healer | 74cee82f3d2163f8fc1e228f864e2e924cc859db7a1e6db38e1da05bc897ab8f

Analysis

max time kernel
147s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
23/08/2023, 01:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74cee82f3d2163f8fc1e228f864e2e924cc859db7a1e6db38e1da05bc897ab8f.exe
Size

827KB
MD5

e03313b6dd67545300ab06cfed60a9a6
SHA1

c201612922e62240e0509db58ffa9ebc3c0962b5
SHA256

74cee82f3d2163f8fc1e228f864e2e924cc859db7a1e6db38e1da05bc897ab8f
SHA512

dd3110a82eb202906077ae9b7ac8a73978de73ad6c0689cc2994b058efe9b0b47cde385459ad7b23e48c0733d1dd674a2d602c09691ad1f3c81ea66e13119776
SSDEEP

12288:BMrfy90qF6l59wIa/2owh9u0pTaly844n2YpToGdiLitTN6WMq5idjRFS8j:2yxFxR2V9uQu4cn28TRiyEhDZ

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afd6-150.dat	healer
behavioral1/files/0x000700000001afd6-151.dat	healer
behavioral1/memory/608-152-0x0000000000BE0000-0x0000000000BEA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1075684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1075684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1075684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1075684.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1075684.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4536	v0938668.exe
3932	v9930550.exe
3112	v4467092.exe
3052	v1302080.exe
608	a1075684.exe
2460	b7679275.exe
2280	c3873798.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1075684.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	74cee82f3d2163f8fc1e228f864e2e924cc859db7a1e6db38e1da05bc897ab8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0938668.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9930550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4467092.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1302080.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
608	a1075684.exe
608	a1075684.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	608	a1075684.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4536	4956	74cee82f3d2163f8fc1e228f864e2e924cc859db7a1e6db38e1da05bc897ab8f.exe	70
PID 4956 wrote to memory of 4536	4956	74cee82f3d2163f8fc1e228f864e2e924cc859db7a1e6db38e1da05bc897ab8f.exe	70
PID 4956 wrote to memory of 4536	4956	74cee82f3d2163f8fc1e228f864e2e924cc859db7a1e6db38e1da05bc897ab8f.exe	70
PID 4536 wrote to memory of 3932	4536	v0938668.exe	71
PID 4536 wrote to memory of 3932	4536	v0938668.exe	71
PID 4536 wrote to memory of 3932	4536	v0938668.exe	71
PID 3932 wrote to memory of 3112	3932	v9930550.exe	72
PID 3932 wrote to memory of 3112	3932	v9930550.exe	72
PID 3932 wrote to memory of 3112	3932	v9930550.exe	72
PID 3112 wrote to memory of 3052	3112	v4467092.exe	73
PID 3112 wrote to memory of 3052	3112	v4467092.exe	73
PID 3112 wrote to memory of 3052	3112	v4467092.exe	73
PID 3052 wrote to memory of 608	3052	v1302080.exe	74
PID 3052 wrote to memory of 608	3052	v1302080.exe	74
PID 3052 wrote to memory of 2460	3052	v1302080.exe	75
PID 3052 wrote to memory of 2460	3052	v1302080.exe	75
PID 3052 wrote to memory of 2460	3052	v1302080.exe	75
PID 3112 wrote to memory of 2280	3112	v4467092.exe	76
PID 3112 wrote to memory of 2280	3112	v4467092.exe	76
PID 3112 wrote to memory of 2280	3112	v4467092.exe	76

C:\Users\Admin\AppData\Local\Temp\74cee82f3d2163f8fc1e228f864e2e924cc859db7a1e6db38e1da05bc897ab8f.exe
"C:\Users\Admin\AppData\Local\Temp\74cee82f3d2163f8fc1e228f864e2e924cc859db7a1e6db38e1da05bc897ab8f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0938668.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0938668.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9930550.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9930550.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4467092.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4467092.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1302080.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1302080.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3052
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1075684.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1075684.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7679275.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7679275.exe
        6⤵
        Executes dropped EXE
        
        PID:2460
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3873798.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3873798.exe
        5⤵
        Executes dropped EXE
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0938668.exe

Filesize
723KB

MD5
048bd02a98d23c1806f7ac03d7fe8a7e

SHA1
4132dfc52b16c1c2539b1c7895baf5fdd0cbfc57

SHA256
58528bf9f834780cc2832dc3c617072811140c56a7abde7b750e9dcd714bc64d

SHA512
e85bfd225212364c123e3db3aed406553a3f08e7c4c55f879f452701cabbc1592ee4796a80f074ed86314920e470ba87683b4170f4809772b4f2799cc46577c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0938668.exe

Filesize
723KB

MD5
048bd02a98d23c1806f7ac03d7fe8a7e

SHA1
4132dfc52b16c1c2539b1c7895baf5fdd0cbfc57

SHA256
58528bf9f834780cc2832dc3c617072811140c56a7abde7b750e9dcd714bc64d

SHA512
e85bfd225212364c123e3db3aed406553a3f08e7c4c55f879f452701cabbc1592ee4796a80f074ed86314920e470ba87683b4170f4809772b4f2799cc46577c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9930550.exe

Filesize
497KB

MD5
6fb2e6507d6a2aa362109debfb21ba1f

SHA1
0c375607652ec437a3c5daba403c0af3601117bd

SHA256
9c043c4a369cd5ae64a22ea3bcb6510f5397b703ec7243741fa02ce749c88696

SHA512
10d98b26bbb6cc4c16619e499da491eb14cf0209c8ea2b9dca6e32b909859738362fa8e899be1bea57705ba68d0550dd6ee2ebfa690bb742d88fdadd2d0bc89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9930550.exe

Filesize
497KB

MD5
6fb2e6507d6a2aa362109debfb21ba1f

SHA1
0c375607652ec437a3c5daba403c0af3601117bd

SHA256
9c043c4a369cd5ae64a22ea3bcb6510f5397b703ec7243741fa02ce749c88696

SHA512
10d98b26bbb6cc4c16619e499da491eb14cf0209c8ea2b9dca6e32b909859738362fa8e899be1bea57705ba68d0550dd6ee2ebfa690bb742d88fdadd2d0bc89d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4467092.exe

Filesize
373KB

MD5
b5a4d415c256824bfb9d333a4f44db77

SHA1
3790ce4fe34af8ac1d3970084ea9fa6fc34c6791

SHA256
703b3f157af153f0002aeb200c5510a07017a64dd00fbe6d5d389987c4178e3c

SHA512
761eb77237c92344e3e49ceef8151a8e766a1acf0e245ee525cf9333b00872803b8839cc9fd44daad26351b6ee6bd047def995978889e9e54ddbe202e31d856d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4467092.exe

Filesize
373KB

MD5
b5a4d415c256824bfb9d333a4f44db77

SHA1
3790ce4fe34af8ac1d3970084ea9fa6fc34c6791

SHA256
703b3f157af153f0002aeb200c5510a07017a64dd00fbe6d5d389987c4178e3c

SHA512
761eb77237c92344e3e49ceef8151a8e766a1acf0e245ee525cf9333b00872803b8839cc9fd44daad26351b6ee6bd047def995978889e9e54ddbe202e31d856d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3873798.exe

Filesize
174KB

MD5
9eaf9b9995397c031c79805404d8352e

SHA1
0bde7c6be2ff921f6fe2f5f145af55d27b844fe7

SHA256
aea1a7d88b9255d91f6fdb915125e53a51c5400acce3fb7831ad8ad8f4a56efa

SHA512
d9845f14820d24e7062233f920a92310b2130152850bb34ae2941fc9627f2e21095ef1d54f256f92ea73491712a7d2139fe63e886679d2a0b8415203b5ab5e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3873798.exe

Filesize
174KB

MD5
9eaf9b9995397c031c79805404d8352e

SHA1
0bde7c6be2ff921f6fe2f5f145af55d27b844fe7

SHA256
aea1a7d88b9255d91f6fdb915125e53a51c5400acce3fb7831ad8ad8f4a56efa

SHA512
d9845f14820d24e7062233f920a92310b2130152850bb34ae2941fc9627f2e21095ef1d54f256f92ea73491712a7d2139fe63e886679d2a0b8415203b5ab5e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1302080.exe

Filesize
217KB

MD5
6597531c5674578d78797b33f4b2877c

SHA1
f136ead4a50ce6b2cdb1f5521ca567712ba5ce44

SHA256
4e606c935bc1a7b47100ef915f4693e42f7629f35e7f186cc42535b9b93cfa9a

SHA512
11dee71be88fe2b9c7bcafbe18727bb2f71dc537f41994a27b6b80a8587fd49f710b7a588d442256ced82eda9b9f44df043dfa9b4e52b0470595602af37f38cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1302080.exe

Filesize
217KB

MD5
6597531c5674578d78797b33f4b2877c

SHA1
f136ead4a50ce6b2cdb1f5521ca567712ba5ce44

SHA256
4e606c935bc1a7b47100ef915f4693e42f7629f35e7f186cc42535b9b93cfa9a

SHA512
11dee71be88fe2b9c7bcafbe18727bb2f71dc537f41994a27b6b80a8587fd49f710b7a588d442256ced82eda9b9f44df043dfa9b4e52b0470595602af37f38cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1075684.exe

Filesize
12KB

MD5
d1672f7dfb8b99243e5d4fb20bbf313c

SHA1
b40f35a0b916c0ea8cf47d676da633005c66e105

SHA256
1ab322363956bdc4fe08c1a4f56308a4c306ea20cac129bc281fd2c1ac2cddb6

SHA512
196fe3b2d76dfc882ed87ae0be11d5db80b1ac98217243f28dc35a21096555e0382e9df93fb347821d560f171d5feb9cae0c160ef79cca98122981ab6f736911

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1075684.exe

Filesize
12KB

MD5
d1672f7dfb8b99243e5d4fb20bbf313c

SHA1
b40f35a0b916c0ea8cf47d676da633005c66e105

SHA256
1ab322363956bdc4fe08c1a4f56308a4c306ea20cac129bc281fd2c1ac2cddb6

SHA512
196fe3b2d76dfc882ed87ae0be11d5db80b1ac98217243f28dc35a21096555e0382e9df93fb347821d560f171d5feb9cae0c160ef79cca98122981ab6f736911

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7679275.exe

Filesize
140KB

MD5
c3dec4bcbc4da30e52ccc8d999ba0ced

SHA1
1be6f077bf22c8d1185df1bafcd47db1f557bb57

SHA256
8a41a91d449f06dcbd521e9dac9952e1aab4f1c74e52c65dc9436282d3bf17fc

SHA512
1d08667b51edf20df39d5ad3e29901d7d61998be07ddbfb8247839d328b2f8e28cbc9f4d1d1401cc2082f32349247bc4eadf5226c254a3284fe7d4d961bc8702

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7679275.exe

Filesize
140KB

MD5
c3dec4bcbc4da30e52ccc8d999ba0ced

SHA1
1be6f077bf22c8d1185df1bafcd47db1f557bb57

SHA256
8a41a91d449f06dcbd521e9dac9952e1aab4f1c74e52c65dc9436282d3bf17fc

SHA512
1d08667b51edf20df39d5ad3e29901d7d61998be07ddbfb8247839d328b2f8e28cbc9f4d1d1401cc2082f32349247bc4eadf5226c254a3284fe7d4d961bc8702

Download Submit
memory/608-155-0x00007FFCB18E0000-0x00007FFCB22CC000-memory.dmp

Filesize
9.9MB

Download
memory/608-153-0x00007FFCB18E0000-0x00007FFCB22CC000-memory.dmp

Filesize
9.9MB

Download
memory/608-152-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

Filesize
40KB

Download
memory/2280-162-0x00000000009F0000-0x0000000000A20000-memory.dmp

Filesize
192KB

Download
memory/2280-163-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2280-164-0x00000000051B0000-0x00000000051B6000-memory.dmp

Filesize
24KB

Download
memory/2280-165-0x000000000ACE0000-0x000000000B2E6000-memory.dmp

Filesize
6.0MB

Download
memory/2280-166-0x000000000A800000-0x000000000A90A000-memory.dmp

Filesize
1.0MB

Download
memory/2280-167-0x000000000A730000-0x000000000A742000-memory.dmp

Filesize
72KB

Download
memory/2280-168-0x000000000A790000-0x000000000A7CE000-memory.dmp

Filesize
248KB

Download
memory/2280-169-0x000000000A910000-0x000000000A95B000-memory.dmp

Filesize
300KB

Download
memory/2280-170-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download