healer | 7ca2049c6ade7ca2685370194c33c402c3ce5380063bea32e2b1e955f8f96c5d

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22-08-2023 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ca2049c6ade7ca2685370194c33c402c3ce5380063bea32e2b1e955f8f96c5d.exe
Size

838KB
MD5

d98737253c0d310b479382602ddfbd3a
SHA1

b413eef7bf73b436a22fb6e8ede756811b62e7fc
SHA256

7ca2049c6ade7ca2685370194c33c402c3ce5380063bea32e2b1e955f8f96c5d
SHA512

3758ee6fce4522ecdfb95ffe12f06e705e668742cc792ccdbf35bcd305e4f18bb096b9ff12abea4cd0ad4203e50bb7f1b5d2792f41da2e2a014d6eac2f970ad9
SSDEEP

12288:mMrLy90+bdKYpHoF5A2t8B+zGTxxaSj3H4igQERcXB78hH47HbEzM8tjh2FAoao8:hy7zoFzjS9cSj0QERcXeqHbrEjhBQ2J

Score

10^/10

healer redline piter dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

piter

77.91.124.73:19071

Attributes

auth_value
7f92ff466423bb35edbfbc22f78b0bb9

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b01f-150.dat	healer
behavioral1/files/0x000700000001b01f-151.dat	healer
behavioral1/memory/704-152-0x0000000000D50000-0x0000000000D5A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2606208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2606208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2606208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2606208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2606208.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3108	v2985769.exe
4908	v5663462.exe
408	v9208393.exe
4244	v0542306.exe
704	a2606208.exe
2512	b3321398.exe
4416	c3398107.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2606208.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5663462.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9208393.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v0542306.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7ca2049c6ade7ca2685370194c33c402c3ce5380063bea32e2b1e955f8f96c5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2985769.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
704	a2606208.exe
704	a2606208.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	704	a2606208.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3108	1712	7ca2049c6ade7ca2685370194c33c402c3ce5380063bea32e2b1e955f8f96c5d.exe	70
PID 1712 wrote to memory of 3108	1712	7ca2049c6ade7ca2685370194c33c402c3ce5380063bea32e2b1e955f8f96c5d.exe	70
PID 1712 wrote to memory of 3108	1712	7ca2049c6ade7ca2685370194c33c402c3ce5380063bea32e2b1e955f8f96c5d.exe	70
PID 3108 wrote to memory of 4908	3108	v2985769.exe	71
PID 3108 wrote to memory of 4908	3108	v2985769.exe	71
PID 3108 wrote to memory of 4908	3108	v2985769.exe	71
PID 4908 wrote to memory of 408	4908	v5663462.exe	72
PID 4908 wrote to memory of 408	4908	v5663462.exe	72
PID 4908 wrote to memory of 408	4908	v5663462.exe	72
PID 408 wrote to memory of 4244	408	v9208393.exe	73
PID 408 wrote to memory of 4244	408	v9208393.exe	73
PID 408 wrote to memory of 4244	408	v9208393.exe	73
PID 4244 wrote to memory of 704	4244	v0542306.exe	74
PID 4244 wrote to memory of 704	4244	v0542306.exe	74
PID 4244 wrote to memory of 2512	4244	v0542306.exe	75
PID 4244 wrote to memory of 2512	4244	v0542306.exe	75
PID 4244 wrote to memory of 2512	4244	v0542306.exe	75
PID 408 wrote to memory of 4416	408	v9208393.exe	76
PID 408 wrote to memory of 4416	408	v9208393.exe	76
PID 408 wrote to memory of 4416	408	v9208393.exe	76

C:\Users\Admin\AppData\Local\Temp\7ca2049c6ade7ca2685370194c33c402c3ce5380063bea32e2b1e955f8f96c5d.exe
"C:\Users\Admin\AppData\Local\Temp\7ca2049c6ade7ca2685370194c33c402c3ce5380063bea32e2b1e955f8f96c5d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2985769.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2985769.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5663462.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5663462.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9208393.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9208393.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:408
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0542306.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0542306.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4244
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2606208.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2606208.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3321398.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3321398.exe
        6⤵
        Executes dropped EXE
        
        PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3398107.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3398107.exe
        5⤵
        Executes dropped EXE
        
        PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2985769.exe

Filesize
722KB

MD5
d7af053cbda964fd1bcce51d142468d8

SHA1
428233262a397fd2e74407bb3e7fc28949279f13

SHA256
3dc52d6ae38b8ac74f8e6f3322aaf591f42958003dce38844f79429a546829f7

SHA512
48df2f62aae716fcbbf4445f3371ed066ef436633a1feeea587938d2ba5f2a9c4b5f41acc84857a769ce967b0880db408ba1207d523736269fea322bc65668a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2985769.exe

Filesize
722KB

MD5
d7af053cbda964fd1bcce51d142468d8

SHA1
428233262a397fd2e74407bb3e7fc28949279f13

SHA256
3dc52d6ae38b8ac74f8e6f3322aaf591f42958003dce38844f79429a546829f7

SHA512
48df2f62aae716fcbbf4445f3371ed066ef436633a1feeea587938d2ba5f2a9c4b5f41acc84857a769ce967b0880db408ba1207d523736269fea322bc65668a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5663462.exe

Filesize
496KB

MD5
7c933ab9854061ac91f6a97f7f72ed5d

SHA1
fc77a792e303035fef40a573a6cf14a758bcb43c

SHA256
c0771da9e2478b2e714a14453a04bb23b206842fe580d13f1f252cc16db82568

SHA512
7d10bd5e21a0aa3c84766b41af46a07f0b0f1884d66846d42391f40597e78f8f56a3b7963c9d440d357c0446a1cffc20ee2a91cba7820e86184fadc7b09ebc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5663462.exe

Filesize
496KB

MD5
7c933ab9854061ac91f6a97f7f72ed5d

SHA1
fc77a792e303035fef40a573a6cf14a758bcb43c

SHA256
c0771da9e2478b2e714a14453a04bb23b206842fe580d13f1f252cc16db82568

SHA512
7d10bd5e21a0aa3c84766b41af46a07f0b0f1884d66846d42391f40597e78f8f56a3b7963c9d440d357c0446a1cffc20ee2a91cba7820e86184fadc7b09ebc26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9208393.exe

Filesize
372KB

MD5
c286afd846c699704feec85952e03955

SHA1
3ab383a0e4063e7085ff1283864d1970cfd18d87

SHA256
2995517ee0acbce4ce63dedeaa9d745266bf290590f89862c011d82af55e4839

SHA512
bbe173590010ad403a79d893270778e2a9e0dce030b697a9ce12a3fa3c1fee8222a82d98f6f9bcb0d5693da8791a18c8b022185be907249959cee62c3bb3eddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9208393.exe

Filesize
372KB

MD5
c286afd846c699704feec85952e03955

SHA1
3ab383a0e4063e7085ff1283864d1970cfd18d87

SHA256
2995517ee0acbce4ce63dedeaa9d745266bf290590f89862c011d82af55e4839

SHA512
bbe173590010ad403a79d893270778e2a9e0dce030b697a9ce12a3fa3c1fee8222a82d98f6f9bcb0d5693da8791a18c8b022185be907249959cee62c3bb3eddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3398107.exe

Filesize
174KB

MD5
2e39345cf2afc3452b0d1559bd0ba87b

SHA1
d2c6ae0000915e3849a7a60cc6baae35fcc5b114

SHA256
e1d651f6f57d51fa0c5fb852930334668a9808f5dd06eb7ed9fb0689f12f6bc4

SHA512
3f7472bd1381fe36232c050042ec01c83ce3cc3513dcca8131794d006afde8ca010e8cf2be3151a1aa2ef32fa1741f8f3c363a6e62f7ac4fa2a8dd7263004384

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3398107.exe

Filesize
174KB

MD5
2e39345cf2afc3452b0d1559bd0ba87b

SHA1
d2c6ae0000915e3849a7a60cc6baae35fcc5b114

SHA256
e1d651f6f57d51fa0c5fb852930334668a9808f5dd06eb7ed9fb0689f12f6bc4

SHA512
3f7472bd1381fe36232c050042ec01c83ce3cc3513dcca8131794d006afde8ca010e8cf2be3151a1aa2ef32fa1741f8f3c363a6e62f7ac4fa2a8dd7263004384

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0542306.exe

Filesize
216KB

MD5
409efe74626309d432b71b1f28775530

SHA1
935721c03656acb5b8f58d824dcca07bd7028971

SHA256
aedb80a02181286e725553f6b1469cafa92052db28de6e9feb730d698a4510d9

SHA512
76111a0e30c6c6e937e1466c7b8808acc65646e2806c16c0cc575a86d3ac9d176eb3d1b16cabe844ea192037b4e8ea7a913ee21f4b7e368178d8e0c22b1d737c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0542306.exe

Filesize
216KB

MD5
409efe74626309d432b71b1f28775530

SHA1
935721c03656acb5b8f58d824dcca07bd7028971

SHA256
aedb80a02181286e725553f6b1469cafa92052db28de6e9feb730d698a4510d9

SHA512
76111a0e30c6c6e937e1466c7b8808acc65646e2806c16c0cc575a86d3ac9d176eb3d1b16cabe844ea192037b4e8ea7a913ee21f4b7e368178d8e0c22b1d737c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2606208.exe

Filesize
11KB

MD5
46bc2ec112e6603454761cd76c2be6d6

SHA1
199ebea81a631d64f040611b39c740200e7154a9

SHA256
a41e61463876c72d1b78617a3757a6ca22f79915223bddf2dc8546b1710e11c7

SHA512
ed53a574c7aa346fb92069502ceb8e329b4eb4e3af7ba7f48042db85de26d54281caae09e6c7e50dc2a2774dde80a797e4090739b46d561626ef425bcfaa9988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2606208.exe

Filesize
11KB

MD5
46bc2ec112e6603454761cd76c2be6d6

SHA1
199ebea81a631d64f040611b39c740200e7154a9

SHA256
a41e61463876c72d1b78617a3757a6ca22f79915223bddf2dc8546b1710e11c7

SHA512
ed53a574c7aa346fb92069502ceb8e329b4eb4e3af7ba7f48042db85de26d54281caae09e6c7e50dc2a2774dde80a797e4090739b46d561626ef425bcfaa9988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3321398.exe

Filesize
140KB

MD5
06994456d2b044b13b55eebeaff4d939

SHA1
e4835bc8888d430114e05e682f650e2c70533454

SHA256
1e4deaa94d9b2ee82ceea0caf363fba2e36a741cb6f62205e4d770eba64cd390

SHA512
284d757829165797d6a1a66530a5d5e8e5e987906c94a9b69c552f911db8e383d0bf2a2710c5d69132dcb1300836c47014784e08517cb59d3d2fb2be4e3e2db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3321398.exe

Filesize
140KB

MD5
06994456d2b044b13b55eebeaff4d939

SHA1
e4835bc8888d430114e05e682f650e2c70533454

SHA256
1e4deaa94d9b2ee82ceea0caf363fba2e36a741cb6f62205e4d770eba64cd390

SHA512
284d757829165797d6a1a66530a5d5e8e5e987906c94a9b69c552f911db8e383d0bf2a2710c5d69132dcb1300836c47014784e08517cb59d3d2fb2be4e3e2db8

Download Submit
memory/704-155-0x00007FFED5430000-0x00007FFED5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/704-153-0x00007FFED5430000-0x00007FFED5E1C000-memory.dmp

Filesize
9.9MB

Download
memory/704-152-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/4416-162-0x0000000000A50000-0x0000000000A80000-memory.dmp

Filesize
192KB

Download
memory/4416-163-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download
memory/4416-164-0x0000000002DC0000-0x0000000002DC6000-memory.dmp

Filesize
24KB

Download
memory/4416-165-0x000000000AD10000-0x000000000B316000-memory.dmp

Filesize
6.0MB

Download
memory/4416-166-0x000000000A860000-0x000000000A96A000-memory.dmp

Filesize
1.0MB

Download
memory/4416-167-0x000000000A790000-0x000000000A7A2000-memory.dmp

Filesize
72KB

Download
memory/4416-168-0x000000000A7F0000-0x000000000A82E000-memory.dmp

Filesize
248KB

Download
memory/4416-169-0x000000000A970000-0x000000000A9BB000-memory.dmp

Filesize
300KB

Download
memory/4416-170-0x0000000072F10000-0x00000000735FE000-memory.dmp

Filesize
6.9MB

Download