healer | 0909baaf53e6a619c59a38ed97abdca6a71349c2934347302fcd8a6ab680a2b9

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 12:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0909baaf53e6a619c59a38ed97abdca6a71349c2934347302fcd8a6ab680a2b9.exe
Size

838KB
MD5

06e34c8370ceced829d51f2d4e5fb63e
SHA1

d22a2ca9e64e3e1e9347c97a3b8cdd6fa202ad57
SHA256

0909baaf53e6a619c59a38ed97abdca6a71349c2934347302fcd8a6ab680a2b9
SHA512

32c7ddb41087bf398e6ecfbc9e3454d243b68b21289c9519529da7ccba7849305803fb7794db660a8113d6c97eed4b70beb7558a1eeb6dc04a339fc0739ba739
SSDEEP

24576:ryYjRJ30P7469Szbue2KbmEBDIV6CGahw:eKkzdu32KbW6CGah

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023099-170.dat	healer
behavioral1/files/0x0007000000023099-169.dat	healer
behavioral1/memory/2116-171-0x0000000000A50000-0x0000000000A5A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a3423840.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3423840.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3423840.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3423840.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3423840.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3423840.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2468	v7572476.exe
3152	v0304305.exe
4496	v3088817.exe
1200	v9498926.exe
2116	a3423840.exe
2300	b3791398.exe
3948	c1855511.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3423840.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0909baaf53e6a619c59a38ed97abdca6a71349c2934347302fcd8a6ab680a2b9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7572476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0304305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3088817.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9498926.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2116	a3423840.exe
2116	a3423840.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	a3423840.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2468	2304	0909baaf53e6a619c59a38ed97abdca6a71349c2934347302fcd8a6ab680a2b9.exe	81
PID 2304 wrote to memory of 2468	2304	0909baaf53e6a619c59a38ed97abdca6a71349c2934347302fcd8a6ab680a2b9.exe	81
PID 2304 wrote to memory of 2468	2304	0909baaf53e6a619c59a38ed97abdca6a71349c2934347302fcd8a6ab680a2b9.exe	81
PID 2468 wrote to memory of 3152	2468	v7572476.exe	82
PID 2468 wrote to memory of 3152	2468	v7572476.exe	82
PID 2468 wrote to memory of 3152	2468	v7572476.exe	82
PID 3152 wrote to memory of 4496	3152	v0304305.exe	83
PID 3152 wrote to memory of 4496	3152	v0304305.exe	83
PID 3152 wrote to memory of 4496	3152	v0304305.exe	83
PID 4496 wrote to memory of 1200	4496	v3088817.exe	84
PID 4496 wrote to memory of 1200	4496	v3088817.exe	84
PID 4496 wrote to memory of 1200	4496	v3088817.exe	84
PID 1200 wrote to memory of 2116	1200	v9498926.exe	85
PID 1200 wrote to memory of 2116	1200	v9498926.exe	85
PID 1200 wrote to memory of 2300	1200	v9498926.exe	87
PID 1200 wrote to memory of 2300	1200	v9498926.exe	87
PID 1200 wrote to memory of 2300	1200	v9498926.exe	87
PID 4496 wrote to memory of 3948	4496	v3088817.exe	88
PID 4496 wrote to memory of 3948	4496	v3088817.exe	88
PID 4496 wrote to memory of 3948	4496	v3088817.exe	88

C:\Users\Admin\AppData\Local\Temp\0909baaf53e6a619c59a38ed97abdca6a71349c2934347302fcd8a6ab680a2b9.exe
"C:\Users\Admin\AppData\Local\Temp\0909baaf53e6a619c59a38ed97abdca6a71349c2934347302fcd8a6ab680a2b9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7572476.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7572476.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0304305.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0304305.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3088817.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3088817.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9498926.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9498926.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3423840.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3423840.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3791398.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3791398.exe
        6⤵
        Executes dropped EXE
        
        PID:2300
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1855511.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1855511.exe
        5⤵
        Executes dropped EXE
        
        PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7572476.exe

Filesize
723KB

MD5
e923594f75adfa07e114f4e8e6232ace

SHA1
530fa2446fa1298e9808419e64722b0fc22d8312

SHA256
05e86e1efe33d719d531e92db46c84b9b7f22ebaa984f526ce4cc934edf34c01

SHA512
9206f5d84a18b11ac9390c0dab84c8ee2e50da0fd984c465d62d45eee2c9bd5694fd7aa8dd1a876f8fa4344c3687ac278d592c8da8318352febc08f9ed1a6dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7572476.exe

Filesize
723KB

MD5
e923594f75adfa07e114f4e8e6232ace

SHA1
530fa2446fa1298e9808419e64722b0fc22d8312

SHA256
05e86e1efe33d719d531e92db46c84b9b7f22ebaa984f526ce4cc934edf34c01

SHA512
9206f5d84a18b11ac9390c0dab84c8ee2e50da0fd984c465d62d45eee2c9bd5694fd7aa8dd1a876f8fa4344c3687ac278d592c8da8318352febc08f9ed1a6dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0304305.exe

Filesize
497KB

MD5
b86be89f15e17ede1ad37fd5de8bde30

SHA1
b94ea7676ad892b4bb2e55afb57bc78c1fcfa35b

SHA256
9e59744d9f52ee2bcaa3890d827aa3a62b3a1803fc39f4c0518057ca875c9573

SHA512
7c1faaf3399f239fe6af9fcb82e2feaab176f7b82f4b640e346259347dac72ef4231db2f2b40a7db272989f8c477479ec910748f59a98bbfbcd3660f1ab0de06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0304305.exe

Filesize
497KB

MD5
b86be89f15e17ede1ad37fd5de8bde30

SHA1
b94ea7676ad892b4bb2e55afb57bc78c1fcfa35b

SHA256
9e59744d9f52ee2bcaa3890d827aa3a62b3a1803fc39f4c0518057ca875c9573

SHA512
7c1faaf3399f239fe6af9fcb82e2feaab176f7b82f4b640e346259347dac72ef4231db2f2b40a7db272989f8c477479ec910748f59a98bbfbcd3660f1ab0de06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3088817.exe

Filesize
372KB

MD5
a665c510210922abcab4b1a9def50fd2

SHA1
9c36ef6d34dedec197aed0a996bea9fd13e277dc

SHA256
11cc55f43cbc8e1a29b3c1fad66faa6b190d91efc049283621d72abde75ff7fc

SHA512
131b3d97870e922c2cf449f722824137cf16ee75f298d78bb4ad25b435d9bec1df30fba24b53e69b3e9d748e2d19388070f6253feba0b04f5aa85537648f5ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3088817.exe

Filesize
372KB

MD5
a665c510210922abcab4b1a9def50fd2

SHA1
9c36ef6d34dedec197aed0a996bea9fd13e277dc

SHA256
11cc55f43cbc8e1a29b3c1fad66faa6b190d91efc049283621d72abde75ff7fc

SHA512
131b3d97870e922c2cf449f722824137cf16ee75f298d78bb4ad25b435d9bec1df30fba24b53e69b3e9d748e2d19388070f6253feba0b04f5aa85537648f5ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1855511.exe

Filesize
174KB

MD5
909d1ba6b2b07238a6eeaf2abaa5dc3f

SHA1
448549530e023032eba5890796760332ee2c31a6

SHA256
4ab744763a9ca5c2de13ad85341587b2bb0010837ddcb62e54f0f010673a3629

SHA512
a3ab9a6e272b67220420123acb2e3f11688b64517aa0df52e114027037175fcec527b931f05705189c9029d06e4b790dfd17ead40536726606401c676bae1092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1855511.exe

Filesize
174KB

MD5
909d1ba6b2b07238a6eeaf2abaa5dc3f

SHA1
448549530e023032eba5890796760332ee2c31a6

SHA256
4ab744763a9ca5c2de13ad85341587b2bb0010837ddcb62e54f0f010673a3629

SHA512
a3ab9a6e272b67220420123acb2e3f11688b64517aa0df52e114027037175fcec527b931f05705189c9029d06e4b790dfd17ead40536726606401c676bae1092

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9498926.exe

Filesize
216KB

MD5
389de40da684d91fd5185a0ab701ce4f

SHA1
b2fc5da4426f0bd80ef85de36ec037e116695b90

SHA256
db0176ba94b21becdbf319125f3f9373a2f928e8c60b4f6a20c2e5de715fdc66

SHA512
06271705b2570b75bb5a1c485ab52552b75a089c793298c0af420423e1b96bfc1a78252ed2c510b5789e2581387e7f76353de74fc17b153b1f383e39082ad2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9498926.exe

Filesize
216KB

MD5
389de40da684d91fd5185a0ab701ce4f

SHA1
b2fc5da4426f0bd80ef85de36ec037e116695b90

SHA256
db0176ba94b21becdbf319125f3f9373a2f928e8c60b4f6a20c2e5de715fdc66

SHA512
06271705b2570b75bb5a1c485ab52552b75a089c793298c0af420423e1b96bfc1a78252ed2c510b5789e2581387e7f76353de74fc17b153b1f383e39082ad2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3423840.exe

Filesize
11KB

MD5
2bcd94362feb3339cc7f2d48324e257b

SHA1
69ce99be3026c1fc425d1e053e7c1e4c885a8552

SHA256
e33d5b75634a650d1025726c4a862bd0a1234b7ca8227c57c8ae8604eec8710a

SHA512
f8cc1ef25c9099da17f3e772e4ea52a9d6eb254ea1d4aa76b4a7391efa1cabf31ffb10556dfefc6b4c607de22180adc1824a983157f166f39b631bcaf0589ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3423840.exe

Filesize
11KB

MD5
2bcd94362feb3339cc7f2d48324e257b

SHA1
69ce99be3026c1fc425d1e053e7c1e4c885a8552

SHA256
e33d5b75634a650d1025726c4a862bd0a1234b7ca8227c57c8ae8604eec8710a

SHA512
f8cc1ef25c9099da17f3e772e4ea52a9d6eb254ea1d4aa76b4a7391efa1cabf31ffb10556dfefc6b4c607de22180adc1824a983157f166f39b631bcaf0589ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3791398.exe

Filesize
140KB

MD5
e0337bfc0ab9a5471e14a209133fd2f5

SHA1
3b3f726a0e1039e04e3d0c0589ca75c44681f907

SHA256
91ce4add4db9a6fd1dce9688b5a3904e88744dee76678d5d6cb8d9c92647bf20

SHA512
9be70d3270b29547867cb05f014862b6306d6c7ee871b13bba42340ce9861755a1b68231d179b9bf7558693c3803e1c01f2f614a98b809af9171135d023b8399

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3791398.exe

Filesize
140KB

MD5
e0337bfc0ab9a5471e14a209133fd2f5

SHA1
3b3f726a0e1039e04e3d0c0589ca75c44681f907

SHA256
91ce4add4db9a6fd1dce9688b5a3904e88744dee76678d5d6cb8d9c92647bf20

SHA512
9be70d3270b29547867cb05f014862b6306d6c7ee871b13bba42340ce9861755a1b68231d179b9bf7558693c3803e1c01f2f614a98b809af9171135d023b8399

Download Submit
memory/2116-173-0x00007FFE12280000-0x00007FFE12D41000-memory.dmp

Filesize
10.8MB

Download
memory/2116-175-0x00007FFE12280000-0x00007FFE12D41000-memory.dmp

Filesize
10.8MB

Download
memory/2116-172-0x00007FFE12280000-0x00007FFE12D41000-memory.dmp

Filesize
10.8MB

Download
memory/2116-171-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/3948-182-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/3948-183-0x0000000000480000-0x00000000004B0000-memory.dmp

Filesize
192KB

Download
memory/3948-184-0x000000000A8F0000-0x000000000AF08000-memory.dmp

Filesize
6.1MB

Download
memory/3948-185-0x000000000A430000-0x000000000A53A000-memory.dmp

Filesize
1.0MB

Download
memory/3948-186-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/3948-187-0x000000000A370000-0x000000000A382000-memory.dmp

Filesize
72KB

Download
memory/3948-188-0x000000000A3D0000-0x000000000A40C000-memory.dmp

Filesize
240KB

Download
memory/3948-189-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/3948-190-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download