healer | 80bdbb1d7d80163509a0e31efca690c9c12295cefa84b24c2f8a70915b3bd6fa

Analysis

max time kernel
137s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 23:57

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

80bdbb1d7d80163509a0e31efca690c9c12295cefa84b24c2f8a70915b3bd6fa.exe
Size

929KB
MD5

4943ff8c4bcff4813d3172ded91f6833
SHA1

23313f23c924eadd0bebc87b9cf7815c351df43c
SHA256

80bdbb1d7d80163509a0e31efca690c9c12295cefa84b24c2f8a70915b3bd6fa
SHA512

3ba58cc6c8cd8bb4fe895f54db83869f99d76bacbe08f575e9a7f40079b344754171179f19fdc4a36cd6fea7b120f55a5381b054359c9dae71e27a2f882a5f23
SSDEEP

24576:AyWIIF6hNA1U8SH3gZ+4dDYj9st9YW8H:HU6rvrw9SYY

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000230a1-169.dat	healer
behavioral1/files/0x00070000000230a1-170.dat	healer
behavioral1/memory/1560-171-0x0000000000F70000-0x0000000000F7A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q5491372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q5491372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q5491372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q5491372.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q5491372.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q5491372.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2480	z2111837.exe
2268	z7481269.exe
2572	z3485405.exe
2440	z0666287.exe
1560	q5491372.exe
3960	r0280579.exe
4580	s1257734.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q5491372.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2111837.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7481269.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3485405.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0666287.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	80bdbb1d7d80163509a0e31efca690c9c12295cefa84b24c2f8a70915b3bd6fa.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1560	q5491372.exe
1560	q5491372.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	q5491372.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 2480	3260	80bdbb1d7d80163509a0e31efca690c9c12295cefa84b24c2f8a70915b3bd6fa.exe	81
PID 3260 wrote to memory of 2480	3260	80bdbb1d7d80163509a0e31efca690c9c12295cefa84b24c2f8a70915b3bd6fa.exe	81
PID 3260 wrote to memory of 2480	3260	80bdbb1d7d80163509a0e31efca690c9c12295cefa84b24c2f8a70915b3bd6fa.exe	81
PID 2480 wrote to memory of 2268	2480	z2111837.exe	82
PID 2480 wrote to memory of 2268	2480	z2111837.exe	82
PID 2480 wrote to memory of 2268	2480	z2111837.exe	82
PID 2268 wrote to memory of 2572	2268	z7481269.exe	83
PID 2268 wrote to memory of 2572	2268	z7481269.exe	83
PID 2268 wrote to memory of 2572	2268	z7481269.exe	83
PID 2572 wrote to memory of 2440	2572	z3485405.exe	84
PID 2572 wrote to memory of 2440	2572	z3485405.exe	84
PID 2572 wrote to memory of 2440	2572	z3485405.exe	84
PID 2440 wrote to memory of 1560	2440	z0666287.exe	85
PID 2440 wrote to memory of 1560	2440	z0666287.exe	85
PID 2440 wrote to memory of 3960	2440	z0666287.exe	93
PID 2440 wrote to memory of 3960	2440	z0666287.exe	93
PID 2440 wrote to memory of 3960	2440	z0666287.exe	93
PID 2572 wrote to memory of 4580	2572	z3485405.exe	95
PID 2572 wrote to memory of 4580	2572	z3485405.exe	95
PID 2572 wrote to memory of 4580	2572	z3485405.exe	95

C:\Users\Admin\AppData\Local\Temp\80bdbb1d7d80163509a0e31efca690c9c12295cefa84b24c2f8a70915b3bd6fa.exe
"C:\Users\Admin\AppData\Local\Temp\80bdbb1d7d80163509a0e31efca690c9c12295cefa84b24c2f8a70915b3bd6fa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3260
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2111837.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2111837.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7481269.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7481269.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3485405.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3485405.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0666287.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0666287.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5491372.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5491372.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0280579.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0280579.exe
        6⤵
        Executes dropped EXE
        
        PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1257734.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1257734.exe
        5⤵
        Executes dropped EXE
        
        PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2111837.exe

Filesize
824KB

MD5
f256f4de6ad41045f0b249a3ef7d6b61

SHA1
1717cca4442f7a11f9d7db75f12c3ba6cb9385f4

SHA256
34f4b6704df03d952d978e22468339c3b9ddec2621e47e61a7427335793d888a

SHA512
a4ff9820f9a4b2cb3dd1343d88a52b2d8a6e691f917fd155ca489563414ccbd32a743d11c126aa36b9092377d9554a0b0a53bd198202fccfc0b7885ab54c8a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2111837.exe

Filesize
824KB

MD5
f256f4de6ad41045f0b249a3ef7d6b61

SHA1
1717cca4442f7a11f9d7db75f12c3ba6cb9385f4

SHA256
34f4b6704df03d952d978e22468339c3b9ddec2621e47e61a7427335793d888a

SHA512
a4ff9820f9a4b2cb3dd1343d88a52b2d8a6e691f917fd155ca489563414ccbd32a743d11c126aa36b9092377d9554a0b0a53bd198202fccfc0b7885ab54c8a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7481269.exe

Filesize
598KB

MD5
ae84f44dba74a624c2e5f3bcb0adbdb6

SHA1
c0b655b929fc5ce8d92c5b181f42721b38d00d44

SHA256
8777cde88f1cd552e9fe09d679d8cd5f861c34d8bc05ced458bb7b7feb90f07b

SHA512
5f2f050b5ce9b10b4e68f6b2ff5905805d25e8c428db9537c07ab0e7af9a9de9175a0ed879a67b199eab1aa31a5553e7a076150690ad12a554542972ed1d2807

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7481269.exe

Filesize
598KB

MD5
ae84f44dba74a624c2e5f3bcb0adbdb6

SHA1
c0b655b929fc5ce8d92c5b181f42721b38d00d44

SHA256
8777cde88f1cd552e9fe09d679d8cd5f861c34d8bc05ced458bb7b7feb90f07b

SHA512
5f2f050b5ce9b10b4e68f6b2ff5905805d25e8c428db9537c07ab0e7af9a9de9175a0ed879a67b199eab1aa31a5553e7a076150690ad12a554542972ed1d2807

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3485405.exe

Filesize
372KB

MD5
ca1bcd378d4a0a962293214f557ae8aa

SHA1
12009ddc4e48ed94817cc0fd85de69f95bda5390

SHA256
9f4767e276a57f9140fe9bf053ac5d9fa411d1b98e34764524ce02ede2a30cfc

SHA512
1af9e040b384bd023ae9d3f07d8a4e4a2b42b806d6d08e6c58c5b337933cecb4b4266bc22f88c980e24dd991b1cd8631174a236895ee1f547f8cb4f463defe2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3485405.exe

Filesize
372KB

MD5
ca1bcd378d4a0a962293214f557ae8aa

SHA1
12009ddc4e48ed94817cc0fd85de69f95bda5390

SHA256
9f4767e276a57f9140fe9bf053ac5d9fa411d1b98e34764524ce02ede2a30cfc

SHA512
1af9e040b384bd023ae9d3f07d8a4e4a2b42b806d6d08e6c58c5b337933cecb4b4266bc22f88c980e24dd991b1cd8631174a236895ee1f547f8cb4f463defe2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1257734.exe

Filesize
174KB

MD5
201072e66459e95e701300ed36389dad

SHA1
6a55abd3f43e9228fce6c5b3b83c9b7428465458

SHA256
81f48a349229cd61e22fc80d32d5a0923118026a743204cc9e62fb7603f5c070

SHA512
96c043df79758877612a0356d0e78e3c6b4734dd5880c04fd29c1c5c8cf5b79b84879570757f81521c4bdf7bc8a8f1746a5387b6702a3e1e39f163296f0294dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1257734.exe

Filesize
174KB

MD5
201072e66459e95e701300ed36389dad

SHA1
6a55abd3f43e9228fce6c5b3b83c9b7428465458

SHA256
81f48a349229cd61e22fc80d32d5a0923118026a743204cc9e62fb7603f5c070

SHA512
96c043df79758877612a0356d0e78e3c6b4734dd5880c04fd29c1c5c8cf5b79b84879570757f81521c4bdf7bc8a8f1746a5387b6702a3e1e39f163296f0294dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0666287.exe

Filesize
217KB

MD5
d2e2fb9d4c4dd496ff40cfa75fd6bb72

SHA1
75c7837289ffc0b1df9b90155fb2aecd6ebab623

SHA256
081ea63499b95c427f49c3fb2306a3654f40bb37153001c75f2c5d2b81f6021c

SHA512
fdcbf3cb0a71983a42175efdcacf30bf58519392bd4b23053a6054fe696e25462720929228ec65c4f992c97ea81c782e538379ac76d73ec3ee3a32305e379dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0666287.exe

Filesize
217KB

MD5
d2e2fb9d4c4dd496ff40cfa75fd6bb72

SHA1
75c7837289ffc0b1df9b90155fb2aecd6ebab623

SHA256
081ea63499b95c427f49c3fb2306a3654f40bb37153001c75f2c5d2b81f6021c

SHA512
fdcbf3cb0a71983a42175efdcacf30bf58519392bd4b23053a6054fe696e25462720929228ec65c4f992c97ea81c782e538379ac76d73ec3ee3a32305e379dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5491372.exe

Filesize
12KB

MD5
f744e7df8b9822a26f70b0e83286482e

SHA1
a3e6bb3fc93b04993aea4143d40403f8b3735a06

SHA256
719a862a5ce07324d205d34c45dd99c78a05307d8baeec7683400fa25fe34e9d

SHA512
1c2bf25342eb4f30ce6676b60c348fe5135b26410305722cf00454dda80a1ab7314343920e726275b7d6e78347440da2114a1a6ad07be8dc60a13f10f6dbd8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5491372.exe

Filesize
12KB

MD5
f744e7df8b9822a26f70b0e83286482e

SHA1
a3e6bb3fc93b04993aea4143d40403f8b3735a06

SHA256
719a862a5ce07324d205d34c45dd99c78a05307d8baeec7683400fa25fe34e9d

SHA512
1c2bf25342eb4f30ce6676b60c348fe5135b26410305722cf00454dda80a1ab7314343920e726275b7d6e78347440da2114a1a6ad07be8dc60a13f10f6dbd8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0280579.exe

Filesize
140KB

MD5
e326a9bd3e309570a46e132b6b2d8c88

SHA1
28eda6a47fb26aa336fe22286ba0cc7e675df701

SHA256
540b4240b3b499c91a0d26a118bb4610c5e35a0f2a7095e66656ae845315a4cd

SHA512
5424e5bb80afff437c00651976162885cf5f42d8562878519fcd6510d8013e86c033c6badb718025af3c2983e5b078d0860ff13d90b18c36c140ceb7684fe078

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0280579.exe

Filesize
140KB

MD5
e326a9bd3e309570a46e132b6b2d8c88

SHA1
28eda6a47fb26aa336fe22286ba0cc7e675df701

SHA256
540b4240b3b499c91a0d26a118bb4610c5e35a0f2a7095e66656ae845315a4cd

SHA512
5424e5bb80afff437c00651976162885cf5f42d8562878519fcd6510d8013e86c033c6badb718025af3c2983e5b078d0860ff13d90b18c36c140ceb7684fe078

Download Submit
memory/1560-173-0x00007FF9EDA80000-0x00007FF9EE541000-memory.dmp

Filesize
10.8MB

Download
memory/1560-175-0x00007FF9EDA80000-0x00007FF9EE541000-memory.dmp

Filesize
10.8MB

Download
memory/1560-172-0x00007FF9EDA80000-0x00007FF9EE541000-memory.dmp

Filesize
10.8MB

Download
memory/1560-171-0x0000000000F70000-0x0000000000F7A000-memory.dmp

Filesize
40KB

Download
memory/4580-182-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/4580-183-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/4580-184-0x0000000005070000-0x0000000005688000-memory.dmp

Filesize
6.1MB

Download
memory/4580-185-0x0000000004B70000-0x0000000004C7A000-memory.dmp

Filesize
1.0MB

Download
memory/4580-186-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download
memory/4580-187-0x0000000004AB0000-0x0000000004AC2000-memory.dmp

Filesize
72KB

Download
memory/4580-188-0x0000000004B10000-0x0000000004B4C000-memory.dmp

Filesize
240KB

Download
memory/4580-189-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/4580-190-0x0000000004A40000-0x0000000004A50000-memory.dmp

Filesize
64KB

Download