healer | 5ba444d0a079d37f5eeff4c25871fa8e2f71dc3e5fe866822f072b574297ecbc

Analysis

max time kernel
276s
max time network
291s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
23/08/2023, 03:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

o7130896.exe
Size

928KB
MD5

17d04870919745d700f123ef6ed04e3b
SHA1

8a1338c7258e69fed04191c738bec1aa49a92758
SHA256

5ba444d0a079d37f5eeff4c25871fa8e2f71dc3e5fe866822f072b574297ecbc
SHA512

13caa905855553b239c305874bb589e017c5ae2acb5b17f7d6bcdc7a1857727b3b60d4d9bdbffe9e1d015d77f574252ae0509c0d7a90bda6ca3224806b549fd6
SSDEEP

24576:qyUTPvCve+dTh+zeL4DkvcJOWGDSwOPw850tlXW:xYCm2TI6cDkvcJoDSwOPwJlX

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000001b035-155.dat	healer
behavioral2/files/0x000700000001b035-156.dat	healer
behavioral2/memory/2380-157-0x0000000000730000-0x000000000073A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q0302117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q0302117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q0302117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q0302117.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q0302117.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1560	z6106149.exe
5056	z5270231.exe
4844	z6351101.exe
4520	z4982998.exe
2380	q0302117.exe
4816	r2815646.exe
1420	s7666749.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q0302117.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	o7130896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6106149.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5270231.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z6351101.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4982998.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2380	q0302117.exe
2380	q0302117.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	q0302117.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 1560	4500	o7130896.exe	70
PID 4500 wrote to memory of 1560	4500	o7130896.exe	70
PID 4500 wrote to memory of 1560	4500	o7130896.exe	70
PID 1560 wrote to memory of 5056	1560	z6106149.exe	71
PID 1560 wrote to memory of 5056	1560	z6106149.exe	71
PID 1560 wrote to memory of 5056	1560	z6106149.exe	71
PID 5056 wrote to memory of 4844	5056	z5270231.exe	72
PID 5056 wrote to memory of 4844	5056	z5270231.exe	72
PID 5056 wrote to memory of 4844	5056	z5270231.exe	72
PID 4844 wrote to memory of 4520	4844	z6351101.exe	73
PID 4844 wrote to memory of 4520	4844	z6351101.exe	73
PID 4844 wrote to memory of 4520	4844	z6351101.exe	73
PID 4520 wrote to memory of 2380	4520	z4982998.exe	74
PID 4520 wrote to memory of 2380	4520	z4982998.exe	74
PID 4520 wrote to memory of 4816	4520	z4982998.exe	75
PID 4520 wrote to memory of 4816	4520	z4982998.exe	75
PID 4520 wrote to memory of 4816	4520	z4982998.exe	75
PID 4844 wrote to memory of 1420	4844	z6351101.exe	76
PID 4844 wrote to memory of 1420	4844	z6351101.exe	76
PID 4844 wrote to memory of 1420	4844	z6351101.exe	76

C:\Users\Admin\AppData\Local\Temp\o7130896.exe
"C:\Users\Admin\AppData\Local\Temp\o7130896.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6106149.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6106149.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5270231.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5270231.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6351101.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6351101.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4982998.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4982998.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4520
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0302117.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0302117.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2815646.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2815646.exe
        6⤵
        Executes dropped EXE
        
        PID:4816
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7666749.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7666749.exe
        5⤵
        Executes dropped EXE
        
        PID:1420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6106149.exe

Filesize
824KB

MD5
6f97e370809343457b876acadee5d594

SHA1
0218f41b2f239549d68b654bf22d85d52050a168

SHA256
9d3d7c6ff872abad4d4d05ff780b0fdb41f5d70969e95afc05bddeef13b09fb1

SHA512
983ed2bc77d050bbddc328e71a9d438c80cdfbfe3c66bba708bba83855df1775e025b2aa3ed7c37706fb9aa912962472631a4389eeae666f3e5517e60cffb129

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6106149.exe

Filesize
824KB

MD5
6f97e370809343457b876acadee5d594

SHA1
0218f41b2f239549d68b654bf22d85d52050a168

SHA256
9d3d7c6ff872abad4d4d05ff780b0fdb41f5d70969e95afc05bddeef13b09fb1

SHA512
983ed2bc77d050bbddc328e71a9d438c80cdfbfe3c66bba708bba83855df1775e025b2aa3ed7c37706fb9aa912962472631a4389eeae666f3e5517e60cffb129

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5270231.exe

Filesize
598KB

MD5
8075bf7d36d8e8ad65af7d9c1b30d6de

SHA1
e846baff3e5ea4e605657c43d4d34132a564e13e

SHA256
e8cf7739c71533c6c69a701d0ce08d4677fa106977bfba95cb96fae1f08118e3

SHA512
020304e8262cee17cb03f2adc38a712a2226cc2e311c84e91fb8786a14c2d94152020566fef5751add4fc09046fece726892e76319deda132949867fb9ab2d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5270231.exe

Filesize
598KB

MD5
8075bf7d36d8e8ad65af7d9c1b30d6de

SHA1
e846baff3e5ea4e605657c43d4d34132a564e13e

SHA256
e8cf7739c71533c6c69a701d0ce08d4677fa106977bfba95cb96fae1f08118e3

SHA512
020304e8262cee17cb03f2adc38a712a2226cc2e311c84e91fb8786a14c2d94152020566fef5751add4fc09046fece726892e76319deda132949867fb9ab2d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6351101.exe

Filesize
373KB

MD5
fc8290ffaef5f0c27ccd5e3763eb5105

SHA1
59f1bf4167e198cf6a1e7661149c7d2599c82372

SHA256
654a2f3f623d94edea977ad46d1ac66f9ee35e1e059553f9a7eed855bc95f174

SHA512
d0c77c7e9bcd1c19611b892ee465125d014466f7589ca2a0b56cebb406546968f6b220e88e94098c344c251d981fffb05e2972e8d924b10b556dde3263d17ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6351101.exe

Filesize
373KB

MD5
fc8290ffaef5f0c27ccd5e3763eb5105

SHA1
59f1bf4167e198cf6a1e7661149c7d2599c82372

SHA256
654a2f3f623d94edea977ad46d1ac66f9ee35e1e059553f9a7eed855bc95f174

SHA512
d0c77c7e9bcd1c19611b892ee465125d014466f7589ca2a0b56cebb406546968f6b220e88e94098c344c251d981fffb05e2972e8d924b10b556dde3263d17ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7666749.exe

Filesize
174KB

MD5
7b3365c6b70fdb985cb1efd9f80557bd

SHA1
35bd330f0fa1c280e88152e487761253e4084e36

SHA256
24ee91a8f55df99dba80047ebe0aec5b65fbef345724bdc449635aef6f62d29e

SHA512
6516efcdbe8631e36f6b8867a5125da15774b93f5ae5d006fc96d792c184d45cb16decba26a03c8a740b476104a5fd9f767d010c119b0a66610ce5f5e3aa5881

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7666749.exe

Filesize
174KB

MD5
7b3365c6b70fdb985cb1efd9f80557bd

SHA1
35bd330f0fa1c280e88152e487761253e4084e36

SHA256
24ee91a8f55df99dba80047ebe0aec5b65fbef345724bdc449635aef6f62d29e

SHA512
6516efcdbe8631e36f6b8867a5125da15774b93f5ae5d006fc96d792c184d45cb16decba26a03c8a740b476104a5fd9f767d010c119b0a66610ce5f5e3aa5881

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4982998.exe

Filesize
216KB

MD5
1906566f5372524b56c54aa055d16f15

SHA1
63fbc60f0e12e100d0abda0d25596dc20987b1c9

SHA256
490aa879fd389fe2202ea6a12d1d3be9f88bf3bc5cd6652913a70d6eecb59e96

SHA512
4bee347998aacc4856f56b1d2c4167e20d5254dd28866ab4963e6d831b290724f7562bb6af98d2d2fb00c6889045994cf5e1a461c07e27bac200751a82a06d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4982998.exe

Filesize
216KB

MD5
1906566f5372524b56c54aa055d16f15

SHA1
63fbc60f0e12e100d0abda0d25596dc20987b1c9

SHA256
490aa879fd389fe2202ea6a12d1d3be9f88bf3bc5cd6652913a70d6eecb59e96

SHA512
4bee347998aacc4856f56b1d2c4167e20d5254dd28866ab4963e6d831b290724f7562bb6af98d2d2fb00c6889045994cf5e1a461c07e27bac200751a82a06d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0302117.exe

Filesize
12KB

MD5
4b9e1ccba95c26bf826973d346b0e468

SHA1
ab0fe75bd9a10e15605b55a1b63f7e938b90a5b6

SHA256
d4cce0b64f8e705189ad693758e72908452167595ea2a17c15e0dd5479abe8cb

SHA512
60abbe91849bd11aee810f0da3f5392e31502969d6a457415896c88bbbccfbbbd697fb09d9a4766d76b778558cc93a21094bef9672c075f2a81c09c18cab0744

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0302117.exe

Filesize
12KB

MD5
4b9e1ccba95c26bf826973d346b0e468

SHA1
ab0fe75bd9a10e15605b55a1b63f7e938b90a5b6

SHA256
d4cce0b64f8e705189ad693758e72908452167595ea2a17c15e0dd5479abe8cb

SHA512
60abbe91849bd11aee810f0da3f5392e31502969d6a457415896c88bbbccfbbbd697fb09d9a4766d76b778558cc93a21094bef9672c075f2a81c09c18cab0744

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2815646.exe

Filesize
140KB

MD5
0421e5ebed5493191d296ba6be627f22

SHA1
3cebae2ab15223c00ce642d9f65e7c9e95c80f14

SHA256
d384f37e74a71e7f8dc679ee6f9585ad1405e59a40f65587d5b1871f6e437167

SHA512
e6932e316521f7e7ccb3c9ef43beda81f0373226e93b6decfc8f2fa97c4ca8d97961b2b0b8f26b9a6cdd6ad1b62ca0bb11bbfd9e5025d7fc4bb9250a5bc5c4e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2815646.exe

Filesize
140KB

MD5
0421e5ebed5493191d296ba6be627f22

SHA1
3cebae2ab15223c00ce642d9f65e7c9e95c80f14

SHA256
d384f37e74a71e7f8dc679ee6f9585ad1405e59a40f65587d5b1871f6e437167

SHA512
e6932e316521f7e7ccb3c9ef43beda81f0373226e93b6decfc8f2fa97c4ca8d97961b2b0b8f26b9a6cdd6ad1b62ca0bb11bbfd9e5025d7fc4bb9250a5bc5c4e0

Download Submit
memory/1420-168-0x00000000738C0000-0x0000000073FAE000-memory.dmp

Filesize
6.9MB

Download
memory/1420-167-0x0000000000340000-0x0000000000370000-memory.dmp

Filesize
192KB

Download
memory/1420-169-0x0000000002660000-0x0000000002666000-memory.dmp

Filesize
24KB

Download
memory/1420-170-0x000000000A630000-0x000000000AC36000-memory.dmp

Filesize
6.0MB

Download
memory/1420-171-0x000000000A150000-0x000000000A25A000-memory.dmp

Filesize
1.0MB

Download
memory/1420-172-0x000000000A080000-0x000000000A092000-memory.dmp

Filesize
72KB

Download
memory/1420-173-0x000000000A0E0000-0x000000000A11E000-memory.dmp

Filesize
248KB

Download
memory/1420-174-0x000000000A260000-0x000000000A2AB000-memory.dmp

Filesize
300KB

Download
memory/1420-175-0x00000000738C0000-0x0000000073FAE000-memory.dmp

Filesize
6.9MB

Download
memory/2380-160-0x00007FFA9C3A0000-0x00007FFA9CD8C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-158-0x00007FFA9C3A0000-0x00007FFA9CD8C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-157-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download