healer | f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d

Analysis

max time kernel
146s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22/08/2023, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe
Size

838KB
MD5

7ca0b75c7b8687e9239349629d25ae29
SHA1

457bef3412101c45275f28ae79dc2271d810a601
SHA256

f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d
SHA512

1e2e4c4da9e92a5504eb52ffcfcf6b2a8d0408dee97b9b1c878482a70e89cf3caddbcc2eff26ade3f7bc95e0e9c5adf59e13b2ff55610e66185e2e1a253fdc82
SSDEEP

24576:RyT9ClFjD/Gw5m26ISFHWcY4zcfdw9uDxw:E5ClF//Ld6v2Z5wm

Score

10^/10

healer redline piter dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

piter

77.91.124.73:19071

Attributes

auth_value
7f92ff466423bb35edbfbc22f78b0bb9

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afe9-150.dat	healer
behavioral1/files/0x000700000001afe9-151.dat	healer
behavioral1/memory/3676-152-0x00000000002C0000-0x00000000002CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8109277.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8109277.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8109277.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8109277.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8109277.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3420	v6338451.exe
4884	v3499594.exe
4940	v5729729.exe
2324	v5710865.exe
3676	a8109277.exe
3012	b9033014.exe
4204	c4927028.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8109277.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5729729.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5710865.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6338451.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3499594.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3676	a8109277.exe
3676	a8109277.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3676	a8109277.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 3420	4516	f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe	70
PID 4516 wrote to memory of 3420	4516	f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe	70
PID 4516 wrote to memory of 3420	4516	f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe	70
PID 3420 wrote to memory of 4884	3420	v6338451.exe	71
PID 3420 wrote to memory of 4884	3420	v6338451.exe	71
PID 3420 wrote to memory of 4884	3420	v6338451.exe	71
PID 4884 wrote to memory of 4940	4884	v3499594.exe	72
PID 4884 wrote to memory of 4940	4884	v3499594.exe	72
PID 4884 wrote to memory of 4940	4884	v3499594.exe	72
PID 4940 wrote to memory of 2324	4940	v5729729.exe	73
PID 4940 wrote to memory of 2324	4940	v5729729.exe	73
PID 4940 wrote to memory of 2324	4940	v5729729.exe	73
PID 2324 wrote to memory of 3676	2324	v5710865.exe	74
PID 2324 wrote to memory of 3676	2324	v5710865.exe	74
PID 2324 wrote to memory of 3012	2324	v5710865.exe	75
PID 2324 wrote to memory of 3012	2324	v5710865.exe	75
PID 2324 wrote to memory of 3012	2324	v5710865.exe	75
PID 4940 wrote to memory of 4204	4940	v5729729.exe	76
PID 4940 wrote to memory of 4204	4940	v5729729.exe	76
PID 4940 wrote to memory of 4204	4940	v5729729.exe	76

C:\Users\Admin\AppData\Local\Temp\f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe
"C:\Users\Admin\AppData\Local\Temp\f80213c08d7fa8b854d50c03c25930ace80317c5b2d86e64bfba86f05bb65c5d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6338451.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6338451.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3499594.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3499594.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5729729.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5729729.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5710865.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5710865.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8109277.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8109277.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9033014.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9033014.exe
        6⤵
        Executes dropped EXE
        
        PID:3012
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4927028.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4927028.exe
        5⤵
        Executes dropped EXE
        
        PID:4204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6338451.exe

Filesize
723KB

MD5
9950fd8be40c2ff2cd7430ee852b209c

SHA1
50d67b2a8703ff1e6bbd2bd23eab8b6b0304eb04

SHA256
a6a51003b04a2bc45f466b533d4502950e78821c1241da82110d2e6be7302487

SHA512
72041bd4869d25766fcbccffb0486c8420dcea9bfbe44d7da165f45ed46b89c53017ef7577ab9ee3ce912676e4bcaae5f5fcdb1d00911b0b31394581a2bb20d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6338451.exe

Filesize
723KB

MD5
9950fd8be40c2ff2cd7430ee852b209c

SHA1
50d67b2a8703ff1e6bbd2bd23eab8b6b0304eb04

SHA256
a6a51003b04a2bc45f466b533d4502950e78821c1241da82110d2e6be7302487

SHA512
72041bd4869d25766fcbccffb0486c8420dcea9bfbe44d7da165f45ed46b89c53017ef7577ab9ee3ce912676e4bcaae5f5fcdb1d00911b0b31394581a2bb20d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3499594.exe

Filesize
496KB

MD5
1768819ac4e74ff899b07e867de4de6f

SHA1
adf94e09949fba7f48f742fe2b0f00577daa7990

SHA256
d94e8315c8a123692396bf5fda0e261aa5b0d4425d2b706c4338504fdf660ac4

SHA512
5af92e810c6da415d72f5e017c45dcc707fff1115d1f7e77ca8d573696f9d9d8ce4c9dab24e7ebf1f08ca8df60e26befc39260e5f28ce01ab761a990acc4e8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3499594.exe

Filesize
496KB

MD5
1768819ac4e74ff899b07e867de4de6f

SHA1
adf94e09949fba7f48f742fe2b0f00577daa7990

SHA256
d94e8315c8a123692396bf5fda0e261aa5b0d4425d2b706c4338504fdf660ac4

SHA512
5af92e810c6da415d72f5e017c45dcc707fff1115d1f7e77ca8d573696f9d9d8ce4c9dab24e7ebf1f08ca8df60e26befc39260e5f28ce01ab761a990acc4e8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5729729.exe

Filesize
372KB

MD5
8b3b07a385117da3eb66ade18a06c3f2

SHA1
aada874876b0907219d2bd3eb6e46d5b62ff8fd9

SHA256
bc631a87c6f991a2d39531ddea4979fee4fe62523e0c78c531e1a5baec9117c8

SHA512
bb0b7f0446390c75497cb9034dec16d821ca8993ec921ad86f7b5e69767f70ab1c3d0d04c81ed62c1a97e00c9cc313ec18f35a71b01741c2cf16bb3e572fb24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5729729.exe

Filesize
372KB

MD5
8b3b07a385117da3eb66ade18a06c3f2

SHA1
aada874876b0907219d2bd3eb6e46d5b62ff8fd9

SHA256
bc631a87c6f991a2d39531ddea4979fee4fe62523e0c78c531e1a5baec9117c8

SHA512
bb0b7f0446390c75497cb9034dec16d821ca8993ec921ad86f7b5e69767f70ab1c3d0d04c81ed62c1a97e00c9cc313ec18f35a71b01741c2cf16bb3e572fb24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4927028.exe

Filesize
174KB

MD5
4d2f6da85fcff6f3c3055e2280cd0d9f

SHA1
d2c5e04a7171f51aa773a5a67da02558062bd6dc

SHA256
6605d827d8502a87b4c1739826ecf5ee8176946fa78dda0743b38c223f2bab89

SHA512
f7a97960cd5c7fd19d638b4dac62664a513c7f803c92e71620326c3d255b10df86a5d44f7170414a2aaa34e848e2a862f4eae2945439ba2370d1a337c62903ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4927028.exe

Filesize
174KB

MD5
4d2f6da85fcff6f3c3055e2280cd0d9f

SHA1
d2c5e04a7171f51aa773a5a67da02558062bd6dc

SHA256
6605d827d8502a87b4c1739826ecf5ee8176946fa78dda0743b38c223f2bab89

SHA512
f7a97960cd5c7fd19d638b4dac62664a513c7f803c92e71620326c3d255b10df86a5d44f7170414a2aaa34e848e2a862f4eae2945439ba2370d1a337c62903ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5710865.exe

Filesize
216KB

MD5
5403918dbe566b906365d9d5f3b6a4ba

SHA1
e31fb1a53c42b40101abdbd0f284cfae6e792cc6

SHA256
893c86cbf079c2b64ddb0052a9e6d5f8025717ca399a0edef9af59e582165d07

SHA512
bbdfb5479432cc8b7c03f6a0de17c961bf19a527b6590ccebe60f79793310e91544056801ce0c4e65732203618741a3977ca9dc578807fea2dc48c6871f43b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5710865.exe

Filesize
216KB

MD5
5403918dbe566b906365d9d5f3b6a4ba

SHA1
e31fb1a53c42b40101abdbd0f284cfae6e792cc6

SHA256
893c86cbf079c2b64ddb0052a9e6d5f8025717ca399a0edef9af59e582165d07

SHA512
bbdfb5479432cc8b7c03f6a0de17c961bf19a527b6590ccebe60f79793310e91544056801ce0c4e65732203618741a3977ca9dc578807fea2dc48c6871f43b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8109277.exe

Filesize
11KB

MD5
5218a7dbc8aab1821e52e9c0549a2e87

SHA1
b31566a5eaf34466580a7ebc984177b1625bc00b

SHA256
87613146f627ac2d1a733f5963943c65efa33c2c8a81167d9905413d32c882a9

SHA512
5c79e3ab7eca8cdb01e4a9c5666eaab3f45505b44aaac7ebd37b558c530b423a488e77d6b1bf3293bac01250f08e0cb73c1226ab9d8af513f5c7b4d7742bcee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8109277.exe

Filesize
11KB

MD5
5218a7dbc8aab1821e52e9c0549a2e87

SHA1
b31566a5eaf34466580a7ebc984177b1625bc00b

SHA256
87613146f627ac2d1a733f5963943c65efa33c2c8a81167d9905413d32c882a9

SHA512
5c79e3ab7eca8cdb01e4a9c5666eaab3f45505b44aaac7ebd37b558c530b423a488e77d6b1bf3293bac01250f08e0cb73c1226ab9d8af513f5c7b4d7742bcee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9033014.exe

Filesize
140KB

MD5
705edcb21068a26c07941e1e1a7b36fe

SHA1
6a392b0457b715b2e87a450bc745de1cd9c5963c

SHA256
1e44a48d8d72228bee8e65e137721d4a6c95d74eda649efb4275c3935ea1e3f0

SHA512
614d454cbe410c49e6cfd2eaf48bebf7bf080b9f0b8090203bc5bf480724356fec51d18570ac13f7c7f14ac12023e83a7267bd603ef3d815b7ea9553e9c9c67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9033014.exe

Filesize
140KB

MD5
705edcb21068a26c07941e1e1a7b36fe

SHA1
6a392b0457b715b2e87a450bc745de1cd9c5963c

SHA256
1e44a48d8d72228bee8e65e137721d4a6c95d74eda649efb4275c3935ea1e3f0

SHA512
614d454cbe410c49e6cfd2eaf48bebf7bf080b9f0b8090203bc5bf480724356fec51d18570ac13f7c7f14ac12023e83a7267bd603ef3d815b7ea9553e9c9c67c

Download Submit
memory/3676-155-0x00007FF8EBA70000-0x00007FF8EC45C000-memory.dmp

Filesize
9.9MB

Download
memory/3676-153-0x00007FF8EBA70000-0x00007FF8EC45C000-memory.dmp

Filesize
9.9MB

Download
memory/3676-152-0x00000000002C0000-0x00000000002CA000-memory.dmp

Filesize
40KB

Download
memory/4204-162-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/4204-163-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/4204-164-0x0000000000DC0000-0x0000000000DC6000-memory.dmp

Filesize
24KB

Download
memory/4204-165-0x000000000A7A0000-0x000000000ADA6000-memory.dmp

Filesize
6.0MB

Download
memory/4204-166-0x000000000A2F0000-0x000000000A3FA000-memory.dmp

Filesize
1.0MB

Download
memory/4204-167-0x000000000A220000-0x000000000A232000-memory.dmp

Filesize
72KB

Download
memory/4204-168-0x000000000A280000-0x000000000A2BE000-memory.dmp

Filesize
248KB

Download
memory/4204-169-0x000000000A400000-0x000000000A44B000-memory.dmp

Filesize
300KB

Download
memory/4204-170-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download