healer | 033672b2b74532d7259bd6d4665c7211f11c5774fadb28c73e051a31fda76e99

Analysis

max time kernel
145s
max time network
155s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22/08/2023, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

033672b2b74532d7259bd6d4665c7211f11c5774fadb28c73e051a31fda76e99.exe
Size

828KB
MD5

95d7001ea74c030a925aa7156404230b
SHA1

c2c01a70ddd3ebd9d47cc252a0269c52914031f0
SHA256

033672b2b74532d7259bd6d4665c7211f11c5774fadb28c73e051a31fda76e99
SHA512

008f91bc0cf9d6493cdb14ac6cb655415a6176231150bbff779d07a4a3b9b0c6e59fd6bdf8e3428d598b235f1aadd8f5104f0b12edf1776c78b1f9c35c972bd0
SSDEEP

24576:2yP2IhVl9ZgTE2WI0hib1AVki2pHQcG0:FZpP2WI0hipAj+

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afb9-153.dat	healer
behavioral1/files/0x000700000001afb9-154.dat	healer
behavioral1/memory/68-155-0x0000000000030000-0x000000000003A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7192884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7192884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7192884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7192884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7192884.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4892	v6894176.exe
1816	v6329119.exe
2884	v7911867.exe
2988	v9247211.exe
68	a7192884.exe
4880	b1008950.exe
712	c3258177.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7192884.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	033672b2b74532d7259bd6d4665c7211f11c5774fadb28c73e051a31fda76e99.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6894176.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6329119.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7911867.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9247211.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
68	a7192884.exe
68	a7192884.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	68	a7192884.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 4892	4804	033672b2b74532d7259bd6d4665c7211f11c5774fadb28c73e051a31fda76e99.exe	70
PID 4804 wrote to memory of 4892	4804	033672b2b74532d7259bd6d4665c7211f11c5774fadb28c73e051a31fda76e99.exe	70
PID 4804 wrote to memory of 4892	4804	033672b2b74532d7259bd6d4665c7211f11c5774fadb28c73e051a31fda76e99.exe	70
PID 4892 wrote to memory of 1816	4892	v6894176.exe	71
PID 4892 wrote to memory of 1816	4892	v6894176.exe	71
PID 4892 wrote to memory of 1816	4892	v6894176.exe	71
PID 1816 wrote to memory of 2884	1816	v6329119.exe	72
PID 1816 wrote to memory of 2884	1816	v6329119.exe	72
PID 1816 wrote to memory of 2884	1816	v6329119.exe	72
PID 2884 wrote to memory of 2988	2884	v7911867.exe	73
PID 2884 wrote to memory of 2988	2884	v7911867.exe	73
PID 2884 wrote to memory of 2988	2884	v7911867.exe	73
PID 2988 wrote to memory of 68	2988	v9247211.exe	74
PID 2988 wrote to memory of 68	2988	v9247211.exe	74
PID 2988 wrote to memory of 4880	2988	v9247211.exe	75
PID 2988 wrote to memory of 4880	2988	v9247211.exe	75
PID 2988 wrote to memory of 4880	2988	v9247211.exe	75
PID 2884 wrote to memory of 712	2884	v7911867.exe	76
PID 2884 wrote to memory of 712	2884	v7911867.exe	76
PID 2884 wrote to memory of 712	2884	v7911867.exe	76

C:\Users\Admin\AppData\Local\Temp\033672b2b74532d7259bd6d4665c7211f11c5774fadb28c73e051a31fda76e99.exe
"C:\Users\Admin\AppData\Local\Temp\033672b2b74532d7259bd6d4665c7211f11c5774fadb28c73e051a31fda76e99.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6894176.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6894176.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6329119.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6329119.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7911867.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7911867.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9247211.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9247211.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7192884.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7192884.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:68
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1008950.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1008950.exe
        6⤵
        Executes dropped EXE
        
        PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3258177.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3258177.exe
        5⤵
        Executes dropped EXE
        
        PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6894176.exe

Filesize
723KB

MD5
c761ac0aa28c2c015dfec6c1f754a652

SHA1
dc201e2465c26f4eaa41825e7d545e5c6d29aed9

SHA256
edd2bbd586a9c6c78df76b8ce2dad36a1dfed3438c510512497d9059bdb9d004

SHA512
f51d6357733db850aec84ca80339d0406b5c86afefd1be5090e48aed758be0bbed7ade5e507d64deeac145487405a9ec060298d624fff51d7c9e424ca9a6a0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6894176.exe

Filesize
723KB

MD5
c761ac0aa28c2c015dfec6c1f754a652

SHA1
dc201e2465c26f4eaa41825e7d545e5c6d29aed9

SHA256
edd2bbd586a9c6c78df76b8ce2dad36a1dfed3438c510512497d9059bdb9d004

SHA512
f51d6357733db850aec84ca80339d0406b5c86afefd1be5090e48aed758be0bbed7ade5e507d64deeac145487405a9ec060298d624fff51d7c9e424ca9a6a0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6329119.exe

Filesize
497KB

MD5
fd6164602c0bf91a489dc9d34388201c

SHA1
190c4458f3d215f4d2ac325c82546d13ae93d73c

SHA256
2ed7f4b5ceb81227e94a8980a355ad137894416115391835773d3f1b5e17d65f

SHA512
6c6b6eaaf484c27141fa936201be7014ba0852f4768c7cf5d23042d81f250be56a98f38265590d7705f1401a663e36c51d96bba4f4e308ab7bf0d66ba3694a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6329119.exe

Filesize
497KB

MD5
fd6164602c0bf91a489dc9d34388201c

SHA1
190c4458f3d215f4d2ac325c82546d13ae93d73c

SHA256
2ed7f4b5ceb81227e94a8980a355ad137894416115391835773d3f1b5e17d65f

SHA512
6c6b6eaaf484c27141fa936201be7014ba0852f4768c7cf5d23042d81f250be56a98f38265590d7705f1401a663e36c51d96bba4f4e308ab7bf0d66ba3694a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7911867.exe

Filesize
372KB

MD5
246cb48026ee0451efc6235ab2ca726c

SHA1
55090469b1136ba4bc7695f1c88ad612bcbe2d84

SHA256
8abd8b6b55c0eae475a569f86056f0dae275247a19007ebea2e5c9339e908cb8

SHA512
8ee1e4915ebcd8c2706e76528a86fb1e21e32f98ed4e6d7a37f94b15e86c745720c6093f5bca9e1bd099950dda22a7f8efa69e12ead918c7e9d98c7e8132cd0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7911867.exe

Filesize
372KB

MD5
246cb48026ee0451efc6235ab2ca726c

SHA1
55090469b1136ba4bc7695f1c88ad612bcbe2d84

SHA256
8abd8b6b55c0eae475a569f86056f0dae275247a19007ebea2e5c9339e908cb8

SHA512
8ee1e4915ebcd8c2706e76528a86fb1e21e32f98ed4e6d7a37f94b15e86c745720c6093f5bca9e1bd099950dda22a7f8efa69e12ead918c7e9d98c7e8132cd0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3258177.exe

Filesize
174KB

MD5
669c96535f34e94de6f5098239094860

SHA1
51bd30db10cce74a8b597f5cb07a51dbc63d662e

SHA256
0cdc42b44851a10f71aebf8a03857b7233fb88eb9f7205ff43b2bef8a428eda6

SHA512
bb42f375f026c6bc58862418366131129cdfbe0860714eef91e7280b94ed9d6c327a9511aef52e63875d7b23ca705f06134944d2ede7cca20c5f008b4bca3b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3258177.exe

Filesize
174KB

MD5
669c96535f34e94de6f5098239094860

SHA1
51bd30db10cce74a8b597f5cb07a51dbc63d662e

SHA256
0cdc42b44851a10f71aebf8a03857b7233fb88eb9f7205ff43b2bef8a428eda6

SHA512
bb42f375f026c6bc58862418366131129cdfbe0860714eef91e7280b94ed9d6c327a9511aef52e63875d7b23ca705f06134944d2ede7cca20c5f008b4bca3b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9247211.exe

Filesize
216KB

MD5
714c3d2392c971eaa05f5cd11e96fadf

SHA1
0782fa3ac520ce506c2b0f9ed8d8181ac2345ac6

SHA256
f45efd5b7456424b4c3d0f738c053422545897d7b0fdb8d086850f6f24f8aaef

SHA512
3bf75c5421bac7a03cf3eea7960b37e10e8fcd7869d1f06e1281a1093eb76016c8700f3666ecdddc2fe8d94bc7ad7712307ae3c7cba11066e6cbd22029cffbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9247211.exe

Filesize
216KB

MD5
714c3d2392c971eaa05f5cd11e96fadf

SHA1
0782fa3ac520ce506c2b0f9ed8d8181ac2345ac6

SHA256
f45efd5b7456424b4c3d0f738c053422545897d7b0fdb8d086850f6f24f8aaef

SHA512
3bf75c5421bac7a03cf3eea7960b37e10e8fcd7869d1f06e1281a1093eb76016c8700f3666ecdddc2fe8d94bc7ad7712307ae3c7cba11066e6cbd22029cffbec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7192884.exe

Filesize
11KB

MD5
16f8579229657d995258518e971356e1

SHA1
e03cfa1d4f35954ed2c7c18ac3e8252508487fd5

SHA256
0ac7b69edc9a9182c44cdea2750500370432ca6d5cdd119c0062e80dd828eb68

SHA512
5be1153d855c7ee37370cc57e2bf27eab30bcbb38d712f6307f8edfdb02ae3601618ca97799f55d55914d8e25c34cfb9f9ecc16579a7bd7a985ee4aaac43c283

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7192884.exe

Filesize
11KB

MD5
16f8579229657d995258518e971356e1

SHA1
e03cfa1d4f35954ed2c7c18ac3e8252508487fd5

SHA256
0ac7b69edc9a9182c44cdea2750500370432ca6d5cdd119c0062e80dd828eb68

SHA512
5be1153d855c7ee37370cc57e2bf27eab30bcbb38d712f6307f8edfdb02ae3601618ca97799f55d55914d8e25c34cfb9f9ecc16579a7bd7a985ee4aaac43c283

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1008950.exe

Filesize
140KB

MD5
a3b0e3fb09c6d200d2d3d0380a170246

SHA1
8da3b825d05a2ad66608e743b73924015bc425b2

SHA256
5e45f6d22065e981fbe7db31543553b0803e49f1764ee84cad8adae54c42e492

SHA512
16667a8612b30dc3cc717c5163e645d83d3a2cb5e70d7c520fb8d9a4ec126f6b0a9ee847c243c490b9c6a5d111416720030c581e97f274b280456a1f489ddc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1008950.exe

Filesize
140KB

MD5
a3b0e3fb09c6d200d2d3d0380a170246

SHA1
8da3b825d05a2ad66608e743b73924015bc425b2

SHA256
5e45f6d22065e981fbe7db31543553b0803e49f1764ee84cad8adae54c42e492

SHA512
16667a8612b30dc3cc717c5163e645d83d3a2cb5e70d7c520fb8d9a4ec126f6b0a9ee847c243c490b9c6a5d111416720030c581e97f274b280456a1f489ddc74

Download Submit
memory/68-158-0x00007FFCC20B0000-0x00007FFCC2A9C000-memory.dmp

Filesize
9.9MB

Download
memory/68-156-0x00007FFCC20B0000-0x00007FFCC2A9C000-memory.dmp

Filesize
9.9MB

Download
memory/68-155-0x0000000000030000-0x000000000003A000-memory.dmp

Filesize
40KB

Download
memory/712-165-0x0000000000F70000-0x0000000000FA0000-memory.dmp

Filesize
192KB

Download
memory/712-166-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/712-167-0x00000000030F0000-0x00000000030F6000-memory.dmp

Filesize
24KB

Download
memory/712-168-0x000000000B230000-0x000000000B836000-memory.dmp

Filesize
6.0MB

Download
memory/712-169-0x000000000AD80000-0x000000000AE8A000-memory.dmp

Filesize
1.0MB

Download
memory/712-170-0x000000000ACB0000-0x000000000ACC2000-memory.dmp

Filesize
72KB

Download
memory/712-171-0x000000000AD10000-0x000000000AD4E000-memory.dmp

Filesize
248KB

Download
memory/712-172-0x000000000AE90000-0x000000000AEDB000-memory.dmp

Filesize
300KB

Download
memory/712-173-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download