healer | 844e1d852d6e53ee6d479e42799d6e0ef6d57e7af3361c59b5c5d60439894dee

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22/08/2023, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

844e1d852d6e53ee6d479e42799d6e0ef6d57e7af3361c59b5c5d60439894dee.exe
Size

827KB
MD5

edab32600cb669c7c9f9f08284835e57
SHA1

f36b2dd569a020b61db0d3593cf21f4da8213e4c
SHA256

844e1d852d6e53ee6d479e42799d6e0ef6d57e7af3361c59b5c5d60439894dee
SHA512

f190546fa2d67eb229ca5a525e05509d86b42fe0cb7f3f6d4cb4e87a95f79a6df4b0c41efc4da8eaf70562586efc4d8f59d52c900c73d191e7bf7259baed7435
SSDEEP

12288:TMr4y908tFPcQRyHdfVYDb5XXtpFpeVaxO8PDtpG/PqwQYl8GuyWLdKr:PytFCdfVYDb5XXtjp12iqmGAs

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af83-153.dat	healer
behavioral1/files/0x000700000001af83-154.dat	healer
behavioral1/memory/876-155-0x00000000006D0000-0x00000000006DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8412421.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8412421.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8412421.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8412421.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8412421.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2200	v5816188.exe
3828	v3280457.exe
3460	v2833744.exe
1948	v5365053.exe
876	a8412421.exe
3516	b4126262.exe
1060	c7932140.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8412421.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5816188.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3280457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2833744.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5365053.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	844e1d852d6e53ee6d479e42799d6e0ef6d57e7af3361c59b5c5d60439894dee.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
876	a8412421.exe
876	a8412421.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	a8412421.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2200	5060	844e1d852d6e53ee6d479e42799d6e0ef6d57e7af3361c59b5c5d60439894dee.exe	70
PID 5060 wrote to memory of 2200	5060	844e1d852d6e53ee6d479e42799d6e0ef6d57e7af3361c59b5c5d60439894dee.exe	70
PID 5060 wrote to memory of 2200	5060	844e1d852d6e53ee6d479e42799d6e0ef6d57e7af3361c59b5c5d60439894dee.exe	70
PID 2200 wrote to memory of 3828	2200	v5816188.exe	71
PID 2200 wrote to memory of 3828	2200	v5816188.exe	71
PID 2200 wrote to memory of 3828	2200	v5816188.exe	71
PID 3828 wrote to memory of 3460	3828	v3280457.exe	72
PID 3828 wrote to memory of 3460	3828	v3280457.exe	72
PID 3828 wrote to memory of 3460	3828	v3280457.exe	72
PID 3460 wrote to memory of 1948	3460	v2833744.exe	73
PID 3460 wrote to memory of 1948	3460	v2833744.exe	73
PID 3460 wrote to memory of 1948	3460	v2833744.exe	73
PID 1948 wrote to memory of 876	1948	v5365053.exe	74
PID 1948 wrote to memory of 876	1948	v5365053.exe	74
PID 1948 wrote to memory of 3516	1948	v5365053.exe	75
PID 1948 wrote to memory of 3516	1948	v5365053.exe	75
PID 1948 wrote to memory of 3516	1948	v5365053.exe	75
PID 3460 wrote to memory of 1060	3460	v2833744.exe	76
PID 3460 wrote to memory of 1060	3460	v2833744.exe	76
PID 3460 wrote to memory of 1060	3460	v2833744.exe	76

C:\Users\Admin\AppData\Local\Temp\844e1d852d6e53ee6d479e42799d6e0ef6d57e7af3361c59b5c5d60439894dee.exe
"C:\Users\Admin\AppData\Local\Temp\844e1d852d6e53ee6d479e42799d6e0ef6d57e7af3361c59b5c5d60439894dee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5816188.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5816188.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3280457.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3280457.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2833744.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2833744.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3460
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5365053.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5365053.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8412421.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8412421.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4126262.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4126262.exe
        6⤵
        Executes dropped EXE
        
        PID:3516
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7932140.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7932140.exe
        5⤵
        Executes dropped EXE
        
        PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5816188.exe

Filesize
723KB

MD5
98f1c201b3c06c9039ec3ab713573a08

SHA1
33d3d266c91bdaababa00546f5aa93f31c89e2cc

SHA256
2630d67a952795df6035b0a30227b4c0505ac834538e24b636d3ecda1e045c08

SHA512
1c59eed4257b396f13f1dcf626850b3c24856264676fbb691b607e2bcd6afd77238d6242f32465f52effc90cb1868a7331a6899a1b71a32f3650836a498fe077

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5816188.exe

Filesize
723KB

MD5
98f1c201b3c06c9039ec3ab713573a08

SHA1
33d3d266c91bdaababa00546f5aa93f31c89e2cc

SHA256
2630d67a952795df6035b0a30227b4c0505ac834538e24b636d3ecda1e045c08

SHA512
1c59eed4257b396f13f1dcf626850b3c24856264676fbb691b607e2bcd6afd77238d6242f32465f52effc90cb1868a7331a6899a1b71a32f3650836a498fe077

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3280457.exe

Filesize
497KB

MD5
aee9083d580265388ee43ff5cfd86044

SHA1
28b274f43d45a0d71b7c5ab1c669706590a0633b

SHA256
98348c0337ae0a718c6340755bd4016c933d3507f362351f9de846bd1d57327c

SHA512
8da53976795efb6e51cf2c4e8e1118a27e686d49dcbb85d04206371c88b241a2b553ce2aba5d28a838fdc611a5f1a967a87c9ed4e4b73c157c2e0b2a4243e82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3280457.exe

Filesize
497KB

MD5
aee9083d580265388ee43ff5cfd86044

SHA1
28b274f43d45a0d71b7c5ab1c669706590a0633b

SHA256
98348c0337ae0a718c6340755bd4016c933d3507f362351f9de846bd1d57327c

SHA512
8da53976795efb6e51cf2c4e8e1118a27e686d49dcbb85d04206371c88b241a2b553ce2aba5d28a838fdc611a5f1a967a87c9ed4e4b73c157c2e0b2a4243e82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2833744.exe

Filesize
372KB

MD5
f6709ff5b2fc3855af030f86d77db73d

SHA1
0cfcef315e4dcf0d77022b1c9548bca49043442f

SHA256
dd6f856414be9a3949b18e94210c5a27bf40bc460424463db7248991e529486a

SHA512
2ad6443ccb852f8efb97bc41468b222966d99faad63e9df0375f1ce86ad31fb0dca6927f1407da023162131a0f74ad7cd350cdcd702c208b7633ace61b93f6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2833744.exe

Filesize
372KB

MD5
f6709ff5b2fc3855af030f86d77db73d

SHA1
0cfcef315e4dcf0d77022b1c9548bca49043442f

SHA256
dd6f856414be9a3949b18e94210c5a27bf40bc460424463db7248991e529486a

SHA512
2ad6443ccb852f8efb97bc41468b222966d99faad63e9df0375f1ce86ad31fb0dca6927f1407da023162131a0f74ad7cd350cdcd702c208b7633ace61b93f6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7932140.exe

Filesize
174KB

MD5
f9ca94d35f0df374cba0f6e9047b835e

SHA1
9b92fde4107a4de8fb72fdfdad7bc7cce9a19ac7

SHA256
81a01c874c5dcda4ce49bc4efffdf8d86948678518e60d593a187ec0775aeaf7

SHA512
2a0b08b3f867877dd21284f6913bcb1f39742fbf96007158707395cd3487bf2ce30d3e2fd1d4324bd157ecc352af28b2e7a547b3d834ceb7293f5d52b55dbb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7932140.exe

Filesize
174KB

MD5
f9ca94d35f0df374cba0f6e9047b835e

SHA1
9b92fde4107a4de8fb72fdfdad7bc7cce9a19ac7

SHA256
81a01c874c5dcda4ce49bc4efffdf8d86948678518e60d593a187ec0775aeaf7

SHA512
2a0b08b3f867877dd21284f6913bcb1f39742fbf96007158707395cd3487bf2ce30d3e2fd1d4324bd157ecc352af28b2e7a547b3d834ceb7293f5d52b55dbb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5365053.exe

Filesize
216KB

MD5
b5ef6520ce0f14fe886bcab4458bbeed

SHA1
4b1a6f6a0a565607969628fbf4a7f9fa5a8a494d

SHA256
fd850d3544f0bda4c8e89295f517de09f098f9eed130ecd645fed87fbadc1d84

SHA512
913ac12d99327690ac444577372e892f137ce71020a5fdf614cfdc8ab33489e2fb27f35ac22f00586cb8f7481e6b88cef7b7c7e316bcf0f2e01325e04b7e13eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5365053.exe

Filesize
216KB

MD5
b5ef6520ce0f14fe886bcab4458bbeed

SHA1
4b1a6f6a0a565607969628fbf4a7f9fa5a8a494d

SHA256
fd850d3544f0bda4c8e89295f517de09f098f9eed130ecd645fed87fbadc1d84

SHA512
913ac12d99327690ac444577372e892f137ce71020a5fdf614cfdc8ab33489e2fb27f35ac22f00586cb8f7481e6b88cef7b7c7e316bcf0f2e01325e04b7e13eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8412421.exe

Filesize
11KB

MD5
63ad89a9a8af000b4e51d0f893aad085

SHA1
21f1e059d707e49f48331b13ab8332395d2821a5

SHA256
b00ec97cdf7d31f31c4b35bd2ef8cf500373d642e7e3d13a326f26443e0c4808

SHA512
0794e9fdc53c0f56af4e2fb4597facf387d302b25fd04d5b11aa687846327cb723007c020bb744102f7211142e8d9a3bd2fe28604d248bd7d15eeb93cde9418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8412421.exe

Filesize
11KB

MD5
63ad89a9a8af000b4e51d0f893aad085

SHA1
21f1e059d707e49f48331b13ab8332395d2821a5

SHA256
b00ec97cdf7d31f31c4b35bd2ef8cf500373d642e7e3d13a326f26443e0c4808

SHA512
0794e9fdc53c0f56af4e2fb4597facf387d302b25fd04d5b11aa687846327cb723007c020bb744102f7211142e8d9a3bd2fe28604d248bd7d15eeb93cde9418c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4126262.exe

Filesize
140KB

MD5
baa54c415943f8b33bc70eacbd7ec03e

SHA1
8a5d7608484f1eea6713fbd43c0698574fa9419c

SHA256
788fd529e3832b2411bedd92cfed66c9b785be33e6c079011e46a9f2fda7f5af

SHA512
530dfaae8057ecfda31568cef78f9512acfcf75e7e48d36281b9413ebc62bf1562a5bb42661e66fb2f89e0c12fbacebf5884fd855d721df4ae757e55330f3adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4126262.exe

Filesize
140KB

MD5
baa54c415943f8b33bc70eacbd7ec03e

SHA1
8a5d7608484f1eea6713fbd43c0698574fa9419c

SHA256
788fd529e3832b2411bedd92cfed66c9b785be33e6c079011e46a9f2fda7f5af

SHA512
530dfaae8057ecfda31568cef78f9512acfcf75e7e48d36281b9413ebc62bf1562a5bb42661e66fb2f89e0c12fbacebf5884fd855d721df4ae757e55330f3adc

Download Submit
memory/876-158-0x00007FFA02640000-0x00007FFA0302C000-memory.dmp

Filesize
9.9MB

Download
memory/876-156-0x00007FFA02640000-0x00007FFA0302C000-memory.dmp

Filesize
9.9MB

Download
memory/876-155-0x00000000006D0000-0x00000000006DA000-memory.dmp

Filesize
40KB

Download
memory/1060-165-0x0000000000920000-0x0000000000950000-memory.dmp

Filesize
192KB

Download
memory/1060-166-0x0000000073B00000-0x00000000741EE000-memory.dmp

Filesize
6.9MB

Download
memory/1060-167-0x0000000002BB0000-0x0000000002BB6000-memory.dmp

Filesize
24KB

Download
memory/1060-168-0x000000000ACE0000-0x000000000B2E6000-memory.dmp

Filesize
6.0MB

Download
memory/1060-169-0x000000000A870000-0x000000000A97A000-memory.dmp

Filesize
1.0MB

Download
memory/1060-170-0x000000000A7A0000-0x000000000A7B2000-memory.dmp

Filesize
72KB

Download
memory/1060-171-0x000000000A800000-0x000000000A83E000-memory.dmp

Filesize
248KB

Download
memory/1060-172-0x000000000A980000-0x000000000A9CB000-memory.dmp

Filesize
300KB

Download
memory/1060-173-0x0000000073B00000-0x00000000741EE000-memory.dmp

Filesize
6.9MB

Download