\Temp\0f44ce948fb795200e49a385da663fdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0062399.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0062399.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9482544.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9482544.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4804613.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4804613.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4072
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6132357.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6132357.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:368
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9684430.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9684430.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1903169.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1903169.exe
        6⤵
        Executes dropped EXE
        
        PID:4800
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7353275.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7353275.exe
        5⤵
        Executes dropped EXE
        
        PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0062399.exe

Filesize
723KB

MD5
648b45bac0ef22a4aa5de901eddaeb93

SHA1
a522a63106478acb89d4cac593a8924b2076dcc5

SHA256
883690d9dbe95f8f2ec325b642245ca4f9229399188d524252496096115c0a90

SHA512
e0879623b95d3e200204fb86c6d2ad801c7c4b1bffd131385d7878bc4516783943b261a503f20e3a3bfa8b8bcab05ca3b294e42d61e1a1493d2928e661b6c45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0062399.exe

Filesize
723KB

MD5
648b45bac0ef22a4aa5de901eddaeb93

SHA1
a522a63106478acb89d4cac593a8924b2076dcc5

SHA256
883690d9dbe95f8f2ec325b642245ca4f9229399188d524252496096115c0a90

SHA512
e0879623b95d3e200204fb86c6d2ad801c7c4b1bffd131385d7878bc4516783943b261a503f20e3a3bfa8b8bcab05ca3b294e42d61e1a1493d2928e661b6c45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9482544.exe

Filesize
497KB

MD5
01ecbf2471c02eae5ee403b6585d1db6

SHA1
01dcb743fcc21cc14e4d9e62a14b9cd2adaa8b14

SHA256
1717a2329c6246b1c4b855a05ec394f50dd1da780e3a584172f46d44f5bdf818

SHA512
b5ce3679e35cba0056382ed2916aea778cb4917d2c436fbf2bb3f6e87c8c0fb6f2caaffdebc107c684de33c04403d994c4d8470cd4fbae29059fb4eabe0330cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9482544.exe

Filesize
497KB

MD5
01ecbf2471c02eae5ee403b6585d1db6

SHA1
01dcb743fcc21cc14e4d9e62a14b9cd2adaa8b14

SHA256
1717a2329c6246b1c4b855a05ec394f50dd1da780e3a584172f46d44f5bdf818

SHA512
b5ce3679e35cba0056382ed2916aea778cb4917d2c436fbf2bb3f6e87c8c0fb6f2caaffdebc107c684de33c04403d994c4d8470cd4fbae29059fb4eabe0330cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4804613.exe

Filesize
372KB

MD5
45742acbe5e4205dd38a44e3aff49c79

SHA1
0defc21f77c715e4023be5602611b15006adbe22

SHA256
55867012651de6ff836de85c28dd95c3085b8e319ed9b2b99dcd48726e57d5eb

SHA512
f0d9d4b2ba97e8df1aeb0faa6d7244f2e75d79d339dfd33d8dc833ea1ae344bc9b482707f8b5395d5e13e257720f547086c3447a526911e28d0513785acacf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4804613.exe

Filesize
372KB

MD5
45742acbe5e4205dd38a44e3aff49c79

SHA1
0defc21f77c715e4023be5602611b15006adbe22

SHA256
55867012651de6ff836de85c28dd95c3085b8e319ed9b2b99dcd48726e57d5eb

SHA512
f0d9d4b2ba97e8df1aeb0faa6d7244f2e75d79d339dfd33d8dc833ea1ae344bc9b482707f8b5395d5e13e257720f547086c3447a526911e28d0513785acacf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7353275.exe

Filesize
174KB

MD5
50c192550539bcb1faeb0f0261d0a630

SHA1
fd8278cf1dfe38efd85b4e0e6b73361a25cb6089

SHA256
008cae4ecd034cd616a156e3d1cf9dacbb73dfa26a85e0f10299900685c55a30

SHA512
cfdefa04d5b2dc2b3316c8c67f766a066513d62d7ca13c59f698e5d7a55a27815a0fa545d5a8e93a3f81d1a56a954f28d71d32d9e3ee72ff1f4eb9d69e99bc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7353275.exe

Filesize
174KB

MD5
50c192550539bcb1faeb0f0261d0a630

SHA1
fd8278cf1dfe38efd85b4e0e6b73361a25cb6089

SHA256
008cae4ecd034cd616a156e3d1cf9dacbb73dfa26a85e0f10299900685c55a30

SHA512
cfdefa04d5b2dc2b3316c8c67f766a066513d62d7ca13c59f698e5d7a55a27815a0fa545d5a8e93a3f81d1a56a954f28d71d32d9e3ee72ff1f4eb9d69e99bc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6132357.exe

Filesize
216KB

MD5
c5cf12838cb21e51ba6011b134b18314

SHA1
cbcd8f438c8ef8aa0786b1f43437feff0eacf35b

SHA256
b353890c49640dfa9dd677a313a6c2571d24a8180ba1f8b5bdfb1a74d61c05c4

SHA512
83010f8afbe3a9ecaf3690a1d97af0c234647a5a6b915191169ded49f7d105484ab15d65bcdd017af442450dbde1fb5a980a85e7b494a35830e5f58efd635170

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6132357.exe

Filesize
216KB

MD5
c5cf12838cb21e51ba6011b134b18314

SHA1
cbcd8f438c8ef8aa0786b1f43437feff0eacf35b

SHA256
b353890c49640dfa9dd677a313a6c2571d24a8180ba1f8b5bdfb1a74d61c05c4

SHA512
83010f8afbe3a9ecaf3690a1d97af0c234647a5a6b915191169ded49f7d105484ab15d65bcdd017af442450dbde1fb5a980a85e7b494a35830e5f58efd635170

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9684430.exe

Filesize
12KB

MD5
8d2dbd550c2bb46da77407b87fd48007

SHA1
214413865fbbc796dd550f46bf93b54f492a9697

SHA256
8bf63a8fb8526a3028d0870d825dd1ff86a9671b26581f1c39f1bede3048c5e4

SHA512
0d90104b9775f59f606a8d4d7d526af57e369df178a93fa757614c4f2b7ea43da307bd0bc63aef9222708dd09838966efe697a9477117adf532481d3ef19cd9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9684430.exe

Filesize
12KB

MD5
8d2dbd550c2bb46da77407b87fd48007

SHA1
214413865fbbc796dd550f46bf93b54f492a9697

SHA256
8bf63a8fb8526a3028d0870d825dd1ff86a9671b26581f1c39f1bede3048c5e4

SHA512
0d90104b9775f59f606a8d4d7d526af57e369df178a93fa757614c4f2b7ea43da307bd0bc63aef9222708dd09838966efe697a9477117adf532481d3ef19cd9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1903169.exe

Filesize
140KB

MD5
1f12fc2fe096c25f67ad988356ed2e5d

SHA1
fcea968954bed3916923191abe629bdfae0d2bf6

SHA256
80205d48b2878121445a846f9e6bd473886d702b44e8c84a10143ad8f11b4faa

SHA512
ce4ead4b0cfa7ba5c1d5ab2d45a8c17516cea6fb503d8c15ece1abe57304f20aaad76f2b994a6c0faf94739447c01f2dd6b91a73f09ae8b0bf5beb08768ed540

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1903169.exe

Filesize
140KB

MD5
1f12fc2fe096c25f67ad988356ed2e5d

SHA1
fcea968954bed3916923191abe629bdfae0d2bf6

SHA256
80205d48b2878121445a846f9e6bd473886d702b44e8c84a10143ad8f11b4faa

SHA512
ce4ead4b0cfa7ba5c1d5ab2d45a8c17516cea6fb503d8c15ece1abe57304f20aaad76f2b994a6c0faf94739447c01f2dd6b91a73f09ae8b0bf5beb08768ed540

Download Submit
memory/1532-179-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/1532-178-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/1532-180-0x0000000005670000-0x0000000005C88000-memory.dmp

Filesize
6.1MB

Download
memory/1532-181-0x0000000005160000-0x000000000526A000-memory.dmp

Filesize
1.0MB

Download
memory/1532-182-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/1532-183-0x00000000050A0000-0x00000000050B2000-memory.dmp

Filesize
72KB

Download
memory/1532-184-0x0000000005100000-0x000000000513C000-memory.dmp

Filesize
240KB

Download
memory/1532-185-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/1532-186-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2344-171-0x00007FF914D40000-0x00007FF915801000-memory.dmp

Filesize
10.8MB

Download
memory/2344-169-0x00007FF914D40000-0x00007FF915801000-memory.dmp

Filesize
10.8MB

Download
memory/2344-168-0x00000000006B0000-0x00000000006BA000-memory.dmp

Filesize
40KB

Download