healer | 53224089c1e3e860180166fe7305bbf25bf7d594cb2b4229e692369944219200

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 09:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

53224089c1e3e860180166fe7305bbf25bf7d594cb2b4229e692369944219200.exe
Size

829KB
MD5

df25d29a9a77068a854f9a200f2cbc91
SHA1

90be3079f529083220f74b9bb3ce65376c857e69
SHA256

53224089c1e3e860180166fe7305bbf25bf7d594cb2b4229e692369944219200
SHA512

03d4dd15340897cbed1834cb57d122b31d77b11f7cb35aef6a2b4a2690fcc7a095d4cc71a69c6a6131c19894c9b82f97c1573795c65728a130192ba296d28bf5
SSDEEP

24576:hyKe1P+bVXgQXjXdb79qHM93jN09JE+VLsiVXn:UKZOQXuc3jN0k+hfVX

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023238-165.dat	healer
behavioral1/files/0x0008000000023238-167.dat	healer
behavioral1/memory/1536-168-0x0000000000FF0000-0x0000000000FFA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4691023.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4691023.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4691023.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4691023.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4691023.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4691023.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1576	v3017547.exe
3944	v4299363.exe
4632	v3257004.exe
2684	v1192915.exe
1536	a4691023.exe
2512	b6284529.exe
1996	c9311941.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4691023.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	53224089c1e3e860180166fe7305bbf25bf7d594cb2b4229e692369944219200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3017547.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4299363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3257004.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1192915.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1536	a4691023.exe
1536	a4691023.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	a4691023.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 1576	2520	53224089c1e3e860180166fe7305bbf25bf7d594cb2b4229e692369944219200.exe	81
PID 2520 wrote to memory of 1576	2520	53224089c1e3e860180166fe7305bbf25bf7d594cb2b4229e692369944219200.exe	81
PID 2520 wrote to memory of 1576	2520	53224089c1e3e860180166fe7305bbf25bf7d594cb2b4229e692369944219200.exe	81
PID 1576 wrote to memory of 3944	1576	v3017547.exe	82
PID 1576 wrote to memory of 3944	1576	v3017547.exe	82
PID 1576 wrote to memory of 3944	1576	v3017547.exe	82
PID 3944 wrote to memory of 4632	3944	v4299363.exe	83
PID 3944 wrote to memory of 4632	3944	v4299363.exe	83
PID 3944 wrote to memory of 4632	3944	v4299363.exe	83
PID 4632 wrote to memory of 2684	4632	v3257004.exe	84
PID 4632 wrote to memory of 2684	4632	v3257004.exe	84
PID 4632 wrote to memory of 2684	4632	v3257004.exe	84
PID 2684 wrote to memory of 1536	2684	v1192915.exe	85
PID 2684 wrote to memory of 1536	2684	v1192915.exe	85
PID 2684 wrote to memory of 2512	2684	v1192915.exe	90
PID 2684 wrote to memory of 2512	2684	v1192915.exe	90
PID 2684 wrote to memory of 2512	2684	v1192915.exe	90
PID 4632 wrote to memory of 1996	4632	v3257004.exe	91
PID 4632 wrote to memory of 1996	4632	v3257004.exe	91
PID 4632 wrote to memory of 1996	4632	v3257004.exe	91

C:\Users\Admin\AppData\Local\Temp\53224089c1e3e860180166fe7305bbf25bf7d594cb2b4229e692369944219200.exe
"C:\Users\Admin\AppData\Local\Temp\53224089c1e3e860180166fe7305bbf25bf7d594cb2b4229e692369944219200.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3017547.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3017547.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4299363.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4299363.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3257004.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3257004.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4632
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1192915.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1192915.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2684
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4691023.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4691023.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6284529.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6284529.exe
        6⤵
        Executes dropped EXE
        
        PID:2512
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9311941.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9311941.exe
        5⤵
        Executes dropped EXE
        
        PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3017547.exe

Filesize
723KB

MD5
163008d7a9727881389cf15c26bebb9d

SHA1
5def0d1b345e06751fb7358986aabdfb63ed0b4c

SHA256
6993ec3deba8ff6a767090575fef065fbefcdc15a9368e246ec3bf2899abd335

SHA512
1750c67b3fb877bc1ab0bb1164f624ec3367962445ae9ae0e763e7e379ccab049325408de4228a5f325f929db96a89cf55b4e68a594bdff54cd5a98307a26e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3017547.exe

Filesize
723KB

MD5
163008d7a9727881389cf15c26bebb9d

SHA1
5def0d1b345e06751fb7358986aabdfb63ed0b4c

SHA256
6993ec3deba8ff6a767090575fef065fbefcdc15a9368e246ec3bf2899abd335

SHA512
1750c67b3fb877bc1ab0bb1164f624ec3367962445ae9ae0e763e7e379ccab049325408de4228a5f325f929db96a89cf55b4e68a594bdff54cd5a98307a26e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4299363.exe

Filesize
497KB

MD5
c2df1660a38cecef9a65df62d3c69b98

SHA1
170b8656d91a0cd72ac5e18523c55039b9d053ff

SHA256
caacea4df7cd8039387080a19c312ef7c8b7ecf961ecf2631eed249f45ea5038

SHA512
34ee1c2668d81f0617cd5712aad8a11d5805627c8c97b10840f61a9e9fc60f754d3d7b0190e8203c3d948664c86d81f4613794d40c1cd32e7644ee8cac977e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4299363.exe

Filesize
497KB

MD5
c2df1660a38cecef9a65df62d3c69b98

SHA1
170b8656d91a0cd72ac5e18523c55039b9d053ff

SHA256
caacea4df7cd8039387080a19c312ef7c8b7ecf961ecf2631eed249f45ea5038

SHA512
34ee1c2668d81f0617cd5712aad8a11d5805627c8c97b10840f61a9e9fc60f754d3d7b0190e8203c3d948664c86d81f4613794d40c1cd32e7644ee8cac977e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3257004.exe

Filesize
373KB

MD5
d2b4297896dc29fc9a58ae06cca84d95

SHA1
1503cd589db661308e26ff3a9f22ca8d21f08940

SHA256
3e648ab144392c04256b03b3b02ccf86c003fa3796cd2f03f389816cef94ae5f

SHA512
6a68dac68919c3e670703514f138f0f17cce4db4e00df4c9ee31f8bd1945e5e8f41b7738bf760d6e21194949b1c9d82ea6fadefb3f69b859bfd9503429e6fd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3257004.exe

Filesize
373KB

MD5
d2b4297896dc29fc9a58ae06cca84d95

SHA1
1503cd589db661308e26ff3a9f22ca8d21f08940

SHA256
3e648ab144392c04256b03b3b02ccf86c003fa3796cd2f03f389816cef94ae5f

SHA512
6a68dac68919c3e670703514f138f0f17cce4db4e00df4c9ee31f8bd1945e5e8f41b7738bf760d6e21194949b1c9d82ea6fadefb3f69b859bfd9503429e6fd5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9311941.exe

Filesize
174KB

MD5
822a1073b9a7eb0025db222975fca853

SHA1
8e5e41b6c08497cc51759b8f98e15e18d5c4e9ab

SHA256
22dfd8e4cd2b213e26b46341329cc22a07c8b008eac75d0030aa4ef00f3536f8

SHA512
482d9126ca47c1f865fdf3e638b37f416f81129aee6b9bb180ced1e94363c647d157945b5e40958c1bb0869a092e893a17bcff8d50cf17fbfbf77c887a28bd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9311941.exe

Filesize
174KB

MD5
822a1073b9a7eb0025db222975fca853

SHA1
8e5e41b6c08497cc51759b8f98e15e18d5c4e9ab

SHA256
22dfd8e4cd2b213e26b46341329cc22a07c8b008eac75d0030aa4ef00f3536f8

SHA512
482d9126ca47c1f865fdf3e638b37f416f81129aee6b9bb180ced1e94363c647d157945b5e40958c1bb0869a092e893a17bcff8d50cf17fbfbf77c887a28bd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1192915.exe

Filesize
217KB

MD5
891db12c53fffa0b0416407ac9c1cdb8

SHA1
636250177d116550b39cd5d2d116378846e567c6

SHA256
451e2089ccc5b4216a93fcf691f473ebc996881ab72abbdcf8e097fec79a7bb6

SHA512
6c5b17796d11ff6efc642ff63ae5b9b471b670d48e810a2939e559340bd3724176997b29e6ab3b8a5526cf4cbb1eac352a6c39490aef4e855c7ae916d7788234

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1192915.exe

Filesize
217KB

MD5
891db12c53fffa0b0416407ac9c1cdb8

SHA1
636250177d116550b39cd5d2d116378846e567c6

SHA256
451e2089ccc5b4216a93fcf691f473ebc996881ab72abbdcf8e097fec79a7bb6

SHA512
6c5b17796d11ff6efc642ff63ae5b9b471b670d48e810a2939e559340bd3724176997b29e6ab3b8a5526cf4cbb1eac352a6c39490aef4e855c7ae916d7788234

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4691023.exe

Filesize
12KB

MD5
72ed17a6511844a8bd29bc95bc22dc0b

SHA1
36c17a7046d3ebc1759b8645e504d5876705e9e2

SHA256
dff1a52941a762c6bb3ac7b76c7857679e39e780d5c0210a2f1cf4819435f166

SHA512
923e49b7e6dc016a5e9836cb5b1250c6a52cd30c47044dbd5b65f1ba1038c9351e63d64b43ba80bdd209e74c4ff254b604ec0a9bac3e6eb7c7dcdbf8ce28caed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4691023.exe

Filesize
12KB

MD5
72ed17a6511844a8bd29bc95bc22dc0b

SHA1
36c17a7046d3ebc1759b8645e504d5876705e9e2

SHA256
dff1a52941a762c6bb3ac7b76c7857679e39e780d5c0210a2f1cf4819435f166

SHA512
923e49b7e6dc016a5e9836cb5b1250c6a52cd30c47044dbd5b65f1ba1038c9351e63d64b43ba80bdd209e74c4ff254b604ec0a9bac3e6eb7c7dcdbf8ce28caed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6284529.exe

Filesize
140KB

MD5
2c681ffd3703c8ec5a74f16150b0f71a

SHA1
a7b1cde5c9969a03948668f70caabad4467348a3

SHA256
fc44e71ba7faff2b40464623ef5497ae2018e977d30b1f374c5f74c6e86bce23

SHA512
2a61cb8f5abe4c12468a193d101a26becb3818064cef0a4fb69169e2784442853e9d978fc69a9be967f3df806df71fa04b9676078d068494ec8e2a6a391089a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6284529.exe

Filesize
140KB

MD5
2c681ffd3703c8ec5a74f16150b0f71a

SHA1
a7b1cde5c9969a03948668f70caabad4467348a3

SHA256
fc44e71ba7faff2b40464623ef5497ae2018e977d30b1f374c5f74c6e86bce23

SHA512
2a61cb8f5abe4c12468a193d101a26becb3818064cef0a4fb69169e2784442853e9d978fc69a9be967f3df806df71fa04b9676078d068494ec8e2a6a391089a4

Download Submit
memory/1536-171-0x00007FF8E02B0000-0x00007FF8E0D71000-memory.dmp

Filesize
10.8MB

Download
memory/1536-169-0x00007FF8E02B0000-0x00007FF8E0D71000-memory.dmp

Filesize
10.8MB

Download
memory/1536-168-0x0000000000FF0000-0x0000000000FFA000-memory.dmp

Filesize
40KB

Download
memory/1996-178-0x00000000006B0000-0x00000000006E0000-memory.dmp

Filesize
192KB

Download
memory/1996-179-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/1996-180-0x00000000057A0000-0x0000000005DB8000-memory.dmp

Filesize
6.1MB

Download
memory/1996-181-0x0000000005290000-0x000000000539A000-memory.dmp

Filesize
1.0MB

Download
memory/1996-182-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/1996-183-0x0000000005180000-0x0000000005192000-memory.dmp

Filesize
72KB

Download
memory/1996-184-0x00000000051E0000-0x000000000521C000-memory.dmp

Filesize
240KB

Download
memory/1996-185-0x0000000074B90000-0x0000000075340000-memory.dmp

Filesize
7.7MB

Download
memory/1996-186-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download