healer | a7e9830a55797aa72f21e55eab5babc79ddabd52e9d6be70a23fec8a8bc4e64e

Analysis

max time kernel
148s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22-08-2023 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7e9830a55797aa72f21e55eab5babc79ddabd52e9d6be70a23fec8a8bc4e64e.exe
Size

838KB
MD5

63889d20fa85cb24cf19f47ffefbe991
SHA1

c99e4ec9f2c9fd8b0f0c1c21aec1b79fe1e1a2b0
SHA256

a7e9830a55797aa72f21e55eab5babc79ddabd52e9d6be70a23fec8a8bc4e64e
SHA512

b21cbe8c576694165c92938b8f3f078aeb58ecd5c28a16519a0069a8a02e12adacaab8497e45e53faf648c1e696eda74a45e05fe107241ec2249da53769578d5
SSDEEP

24576:0yd9GjQKQwjm4+WqEsibOmZ3CBboUg6/:Dd0jQKLm4j4AOme

Score

10^/10

healer redline piter dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

piter

77.91.124.73:19071

Attributes

auth_value
7f92ff466423bb35edbfbc22f78b0bb9

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afb5-150.dat	healer
behavioral1/files/0x000700000001afb5-151.dat	healer
behavioral1/memory/4788-152-0x00000000005E0000-0x00000000005EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9705618.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9705618.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9705618.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9705618.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9705618.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4300	v7908739.exe
4148	v4234303.exe
2836	v7638665.exe
2592	v5076470.exe
4788	a9705618.exe
2400	b0396363.exe
5116	c3024943.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9705618.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5076470.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a7e9830a55797aa72f21e55eab5babc79ddabd52e9d6be70a23fec8a8bc4e64e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7908739.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4234303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7638665.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4788	a9705618.exe
4788	a9705618.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4788	a9705618.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4300	2748	a7e9830a55797aa72f21e55eab5babc79ddabd52e9d6be70a23fec8a8bc4e64e.exe	70
PID 2748 wrote to memory of 4300	2748	a7e9830a55797aa72f21e55eab5babc79ddabd52e9d6be70a23fec8a8bc4e64e.exe	70
PID 2748 wrote to memory of 4300	2748	a7e9830a55797aa72f21e55eab5babc79ddabd52e9d6be70a23fec8a8bc4e64e.exe	70
PID 4300 wrote to memory of 4148	4300	v7908739.exe	71
PID 4300 wrote to memory of 4148	4300	v7908739.exe	71
PID 4300 wrote to memory of 4148	4300	v7908739.exe	71
PID 4148 wrote to memory of 2836	4148	v4234303.exe	72
PID 4148 wrote to memory of 2836	4148	v4234303.exe	72
PID 4148 wrote to memory of 2836	4148	v4234303.exe	72
PID 2836 wrote to memory of 2592	2836	v7638665.exe	73
PID 2836 wrote to memory of 2592	2836	v7638665.exe	73
PID 2836 wrote to memory of 2592	2836	v7638665.exe	73
PID 2592 wrote to memory of 4788	2592	v5076470.exe	74
PID 2592 wrote to memory of 4788	2592	v5076470.exe	74
PID 2592 wrote to memory of 2400	2592	v5076470.exe	75
PID 2592 wrote to memory of 2400	2592	v5076470.exe	75
PID 2592 wrote to memory of 2400	2592	v5076470.exe	75
PID 2836 wrote to memory of 5116	2836	v7638665.exe	76
PID 2836 wrote to memory of 5116	2836	v7638665.exe	76
PID 2836 wrote to memory of 5116	2836	v7638665.exe	76

C:\Users\Admin\AppData\Local\Temp\a7e9830a55797aa72f21e55eab5babc79ddabd52e9d6be70a23fec8a8bc4e64e.exe
"C:\Users\Admin\AppData\Local\Temp\a7e9830a55797aa72f21e55eab5babc79ddabd52e9d6be70a23fec8a8bc4e64e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7908739.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7908739.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4300
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4234303.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4234303.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7638665.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7638665.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5076470.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5076470.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2592
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9705618.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9705618.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4788
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0396363.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0396363.exe
        6⤵
        Executes dropped EXE
        
        PID:2400
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3024943.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3024943.exe
        5⤵
        Executes dropped EXE
        
        PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7908739.exe

Filesize
722KB

MD5
0dad8d2acfd0c5af8c63f117773afa51

SHA1
440b4be04e33f6aa9058653bb1c13908578ee8a6

SHA256
a3574415dde9b9e8d6664d144fce33214e81f23edb1f63c8b033aff8499a860c

SHA512
8ff33b89ef299c5059268aaae521b3eea7f6183876f986cfb134ac0307bc58662d3c7c461a454069d78abcad12dfc699528de6d3311c62d574e3d7f1f41d11a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7908739.exe

Filesize
722KB

MD5
0dad8d2acfd0c5af8c63f117773afa51

SHA1
440b4be04e33f6aa9058653bb1c13908578ee8a6

SHA256
a3574415dde9b9e8d6664d144fce33214e81f23edb1f63c8b033aff8499a860c

SHA512
8ff33b89ef299c5059268aaae521b3eea7f6183876f986cfb134ac0307bc58662d3c7c461a454069d78abcad12dfc699528de6d3311c62d574e3d7f1f41d11a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4234303.exe

Filesize
497KB

MD5
38dc1e5c64c4090dda19ba26e21bb032

SHA1
202ee306dc4bd8252f01537cc3ce3a6a3e047cab

SHA256
ddfff9f17051861e88af38e5c611516aa75f5b989c352d078554cb80347dbe73

SHA512
22a8c5c6abcecda16e0d7db81c5a74cda65a3669a1b373c6a8a558e2fd2243338507173a212fdc36525d71621c2baded6f01a5c1bb4146bf6b54437fbb382d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4234303.exe

Filesize
497KB

MD5
38dc1e5c64c4090dda19ba26e21bb032

SHA1
202ee306dc4bd8252f01537cc3ce3a6a3e047cab

SHA256
ddfff9f17051861e88af38e5c611516aa75f5b989c352d078554cb80347dbe73

SHA512
22a8c5c6abcecda16e0d7db81c5a74cda65a3669a1b373c6a8a558e2fd2243338507173a212fdc36525d71621c2baded6f01a5c1bb4146bf6b54437fbb382d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7638665.exe

Filesize
372KB

MD5
9c406845287e4b56334e72fe8d5e01ef

SHA1
b096c154e53eb52b9cf6a39b040ffa9201698cba

SHA256
28f22aef5af25dd8f7304a6481c17d0b2c14d5f6c6ccc16cce34bf8349929832

SHA512
b6074020d943c8579254c93086c655d3713f3613c771749cac7de7679d3b2d0b653a10009885b3fa72ca29f4479cae3db635103e3a2bc8af92729133ebaa3a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7638665.exe

Filesize
372KB

MD5
9c406845287e4b56334e72fe8d5e01ef

SHA1
b096c154e53eb52b9cf6a39b040ffa9201698cba

SHA256
28f22aef5af25dd8f7304a6481c17d0b2c14d5f6c6ccc16cce34bf8349929832

SHA512
b6074020d943c8579254c93086c655d3713f3613c771749cac7de7679d3b2d0b653a10009885b3fa72ca29f4479cae3db635103e3a2bc8af92729133ebaa3a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3024943.exe

Filesize
174KB

MD5
fadd6ab56f3ab0c5dc9d4b35e43d0935

SHA1
82028f368dc20df2bf6d6a9a27f2bab7dbd33965

SHA256
d5e6be41c26bc69ff18a6e561c236765e46f67cbaaa74d3f5434432d8459650b

SHA512
20ae19499da3d5534495e66ebcd51946b710fdd581b49dff1a9462b9cc9f9a9260aefd492046783f8c23cff9329fab86f337d81eff45a74b6ead8e839ed90281

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3024943.exe

Filesize
174KB

MD5
fadd6ab56f3ab0c5dc9d4b35e43d0935

SHA1
82028f368dc20df2bf6d6a9a27f2bab7dbd33965

SHA256
d5e6be41c26bc69ff18a6e561c236765e46f67cbaaa74d3f5434432d8459650b

SHA512
20ae19499da3d5534495e66ebcd51946b710fdd581b49dff1a9462b9cc9f9a9260aefd492046783f8c23cff9329fab86f337d81eff45a74b6ead8e839ed90281

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5076470.exe

Filesize
216KB

MD5
b5b232589cf05f6de1a4a520511ba187

SHA1
bfe71d51bb1bae3784eb4d596d93ac5bbd734c03

SHA256
84217da5e4ef398a55783af02d03e30457bc526985597cdf53ba05e2fc493b38

SHA512
73fc0fa00ca8a2c1d4eb4342092c670a05c7f7d0fee1a16fa7ef3c78f5b3159d7e2226b5b35e582e894f97e57c54bbf6e3be55c33cebe9e877bfbe8189d65227

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5076470.exe

Filesize
216KB

MD5
b5b232589cf05f6de1a4a520511ba187

SHA1
bfe71d51bb1bae3784eb4d596d93ac5bbd734c03

SHA256
84217da5e4ef398a55783af02d03e30457bc526985597cdf53ba05e2fc493b38

SHA512
73fc0fa00ca8a2c1d4eb4342092c670a05c7f7d0fee1a16fa7ef3c78f5b3159d7e2226b5b35e582e894f97e57c54bbf6e3be55c33cebe9e877bfbe8189d65227

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9705618.exe

Filesize
11KB

MD5
03d86c92af21b48d916cd6b0ec486e59

SHA1
7c6d54181ace51e349a2ca5a888907fb9d3a7afe

SHA256
7557c511062c30db37837aa2d3d1b24c36149bf2f24ed90d161b3799021caf14

SHA512
951f96f48e620af0f22d59aa4348de1b47114c93a1d0a7d1add0f3c508bc9812f341e026ff0c91a7b2ca4482fe0c0ac6aa9fa4f2a4998f55e0f02f14dde4d818

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9705618.exe

Filesize
11KB

MD5
03d86c92af21b48d916cd6b0ec486e59

SHA1
7c6d54181ace51e349a2ca5a888907fb9d3a7afe

SHA256
7557c511062c30db37837aa2d3d1b24c36149bf2f24ed90d161b3799021caf14

SHA512
951f96f48e620af0f22d59aa4348de1b47114c93a1d0a7d1add0f3c508bc9812f341e026ff0c91a7b2ca4482fe0c0ac6aa9fa4f2a4998f55e0f02f14dde4d818

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0396363.exe

Filesize
140KB

MD5
10eeaf04c674d873e00bf51a23351003

SHA1
8a61c4a4bf9566d672d50fff72702d0921cca123

SHA256
b5629abe1d83eaf4d5d55d3735ca5701a2b7c63ef6a2f5c0c1a51c237ad95197

SHA512
28839387a8ef9e81c8f774c41dc3641474cb9a9bf87ac33488c24f3e80dc3777c37883bf77bbb76ce4c89b4f68269354d85cd0a4e866343361cd6a176945c096

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0396363.exe

Filesize
140KB

MD5
10eeaf04c674d873e00bf51a23351003

SHA1
8a61c4a4bf9566d672d50fff72702d0921cca123

SHA256
b5629abe1d83eaf4d5d55d3735ca5701a2b7c63ef6a2f5c0c1a51c237ad95197

SHA512
28839387a8ef9e81c8f774c41dc3641474cb9a9bf87ac33488c24f3e80dc3777c37883bf77bbb76ce4c89b4f68269354d85cd0a4e866343361cd6a176945c096

Download Submit
memory/4788-155-0x00007FF8E2D60000-0x00007FF8E374C000-memory.dmp

Filesize
9.9MB

Download
memory/4788-153-0x00007FF8E2D60000-0x00007FF8E374C000-memory.dmp

Filesize
9.9MB

Download
memory/4788-152-0x00000000005E0000-0x00000000005EA000-memory.dmp

Filesize
40KB

Download
memory/5116-162-0x0000000000700000-0x0000000000730000-memory.dmp

Filesize
192KB

Download
memory/5116-163-0x0000000073330000-0x0000000073A1E000-memory.dmp

Filesize
6.9MB

Download
memory/5116-164-0x0000000000D50000-0x0000000000D56000-memory.dmp

Filesize
24KB

Download
memory/5116-165-0x000000000AB80000-0x000000000B186000-memory.dmp

Filesize
6.0MB

Download
memory/5116-166-0x000000000A680000-0x000000000A78A000-memory.dmp

Filesize
1.0MB

Download
memory/5116-167-0x000000000A590000-0x000000000A5A2000-memory.dmp

Filesize
72KB

Download
memory/5116-168-0x000000000A5F0000-0x000000000A62E000-memory.dmp

Filesize
248KB

Download
memory/5116-169-0x000000000A630000-0x000000000A67B000-memory.dmp

Filesize
300KB

Download
memory/5116-170-0x0000000073330000-0x0000000073A1E000-memory.dmp

Filesize
6.9MB

Download