healer | 0331ef85577598e1dcde45f2358d19718cf18612f3d8779809a9fb67ed0fd9e0

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0331ef85577598e1dcde45f2358d19718cf18612f3d8779809a9fb67ed0fd9e0.exe
Size

714KB
MD5

2571521c4f22828cf0a7aa57f6e1e9fd
SHA1

736bb597dd6601b7b12a4d23db711aa84cc0547a
SHA256

0331ef85577598e1dcde45f2358d19718cf18612f3d8779809a9fb67ed0fd9e0
SHA512

a302790bf071c6e95e2604edb83ea36da90196d6bb41b8cec13918536f0b4aefa027f376687bf1fa80948cfd2972e906eb7ee8ce15656db7d8a004fe0d5da81e
SSDEEP

12288:UMrJy904rFYU/dGKFT8O7/aU5lxZdkmpYyC0XM/50uHxSB15fhmLt/P:lyhrDvZ8OTaUJZRpYrDRSBbhsn

Score

10^/10

healer redline piter dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

piter

77.91.124.73:19071

Attributes

auth_value
7f92ff466423bb35edbfbc22f78b0bb9

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000230ab-159.dat	healer
behavioral1/files/0x00070000000230ab-160.dat	healer
behavioral1/memory/220-161-0x0000000000010000-0x000000000001A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r2794361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r2794361.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	r2794361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r2794361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r2794361.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r2794361.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
2912	z4154450.exe
4532	z6557255.exe
4568	z3902972.exe
220	r2794361.exe
324	s3569311.exe
2004	t3905161.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	r2794361.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0331ef85577598e1dcde45f2358d19718cf18612f3d8779809a9fb67ed0fd9e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4154450.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6557255.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3902972.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
220	r2794361.exe
220	r2794361.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	r2794361.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 2912	1148	0331ef85577598e1dcde45f2358d19718cf18612f3d8779809a9fb67ed0fd9e0.exe	81
PID 1148 wrote to memory of 2912	1148	0331ef85577598e1dcde45f2358d19718cf18612f3d8779809a9fb67ed0fd9e0.exe	81
PID 1148 wrote to memory of 2912	1148	0331ef85577598e1dcde45f2358d19718cf18612f3d8779809a9fb67ed0fd9e0.exe	81
PID 2912 wrote to memory of 4532	2912	z4154450.exe	82
PID 2912 wrote to memory of 4532	2912	z4154450.exe	82
PID 2912 wrote to memory of 4532	2912	z4154450.exe	82
PID 4532 wrote to memory of 4568	4532	z6557255.exe	83
PID 4532 wrote to memory of 4568	4532	z6557255.exe	83
PID 4532 wrote to memory of 4568	4532	z6557255.exe	83
PID 4568 wrote to memory of 220	4568	z3902972.exe	84
PID 4568 wrote to memory of 220	4568	z3902972.exe	84
PID 4568 wrote to memory of 324	4568	z3902972.exe	91
PID 4568 wrote to memory of 324	4568	z3902972.exe	91
PID 4568 wrote to memory of 324	4568	z3902972.exe	91
PID 4532 wrote to memory of 2004	4532	z6557255.exe	94
PID 4532 wrote to memory of 2004	4532	z6557255.exe	94
PID 4532 wrote to memory of 2004	4532	z6557255.exe	94

C:\Users\Admin\AppData\Local\Temp\0331ef85577598e1dcde45f2358d19718cf18612f3d8779809a9fb67ed0fd9e0.exe
"C:\Users\Admin\AppData\Local\Temp\0331ef85577598e1dcde45f2358d19718cf18612f3d8779809a9fb67ed0fd9e0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4154450.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4154450.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6557255.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6557255.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3902972.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3902972.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2794361.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2794361.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:220
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3569311.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3569311.exe
        5⤵
        Executes dropped EXE
        
        PID:324
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3905161.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3905161.exe
      4⤵
      Executes dropped EXE
      PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4154450.exe

Filesize
598KB

MD5
548b0b46c32cbdd21b0f1f5b4ed165d9

SHA1
365c0b3c42d887469f5a02c44f6c0bba55edd21f

SHA256
4aa1ad8d643abdea738795874e01ec5722fce7280901cdb96d91801d9a2b352e

SHA512
33ede4fa1726cdb8511ac81383b6222469cc2c8db706495a31943027f15ac55bdec40ff58799831bdb64ab7a4b6ce434aa23af6c6de6ee77e630cc8077a3f6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4154450.exe

Filesize
598KB

MD5
548b0b46c32cbdd21b0f1f5b4ed165d9

SHA1
365c0b3c42d887469f5a02c44f6c0bba55edd21f

SHA256
4aa1ad8d643abdea738795874e01ec5722fce7280901cdb96d91801d9a2b352e

SHA512
33ede4fa1726cdb8511ac81383b6222469cc2c8db706495a31943027f15ac55bdec40ff58799831bdb64ab7a4b6ce434aa23af6c6de6ee77e630cc8077a3f6d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6557255.exe

Filesize
372KB

MD5
84fb551e208a5a22279dcd07ff9e8f9d

SHA1
27fa25aa59a8c877548d665510d41f42cfb62b80

SHA256
00c36e722003f498d8e31eafb73ed55b1d21ffd9fc0a8c19607877616ad64526

SHA512
fccd9592941329742a74d2feedce610956320961c210c85a84bc674a1ff1090f3661142ff1bcab8c2d36d4f6f94c5dad864ed0a09e387920edf425ece5a49948

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6557255.exe

Filesize
372KB

MD5
84fb551e208a5a22279dcd07ff9e8f9d

SHA1
27fa25aa59a8c877548d665510d41f42cfb62b80

SHA256
00c36e722003f498d8e31eafb73ed55b1d21ffd9fc0a8c19607877616ad64526

SHA512
fccd9592941329742a74d2feedce610956320961c210c85a84bc674a1ff1090f3661142ff1bcab8c2d36d4f6f94c5dad864ed0a09e387920edf425ece5a49948

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3905161.exe

Filesize
174KB

MD5
e278ff6d7977efa1c8496eb42efdb406

SHA1
28c6ed1ddc41a75772b6be4439758c53ff3ee4c0

SHA256
c63132c02051eaa70b388e666c383cc4673ec16ae10a425d8d6b9a8c46e0e158

SHA512
38a763a3475f426711f765dae0d772e888cc91e522fff0853d4fc5abf810decb42ff7c2ac60a1ac72b2fbd02d00db94cf8bce9d727ba311e1737bcc8d92c8163

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t3905161.exe

Filesize
174KB

MD5
e278ff6d7977efa1c8496eb42efdb406

SHA1
28c6ed1ddc41a75772b6be4439758c53ff3ee4c0

SHA256
c63132c02051eaa70b388e666c383cc4673ec16ae10a425d8d6b9a8c46e0e158

SHA512
38a763a3475f426711f765dae0d772e888cc91e522fff0853d4fc5abf810decb42ff7c2ac60a1ac72b2fbd02d00db94cf8bce9d727ba311e1737bcc8d92c8163

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3902972.exe

Filesize
216KB

MD5
eb03f2b1a32c12310012dd2704ab040b

SHA1
333e4c092c7e8319e88d37224c9869b6baeb9d8c

SHA256
e6d5a52abf6069faff45f6e4d43138ec342151d856bbf485a28d39e9a3a7fb6d

SHA512
1585dcdaafbf62d2f0c7c2cc1233c24698ddbe8c238fe633535d9a1e1f6eb1c2612741aa0c3976241f94c59987353f0d673ae2fe2b6b58837a614c086b64b3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3902972.exe

Filesize
216KB

MD5
eb03f2b1a32c12310012dd2704ab040b

SHA1
333e4c092c7e8319e88d37224c9869b6baeb9d8c

SHA256
e6d5a52abf6069faff45f6e4d43138ec342151d856bbf485a28d39e9a3a7fb6d

SHA512
1585dcdaafbf62d2f0c7c2cc1233c24698ddbe8c238fe633535d9a1e1f6eb1c2612741aa0c3976241f94c59987353f0d673ae2fe2b6b58837a614c086b64b3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2794361.exe

Filesize
11KB

MD5
96453ece97c4c73df430e1fa169562ea

SHA1
1005f54616f3988b12b221e6341315ada7ced16c

SHA256
bf5b62087ff64770f2f41daf976861918250912e5a03dd38c8fb9d91b79eb263

SHA512
b5a4b4ac2ac2831160a3df3c28151303b42a2573aed1b423ea1fcd622f5965a85e98388e68b01ff184441960d7ab2c93275f0d081001d0b2205d51616f475725

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\r2794361.exe

Filesize
11KB

MD5
96453ece97c4c73df430e1fa169562ea

SHA1
1005f54616f3988b12b221e6341315ada7ced16c

SHA256
bf5b62087ff64770f2f41daf976861918250912e5a03dd38c8fb9d91b79eb263

SHA512
b5a4b4ac2ac2831160a3df3c28151303b42a2573aed1b423ea1fcd622f5965a85e98388e68b01ff184441960d7ab2c93275f0d081001d0b2205d51616f475725

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3569311.exe

Filesize
140KB

MD5
ffdee059f60186b2180921fd6dd2b90e

SHA1
cf4d3a6e31427b4e3b7a8dfec0916319433c6495

SHA256
a07e97016450cb36922ceb7a3036502e5c22fb2b3dc9de3fdcb0e3d1c7867e9b

SHA512
59b48ccba8be7b3da5beffd7eef3456d674fadc168591e2d312130e838c18e0a061d940c0d72effd0797d0103224755d95990029e53e65b965249a75cdab5a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3569311.exe

Filesize
140KB

MD5
ffdee059f60186b2180921fd6dd2b90e

SHA1
cf4d3a6e31427b4e3b7a8dfec0916319433c6495

SHA256
a07e97016450cb36922ceb7a3036502e5c22fb2b3dc9de3fdcb0e3d1c7867e9b

SHA512
59b48ccba8be7b3da5beffd7eef3456d674fadc168591e2d312130e838c18e0a061d940c0d72effd0797d0103224755d95990029e53e65b965249a75cdab5a2b

Download Submit
memory/220-167-0x00007FFEE8200000-0x00007FFEE8CC1000-memory.dmp

Filesize
10.8MB

Download
memory/220-162-0x00007FFEE8200000-0x00007FFEE8CC1000-memory.dmp

Filesize
10.8MB

Download
memory/220-161-0x0000000000010000-0x000000000001A000-memory.dmp

Filesize
40KB

Download
memory/2004-171-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/2004-172-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/2004-173-0x000000000A610000-0x000000000AC28000-memory.dmp

Filesize
6.1MB

Download
memory/2004-174-0x000000000A170000-0x000000000A27A000-memory.dmp

Filesize
1.0MB

Download
memory/2004-175-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download
memory/2004-176-0x000000000A0B0000-0x000000000A0C2000-memory.dmp

Filesize
72KB

Download
memory/2004-177-0x000000000A110000-0x000000000A14C000-memory.dmp

Filesize
240KB

Download
memory/2004-178-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/2004-179-0x0000000004B20000-0x0000000004B30000-memory.dmp

Filesize
64KB

Download