healer | 3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6

Analysis

max time kernel
145s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
22/08/2023, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe
Size

828KB
MD5

dc2aefdbe2b21a6d7865b8f438871f33
SHA1

8e005f2c7a8a855f83cf6c1c35bace96e36292d0
SHA256

3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6
SHA512

a78f22eebb96bd3ebaf53c9d3dc2a16bf7ea0875ed9f1d8ce8bf899404fd80540094917e31887af544cd4e61084b6373b86984c7cb20a4c23f944498a324116d
SSDEEP

24576:2ypwS3F9IJIdrc+B5mzm31HrfKDwbjUn:Fh3XImcum6lZbj

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af65-153.dat	healer
behavioral1/files/0x000700000001af65-154.dat	healer
behavioral1/memory/3776-155-0x00000000008A0000-0x00000000008AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6451350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6451350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6451350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6451350.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6451350.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3684	v3203667.exe
4904	v5968010.exe
516	v3545529.exe
3780	v4580221.exe
3776	a6451350.exe
2736	b7690303.exe
4316	c6237853.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6451350.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3203667.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5968010.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3545529.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4580221.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3776	a6451350.exe
3776	a6451350.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3776	a6451350.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 3684	4368	3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe	69
PID 4368 wrote to memory of 3684	4368	3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe	69
PID 4368 wrote to memory of 3684	4368	3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe	69
PID 3684 wrote to memory of 4904	3684	v3203667.exe	70
PID 3684 wrote to memory of 4904	3684	v3203667.exe	70
PID 3684 wrote to memory of 4904	3684	v3203667.exe	70
PID 4904 wrote to memory of 516	4904	v5968010.exe	71
PID 4904 wrote to memory of 516	4904	v5968010.exe	71
PID 4904 wrote to memory of 516	4904	v5968010.exe	71
PID 516 wrote to memory of 3780	516	v3545529.exe	72
PID 516 wrote to memory of 3780	516	v3545529.exe	72
PID 516 wrote to memory of 3780	516	v3545529.exe	72
PID 3780 wrote to memory of 3776	3780	v4580221.exe	73
PID 3780 wrote to memory of 3776	3780	v4580221.exe	73
PID 3780 wrote to memory of 2736	3780	v4580221.exe	74
PID 3780 wrote to memory of 2736	3780	v4580221.exe	74
PID 3780 wrote to memory of 2736	3780	v4580221.exe	74
PID 516 wrote to memory of 4316	516	v3545529.exe	75
PID 516 wrote to memory of 4316	516	v3545529.exe	75
PID 516 wrote to memory of 4316	516	v3545529.exe	75

C:\Users\Admin\AppData\Local\Temp\3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe
"C:\Users\Admin\AppData\Local\Temp\3e0b7cd292d5a715f078301281db4e0af93c845bcd016c8b89604997424a4ca6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3203667.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3203667.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5968010.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5968010.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3545529.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3545529.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:516
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4580221.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4580221.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6451350.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6451350.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7690303.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7690303.exe
        6⤵
        Executes dropped EXE
        
        PID:2736
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6237853.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6237853.exe
        5⤵
        Executes dropped EXE
        
        PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3203667.exe

Filesize
722KB

MD5
4b352ddd3cfc630029d52956954ad7bb

SHA1
dc04bb1d8e647dd34ef917fa448164bfb6f4fd2e

SHA256
93d5a617c17cc2ea72707073c5c8c9cda065f54ba2c1f72a3c20be584b114d67

SHA512
8b4b824ccd520e497c8f7af5d7736cdf085db42e8e84e4a6c6b9391fca8763e4975a8a6dae078f933dafae91ac31ce24701d88c0c17eb4b97d0dd27add31336a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3203667.exe

Filesize
722KB

MD5
4b352ddd3cfc630029d52956954ad7bb

SHA1
dc04bb1d8e647dd34ef917fa448164bfb6f4fd2e

SHA256
93d5a617c17cc2ea72707073c5c8c9cda065f54ba2c1f72a3c20be584b114d67

SHA512
8b4b824ccd520e497c8f7af5d7736cdf085db42e8e84e4a6c6b9391fca8763e4975a8a6dae078f933dafae91ac31ce24701d88c0c17eb4b97d0dd27add31336a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5968010.exe

Filesize
496KB

MD5
ccbe078ae292c78ab38241d311c522ba

SHA1
2017bfd168ee8a22c409e330265bb4b8cb3d0b51

SHA256
b4aa14d3c19406c5db1599b1b921fe1eec693d159bc69981ee48f5b729fdb2d0

SHA512
488fe7024b99d6f15e5b703a8d0d103ff3543f1abcb8bdc425a0872dcc56762cf05671c1c2a03904651ff573aff1c7d73b0486e0ce534508ece5da539f53f369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5968010.exe

Filesize
496KB

MD5
ccbe078ae292c78ab38241d311c522ba

SHA1
2017bfd168ee8a22c409e330265bb4b8cb3d0b51

SHA256
b4aa14d3c19406c5db1599b1b921fe1eec693d159bc69981ee48f5b729fdb2d0

SHA512
488fe7024b99d6f15e5b703a8d0d103ff3543f1abcb8bdc425a0872dcc56762cf05671c1c2a03904651ff573aff1c7d73b0486e0ce534508ece5da539f53f369

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3545529.exe

Filesize
372KB

MD5
9c37ea924bb3980f94e4523d22d06da1

SHA1
c3276b7117542f5d3bf1411a5b20979b5a85f9ba

SHA256
6e73c4c80e6ac81bdc4e74492a7a4985f6b716f158327f0bb1f7ae3b9e029768

SHA512
04f498aff6c09d471a4ea6911a92bea6b3d647925d483cf3f1cae624ad2a38aae12fa85ab149e989c4aa50be9f4d9ea4833f26550fa93b953d794dc9a7c847de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3545529.exe

Filesize
372KB

MD5
9c37ea924bb3980f94e4523d22d06da1

SHA1
c3276b7117542f5d3bf1411a5b20979b5a85f9ba

SHA256
6e73c4c80e6ac81bdc4e74492a7a4985f6b716f158327f0bb1f7ae3b9e029768

SHA512
04f498aff6c09d471a4ea6911a92bea6b3d647925d483cf3f1cae624ad2a38aae12fa85ab149e989c4aa50be9f4d9ea4833f26550fa93b953d794dc9a7c847de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6237853.exe

Filesize
174KB

MD5
cd629b653f39093f7c2bed971c291e2c

SHA1
9c326b5cecd52176d66face605b935332ade3065

SHA256
489529f24c7cd84ed4688d7f63811e0c027597d71ecf1697cd9ced51bc22abca

SHA512
5b1779aca51efce9853d2738b2c3965bea6c1cbaf8650745ac13fbdafdc41a0af186e6d02129ce4d3cdacdbf7395512cd3e7dfc6ff191150f7fa2618b736f59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6237853.exe

Filesize
174KB

MD5
cd629b653f39093f7c2bed971c291e2c

SHA1
9c326b5cecd52176d66face605b935332ade3065

SHA256
489529f24c7cd84ed4688d7f63811e0c027597d71ecf1697cd9ced51bc22abca

SHA512
5b1779aca51efce9853d2738b2c3965bea6c1cbaf8650745ac13fbdafdc41a0af186e6d02129ce4d3cdacdbf7395512cd3e7dfc6ff191150f7fa2618b736f59e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4580221.exe

Filesize
216KB

MD5
cdff6fc9721e00fc4afdfe1077850518

SHA1
6af317fdae3eb7dc466527c0182e86174a6a6dac

SHA256
329f989a8568209716c8d0fa690850744ae67835b813a7a396e1b031f3806e65

SHA512
d9e02eedc11372f8b91644a7c5e53f28d926ee9c400f8521fe1759e53718cbe3f23dee093aab2edb0b12e8105b681414bf92b7d5edd8da59af96494ed71520fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4580221.exe

Filesize
216KB

MD5
cdff6fc9721e00fc4afdfe1077850518

SHA1
6af317fdae3eb7dc466527c0182e86174a6a6dac

SHA256
329f989a8568209716c8d0fa690850744ae67835b813a7a396e1b031f3806e65

SHA512
d9e02eedc11372f8b91644a7c5e53f28d926ee9c400f8521fe1759e53718cbe3f23dee093aab2edb0b12e8105b681414bf92b7d5edd8da59af96494ed71520fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6451350.exe

Filesize
12KB

MD5
6b891ea43a97cd5a36f75e6858f68561

SHA1
7812ef9c3fcd666236a6c61c5ce4fc629afa3837

SHA256
5cb3320fd689b5bdc905614c6672124ad1986f0c9d6c3c40c5c80f126d0b92fa

SHA512
095cf08967416175fa62dd3e4c1dc465166ec170e073d9be12a84509b2ef04b6d7083c464bae81d3725e7ffefcc7be6f012a78c9ef63e73189fa3dd9625760c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6451350.exe

Filesize
12KB

MD5
6b891ea43a97cd5a36f75e6858f68561

SHA1
7812ef9c3fcd666236a6c61c5ce4fc629afa3837

SHA256
5cb3320fd689b5bdc905614c6672124ad1986f0c9d6c3c40c5c80f126d0b92fa

SHA512
095cf08967416175fa62dd3e4c1dc465166ec170e073d9be12a84509b2ef04b6d7083c464bae81d3725e7ffefcc7be6f012a78c9ef63e73189fa3dd9625760c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7690303.exe

Filesize
140KB

MD5
c325cddef9e62d653aa704678b44c9c6

SHA1
ce36cfdd7a8757bb19a4d30bae2b30cb90ba5fd6

SHA256
3bf4b02e7c649562af535e9978f4560cf3b4d1fb88ab4eda78dbe733bf9abacd

SHA512
e3b1c1c54497df14223883514457aa48ece921155bd968cf8dedc4b23aa13e0eb3ed3c0155276e9daa044aaf0f8cab5fc1ce44f9f85641793e79ccec8d516d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7690303.exe

Filesize
140KB

MD5
c325cddef9e62d653aa704678b44c9c6

SHA1
ce36cfdd7a8757bb19a4d30bae2b30cb90ba5fd6

SHA256
3bf4b02e7c649562af535e9978f4560cf3b4d1fb88ab4eda78dbe733bf9abacd

SHA512
e3b1c1c54497df14223883514457aa48ece921155bd968cf8dedc4b23aa13e0eb3ed3c0155276e9daa044aaf0f8cab5fc1ce44f9f85641793e79ccec8d516d23

Download Submit
memory/3776-158-0x00007FFCF65B0000-0x00007FFCF6F9C000-memory.dmp

Filesize
9.9MB

Download
memory/3776-156-0x00007FFCF65B0000-0x00007FFCF6F9C000-memory.dmp

Filesize
9.9MB

Download
memory/3776-155-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/4316-165-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/4316-166-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download
memory/4316-167-0x0000000002960000-0x0000000002966000-memory.dmp

Filesize
24KB

Download
memory/4316-168-0x000000000AA90000-0x000000000B096000-memory.dmp

Filesize
6.0MB

Download
memory/4316-169-0x000000000A620000-0x000000000A72A000-memory.dmp

Filesize
1.0MB

Download
memory/4316-170-0x000000000A550000-0x000000000A562000-memory.dmp

Filesize
72KB

Download
memory/4316-171-0x000000000A5B0000-0x000000000A5EE000-memory.dmp

Filesize
248KB

Download
memory/4316-172-0x000000000A730000-0x000000000A77B000-memory.dmp

Filesize
300KB

Download
memory/4316-173-0x0000000073870000-0x0000000073F5E000-memory.dmp

Filesize
6.9MB

Download