healer | b9a81519560c039cec393071739d86e712e1973bc845ce11e765c45a9be757e1

Analysis

max time kernel
145s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
23-08-2023 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9a81519560c039cec393071739d86e712e1973bc845ce11e765c45a9be757e1.exe
Size

827KB
MD5

f49ddeefd84d274d8f37029176db0093
SHA1

d5be6beccd23ca3c333394517644b268c5b082cb
SHA256

b9a81519560c039cec393071739d86e712e1973bc845ce11e765c45a9be757e1
SHA512

b2408c5de8067739eaf67356f00e34de6268795bfb766c29758173420d3d8fd029af3019ae2c1890328911fd9face5687d1bc2995a6a9f086cbab930dc6310c7
SSDEEP

12288:RMrny90sF3XQgab3G5iSGLTpw/ePE2IHdZExRouiiXYROyAx2PptUplB1:iy3q3G56pul2a7ExRoui0YRBcgpqlB1

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b01f-156.dat	healer
behavioral1/files/0x000700000001b01f-155.dat	healer
behavioral1/memory/1668-157-0x00000000008E0000-0x00000000008EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2303701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2303701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2303701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2303701.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2303701.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4520	v6723782.exe
4292	v4302551.exe
2772	v6090066.exe
4200	v9733535.exe
1668	a2303701.exe
3020	b7409640.exe
384	c9210187.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2303701.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b9a81519560c039cec393071739d86e712e1973bc845ce11e765c45a9be757e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6723782.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4302551.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6090066.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9733535.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1668	a2303701.exe
1668	a2303701.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	a2303701.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4304 wrote to memory of 4520	4304	b9a81519560c039cec393071739d86e712e1973bc845ce11e765c45a9be757e1.exe	70
PID 4304 wrote to memory of 4520	4304	b9a81519560c039cec393071739d86e712e1973bc845ce11e765c45a9be757e1.exe	70
PID 4304 wrote to memory of 4520	4304	b9a81519560c039cec393071739d86e712e1973bc845ce11e765c45a9be757e1.exe	70
PID 4520 wrote to memory of 4292	4520	v6723782.exe	71
PID 4520 wrote to memory of 4292	4520	v6723782.exe	71
PID 4520 wrote to memory of 4292	4520	v6723782.exe	71
PID 4292 wrote to memory of 2772	4292	v4302551.exe	72
PID 4292 wrote to memory of 2772	4292	v4302551.exe	72
PID 4292 wrote to memory of 2772	4292	v4302551.exe	72
PID 2772 wrote to memory of 4200	2772	v6090066.exe	73
PID 2772 wrote to memory of 4200	2772	v6090066.exe	73
PID 2772 wrote to memory of 4200	2772	v6090066.exe	73
PID 4200 wrote to memory of 1668	4200	v9733535.exe	74
PID 4200 wrote to memory of 1668	4200	v9733535.exe	74
PID 4200 wrote to memory of 3020	4200	v9733535.exe	75
PID 4200 wrote to memory of 3020	4200	v9733535.exe	75
PID 4200 wrote to memory of 3020	4200	v9733535.exe	75
PID 2772 wrote to memory of 384	2772	v6090066.exe	76
PID 2772 wrote to memory of 384	2772	v6090066.exe	76
PID 2772 wrote to memory of 384	2772	v6090066.exe	76

C:\Users\Admin\AppData\Local\Temp\b9a81519560c039cec393071739d86e712e1973bc845ce11e765c45a9be757e1.exe
"C:\Users\Admin\AppData\Local\Temp\b9a81519560c039cec393071739d86e712e1973bc845ce11e765c45a9be757e1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4304
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6723782.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6723782.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4302551.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4302551.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6090066.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6090066.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9733535.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9733535.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4200
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2303701.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2303701.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7409640.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7409640.exe
        6⤵
        Executes dropped EXE
        
        PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9210187.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9210187.exe
        5⤵
        Executes dropped EXE
        
        PID:384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6723782.exe

Filesize
721KB

MD5
521b4236310857dc152ef81cb1162165

SHA1
10b6a50dc613b49e81546bcc4dfe8b6fcfff004a

SHA256
354919e5096e761b879dec3daa10bb4c978d844b16221374eb7c6a1b54ecee4c

SHA512
abd9df34966e2769a42ebec86f74797f396a3fae258fbcec6fa11ac4bdaaf8da3dd7b2967af27242e365ec9fc018f3606a22973c0112058a6bceb6331605d7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6723782.exe

Filesize
721KB

MD5
521b4236310857dc152ef81cb1162165

SHA1
10b6a50dc613b49e81546bcc4dfe8b6fcfff004a

SHA256
354919e5096e761b879dec3daa10bb4c978d844b16221374eb7c6a1b54ecee4c

SHA512
abd9df34966e2769a42ebec86f74797f396a3fae258fbcec6fa11ac4bdaaf8da3dd7b2967af27242e365ec9fc018f3606a22973c0112058a6bceb6331605d7e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4302551.exe

Filesize
497KB

MD5
5121db367f26cc5f409c476046c5a34d

SHA1
b7e66543b7d3f144a283371409e7f9ab1161876c

SHA256
f5dcb873a4f32bf2747e72e88981e57e384aafeec48c1b095c0e3f9b9fdf1a11

SHA512
f134379863e4e31852086a96977a51b41f758b223ee6dcef81d49e54e982f4735300af222c2119dfc564dec2a1c2559381ad0e3aa72e7783798820aa7bfecb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4302551.exe

Filesize
497KB

MD5
5121db367f26cc5f409c476046c5a34d

SHA1
b7e66543b7d3f144a283371409e7f9ab1161876c

SHA256
f5dcb873a4f32bf2747e72e88981e57e384aafeec48c1b095c0e3f9b9fdf1a11

SHA512
f134379863e4e31852086a96977a51b41f758b223ee6dcef81d49e54e982f4735300af222c2119dfc564dec2a1c2559381ad0e3aa72e7783798820aa7bfecb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6090066.exe

Filesize
372KB

MD5
b0002eeb50b12a0b336897e64c08865f

SHA1
7c01233b25f563768762382cbd805b9106ca5c0e

SHA256
961958f174707ab99ee02bbac7803e8f147f13e421b09c5de940923592132f31

SHA512
78a682acc5b3f9f1a76bc0d569a85ba9c6bd576ef5a27a230f7284d1ef5aee99a20e9aa8991a28b68c1ed69b80c73ca30ca05b643a1f34e8002b634830d51c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6090066.exe

Filesize
372KB

MD5
b0002eeb50b12a0b336897e64c08865f

SHA1
7c01233b25f563768762382cbd805b9106ca5c0e

SHA256
961958f174707ab99ee02bbac7803e8f147f13e421b09c5de940923592132f31

SHA512
78a682acc5b3f9f1a76bc0d569a85ba9c6bd576ef5a27a230f7284d1ef5aee99a20e9aa8991a28b68c1ed69b80c73ca30ca05b643a1f34e8002b634830d51c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9210187.exe

Filesize
174KB

MD5
a0e54dd811e1b8899f5d52a1182cb0e1

SHA1
836e580becc97ee61a8b0b97915176d49ab5ace4

SHA256
bfd38afc2d16d0d436019383fa0f9940cc3ba8e60c0425e9dd74d6268b1e74ea

SHA512
92d8fb3ac1d12ad6d14b713f053737598420a588fb44b0df07a38b3d6e01061f89e9b73e04442f362bc609cd1eb4210089e1830c11111b77ef7d7d19120b0613

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9210187.exe

Filesize
174KB

MD5
a0e54dd811e1b8899f5d52a1182cb0e1

SHA1
836e580becc97ee61a8b0b97915176d49ab5ace4

SHA256
bfd38afc2d16d0d436019383fa0f9940cc3ba8e60c0425e9dd74d6268b1e74ea

SHA512
92d8fb3ac1d12ad6d14b713f053737598420a588fb44b0df07a38b3d6e01061f89e9b73e04442f362bc609cd1eb4210089e1830c11111b77ef7d7d19120b0613

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9733535.exe

Filesize
217KB

MD5
4b3eaf69d9d3f7dbbba1ff972511372c

SHA1
12951d1a819138b9bcc900e3a640e87f17da06e5

SHA256
5ccbb0ea0f99290431854180be37bb07b3f25e59801ed5a11889a256defe792e

SHA512
33a542b789391151a44202d7ea2f803e587087ed259b8d4d990b661aec3d76d33d26dcdfb77281fa4f31e403968aefa4d26cc9f30d97daf98ad54e5433d64196

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9733535.exe

Filesize
217KB

MD5
4b3eaf69d9d3f7dbbba1ff972511372c

SHA1
12951d1a819138b9bcc900e3a640e87f17da06e5

SHA256
5ccbb0ea0f99290431854180be37bb07b3f25e59801ed5a11889a256defe792e

SHA512
33a542b789391151a44202d7ea2f803e587087ed259b8d4d990b661aec3d76d33d26dcdfb77281fa4f31e403968aefa4d26cc9f30d97daf98ad54e5433d64196

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2303701.exe

Filesize
12KB

MD5
bb47a57b8e88ed6dd85fa5c531e24b7e

SHA1
eb0f0257eb8441020e5a5da3e818648ee9750d07

SHA256
dcbe74b6da6c5988061930a838401832237a78acc30a696b63457dcf27f113c1

SHA512
0e1ee931db65004d238668f1da88428fa9cceb01c937ddb51bb5ac1abe4ada1a2f817e649e71e4cda3176e3c86bde3c2540fd01cdb2b2dfc3451aa899d365e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2303701.exe

Filesize
12KB

MD5
bb47a57b8e88ed6dd85fa5c531e24b7e

SHA1
eb0f0257eb8441020e5a5da3e818648ee9750d07

SHA256
dcbe74b6da6c5988061930a838401832237a78acc30a696b63457dcf27f113c1

SHA512
0e1ee931db65004d238668f1da88428fa9cceb01c937ddb51bb5ac1abe4ada1a2f817e649e71e4cda3176e3c86bde3c2540fd01cdb2b2dfc3451aa899d365e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7409640.exe

Filesize
140KB

MD5
bd3434e051df7068696042ee6e3d5b3f

SHA1
67e4b36b7e3d80acd4f011b4e970e9d923f4e433

SHA256
903566ca381ff449cbb8e0c579078b2a512a65b796e79c803b7e6dbcdaf56d82

SHA512
44dd9bc2244479c242bee5a063aaddb82ac5a1b507b3125dbbe5cb2b9845c24c42a6baf2885d086e281eddb1b1260eb228f23863dc51bdc1e987e78b71bcc741

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7409640.exe

Filesize
140KB

MD5
bd3434e051df7068696042ee6e3d5b3f

SHA1
67e4b36b7e3d80acd4f011b4e970e9d923f4e433

SHA256
903566ca381ff449cbb8e0c579078b2a512a65b796e79c803b7e6dbcdaf56d82

SHA512
44dd9bc2244479c242bee5a063aaddb82ac5a1b507b3125dbbe5cb2b9845c24c42a6baf2885d086e281eddb1b1260eb228f23863dc51bdc1e987e78b71bcc741

Download Submit
memory/384-167-0x00000000000B0000-0x00000000000E0000-memory.dmp

Filesize
192KB

Download
memory/384-168-0x0000000073570000-0x0000000073C5E000-memory.dmp

Filesize
6.9MB

Download
memory/384-169-0x0000000006D00000-0x0000000006D06000-memory.dmp

Filesize
24KB

Download
memory/384-170-0x000000000A330000-0x000000000A936000-memory.dmp

Filesize
6.0MB

Download
memory/384-171-0x0000000009EC0000-0x0000000009FCA000-memory.dmp

Filesize
1.0MB

Download
memory/384-172-0x0000000009DF0000-0x0000000009E02000-memory.dmp

Filesize
72KB

Download
memory/384-173-0x0000000009E50000-0x0000000009E8E000-memory.dmp

Filesize
248KB

Download
memory/384-174-0x0000000009FD0000-0x000000000A01B000-memory.dmp

Filesize
300KB

Download
memory/384-175-0x0000000073570000-0x0000000073C5E000-memory.dmp

Filesize
6.9MB

Download
memory/1668-160-0x00007FFE48610000-0x00007FFE48FFC000-memory.dmp

Filesize
9.9MB

Download
memory/1668-158-0x00007FFE48610000-0x00007FFE48FFC000-memory.dmp

Filesize
9.9MB

Download
memory/1668-157-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download