healer | f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c

Analysis

max time kernel
145s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22/08/2023, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe
Size

929KB
MD5

db487af037096a79fb9522633939d8c9
SHA1

a65e9bb7d7faec68f63c5a11b6c59f54d35631f0
SHA256

f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c
SHA512

a3e057d1b3c46c511c191fa76e3a9eabac043ebefbcd11d2ff6f5c3bd69bf01aaf1f0adeb2ff57c249c4b16cd8a5b7236f70cee0a1aaf0fc2fd46968dffe2dcf
SSDEEP

12288:9Mr6y90KNr3Mrw9dzk3h3OJH1h0V69PRZ+AxU1EUFXWIU6TZwI0FiCrtF/+3anff:Tyl9dzmh3ihi4+AOKUFU+xIx+3an

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afc4-153.dat	healer
behavioral1/files/0x000700000001afc4-154.dat	healer
behavioral1/memory/4148-155-0x0000000000710000-0x000000000071A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q2577469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q2577469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q2577469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q2577469.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q2577469.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
820	z5822812.exe
1804	z4860573.exe
3020	z6511964.exe
2764	z0174663.exe
4148	q2577469.exe
4212	r9877009.exe
2600	s0411629.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q2577469.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0174663.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5822812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4860573.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z6511964.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4148	q2577469.exe
4148	q2577469.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4148	q2577469.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 820	4976	f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe	70
PID 4976 wrote to memory of 820	4976	f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe	70
PID 4976 wrote to memory of 820	4976	f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe	70
PID 820 wrote to memory of 1804	820	z5822812.exe	71
PID 820 wrote to memory of 1804	820	z5822812.exe	71
PID 820 wrote to memory of 1804	820	z5822812.exe	71
PID 1804 wrote to memory of 3020	1804	z4860573.exe	72
PID 1804 wrote to memory of 3020	1804	z4860573.exe	72
PID 1804 wrote to memory of 3020	1804	z4860573.exe	72
PID 3020 wrote to memory of 2764	3020	z6511964.exe	73
PID 3020 wrote to memory of 2764	3020	z6511964.exe	73
PID 3020 wrote to memory of 2764	3020	z6511964.exe	73
PID 2764 wrote to memory of 4148	2764	z0174663.exe	74
PID 2764 wrote to memory of 4148	2764	z0174663.exe	74
PID 2764 wrote to memory of 4212	2764	z0174663.exe	75
PID 2764 wrote to memory of 4212	2764	z0174663.exe	75
PID 2764 wrote to memory of 4212	2764	z0174663.exe	75
PID 3020 wrote to memory of 2600	3020	z6511964.exe	76
PID 3020 wrote to memory of 2600	3020	z6511964.exe	76
PID 3020 wrote to memory of 2600	3020	z6511964.exe	76

C:\Users\Admin\AppData\Local\Temp\f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe
"C:\Users\Admin\AppData\Local\Temp\f1742e820c9db758498c2611f4e0c89e9fedbde946a51d1bd1aff4c832b9162c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5822812.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5822812.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4860573.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4860573.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6511964.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6511964.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0174663.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0174663.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2577469.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2577469.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4148
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9877009.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9877009.exe
        6⤵
        Executes dropped EXE
        
        PID:4212
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0411629.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0411629.exe
        5⤵
        Executes dropped EXE
        
        PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5822812.exe

Filesize
823KB

MD5
feee9f2381e2084f1f9caa4f3cc156b2

SHA1
6f92da056e833b9a938cb2a89b3b912d9355ffb6

SHA256
d0d3ab21c6c306f10215472bb11a65ef0510d96ad38275937ce433db2be027c4

SHA512
42e340a6aade809a98feda94e753e9cce4f818c2de6de5cbda64f1b2f04c4dfe53a080505e9595e0751963281a3a677ba949512467eae752bdde30aac12c2e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5822812.exe

Filesize
823KB

MD5
feee9f2381e2084f1f9caa4f3cc156b2

SHA1
6f92da056e833b9a938cb2a89b3b912d9355ffb6

SHA256
d0d3ab21c6c306f10215472bb11a65ef0510d96ad38275937ce433db2be027c4

SHA512
42e340a6aade809a98feda94e753e9cce4f818c2de6de5cbda64f1b2f04c4dfe53a080505e9595e0751963281a3a677ba949512467eae752bdde30aac12c2e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4860573.exe

Filesize
597KB

MD5
d0fccbe15a12cddf47a13eaad6c32206

SHA1
489b0d4ab2427585a3c1da1590df57fd6693740b

SHA256
47b9555d8be7da5b15bd83f752433a4182be8134777be6e361c904dd1fe037d2

SHA512
3e0bc2e4ee5fd45dd4c1009ca0de806aa7ce375291747be727e25d49600e3f045bc2bff67c03ef5658bbf399fa2b61c4cfba5b1b6071654be569b24460496b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4860573.exe

Filesize
597KB

MD5
d0fccbe15a12cddf47a13eaad6c32206

SHA1
489b0d4ab2427585a3c1da1590df57fd6693740b

SHA256
47b9555d8be7da5b15bd83f752433a4182be8134777be6e361c904dd1fe037d2

SHA512
3e0bc2e4ee5fd45dd4c1009ca0de806aa7ce375291747be727e25d49600e3f045bc2bff67c03ef5658bbf399fa2b61c4cfba5b1b6071654be569b24460496b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6511964.exe

Filesize
372KB

MD5
19421a856c031bbd401a27ff8ea32723

SHA1
284b5e37e87bd37664a3b9a40086056108050d54

SHA256
a13a0575f2e41598227321875ecf58d4b6a02139ccac883f4e78f09b38217ada

SHA512
915b76f583e81eba546c1478796fa3c973727a194c84ecc547e6472ad82d6aa87fad008ac688e43f64070bbc344034f4d0f207f9bd508ebf9e7947650bf522c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6511964.exe

Filesize
372KB

MD5
19421a856c031bbd401a27ff8ea32723

SHA1
284b5e37e87bd37664a3b9a40086056108050d54

SHA256
a13a0575f2e41598227321875ecf58d4b6a02139ccac883f4e78f09b38217ada

SHA512
915b76f583e81eba546c1478796fa3c973727a194c84ecc547e6472ad82d6aa87fad008ac688e43f64070bbc344034f4d0f207f9bd508ebf9e7947650bf522c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0411629.exe

Filesize
174KB

MD5
2cb20c2cdda2d45480c87abc646650c8

SHA1
465d8675921d33727b12193b541b795246db23c7

SHA256
6393561930f2ba1f2fd2338e054c13d9c3c805a6f1476fe9a0ac805c8509aca3

SHA512
3305abcf2088b86caf38f4b13dcac6cf23d23689a6e5b9f90e692c6384980648ab8663de0de5d9b79601347b8172b0c0e61cb3c59ce6edfa537064d8b2d87ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0411629.exe

Filesize
174KB

MD5
2cb20c2cdda2d45480c87abc646650c8

SHA1
465d8675921d33727b12193b541b795246db23c7

SHA256
6393561930f2ba1f2fd2338e054c13d9c3c805a6f1476fe9a0ac805c8509aca3

SHA512
3305abcf2088b86caf38f4b13dcac6cf23d23689a6e5b9f90e692c6384980648ab8663de0de5d9b79601347b8172b0c0e61cb3c59ce6edfa537064d8b2d87ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0174663.exe

Filesize
216KB

MD5
0a557843bc6e1cfc89339194cb774aba

SHA1
7059b3b0d11b979abc6e07a71334eebbdd45cff4

SHA256
cd92c3c0014c9f7f47152fe84c0e0a33210e9eee8f9d97da43e558eac235ba57

SHA512
2d383f9699e73e1eade189b823764cfe76ec3db56ef07160f1310b55ba9d867712bb5c271c93031b9e53c3376860f22787841d99d04014dfd85c07fe5a6ac7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0174663.exe

Filesize
216KB

MD5
0a557843bc6e1cfc89339194cb774aba

SHA1
7059b3b0d11b979abc6e07a71334eebbdd45cff4

SHA256
cd92c3c0014c9f7f47152fe84c0e0a33210e9eee8f9d97da43e558eac235ba57

SHA512
2d383f9699e73e1eade189b823764cfe76ec3db56ef07160f1310b55ba9d867712bb5c271c93031b9e53c3376860f22787841d99d04014dfd85c07fe5a6ac7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2577469.exe

Filesize
12KB

MD5
8a9361a09fd374eff29367c39e370fd7

SHA1
dd112ee5baba20e5cccc1effd86075642f00b2ef

SHA256
d5db2e6c48054ed72258e305607cb41d45d548e3f0b2f67a114d23064b4587a9

SHA512
a5496e33bb425382f82bc8cda56c6641b1079ed4efb52d77057447f9452c5eacbc5344dd31696c96582d757d92c4c777c23cdcc5d1e0d6619a9a91316c0b6d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2577469.exe

Filesize
12KB

MD5
8a9361a09fd374eff29367c39e370fd7

SHA1
dd112ee5baba20e5cccc1effd86075642f00b2ef

SHA256
d5db2e6c48054ed72258e305607cb41d45d548e3f0b2f67a114d23064b4587a9

SHA512
a5496e33bb425382f82bc8cda56c6641b1079ed4efb52d77057447f9452c5eacbc5344dd31696c96582d757d92c4c777c23cdcc5d1e0d6619a9a91316c0b6d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9877009.exe

Filesize
140KB

MD5
65e865556d1597efb5f1ba6937f47bdd

SHA1
3cb28eb801033d519b2f90bfcbd11b47d353e136

SHA256
3e4c6f4bc452651365c393a4bec64e5e54fb607d5ca327ce23a170beebe64a55

SHA512
cab4d8e3e7cae5611fb275dfcbdb87708b0c1a4788754636ba81404d34e269eb66568d97d841be3f9b6fb0c81d7223429eda80bb3cd538e155656ac0621adfec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9877009.exe

Filesize
140KB

MD5
65e865556d1597efb5f1ba6937f47bdd

SHA1
3cb28eb801033d519b2f90bfcbd11b47d353e136

SHA256
3e4c6f4bc452651365c393a4bec64e5e54fb607d5ca327ce23a170beebe64a55

SHA512
cab4d8e3e7cae5611fb275dfcbdb87708b0c1a4788754636ba81404d34e269eb66568d97d841be3f9b6fb0c81d7223429eda80bb3cd538e155656ac0621adfec

Download Submit
memory/2600-166-0x00000000736E0000-0x0000000073DCE000-memory.dmp

Filesize
6.9MB

Download
memory/2600-165-0x0000000000720000-0x0000000000750000-memory.dmp

Filesize
192KB

Download
memory/2600-167-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/2600-168-0x000000000AB40000-0x000000000B146000-memory.dmp

Filesize
6.0MB

Download
memory/2600-169-0x000000000A680000-0x000000000A78A000-memory.dmp

Filesize
1.0MB

Download
memory/2600-170-0x000000000A5A0000-0x000000000A5B2000-memory.dmp

Filesize
72KB

Download
memory/2600-171-0x000000000A600000-0x000000000A63E000-memory.dmp

Filesize
248KB

Download
memory/2600-172-0x000000000A790000-0x000000000A7DB000-memory.dmp

Filesize
300KB

Download
memory/2600-173-0x00000000736E0000-0x0000000073DCE000-memory.dmp

Filesize
6.9MB

Download
memory/4148-158-0x00007FFF8E9A0000-0x00007FFF8F38C000-memory.dmp

Filesize
9.9MB

Download
memory/4148-156-0x00007FFF8E9A0000-0x00007FFF8F38C000-memory.dmp

Filesize
9.9MB

Download
memory/4148-155-0x0000000000710000-0x000000000071A000-memory.dmp

Filesize
40KB

Download