healer | b84736f6f1507c3aea46c7246c34fb68b3589f5937abb84247d345699bfa57bd

Analysis

max time kernel
147s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2023, 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b84736f6f1507c3aea46c7246c34fb68b3589f5937abb84247d345699bfa57bd.exe
Size

929KB
MD5

143a69d9d019811ddca1e58ec9805ff0
SHA1

0150e77ab6d2a4ac5c034134bade02798b9be9a2
SHA256

b84736f6f1507c3aea46c7246c34fb68b3589f5937abb84247d345699bfa57bd
SHA512

115fe2dbea8cdb33edf0bfecd2fd6b7df84a0ea113228f6af9dede24cf89851b0bcffb944216318426bac55915bf7490465e304b98b73467b61c8a183beff67a
SSDEEP

12288:EMrwy902F02v4e7c1C7EpCORXF3Z8/ZTrmEVC+g+oOyYnb880rByoCCq+5tOL:UyBbv4p12RakRTrzVhtXLIBBq+5W

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000002312e-166.dat	healer
behavioral1/files/0x000800000002312e-167.dat	healer
behavioral1/memory/2504-168-0x0000000000760000-0x000000000076A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q4059075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q4059075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q4059075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q4059075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q4059075.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q4059075.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2328	z6559069.exe
408	z1328712.exe
1492	z2719964.exe
5020	z4543014.exe
2504	q4059075.exe
1136	r3951249.exe
1980	s2081227.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q4059075.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6559069.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1328712.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2719964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4543014.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b84736f6f1507c3aea46c7246c34fb68b3589f5937abb84247d345699bfa57bd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2504	q4059075.exe
2504	q4059075.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	q4059075.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2328	2852	b84736f6f1507c3aea46c7246c34fb68b3589f5937abb84247d345699bfa57bd.exe	81
PID 2852 wrote to memory of 2328	2852	b84736f6f1507c3aea46c7246c34fb68b3589f5937abb84247d345699bfa57bd.exe	81
PID 2852 wrote to memory of 2328	2852	b84736f6f1507c3aea46c7246c34fb68b3589f5937abb84247d345699bfa57bd.exe	81
PID 2328 wrote to memory of 408	2328	z6559069.exe	82
PID 2328 wrote to memory of 408	2328	z6559069.exe	82
PID 2328 wrote to memory of 408	2328	z6559069.exe	82
PID 408 wrote to memory of 1492	408	z1328712.exe	83
PID 408 wrote to memory of 1492	408	z1328712.exe	83
PID 408 wrote to memory of 1492	408	z1328712.exe	83
PID 1492 wrote to memory of 5020	1492	z2719964.exe	84
PID 1492 wrote to memory of 5020	1492	z2719964.exe	84
PID 1492 wrote to memory of 5020	1492	z2719964.exe	84
PID 5020 wrote to memory of 2504	5020	z4543014.exe	85
PID 5020 wrote to memory of 2504	5020	z4543014.exe	85
PID 5020 wrote to memory of 1136	5020	z4543014.exe	92
PID 5020 wrote to memory of 1136	5020	z4543014.exe	92
PID 5020 wrote to memory of 1136	5020	z4543014.exe	92
PID 1492 wrote to memory of 1980	1492	z2719964.exe	95
PID 1492 wrote to memory of 1980	1492	z2719964.exe	95
PID 1492 wrote to memory of 1980	1492	z2719964.exe	95

C:\Users\Admin\AppData\Local\Temp\b84736f6f1507c3aea46c7246c34fb68b3589f5937abb84247d345699bfa57bd.exe
"C:\Users\Admin\AppData\Local\Temp\b84736f6f1507c3aea46c7246c34fb68b3589f5937abb84247d345699bfa57bd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6559069.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6559069.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1328712.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1328712.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2719964.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2719964.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1492
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4543014.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4543014.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5020
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4059075.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4059075.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3951249.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3951249.exe
        6⤵
        Executes dropped EXE
        
        PID:1136
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2081227.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2081227.exe
        5⤵
        Executes dropped EXE
        
        PID:1980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6559069.exe

Filesize
823KB

MD5
f85ca0d83a133213e1ebf0a647c87998

SHA1
70941e6807e6dc62c408ae75835ab9bb85f9dfbf

SHA256
336bfba73109ff37e60e06efa1908757609551b8b17d503e91bf49401ecd26f1

SHA512
7c51facbc3979f39a67ee93ae3748126f1d7aebbb2abeddb4b7b3cbaa42b4e03026c95d36b93cb6e9f321588c837bb5eee8a62c313b2be7af21dadf56c410a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6559069.exe

Filesize
823KB

MD5
f85ca0d83a133213e1ebf0a647c87998

SHA1
70941e6807e6dc62c408ae75835ab9bb85f9dfbf

SHA256
336bfba73109ff37e60e06efa1908757609551b8b17d503e91bf49401ecd26f1

SHA512
7c51facbc3979f39a67ee93ae3748126f1d7aebbb2abeddb4b7b3cbaa42b4e03026c95d36b93cb6e9f321588c837bb5eee8a62c313b2be7af21dadf56c410a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1328712.exe

Filesize
598KB

MD5
74b0c0353208094ad493d99a511ebb85

SHA1
46aa6759a60bc639c366b600997825307418240b

SHA256
349f4d009e64bd5581e08d7aaab61a8daa00b0e9dc0ee3d8e84c080642c8f198

SHA512
fb6c6f455c0c704801432e8a2fca08735169253b2ceb0ece457c350ced29f8ff496bd69f6145eeccee43c1cc7e39759d79f15d287c5c2eda4de37e9de00ebbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1328712.exe

Filesize
598KB

MD5
74b0c0353208094ad493d99a511ebb85

SHA1
46aa6759a60bc639c366b600997825307418240b

SHA256
349f4d009e64bd5581e08d7aaab61a8daa00b0e9dc0ee3d8e84c080642c8f198

SHA512
fb6c6f455c0c704801432e8a2fca08735169253b2ceb0ece457c350ced29f8ff496bd69f6145eeccee43c1cc7e39759d79f15d287c5c2eda4de37e9de00ebbb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2719964.exe

Filesize
372KB

MD5
6636ae15bd9b639804be0374a169b437

SHA1
a25939721b1c06421da553de738f0c1fc1d87aa1

SHA256
8586406e4a56809b347138251b1d8a7389894509893eb60359fecd57b4c6a416

SHA512
f6b3114d770a706cd4b8c6efbd711bb40ff7b132fe16b4eec364400bbb83d50b9c639bcbf680ca939ddbba440204a3c2ad661a35c1a8f6bffb4231eb725253c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2719964.exe

Filesize
372KB

MD5
6636ae15bd9b639804be0374a169b437

SHA1
a25939721b1c06421da553de738f0c1fc1d87aa1

SHA256
8586406e4a56809b347138251b1d8a7389894509893eb60359fecd57b4c6a416

SHA512
f6b3114d770a706cd4b8c6efbd711bb40ff7b132fe16b4eec364400bbb83d50b9c639bcbf680ca939ddbba440204a3c2ad661a35c1a8f6bffb4231eb725253c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2081227.exe

Filesize
174KB

MD5
fa1808a5f8a0a4c5adf850ad21bced89

SHA1
d7bacad84423a8d18a072dc5b38b6671cabce425

SHA256
d5732710348bb3365a77a7f561f7854b951eb4c59142c381c335244b29cfe282

SHA512
8b3c45dee554bfab30ee23eecb3ad15f8893b8f435795cbc57bbfd0e3ca3eadc9c0e57754fab041911a38fe575bcc9252f7d33067b18ffeacec5b7e63455cb1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2081227.exe

Filesize
174KB

MD5
fa1808a5f8a0a4c5adf850ad21bced89

SHA1
d7bacad84423a8d18a072dc5b38b6671cabce425

SHA256
d5732710348bb3365a77a7f561f7854b951eb4c59142c381c335244b29cfe282

SHA512
8b3c45dee554bfab30ee23eecb3ad15f8893b8f435795cbc57bbfd0e3ca3eadc9c0e57754fab041911a38fe575bcc9252f7d33067b18ffeacec5b7e63455cb1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4543014.exe

Filesize
216KB

MD5
59a4af1baca6f66645e60e327d25e797

SHA1
e7ca3d178158167347806725c6e414698f18843d

SHA256
cc1a7c81189171d4757aa2d6b9730afb6140bcbc28d9e48376ede325d2c1bb66

SHA512
85bd941866cafe0a0c6a5d50ede17c2be7da2ee0eebe1785a4b8f6b174d85be5383b18e83372d58e64bed8bd7bec9e6c32b1715b4ba32072e018985dda999b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4543014.exe

Filesize
216KB

MD5
59a4af1baca6f66645e60e327d25e797

SHA1
e7ca3d178158167347806725c6e414698f18843d

SHA256
cc1a7c81189171d4757aa2d6b9730afb6140bcbc28d9e48376ede325d2c1bb66

SHA512
85bd941866cafe0a0c6a5d50ede17c2be7da2ee0eebe1785a4b8f6b174d85be5383b18e83372d58e64bed8bd7bec9e6c32b1715b4ba32072e018985dda999b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4059075.exe

Filesize
12KB

MD5
d992a50d35503669deab5e78c9c0cfbc

SHA1
34c5b257cf937569e876a8173332d109902f5c7a

SHA256
3215011960b66d9fd7c955dd8b208ec06ed32ad2563dc1d1fa7e1bc47d5dd21e

SHA512
032b68585f93efc15af0ef2a9a09b5757294ee1521406b89f901bc9f4fe7092ebf1ff369a72236aca468a71438686d3a2fd1f851d0d750d458af83e0c87bb2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4059075.exe

Filesize
12KB

MD5
d992a50d35503669deab5e78c9c0cfbc

SHA1
34c5b257cf937569e876a8173332d109902f5c7a

SHA256
3215011960b66d9fd7c955dd8b208ec06ed32ad2563dc1d1fa7e1bc47d5dd21e

SHA512
032b68585f93efc15af0ef2a9a09b5757294ee1521406b89f901bc9f4fe7092ebf1ff369a72236aca468a71438686d3a2fd1f851d0d750d458af83e0c87bb2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3951249.exe

Filesize
140KB

MD5
0f16150e9c3e63931f9e1132d0ef8c8b

SHA1
226aaab497343491041e9575722f902f6d274b41

SHA256
b23edfab45671cda60fd6ad57b11760d8c690e4285774c56d78726475b34870c

SHA512
45c95c2ffeb34b978b30d740048a3e08cb9e2235f91f260d2f6e56d62a8ea8bad87101c5c056187467685783a183bd36142e48ea21c781316c5fc6e84dfdf667

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3951249.exe

Filesize
140KB

MD5
0f16150e9c3e63931f9e1132d0ef8c8b

SHA1
226aaab497343491041e9575722f902f6d274b41

SHA256
b23edfab45671cda60fd6ad57b11760d8c690e4285774c56d78726475b34870c

SHA512
45c95c2ffeb34b978b30d740048a3e08cb9e2235f91f260d2f6e56d62a8ea8bad87101c5c056187467685783a183bd36142e48ea21c781316c5fc6e84dfdf667

Download Submit
memory/1980-179-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1980-178-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download
memory/1980-180-0x000000000A640000-0x000000000AC58000-memory.dmp

Filesize
6.1MB

Download
memory/1980-181-0x000000000A180000-0x000000000A28A000-memory.dmp

Filesize
1.0MB

Download
memory/1980-182-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/1980-183-0x000000000A0C0000-0x000000000A0D2000-memory.dmp

Filesize
72KB

Download
memory/1980-184-0x000000000A120000-0x000000000A15C000-memory.dmp

Filesize
240KB

Download
memory/1980-185-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1980-186-0x0000000004B10000-0x0000000004B20000-memory.dmp

Filesize
64KB

Download
memory/2504-171-0x00007FF934EE0000-0x00007FF9359A1000-memory.dmp

Filesize
10.8MB

Download
memory/2504-169-0x00007FF934EE0000-0x00007FF9359A1000-memory.dmp

Filesize
10.8MB

Download
memory/2504-168-0x0000000000760000-0x000000000076A000-memory.dmp

Filesize
40KB

Download