healer | 37de1c26ca67d0efa6d4f23082a7105f3708a448f6a232f228f03b0ba4115a6d

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2023 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37de1c26ca67d0efa6d4f23082a7105f3708a448f6a232f228f03b0ba4115a6d.exe
Size

829KB
MD5

81ed2e6adf62fd80c2ec97bffa12a0cb
SHA1

9d3e31711fe1ed23dd0e469faa894a71e1039eb0
SHA256

37de1c26ca67d0efa6d4f23082a7105f3708a448f6a232f228f03b0ba4115a6d
SHA512

853abaf0298bc394c74a6eae43300841f1301c9fa50e43239a09d68fd57278963ef19acd4b2cffc006654db97ac67c871a61bdd32249f51978dc0107f92f3f81
SSDEEP

12288:HMroy90AdOxTvxdVOX1JI9yApGNezZQP8VLygR2o0ZyYHDwi9CzwKKie0Gb:vy/dIz+HIAAw1kygRAwpwltb

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023252-166.dat	healer
behavioral1/files/0x0008000000023252-167.dat	healer
behavioral1/memory/4668-168-0x0000000000C70000-0x0000000000C7A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1403561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1403561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1403561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1403561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1403561.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1403561.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
652	v7862769.exe
4564	v9057927.exe
2588	v3485619.exe
1872	v3864196.exe
4668	a1403561.exe
1568	b0483729.exe
2404	c5500694.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1403561.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	37de1c26ca67d0efa6d4f23082a7105f3708a448f6a232f228f03b0ba4115a6d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7862769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9057927.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3485619.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3864196.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4668	a1403561.exe
4668	a1403561.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	a1403561.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 652	4068	37de1c26ca67d0efa6d4f23082a7105f3708a448f6a232f228f03b0ba4115a6d.exe	83
PID 4068 wrote to memory of 652	4068	37de1c26ca67d0efa6d4f23082a7105f3708a448f6a232f228f03b0ba4115a6d.exe	83
PID 4068 wrote to memory of 652	4068	37de1c26ca67d0efa6d4f23082a7105f3708a448f6a232f228f03b0ba4115a6d.exe	83
PID 652 wrote to memory of 4564	652	v7862769.exe	84
PID 652 wrote to memory of 4564	652	v7862769.exe	84
PID 652 wrote to memory of 4564	652	v7862769.exe	84
PID 4564 wrote to memory of 2588	4564	v9057927.exe	85
PID 4564 wrote to memory of 2588	4564	v9057927.exe	85
PID 4564 wrote to memory of 2588	4564	v9057927.exe	85
PID 2588 wrote to memory of 1872	2588	v3485619.exe	86
PID 2588 wrote to memory of 1872	2588	v3485619.exe	86
PID 2588 wrote to memory of 1872	2588	v3485619.exe	86
PID 1872 wrote to memory of 4668	1872	v3864196.exe	87
PID 1872 wrote to memory of 4668	1872	v3864196.exe	87
PID 1872 wrote to memory of 1568	1872	v3864196.exe	93
PID 1872 wrote to memory of 1568	1872	v3864196.exe	93
PID 1872 wrote to memory of 1568	1872	v3864196.exe	93
PID 2588 wrote to memory of 2404	2588	v3485619.exe	96
PID 2588 wrote to memory of 2404	2588	v3485619.exe	96
PID 2588 wrote to memory of 2404	2588	v3485619.exe	96

C:\Users\Admin\AppData\Local\Temp\37de1c26ca67d0efa6d4f23082a7105f3708a448f6a232f228f03b0ba4115a6d.exe
"C:\Users\Admin\AppData\Local\Temp\37de1c26ca67d0efa6d4f23082a7105f3708a448f6a232f228f03b0ba4115a6d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7862769.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7862769.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9057927.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9057927.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3485619.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3485619.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3864196.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3864196.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1872
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1403561.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1403561.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0483729.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0483729.exe
        6⤵
        Executes dropped EXE
        
        PID:1568
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5500694.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5500694.exe
        5⤵
        Executes dropped EXE
        
        PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7862769.exe

Filesize
723KB

MD5
6033673670361d53069e7f9724ce2fa0

SHA1
683550ca1dae4603cf5b0a9aa24baef7d5e448e7

SHA256
b53c90a450b9c58662875ae9bded3b506327a1abba6bed9a0c388c8e40cafa00

SHA512
a99b3e917475ab977d834e87735c9bfae0ac6c7098f2896769174e6fd6292a7b2d33749b2b4abbf16a1386bf086ab6f1fd14991ca72de0dbc4269334d76d8fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7862769.exe

Filesize
723KB

MD5
6033673670361d53069e7f9724ce2fa0

SHA1
683550ca1dae4603cf5b0a9aa24baef7d5e448e7

SHA256
b53c90a450b9c58662875ae9bded3b506327a1abba6bed9a0c388c8e40cafa00

SHA512
a99b3e917475ab977d834e87735c9bfae0ac6c7098f2896769174e6fd6292a7b2d33749b2b4abbf16a1386bf086ab6f1fd14991ca72de0dbc4269334d76d8fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9057927.exe

Filesize
497KB

MD5
9f4cea24b84b3e92dbd26ccfb39e4f3d

SHA1
44804c5a09add77d790a394760fe6371bc28a17d

SHA256
5e8fff0d74e34aad149371fcee725445640779a190173c3894182ce06b3eeb10

SHA512
f05679a8d074608c640e65189c97cfaa0df5e42e21912ddd08c1b14c25bb6b6f3a36922a3118312fbe25e65c9c28016a3ddd72c5f8b86f9442ddd0476bda1bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9057927.exe

Filesize
497KB

MD5
9f4cea24b84b3e92dbd26ccfb39e4f3d

SHA1
44804c5a09add77d790a394760fe6371bc28a17d

SHA256
5e8fff0d74e34aad149371fcee725445640779a190173c3894182ce06b3eeb10

SHA512
f05679a8d074608c640e65189c97cfaa0df5e42e21912ddd08c1b14c25bb6b6f3a36922a3118312fbe25e65c9c28016a3ddd72c5f8b86f9442ddd0476bda1bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3485619.exe

Filesize
373KB

MD5
e8423c0fb4330b603960e9082b2e580f

SHA1
41bf0ed79c9889242b6375d2d6c4a08993ca4ac7

SHA256
84150557c340b5828d5d2e6aefb11de2447bd69ba78797f8339b96dd65332189

SHA512
3d2fd5ff3de8bcc162248d9d8e20a09618f19c0c6a4611cd392a6ec7f89cf60153d52e7931193a6a5347bafb66de42a848d545f127cc080c7df2748d11412ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3485619.exe

Filesize
373KB

MD5
e8423c0fb4330b603960e9082b2e580f

SHA1
41bf0ed79c9889242b6375d2d6c4a08993ca4ac7

SHA256
84150557c340b5828d5d2e6aefb11de2447bd69ba78797f8339b96dd65332189

SHA512
3d2fd5ff3de8bcc162248d9d8e20a09618f19c0c6a4611cd392a6ec7f89cf60153d52e7931193a6a5347bafb66de42a848d545f127cc080c7df2748d11412ffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5500694.exe

Filesize
174KB

MD5
fac93fb029a56d6185fc6a818b155ed9

SHA1
0ac4d80fc53730685e1ba9c91c847e62544a8203

SHA256
560ed95af37134f610bea469c7e8332c55f41052199032c1c00f468d4f1be9a2

SHA512
2f2f199c51dd683bf5fc9dd31226d697ab59b4d35597e5626bbe16f111bc51b055778762f7154aba570605b4ce4f2d9453bf4bf0a33dc57719bd65521fef5287

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5500694.exe

Filesize
174KB

MD5
fac93fb029a56d6185fc6a818b155ed9

SHA1
0ac4d80fc53730685e1ba9c91c847e62544a8203

SHA256
560ed95af37134f610bea469c7e8332c55f41052199032c1c00f468d4f1be9a2

SHA512
2f2f199c51dd683bf5fc9dd31226d697ab59b4d35597e5626bbe16f111bc51b055778762f7154aba570605b4ce4f2d9453bf4bf0a33dc57719bd65521fef5287

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3864196.exe

Filesize
216KB

MD5
1c221c30005895291be7e9c63a52e8a4

SHA1
af2a5bad5e0f027f3261ea35c46c1307f0f9fb2d

SHA256
cb7c618ab561964091a4eff66c483e111dcc13b2907bfe90f5525a03976bd780

SHA512
a240b29a80d6bc2903fc650884017af887c90f1138885da89093223d90c177d10c8463513f1c7a80d9d71921a7d2c833b80f6a3ad0a9981e1fde3efd99e791ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3864196.exe

Filesize
216KB

MD5
1c221c30005895291be7e9c63a52e8a4

SHA1
af2a5bad5e0f027f3261ea35c46c1307f0f9fb2d

SHA256
cb7c618ab561964091a4eff66c483e111dcc13b2907bfe90f5525a03976bd780

SHA512
a240b29a80d6bc2903fc650884017af887c90f1138885da89093223d90c177d10c8463513f1c7a80d9d71921a7d2c833b80f6a3ad0a9981e1fde3efd99e791ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1403561.exe

Filesize
12KB

MD5
15ad6bf32583751500dedec71386f53c

SHA1
304fbfad35937f575763c3502cd7c5b2257c822f

SHA256
450298787ef268f949d72cafd0fd2fbee43e7d2204dd959f2ec97befd6594cd0

SHA512
0bbc7c6a4ad50237d79d7fd5f6c650b63e7bc7bdba72ceb49634ea488e6dcbbb02b2acb86f004320deac8b74bfe1917d0c22db2dffde6e9a490ee975e8d317cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1403561.exe

Filesize
12KB

MD5
15ad6bf32583751500dedec71386f53c

SHA1
304fbfad35937f575763c3502cd7c5b2257c822f

SHA256
450298787ef268f949d72cafd0fd2fbee43e7d2204dd959f2ec97befd6594cd0

SHA512
0bbc7c6a4ad50237d79d7fd5f6c650b63e7bc7bdba72ceb49634ea488e6dcbbb02b2acb86f004320deac8b74bfe1917d0c22db2dffde6e9a490ee975e8d317cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0483729.exe

Filesize
140KB

MD5
1a5db69b3b57904e3df898d22bdff21b

SHA1
6c9501efeeaab2edbcc8e9adef56fc9b3f7a7b54

SHA256
83caf3ee65f23584e9731f0e6dcee8451e5c5138520d7800f785353812451753

SHA512
bb81c0fcb8bc7b0dec38c5fe1ec48e8d3628a26f1bc6d09608b76ad8cdcf01eec4931b161776e08ec4703b37f33d992bccd656c732949a5ad023689c79c4f6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0483729.exe

Filesize
140KB

MD5
1a5db69b3b57904e3df898d22bdff21b

SHA1
6c9501efeeaab2edbcc8e9adef56fc9b3f7a7b54

SHA256
83caf3ee65f23584e9731f0e6dcee8451e5c5138520d7800f785353812451753

SHA512
bb81c0fcb8bc7b0dec38c5fe1ec48e8d3628a26f1bc6d09608b76ad8cdcf01eec4931b161776e08ec4703b37f33d992bccd656c732949a5ad023689c79c4f6d6

Download Submit
memory/2404-178-0x0000000000380000-0x00000000003B0000-memory.dmp

Filesize
192KB

Download
memory/2404-179-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2404-180-0x000000000A7E0000-0x000000000ADF8000-memory.dmp

Filesize
6.1MB

Download
memory/2404-181-0x000000000A330000-0x000000000A43A000-memory.dmp

Filesize
1.0MB

Download
memory/2404-182-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/2404-183-0x000000000A270000-0x000000000A282000-memory.dmp

Filesize
72KB

Download
memory/2404-184-0x000000000A2D0000-0x000000000A30C000-memory.dmp

Filesize
240KB

Download
memory/2404-185-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2404-186-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4668-171-0x00007FFE9FF60000-0x00007FFEA0A21000-memory.dmp

Filesize
10.8MB

Download
memory/4668-169-0x00007FFE9FF60000-0x00007FFEA0A21000-memory.dmp

Filesize
10.8MB

Download
memory/4668-168-0x0000000000C70000-0x0000000000C7A000-memory.dmp

Filesize
40KB

Download