healer | d8a5128d9aa756452fff5e78ca54befd2d3b6fbbbf7c7a69c55dc784540b8568

Analysis

max time kernel
145s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22/08/2023, 16:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d8a5128d9aa756452fff5e78ca54befd2d3b6fbbbf7c7a69c55dc784540b8568.exe
Size

828KB
MD5

727fec95641b24b9df9ab34da5744dba
SHA1

ab819bb053b2b8d22822ee878b5ca97b76bad460
SHA256

d8a5128d9aa756452fff5e78ca54befd2d3b6fbbbf7c7a69c55dc784540b8568
SHA512

912d0880ab7bce415de93304606edb0f83fe8f318b0abd8ac484e4b73fbc7483e0d9a39e80f5342fd4faebddf391572b20a64a60b2cbdde1a02276ccd4404cb9
SSDEEP

12288:CMriy90QNzDmlV8NcIbDKfAn0WLHZMiYrjvphrtvZRRQ2Htn4TyiTEwuM1Vm006P:8y5+8Uf0FQRJZRRQS4TjTEwD1Vmi5J

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b00b-153.dat	healer
behavioral1/files/0x000700000001b00b-154.dat	healer
behavioral1/memory/4648-155-0x0000000000F60000-0x0000000000F6A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0533780.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0533780.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0533780.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0533780.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0533780.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2564	v9803657.exe
892	v2821030.exe
4248	v3491240.exe
3432	v3643024.exe
4648	a0533780.exe
1396	b9240810.exe
4228	c3969971.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0533780.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d8a5128d9aa756452fff5e78ca54befd2d3b6fbbbf7c7a69c55dc784540b8568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9803657.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2821030.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3491240.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3643024.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4648	a0533780.exe
4648	a0533780.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	a0533780.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2564	2648	d8a5128d9aa756452fff5e78ca54befd2d3b6fbbbf7c7a69c55dc784540b8568.exe	70
PID 2648 wrote to memory of 2564	2648	d8a5128d9aa756452fff5e78ca54befd2d3b6fbbbf7c7a69c55dc784540b8568.exe	70
PID 2648 wrote to memory of 2564	2648	d8a5128d9aa756452fff5e78ca54befd2d3b6fbbbf7c7a69c55dc784540b8568.exe	70
PID 2564 wrote to memory of 892	2564	v9803657.exe	71
PID 2564 wrote to memory of 892	2564	v9803657.exe	71
PID 2564 wrote to memory of 892	2564	v9803657.exe	71
PID 892 wrote to memory of 4248	892	v2821030.exe	72
PID 892 wrote to memory of 4248	892	v2821030.exe	72
PID 892 wrote to memory of 4248	892	v2821030.exe	72
PID 4248 wrote to memory of 3432	4248	v3491240.exe	73
PID 4248 wrote to memory of 3432	4248	v3491240.exe	73
PID 4248 wrote to memory of 3432	4248	v3491240.exe	73
PID 3432 wrote to memory of 4648	3432	v3643024.exe	74
PID 3432 wrote to memory of 4648	3432	v3643024.exe	74
PID 3432 wrote to memory of 1396	3432	v3643024.exe	75
PID 3432 wrote to memory of 1396	3432	v3643024.exe	75
PID 3432 wrote to memory of 1396	3432	v3643024.exe	75
PID 4248 wrote to memory of 4228	4248	v3491240.exe	76
PID 4248 wrote to memory of 4228	4248	v3491240.exe	76
PID 4248 wrote to memory of 4228	4248	v3491240.exe	76

C:\Users\Admin\AppData\Local\Temp\d8a5128d9aa756452fff5e78ca54befd2d3b6fbbbf7c7a69c55dc784540b8568.exe
"C:\Users\Admin\AppData\Local\Temp\d8a5128d9aa756452fff5e78ca54befd2d3b6fbbbf7c7a69c55dc784540b8568.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9803657.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9803657.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2821030.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2821030.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:892
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3491240.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3491240.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4248
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3643024.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3643024.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0533780.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0533780.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9240810.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9240810.exe
        6⤵
        Executes dropped EXE
        
        PID:1396
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3969971.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3969971.exe
        5⤵
        Executes dropped EXE
        
        PID:4228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9803657.exe

Filesize
723KB

MD5
a0838b81d3362ddc1a0296aa6f9cb81b

SHA1
654142a2487d4be5b1e0dee0480ae9e691c1182a

SHA256
7c1617123874efff77dd252a19a57cffdf8e09ec65b89eae9b64a38d46228bfb

SHA512
4ee2a1614780d01d1d801feaf399bd6a54ff1ac30c01eb4b6676402da0f75cecb1780c7405468ae809843638236669f005a2cc215d01810e227c2cf33eee88fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9803657.exe

Filesize
723KB

MD5
a0838b81d3362ddc1a0296aa6f9cb81b

SHA1
654142a2487d4be5b1e0dee0480ae9e691c1182a

SHA256
7c1617123874efff77dd252a19a57cffdf8e09ec65b89eae9b64a38d46228bfb

SHA512
4ee2a1614780d01d1d801feaf399bd6a54ff1ac30c01eb4b6676402da0f75cecb1780c7405468ae809843638236669f005a2cc215d01810e227c2cf33eee88fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2821030.exe

Filesize
497KB

MD5
1152b15623cde852fdb6d9f2cf4f00e7

SHA1
17799a576fbd882b2d05c13298d88633348d9e70

SHA256
5e39a65ec7642dfedf214ce6015e11dede25f3cf4de0e1573d12f11028529253

SHA512
15ab0eb6216403d8f71a98ee8234f84eb3c08361e26c33e319302b44f32b4bd99eeb4437e6d7a6f3e88fecb2b700816bf0eb7cd63070d4273fea9d196dbae4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2821030.exe

Filesize
497KB

MD5
1152b15623cde852fdb6d9f2cf4f00e7

SHA1
17799a576fbd882b2d05c13298d88633348d9e70

SHA256
5e39a65ec7642dfedf214ce6015e11dede25f3cf4de0e1573d12f11028529253

SHA512
15ab0eb6216403d8f71a98ee8234f84eb3c08361e26c33e319302b44f32b4bd99eeb4437e6d7a6f3e88fecb2b700816bf0eb7cd63070d4273fea9d196dbae4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3491240.exe

Filesize
372KB

MD5
dd42f6c44eda6c41a4b673985d1e5da1

SHA1
feff473a4700810f1b846c27c7d7082cfac49022

SHA256
d2410a59a141b6dedd0cca4e5391a1bb0e59e7374d7be5c5386e65254a32662b

SHA512
e938d19327d679856a25def51343fb0fd8b6e5c149c37c6393aacf82bd4f07b5d10cc4c728954b38bf012b3bf05517d968f2231a0452aeea2cbd94c0137e1f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3491240.exe

Filesize
372KB

MD5
dd42f6c44eda6c41a4b673985d1e5da1

SHA1
feff473a4700810f1b846c27c7d7082cfac49022

SHA256
d2410a59a141b6dedd0cca4e5391a1bb0e59e7374d7be5c5386e65254a32662b

SHA512
e938d19327d679856a25def51343fb0fd8b6e5c149c37c6393aacf82bd4f07b5d10cc4c728954b38bf012b3bf05517d968f2231a0452aeea2cbd94c0137e1f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3969971.exe

Filesize
174KB

MD5
3755d370833b8d4d3627ce071086e25f

SHA1
0a4dde04299dda515576710752671e8bf5849fd1

SHA256
fe53d17d310ebbbd54bfe58e2e6ff7f71df47bf2f196fdd1eedc57c53a00362a

SHA512
5e2561ab0e286aa1c9b2952fb8b46ab8494b4a63d6641884efe5497a4fb49692611e63059b5db12dcda0fb9a73434d66f3c922f69fae609ed17a4605e53ccea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3969971.exe

Filesize
174KB

MD5
3755d370833b8d4d3627ce071086e25f

SHA1
0a4dde04299dda515576710752671e8bf5849fd1

SHA256
fe53d17d310ebbbd54bfe58e2e6ff7f71df47bf2f196fdd1eedc57c53a00362a

SHA512
5e2561ab0e286aa1c9b2952fb8b46ab8494b4a63d6641884efe5497a4fb49692611e63059b5db12dcda0fb9a73434d66f3c922f69fae609ed17a4605e53ccea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3643024.exe

Filesize
216KB

MD5
c137e791515db5176729e9e72ebd4818

SHA1
fd4c61d1c6331d545976cfc83d976e18c3fc9eb8

SHA256
a7a35a61f05b34115b5c7584f5b02f3b4a63ca6929a2cf18cd072021382011c8

SHA512
4a3a82a1018aae50d39b2cec55c6ade39f607c3201d110f4e0231753519ade55e2995164daa493e632f2c495a077d86312c6084a6e0e83244383055070cfed92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3643024.exe

Filesize
216KB

MD5
c137e791515db5176729e9e72ebd4818

SHA1
fd4c61d1c6331d545976cfc83d976e18c3fc9eb8

SHA256
a7a35a61f05b34115b5c7584f5b02f3b4a63ca6929a2cf18cd072021382011c8

SHA512
4a3a82a1018aae50d39b2cec55c6ade39f607c3201d110f4e0231753519ade55e2995164daa493e632f2c495a077d86312c6084a6e0e83244383055070cfed92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0533780.exe

Filesize
11KB

MD5
ec7de2ecc0a2bb44d98970f3b117924a

SHA1
329017e664553e429c143681c0284fc353b259ef

SHA256
f5d9b7587bc49b508b29622ef6d6e930ca5848c33687c9b46f7129babd48fe8f

SHA512
3e97716659139e4f4920ababcc5f607834c6954ded7a04ad6d0c387e90248e281b475629c010cf610ba6d8fa3bb948229c787858a496ca7938a991b23d4734d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0533780.exe

Filesize
11KB

MD5
ec7de2ecc0a2bb44d98970f3b117924a

SHA1
329017e664553e429c143681c0284fc353b259ef

SHA256
f5d9b7587bc49b508b29622ef6d6e930ca5848c33687c9b46f7129babd48fe8f

SHA512
3e97716659139e4f4920ababcc5f607834c6954ded7a04ad6d0c387e90248e281b475629c010cf610ba6d8fa3bb948229c787858a496ca7938a991b23d4734d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9240810.exe

Filesize
140KB

MD5
f4b6990d22eeca6f2268540eca062098

SHA1
5086c779b31ddf8128227a81e2227a0785ef2dde

SHA256
135d17638494b11959bbf82a8b7206a8f26bddf9083fe0583f33dca00b010601

SHA512
bd167b8071381339b3646c2a28ba3c3e0c8131942120e32307583106e66cbfe5428d476759348d1d6678f51bc86371d0a3ac6555c9216dc262da588ec5c8968d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9240810.exe

Filesize
140KB

MD5
f4b6990d22eeca6f2268540eca062098

SHA1
5086c779b31ddf8128227a81e2227a0785ef2dde

SHA256
135d17638494b11959bbf82a8b7206a8f26bddf9083fe0583f33dca00b010601

SHA512
bd167b8071381339b3646c2a28ba3c3e0c8131942120e32307583106e66cbfe5428d476759348d1d6678f51bc86371d0a3ac6555c9216dc262da588ec5c8968d

Download Submit
memory/4228-166-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/4228-165-0x0000000000C30000-0x0000000000C60000-memory.dmp

Filesize
192KB

Download
memory/4228-167-0x0000000001510000-0x0000000001516000-memory.dmp

Filesize
24KB

Download
memory/4228-168-0x000000000B0A0000-0x000000000B6A6000-memory.dmp

Filesize
6.0MB

Download
memory/4228-169-0x000000000ABA0000-0x000000000ACAA000-memory.dmp

Filesize
1.0MB

Download
memory/4228-170-0x000000000AAB0000-0x000000000AAC2000-memory.dmp

Filesize
72KB

Download
memory/4228-171-0x000000000AB10000-0x000000000AB4E000-memory.dmp

Filesize
248KB

Download
memory/4228-172-0x000000000ACB0000-0x000000000ACFB000-memory.dmp

Filesize
300KB

Download
memory/4228-173-0x00000000733C0000-0x0000000073AAE000-memory.dmp

Filesize
6.9MB

Download
memory/4648-158-0x00007FFE70FE0000-0x00007FFE719CC000-memory.dmp

Filesize
9.9MB

Download
memory/4648-156-0x00007FFE70FE0000-0x00007FFE719CC000-memory.dmp

Filesize
9.9MB

Download
memory/4648-155-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download