healer | 2577c052789bce3a5d72d4e9cea33b945f99b20000ea1f1cbb1b61e72f687c85

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2577c052789bce3a5d72d4e9cea33b945f99b20000ea1f1cbb1b61e72f687c85.exe
Size

829KB
MD5

6bebc5fe020296ea13590e9dc549e14f
SHA1

7da48756262282edfa872d6b69b12a96e41909e6
SHA256

2577c052789bce3a5d72d4e9cea33b945f99b20000ea1f1cbb1b61e72f687c85
SHA512

7967bda309bf80e76da70c6db080719695d2cd5e01481af9724add20d9696e4e8a0d48725eb81f9c2ca6d84cd6d3d01b9062cb9611c99d69135850e7288bb3bf
SSDEEP

24576:xyzHBPeWkppXC80ze2DkAjhTFHyu89uJP:kzHBPrk6jnhFXL

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000002322a-167.dat	healer
behavioral1/files/0x000800000002322a-166.dat	healer
behavioral1/memory/4248-168-0x0000000000170000-0x000000000017A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1379871.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1379871.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1379871.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1379871.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1379871.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1379871.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2860	v0215415.exe
1656	v8762767.exe
1736	v2389784.exe
1664	v5089979.exe
4248	a1379871.exe
980	b2004640.exe
2540	c3014458.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1379871.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2577c052789bce3a5d72d4e9cea33b945f99b20000ea1f1cbb1b61e72f687c85.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0215415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8762767.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2389784.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5089979.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4248	a1379871.exe
4248	a1379871.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	a1379871.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2860	2080	2577c052789bce3a5d72d4e9cea33b945f99b20000ea1f1cbb1b61e72f687c85.exe	80
PID 2080 wrote to memory of 2860	2080	2577c052789bce3a5d72d4e9cea33b945f99b20000ea1f1cbb1b61e72f687c85.exe	80
PID 2080 wrote to memory of 2860	2080	2577c052789bce3a5d72d4e9cea33b945f99b20000ea1f1cbb1b61e72f687c85.exe	80
PID 2860 wrote to memory of 1656	2860	v0215415.exe	81
PID 2860 wrote to memory of 1656	2860	v0215415.exe	81
PID 2860 wrote to memory of 1656	2860	v0215415.exe	81
PID 1656 wrote to memory of 1736	1656	v8762767.exe	82
PID 1656 wrote to memory of 1736	1656	v8762767.exe	82
PID 1656 wrote to memory of 1736	1656	v8762767.exe	82
PID 1736 wrote to memory of 1664	1736	v2389784.exe	83
PID 1736 wrote to memory of 1664	1736	v2389784.exe	83
PID 1736 wrote to memory of 1664	1736	v2389784.exe	83
PID 1664 wrote to memory of 4248	1664	v5089979.exe	84
PID 1664 wrote to memory of 4248	1664	v5089979.exe	84
PID 1664 wrote to memory of 980	1664	v5089979.exe	90
PID 1664 wrote to memory of 980	1664	v5089979.exe	90
PID 1664 wrote to memory of 980	1664	v5089979.exe	90
PID 1736 wrote to memory of 2540	1736	v2389784.exe	91
PID 1736 wrote to memory of 2540	1736	v2389784.exe	91
PID 1736 wrote to memory of 2540	1736	v2389784.exe	91

C:\Users\Admin\AppData\Local\Temp\2577c052789bce3a5d72d4e9cea33b945f99b20000ea1f1cbb1b61e72f687c85.exe
"C:\Users\Admin\AppData\Local\Temp\2577c052789bce3a5d72d4e9cea33b945f99b20000ea1f1cbb1b61e72f687c85.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0215415.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0215415.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8762767.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8762767.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2389784.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2389784.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5089979.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5089979.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1379871.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1379871.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2004640.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2004640.exe
        6⤵
        Executes dropped EXE
        
        PID:980
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3014458.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3014458.exe
        5⤵
        Executes dropped EXE
        
        PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0215415.exe

Filesize
723KB

MD5
4ae241917047316274dc8d1152979579

SHA1
20656d8c22565677c487022d51519776aa0b0678

SHA256
8db7636d08ad5c393d60b8e38a675314c863f96bf99897061a475d54b6431c81

SHA512
dae76e613ff464ae292bff498e023968d2d4333cf789bc5a8bb3e4e0d1c1128ff13d3cd2c32f5e2bdb8a931c83ae27e3214f566b5f6f15161a93d88bd9befb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0215415.exe

Filesize
723KB

MD5
4ae241917047316274dc8d1152979579

SHA1
20656d8c22565677c487022d51519776aa0b0678

SHA256
8db7636d08ad5c393d60b8e38a675314c863f96bf99897061a475d54b6431c81

SHA512
dae76e613ff464ae292bff498e023968d2d4333cf789bc5a8bb3e4e0d1c1128ff13d3cd2c32f5e2bdb8a931c83ae27e3214f566b5f6f15161a93d88bd9befb7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8762767.exe

Filesize
497KB

MD5
5f9a4c9971c0ef49d5a2c4b4bcc14f8a

SHA1
71b284952a02937434f3a4803eca882360b429ea

SHA256
97d318c03b11878610bb84655bb321a814cd10ae6c948504cb1570e939dffeb4

SHA512
deae6e42bbf00d8199b4e08d926d5de70eff305ec0e92d4e37d56ca230786d86109c4f2bb1b82bcab28339ebd863adaafd909fafee704068edf5d279a3ba3ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8762767.exe

Filesize
497KB

MD5
5f9a4c9971c0ef49d5a2c4b4bcc14f8a

SHA1
71b284952a02937434f3a4803eca882360b429ea

SHA256
97d318c03b11878610bb84655bb321a814cd10ae6c948504cb1570e939dffeb4

SHA512
deae6e42bbf00d8199b4e08d926d5de70eff305ec0e92d4e37d56ca230786d86109c4f2bb1b82bcab28339ebd863adaafd909fafee704068edf5d279a3ba3ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2389784.exe

Filesize
372KB

MD5
ea99de04a591693db1dd7c6f70d25287

SHA1
038b69d65e4623cafa69531cba8948d98a5752dd

SHA256
badcdf1258fd8740fce5bf1f3577d493aa9f36acb692364c4396566d6ab4502b

SHA512
9e0a6a38fc3d07e111530dd49a06afff50965ab5f48c07636956e35fd52b60795d48c5e1cb934b603a8f55a3995debcf4df0190617351ef0cde02d1bb7095de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2389784.exe

Filesize
372KB

MD5
ea99de04a591693db1dd7c6f70d25287

SHA1
038b69d65e4623cafa69531cba8948d98a5752dd

SHA256
badcdf1258fd8740fce5bf1f3577d493aa9f36acb692364c4396566d6ab4502b

SHA512
9e0a6a38fc3d07e111530dd49a06afff50965ab5f48c07636956e35fd52b60795d48c5e1cb934b603a8f55a3995debcf4df0190617351ef0cde02d1bb7095de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3014458.exe

Filesize
174KB

MD5
b64e513de7cca244458d794b12c49374

SHA1
ca7c5393de85ab8e8bbdb2e9c7475a628391c30a

SHA256
7477e62530c788878e92f1441896ab9023f45a247a302fbee06dee1676fea880

SHA512
6e2a2ce08599b3853aa0eb376b359cccd3ac4d04d4b077b3f7a26532480c2e38020f52ac2a94bf499fcb9258ae86dfd7d3e595e9ffccb72c6eff62e286360327

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3014458.exe

Filesize
174KB

MD5
b64e513de7cca244458d794b12c49374

SHA1
ca7c5393de85ab8e8bbdb2e9c7475a628391c30a

SHA256
7477e62530c788878e92f1441896ab9023f45a247a302fbee06dee1676fea880

SHA512
6e2a2ce08599b3853aa0eb376b359cccd3ac4d04d4b077b3f7a26532480c2e38020f52ac2a94bf499fcb9258ae86dfd7d3e595e9ffccb72c6eff62e286360327

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5089979.exe

Filesize
216KB

MD5
4f6adee351b89f7ce61890588ffabe03

SHA1
066258083c258cf6fe8a0048659a1e199ba0fd6f

SHA256
67e0b8a0db582f81d9a1f5a4159f8e479f9fee0fd5610dc436338b350068bca4

SHA512
d8c5ca817eadb2e176d240e90c6e165169ddec761c7fa960e2c00dcf16fbf59a78dc3cb2f7b0ad8201c5bec92ca0db0cbcab876790faa15a515da16a3bfb3b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5089979.exe

Filesize
216KB

MD5
4f6adee351b89f7ce61890588ffabe03

SHA1
066258083c258cf6fe8a0048659a1e199ba0fd6f

SHA256
67e0b8a0db582f81d9a1f5a4159f8e479f9fee0fd5610dc436338b350068bca4

SHA512
d8c5ca817eadb2e176d240e90c6e165169ddec761c7fa960e2c00dcf16fbf59a78dc3cb2f7b0ad8201c5bec92ca0db0cbcab876790faa15a515da16a3bfb3b89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1379871.exe

Filesize
11KB

MD5
79e4d8d3c0a43fe16ba8c7c1fac1e1dc

SHA1
a3171339ad7f4fb382363e6faa1593341821909e

SHA256
e7d51007282866e3cb4efb9aad2df131e21a915f448e3eb5213a1a3052e8ab94

SHA512
fcac778177ff9425edca0d458bd4f720213fc8a0de119a1f1d4600517b875b0fe8478acc23c066adc32bae907571e9d67cd0322e59f39eb60798a06a669dde08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1379871.exe

Filesize
11KB

MD5
79e4d8d3c0a43fe16ba8c7c1fac1e1dc

SHA1
a3171339ad7f4fb382363e6faa1593341821909e

SHA256
e7d51007282866e3cb4efb9aad2df131e21a915f448e3eb5213a1a3052e8ab94

SHA512
fcac778177ff9425edca0d458bd4f720213fc8a0de119a1f1d4600517b875b0fe8478acc23c066adc32bae907571e9d67cd0322e59f39eb60798a06a669dde08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2004640.exe

Filesize
140KB

MD5
cc3cf969dbc3176cee04153b9ce5d713

SHA1
365c419e5ba0dd8674012ea7109d1d20c99bd417

SHA256
58dcedb0824f71315e38f509dab84cad5c7c6d404bb2f1167ec3716080547e9a

SHA512
e60316342b26b8cd75be91f237c52ffa748908f788221baeb02f1ac495f0bc3fbc73be9b110434d1f0d978a7485690aa27d383aa285709ce26ecd3affe7333dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2004640.exe

Filesize
140KB

MD5
cc3cf969dbc3176cee04153b9ce5d713

SHA1
365c419e5ba0dd8674012ea7109d1d20c99bd417

SHA256
58dcedb0824f71315e38f509dab84cad5c7c6d404bb2f1167ec3716080547e9a

SHA512
e60316342b26b8cd75be91f237c52ffa748908f788221baeb02f1ac495f0bc3fbc73be9b110434d1f0d978a7485690aa27d383aa285709ce26ecd3affe7333dd

Download Submit
memory/2540-179-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2540-178-0x0000000000A70000-0x0000000000AA0000-memory.dmp

Filesize
192KB

Download
memory/2540-180-0x000000000AED0000-0x000000000B4E8000-memory.dmp

Filesize
6.1MB

Download
memory/2540-181-0x000000000AA20000-0x000000000AB2A000-memory.dmp

Filesize
1.0MB

Download
memory/2540-182-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/2540-183-0x000000000A960000-0x000000000A972000-memory.dmp

Filesize
72KB

Download
memory/2540-184-0x000000000A9C0000-0x000000000A9FC000-memory.dmp

Filesize
240KB

Download
memory/2540-185-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2540-186-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/4248-171-0x00007FFAE3440000-0x00007FFAE3F01000-memory.dmp

Filesize
10.8MB

Download
memory/4248-169-0x00007FFAE3440000-0x00007FFAE3F01000-memory.dmp

Filesize
10.8MB

Download
memory/4248-168-0x0000000000170000-0x000000000017A000-memory.dmp

Filesize
40KB

Download