healer | 30c777ea0cb0b873447727b17e38aeed38f27d64e59137670dea80fe02928660

Analysis

max time kernel
145s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22/08/2023, 16:42

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

30c777ea0cb0b873447727b17e38aeed38f27d64e59137670dea80fe02928660.exe
Size

828KB
MD5

282a97054c0c7457c9a6e25cc5b373bb
SHA1

0c64fc02ab56bdf6f7399d53b23f0537c2ab6c32
SHA256

30c777ea0cb0b873447727b17e38aeed38f27d64e59137670dea80fe02928660
SHA512

24e6ecc7196f3eefac8e02bda3a50ee2c2649c644e550d44e9892c7a0df1270817d5add82251d9e7002541efe286c7b1d96b763a6b309ed198cf04b0f278475f
SSDEEP

12288:NMrKy90M/WuGwV9AvSkUpQvYgUH1NqMvNpwTOn3+PafICB4I5d5TJoguaWkEV201:vyVuuGwVuEpEYdETOnKawaZ5T98d1

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afb0-151.dat	healer
behavioral1/files/0x000700000001afb0-152.dat	healer
behavioral1/memory/1360-153-0x0000000000E30000-0x0000000000E3A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9961131.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9961131.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9961131.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9961131.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9961131.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4568	v8632665.exe
4160	v5230562.exe
2772	v9294917.exe
3988	v2287344.exe
1360	a9961131.exe
2436	b2846843.exe
2120	c4941948.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9961131.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	30c777ea0cb0b873447727b17e38aeed38f27d64e59137670dea80fe02928660.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8632665.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5230562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9294917.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2287344.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1360	a9961131.exe
1360	a9961131.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	a9961131.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 4568	1392	30c777ea0cb0b873447727b17e38aeed38f27d64e59137670dea80fe02928660.exe	69
PID 1392 wrote to memory of 4568	1392	30c777ea0cb0b873447727b17e38aeed38f27d64e59137670dea80fe02928660.exe	69
PID 1392 wrote to memory of 4568	1392	30c777ea0cb0b873447727b17e38aeed38f27d64e59137670dea80fe02928660.exe	69
PID 4568 wrote to memory of 4160	4568	v8632665.exe	70
PID 4568 wrote to memory of 4160	4568	v8632665.exe	70
PID 4568 wrote to memory of 4160	4568	v8632665.exe	70
PID 4160 wrote to memory of 2772	4160	v5230562.exe	71
PID 4160 wrote to memory of 2772	4160	v5230562.exe	71
PID 4160 wrote to memory of 2772	4160	v5230562.exe	71
PID 2772 wrote to memory of 3988	2772	v9294917.exe	72
PID 2772 wrote to memory of 3988	2772	v9294917.exe	72
PID 2772 wrote to memory of 3988	2772	v9294917.exe	72
PID 3988 wrote to memory of 1360	3988	v2287344.exe	73
PID 3988 wrote to memory of 1360	3988	v2287344.exe	73
PID 3988 wrote to memory of 2436	3988	v2287344.exe	74
PID 3988 wrote to memory of 2436	3988	v2287344.exe	74
PID 3988 wrote to memory of 2436	3988	v2287344.exe	74
PID 2772 wrote to memory of 2120	2772	v9294917.exe	75
PID 2772 wrote to memory of 2120	2772	v9294917.exe	75
PID 2772 wrote to memory of 2120	2772	v9294917.exe	75

C:\Users\Admin\AppData\Local\Temp\30c777ea0cb0b873447727b17e38aeed38f27d64e59137670dea80fe02928660.exe
"C:\Users\Admin\AppData\Local\Temp\30c777ea0cb0b873447727b17e38aeed38f27d64e59137670dea80fe02928660.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8632665.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8632665.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5230562.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5230562.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4160
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9294917.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9294917.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2287344.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2287344.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3988
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9961131.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9961131.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2846843.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2846843.exe
        6⤵
        Executes dropped EXE
        
        PID:2436
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4941948.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4941948.exe
        5⤵
        Executes dropped EXE
        
        PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8632665.exe

Filesize
722KB

MD5
dad50666a5aba67437a209f5f9269949

SHA1
1d6deb840fd726b95915aa7c81e214b063f50f61

SHA256
68e906f3cad2890d8413ebfcf9e77738ef100acee09da4a8e178dd0fd3c17391

SHA512
9b017ea7ba8ad4f72e6b862d5205bce13604a31fea1042914f1e22a657a7f9ed52747452e6205894df38803b20a599efaa42ce18985b4adeb9ef9fee952ee78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8632665.exe

Filesize
722KB

MD5
dad50666a5aba67437a209f5f9269949

SHA1
1d6deb840fd726b95915aa7c81e214b063f50f61

SHA256
68e906f3cad2890d8413ebfcf9e77738ef100acee09da4a8e178dd0fd3c17391

SHA512
9b017ea7ba8ad4f72e6b862d5205bce13604a31fea1042914f1e22a657a7f9ed52747452e6205894df38803b20a599efaa42ce18985b4adeb9ef9fee952ee78d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5230562.exe

Filesize
497KB

MD5
e0993b3d247036b6317e809fa7c7a7d7

SHA1
668624b0cc55e173b8ce524f7d8c39d3b5b8cb4d

SHA256
f6e0d15c8a61ff5740c80278422413066e4d120fc3d8a8ecf80aa5d6cdf45821

SHA512
a20567cd7595142f9ff1496564e6899bd1e1a897bb161ea4b589e7ba2e5ddbbfdae2c4a83371da879f90e8b470c393a8ed980a573800f35415287cfbcb01143b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5230562.exe

Filesize
497KB

MD5
e0993b3d247036b6317e809fa7c7a7d7

SHA1
668624b0cc55e173b8ce524f7d8c39d3b5b8cb4d

SHA256
f6e0d15c8a61ff5740c80278422413066e4d120fc3d8a8ecf80aa5d6cdf45821

SHA512
a20567cd7595142f9ff1496564e6899bd1e1a897bb161ea4b589e7ba2e5ddbbfdae2c4a83371da879f90e8b470c393a8ed980a573800f35415287cfbcb01143b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9294917.exe

Filesize
372KB

MD5
f9e00249569de01168352f901e46f1d5

SHA1
5f4ef45f86e08956c6b7a0e02341a1991669f4d2

SHA256
80a832515942ef89e1013f272c2b0e36e41cb9c85353dfc37556c0dbbde79d9d

SHA512
584ab54e5677892d0e77822de1e79b789fb4549284a5aca239c4c0419e6f72d751bc13f0582eb101530747f4e3d4767a4f7610b2f53ec992c2b3a8a5485239f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9294917.exe

Filesize
372KB

MD5
f9e00249569de01168352f901e46f1d5

SHA1
5f4ef45f86e08956c6b7a0e02341a1991669f4d2

SHA256
80a832515942ef89e1013f272c2b0e36e41cb9c85353dfc37556c0dbbde79d9d

SHA512
584ab54e5677892d0e77822de1e79b789fb4549284a5aca239c4c0419e6f72d751bc13f0582eb101530747f4e3d4767a4f7610b2f53ec992c2b3a8a5485239f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4941948.exe

Filesize
174KB

MD5
625d306e8788b684e4dc1dd4f9ba2ea5

SHA1
c86621ef826c964cc6c9c7f7a62c6c3639d86839

SHA256
4b1bd580169187c449e22315585f851befdc3a2d5b61e29b749b4fdce6c514d0

SHA512
c95498baedba671496edffec0fa00a6b240207ab95391687d122ebc8f38a343e4b01d9efe2c83040da7b5a9f82be7f83c5ce7412341664a46041dcf2a85c22e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4941948.exe

Filesize
174KB

MD5
625d306e8788b684e4dc1dd4f9ba2ea5

SHA1
c86621ef826c964cc6c9c7f7a62c6c3639d86839

SHA256
4b1bd580169187c449e22315585f851befdc3a2d5b61e29b749b4fdce6c514d0

SHA512
c95498baedba671496edffec0fa00a6b240207ab95391687d122ebc8f38a343e4b01d9efe2c83040da7b5a9f82be7f83c5ce7412341664a46041dcf2a85c22e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2287344.exe

Filesize
216KB

MD5
d78f7adee6733e00ec8e718247f945d4

SHA1
5f1933f61e23d66b33a4b5e9b176d06800afd996

SHA256
2200e654dcf8a58aeca83c4fbe870977705721c75e89bbc0cff6e26f88a9c6eb

SHA512
bdca3d9bad58be793721219aac5c83ab065f21f60cfca61b92caccd827c6b99f8077bed93076bee58cd64f974e3e9febbab43adc02ede55bd143c70bb02526fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2287344.exe

Filesize
216KB

MD5
d78f7adee6733e00ec8e718247f945d4

SHA1
5f1933f61e23d66b33a4b5e9b176d06800afd996

SHA256
2200e654dcf8a58aeca83c4fbe870977705721c75e89bbc0cff6e26f88a9c6eb

SHA512
bdca3d9bad58be793721219aac5c83ab065f21f60cfca61b92caccd827c6b99f8077bed93076bee58cd64f974e3e9febbab43adc02ede55bd143c70bb02526fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9961131.exe

Filesize
11KB

MD5
8d69f17bbfa105c7a696c13ceeb3cc9d

SHA1
58b47b91b0bf2e136767896906d9225b3043dda0

SHA256
05b3de805412ab8e325c457bc315de7325e23214660b57adbfe9745d7c2ef992

SHA512
d5046d1defa657c68f393e75cf524e81506034ce9963d043f37da82bed8ebc19a681904d656df03500912f9d7cace22701d027e5090dcd76c59d9abdcbec7864

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9961131.exe

Filesize
11KB

MD5
8d69f17bbfa105c7a696c13ceeb3cc9d

SHA1
58b47b91b0bf2e136767896906d9225b3043dda0

SHA256
05b3de805412ab8e325c457bc315de7325e23214660b57adbfe9745d7c2ef992

SHA512
d5046d1defa657c68f393e75cf524e81506034ce9963d043f37da82bed8ebc19a681904d656df03500912f9d7cace22701d027e5090dcd76c59d9abdcbec7864

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2846843.exe

Filesize
140KB

MD5
a44a802abdcbb57345acb8f3200a1e4c

SHA1
c31586cb0e778295ea0062d6aa2dc2e0286be9f7

SHA256
590bfaec609823a3663152647483fef445070906941cdf2a541ac4287b30586c

SHA512
8817ec096f37a2920b77567ed2332c92c2ff73035c74ff4efe311ac81b6d80fa404fb6d715ddf2e35909306b1f6c77e9b24b43c9c50f48b02e9eed1e0585fed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2846843.exe

Filesize
140KB

MD5
a44a802abdcbb57345acb8f3200a1e4c

SHA1
c31586cb0e778295ea0062d6aa2dc2e0286be9f7

SHA256
590bfaec609823a3663152647483fef445070906941cdf2a541ac4287b30586c

SHA512
8817ec096f37a2920b77567ed2332c92c2ff73035c74ff4efe311ac81b6d80fa404fb6d715ddf2e35909306b1f6c77e9b24b43c9c50f48b02e9eed1e0585fed8

Download Submit
memory/1360-156-0x00007FF83B460000-0x00007FF83BE4C000-memory.dmp

Filesize
9.9MB

Download
memory/1360-154-0x00007FF83B460000-0x00007FF83BE4C000-memory.dmp

Filesize
9.9MB

Download
memory/1360-153-0x0000000000E30000-0x0000000000E3A000-memory.dmp

Filesize
40KB

Download
memory/2120-163-0x00000000000F0000-0x0000000000120000-memory.dmp

Filesize
192KB

Download
memory/2120-164-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download
memory/2120-165-0x00000000049B0000-0x00000000049B6000-memory.dmp

Filesize
24KB

Download
memory/2120-166-0x000000000A3A0000-0x000000000A9A6000-memory.dmp

Filesize
6.0MB

Download
memory/2120-167-0x0000000009F00000-0x000000000A00A000-memory.dmp

Filesize
1.0MB

Download
memory/2120-168-0x0000000009E30000-0x0000000009E42000-memory.dmp

Filesize
72KB

Download
memory/2120-169-0x0000000009E90000-0x0000000009ECE000-memory.dmp

Filesize
248KB

Download
memory/2120-170-0x000000000A010000-0x000000000A05B000-memory.dmp

Filesize
300KB

Download
memory/2120-171-0x0000000072C80000-0x000000007336E000-memory.dmp

Filesize
6.9MB

Download