healer | 570fd937e3843137c153d06825015af3c0bb720ba243d8b36ff650edb5a152ae

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2023 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

570fd937e3843137c153d06825015af3c0bb720ba243d8b36ff650edb5a152ae.exe
Size

836KB
MD5

10b3922278907019b3c379abd49ab4ae
SHA1

779b33818aec52120a462372451684d312fd8514
SHA256

570fd937e3843137c153d06825015af3c0bb720ba243d8b36ff650edb5a152ae
SHA512

4899551bccbbaf9a666afc3743b6dba307eaa21e581e70980ff9b80764ab89aaf412087d12eee01479d7f6146c147fac56f5c0131451342fdb06ecb23df4bf28
SSDEEP

12288:dMryy90f2szxvwfkEux6bqi40fR4xz9q4iF1Ryyz4CSqz1nMC/tcQC:LyW2awfkNAb80fR4vq4ilT4CnMQC

Score

10^/10

healer redline piter dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

piter

77.91.124.73:19071

Attributes

auth_value
7f92ff466423bb35edbfbc22f78b0bb9

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000231ee-167.dat	healer
behavioral1/files/0x00080000000231ee-166.dat	healer
behavioral1/memory/4596-168-0x0000000000E40000-0x0000000000E4A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1536146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1536146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1536146.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1536146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1536146.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1536146.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3696	v1019513.exe
3484	v7855872.exe
3700	v8906463.exe
4976	v2548140.exe
4596	a1536146.exe
2164	b7968411.exe
3420	c3041099.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1536146.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1019513.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7855872.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8906463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2548140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	570fd937e3843137c153d06825015af3c0bb720ba243d8b36ff650edb5a152ae.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4596	a1536146.exe
4596	a1536146.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	a1536146.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3696	2168	570fd937e3843137c153d06825015af3c0bb720ba243d8b36ff650edb5a152ae.exe	81
PID 2168 wrote to memory of 3696	2168	570fd937e3843137c153d06825015af3c0bb720ba243d8b36ff650edb5a152ae.exe	81
PID 2168 wrote to memory of 3696	2168	570fd937e3843137c153d06825015af3c0bb720ba243d8b36ff650edb5a152ae.exe	81
PID 3696 wrote to memory of 3484	3696	v1019513.exe	82
PID 3696 wrote to memory of 3484	3696	v1019513.exe	82
PID 3696 wrote to memory of 3484	3696	v1019513.exe	82
PID 3484 wrote to memory of 3700	3484	v7855872.exe	83
PID 3484 wrote to memory of 3700	3484	v7855872.exe	83
PID 3484 wrote to memory of 3700	3484	v7855872.exe	83
PID 3700 wrote to memory of 4976	3700	v8906463.exe	84
PID 3700 wrote to memory of 4976	3700	v8906463.exe	84
PID 3700 wrote to memory of 4976	3700	v8906463.exe	84
PID 4976 wrote to memory of 4596	4976	v2548140.exe	85
PID 4976 wrote to memory of 4596	4976	v2548140.exe	85
PID 4976 wrote to memory of 2164	4976	v2548140.exe	90
PID 4976 wrote to memory of 2164	4976	v2548140.exe	90
PID 4976 wrote to memory of 2164	4976	v2548140.exe	90
PID 3700 wrote to memory of 3420	3700	v8906463.exe	91
PID 3700 wrote to memory of 3420	3700	v8906463.exe	91
PID 3700 wrote to memory of 3420	3700	v8906463.exe	91

C:\Users\Admin\AppData\Local\Temp\570fd937e3843137c153d06825015af3c0bb720ba243d8b36ff650edb5a152ae.exe
"C:\Users\Admin\AppData\Local\Temp\570fd937e3843137c153d06825015af3c0bb720ba243d8b36ff650edb5a152ae.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1019513.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1019513.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7855872.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7855872.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8906463.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8906463.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3700
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2548140.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2548140.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1536146.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1536146.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4596
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7968411.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7968411.exe
        6⤵
        Executes dropped EXE
        
        PID:2164
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3041099.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3041099.exe
        5⤵
        Executes dropped EXE
        
        PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1019513.exe

Filesize
720KB

MD5
8935ff2cc896f8332eff46904eeed080

SHA1
963943f1305db0a15bb34b43713f3cdabc9735b6

SHA256
4866cab9d150a875ebff5e3bcb91841a04e709e7fe30516a8abcdf64fdd7ff68

SHA512
f31e34a92b1923c0d4c07f8c45fa0a6eed95766afeb177e5ae423b06a7e8a0681d0b0deab141e8e1c6d7bb1d179cc306009aa32a0d0d591832a66e4d69c4bb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1019513.exe

Filesize
720KB

MD5
8935ff2cc896f8332eff46904eeed080

SHA1
963943f1305db0a15bb34b43713f3cdabc9735b6

SHA256
4866cab9d150a875ebff5e3bcb91841a04e709e7fe30516a8abcdf64fdd7ff68

SHA512
f31e34a92b1923c0d4c07f8c45fa0a6eed95766afeb177e5ae423b06a7e8a0681d0b0deab141e8e1c6d7bb1d179cc306009aa32a0d0d591832a66e4d69c4bb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7855872.exe

Filesize
497KB

MD5
b505e9371feea7235e83f110c48786f8

SHA1
482502292bf6cb1c8af2765aac7f4856b747d80c

SHA256
490221e3acdc04196ea113d9330c6bf190e6a51e3861e726130cbde2c2a3fa40

SHA512
f04f69d066d0284e4b59741f1353d934dcfeb060df25159f500177ee9cd21dbe42fdcca80eaf10148a544ee9086c98c7a6c0f5f2a8539e70fc4b5e6d5f0179ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7855872.exe

Filesize
497KB

MD5
b505e9371feea7235e83f110c48786f8

SHA1
482502292bf6cb1c8af2765aac7f4856b747d80c

SHA256
490221e3acdc04196ea113d9330c6bf190e6a51e3861e726130cbde2c2a3fa40

SHA512
f04f69d066d0284e4b59741f1353d934dcfeb060df25159f500177ee9cd21dbe42fdcca80eaf10148a544ee9086c98c7a6c0f5f2a8539e70fc4b5e6d5f0179ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8906463.exe

Filesize
372KB

MD5
b82556ad75f17abb36be01cb809c9c81

SHA1
bedcff1106557257d7e8f3cf5d2a712d148aec01

SHA256
28748d0846dfa512fd7c78bf4f7baf5765085dbe0d43b86bc176b6790f104cfa

SHA512
6202dbd85a03f8c23b4866ee8ad2cd35b1b9b8c6a2242b987e23692b600e1475230ebdfe0b7f5436fc74e8259eb3244dddb9a2d4c73a82cdb9860fe62f369c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8906463.exe

Filesize
372KB

MD5
b82556ad75f17abb36be01cb809c9c81

SHA1
bedcff1106557257d7e8f3cf5d2a712d148aec01

SHA256
28748d0846dfa512fd7c78bf4f7baf5765085dbe0d43b86bc176b6790f104cfa

SHA512
6202dbd85a03f8c23b4866ee8ad2cd35b1b9b8c6a2242b987e23692b600e1475230ebdfe0b7f5436fc74e8259eb3244dddb9a2d4c73a82cdb9860fe62f369c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3041099.exe

Filesize
174KB

MD5
521be867ba93f423813ec590356fbe5d

SHA1
4e5f70168786a20e4403c9745ce43d4fda627cca

SHA256
36f4016d2878b89048888a66f36e589482226c6781d47ddd2a8ac425511b5f0e

SHA512
5bb3b3f271a01fd4ff60042e135a935a2d5d2f788cc6488cc7573b04bd7d557ad53c4494ff23e4d99fbbf2d0dbdc90a5c7e26243e7158c07f2dae8452995237d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3041099.exe

Filesize
174KB

MD5
521be867ba93f423813ec590356fbe5d

SHA1
4e5f70168786a20e4403c9745ce43d4fda627cca

SHA256
36f4016d2878b89048888a66f36e589482226c6781d47ddd2a8ac425511b5f0e

SHA512
5bb3b3f271a01fd4ff60042e135a935a2d5d2f788cc6488cc7573b04bd7d557ad53c4494ff23e4d99fbbf2d0dbdc90a5c7e26243e7158c07f2dae8452995237d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2548140.exe

Filesize
216KB

MD5
bc2eec57671363ec12f526ae966a6b3e

SHA1
9a11becc18a873204cd9e07878f95039be7b7fd3

SHA256
1c519bcbc16af4d33b540a2e85be95e13260ce39c74feac740d16f224fb55012

SHA512
3505b65473f61c667fb4a6c0edcdbc47670c468c7d05e949df3b3e1cea674df3dc4d6907f4e42cd55e90fa3e92b78163885f321da1ac1f80fdef9fc0afa6b40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2548140.exe

Filesize
216KB

MD5
bc2eec57671363ec12f526ae966a6b3e

SHA1
9a11becc18a873204cd9e07878f95039be7b7fd3

SHA256
1c519bcbc16af4d33b540a2e85be95e13260ce39c74feac740d16f224fb55012

SHA512
3505b65473f61c667fb4a6c0edcdbc47670c468c7d05e949df3b3e1cea674df3dc4d6907f4e42cd55e90fa3e92b78163885f321da1ac1f80fdef9fc0afa6b40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1536146.exe

Filesize
11KB

MD5
effe5a67f14be8a070b54168e881d97a

SHA1
83ce5edead7a247d1e496388d9561aab86f0cf5c

SHA256
dfb52255ffde84f3d39ffc874084cacce3a6f552e2835555da420bcbecc89686

SHA512
6ff9f00351781d756d94d961178603f0e191ca4ae2bfef7c41b73438825745d7783e1f7536443eed9ebf0474841af8be3af589386b9c4ca6f88bef6a50be869a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1536146.exe

Filesize
11KB

MD5
effe5a67f14be8a070b54168e881d97a

SHA1
83ce5edead7a247d1e496388d9561aab86f0cf5c

SHA256
dfb52255ffde84f3d39ffc874084cacce3a6f552e2835555da420bcbecc89686

SHA512
6ff9f00351781d756d94d961178603f0e191ca4ae2bfef7c41b73438825745d7783e1f7536443eed9ebf0474841af8be3af589386b9c4ca6f88bef6a50be869a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7968411.exe

Filesize
140KB

MD5
f676295e10b64e05a20e5165727a6c34

SHA1
4bd7d0466b679a629e216ddc66886e94e4776140

SHA256
a97a574df8d1e8c573f54cc84c971a99e4e2c34e7145ec86246abc0ee4e33ec6

SHA512
120ec4d8b38d78c8005dacabc30ac8f38fae91467d12ec08283c4bb04186c6f1dbf9edfa212b87a9394e5c11bdad78d03719bb4f3bca8c33a26f2f585755f4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7968411.exe

Filesize
140KB

MD5
f676295e10b64e05a20e5165727a6c34

SHA1
4bd7d0466b679a629e216ddc66886e94e4776140

SHA256
a97a574df8d1e8c573f54cc84c971a99e4e2c34e7145ec86246abc0ee4e33ec6

SHA512
120ec4d8b38d78c8005dacabc30ac8f38fae91467d12ec08283c4bb04186c6f1dbf9edfa212b87a9394e5c11bdad78d03719bb4f3bca8c33a26f2f585755f4d0

Download Submit
memory/3420-179-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-178-0x0000000000800000-0x0000000000830000-memory.dmp

Filesize
192KB

Download
memory/3420-180-0x000000000AB40000-0x000000000B158000-memory.dmp

Filesize
6.1MB

Download
memory/3420-181-0x000000000A670000-0x000000000A77A000-memory.dmp

Filesize
1.0MB

Download
memory/3420-182-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/3420-183-0x000000000A5B0000-0x000000000A5C2000-memory.dmp

Filesize
72KB

Download
memory/3420-184-0x000000000A610000-0x000000000A64C000-memory.dmp

Filesize
240KB

Download
memory/3420-185-0x0000000073C40000-0x00000000743F0000-memory.dmp

Filesize
7.7MB

Download
memory/3420-186-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4596-171-0x00007FF9A8500000-0x00007FF9A8FC1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-169-0x00007FF9A8500000-0x00007FF9A8FC1000-memory.dmp

Filesize
10.8MB

Download
memory/4596-168-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download