healer | 3274fa5646a15d8614e3e4a8206534bebac70bfd6607a433e8bd622a1ec3f24d

Analysis

max time kernel
146s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
23/08/2023, 09:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3274fa5646a15d8614e3e4a8206534bebac70bfd6607a433e8bd622a1ec3f24d.exe
Size

828KB
MD5

e19c7d11d57e917098f2623510c878c2
SHA1

e68ead665cca50340c338973dcbcd00371efd4b6
SHA256

3274fa5646a15d8614e3e4a8206534bebac70bfd6607a433e8bd622a1ec3f24d
SHA512

f4af4c7a5b90bd6288e305bae9adf2cf52a63b049c5fcd826a2fc1ab29180bc297151f1c7709fa0f807d58357a1a928d5f0be94f32897ab81fccf7d4d80a5b42
SSDEEP

12288:PMrgy90v+xfAHlszcGueDZV+HQkVyIAg2O/zzhe1MgxYNMJYR7E5wrOVEYE2L1:PyYKzynHUS/h/gqN1R74VE72Z

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001aff0-150.dat	healer
behavioral1/files/0x000700000001aff0-151.dat	healer
behavioral1/memory/4236-152-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9361578.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9361578.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9361578.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9361578.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9361578.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4952	v9471457.exe
4828	v3961709.exe
3428	v6408387.exe
828	v4975437.exe
4236	a9361578.exe
4600	b0791829.exe
4960	c6367718.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9361578.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3274fa5646a15d8614e3e4a8206534bebac70bfd6607a433e8bd622a1ec3f24d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9471457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3961709.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6408387.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4975437.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4236	a9361578.exe
4236	a9361578.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4236	a9361578.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 4952	2956	3274fa5646a15d8614e3e4a8206534bebac70bfd6607a433e8bd622a1ec3f24d.exe	70
PID 2956 wrote to memory of 4952	2956	3274fa5646a15d8614e3e4a8206534bebac70bfd6607a433e8bd622a1ec3f24d.exe	70
PID 2956 wrote to memory of 4952	2956	3274fa5646a15d8614e3e4a8206534bebac70bfd6607a433e8bd622a1ec3f24d.exe	70
PID 4952 wrote to memory of 4828	4952	v9471457.exe	71
PID 4952 wrote to memory of 4828	4952	v9471457.exe	71
PID 4952 wrote to memory of 4828	4952	v9471457.exe	71
PID 4828 wrote to memory of 3428	4828	v3961709.exe	72
PID 4828 wrote to memory of 3428	4828	v3961709.exe	72
PID 4828 wrote to memory of 3428	4828	v3961709.exe	72
PID 3428 wrote to memory of 828	3428	v6408387.exe	73
PID 3428 wrote to memory of 828	3428	v6408387.exe	73
PID 3428 wrote to memory of 828	3428	v6408387.exe	73
PID 828 wrote to memory of 4236	828	v4975437.exe	74
PID 828 wrote to memory of 4236	828	v4975437.exe	74
PID 828 wrote to memory of 4600	828	v4975437.exe	75
PID 828 wrote to memory of 4600	828	v4975437.exe	75
PID 828 wrote to memory of 4600	828	v4975437.exe	75
PID 3428 wrote to memory of 4960	3428	v6408387.exe	76
PID 3428 wrote to memory of 4960	3428	v6408387.exe	76
PID 3428 wrote to memory of 4960	3428	v6408387.exe	76

C:\Users\Admin\AppData\Local\Temp\3274fa5646a15d8614e3e4a8206534bebac70bfd6607a433e8bd622a1ec3f24d.exe
"C:\Users\Admin\AppData\Local\Temp\3274fa5646a15d8614e3e4a8206534bebac70bfd6607a433e8bd622a1ec3f24d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9471457.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9471457.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3961709.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3961709.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6408387.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6408387.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3428
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4975437.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4975437.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9361578.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9361578.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0791829.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0791829.exe
        6⤵
        Executes dropped EXE
        
        PID:4600
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6367718.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6367718.exe
        5⤵
        Executes dropped EXE
        
        PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9471457.exe

Filesize
723KB

MD5
a2577300672899ea69cb5999647e893b

SHA1
e5846baf897f3b474f3f3ed435b1b75dfa663e9f

SHA256
61d977a87a5eb510375d84b758c33c0eb1ff5fd752c9e54b8e306cd95ecc0449

SHA512
d6d1da6a800e2a569cccf25507167b8199bd0bc05973eb244a0bac6df310b3748278ace6cf397ebf8ec5f1d1c0a1dea011a83e5d25d8f811e03b1b7d8d6bf761

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9471457.exe

Filesize
723KB

MD5
a2577300672899ea69cb5999647e893b

SHA1
e5846baf897f3b474f3f3ed435b1b75dfa663e9f

SHA256
61d977a87a5eb510375d84b758c33c0eb1ff5fd752c9e54b8e306cd95ecc0449

SHA512
d6d1da6a800e2a569cccf25507167b8199bd0bc05973eb244a0bac6df310b3748278ace6cf397ebf8ec5f1d1c0a1dea011a83e5d25d8f811e03b1b7d8d6bf761

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3961709.exe

Filesize
497KB

MD5
e462234d565d2d6337466251ddf47b14

SHA1
2c372a23fec62c923b066e63eb52bc4a22746e4e

SHA256
5eb460b1d195d2fb22b8968711fd46be8406059fbcecedf428bccee4cd11edcf

SHA512
6a59e010210691c2f91d1058e08321ecbda0a28c97bcec6787870a8b4e7b52d982bcfbf8b2ea4633021cb2ac70d6bdbb2d23563660674f1623972a72ecc02b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3961709.exe

Filesize
497KB

MD5
e462234d565d2d6337466251ddf47b14

SHA1
2c372a23fec62c923b066e63eb52bc4a22746e4e

SHA256
5eb460b1d195d2fb22b8968711fd46be8406059fbcecedf428bccee4cd11edcf

SHA512
6a59e010210691c2f91d1058e08321ecbda0a28c97bcec6787870a8b4e7b52d982bcfbf8b2ea4633021cb2ac70d6bdbb2d23563660674f1623972a72ecc02b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6408387.exe

Filesize
372KB

MD5
4c9ef2c209f130017fd63bd0f8d0ed44

SHA1
271d8a2c106589727b1efe6548aa8c47ec74b13c

SHA256
f8f2c5279e805a7db77c5d75909b6dfd2a0b37fefd0cd156081cfefd762a5567

SHA512
968ab123ff7da8c4144cac9247075723ef41b4cbf3ea270faec2351608e351d9415d5edfcb173094e86f2acb6a23e49a9b1282dd17d75e3c2a8e1c38dc6bbc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6408387.exe

Filesize
372KB

MD5
4c9ef2c209f130017fd63bd0f8d0ed44

SHA1
271d8a2c106589727b1efe6548aa8c47ec74b13c

SHA256
f8f2c5279e805a7db77c5d75909b6dfd2a0b37fefd0cd156081cfefd762a5567

SHA512
968ab123ff7da8c4144cac9247075723ef41b4cbf3ea270faec2351608e351d9415d5edfcb173094e86f2acb6a23e49a9b1282dd17d75e3c2a8e1c38dc6bbc2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6367718.exe

Filesize
174KB

MD5
b862227b1c327018cd27212ae5ba4782

SHA1
2e025789452b75373b55f314162bb5a5e32f28d1

SHA256
a39c9c03603044cf87ca808162b217bdf268bd18ef1407b9e230031b0b268dd9

SHA512
23d95ec29f2ceeb6b6fe0d4e2f28e9e6e0776bea2ac0099288d899b2b1db93740ef5baf7cbe369ec2b26e34af1a7860fc8bcdc69ce1aebca8161ad7a78b1d2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6367718.exe

Filesize
174KB

MD5
b862227b1c327018cd27212ae5ba4782

SHA1
2e025789452b75373b55f314162bb5a5e32f28d1

SHA256
a39c9c03603044cf87ca808162b217bdf268bd18ef1407b9e230031b0b268dd9

SHA512
23d95ec29f2ceeb6b6fe0d4e2f28e9e6e0776bea2ac0099288d899b2b1db93740ef5baf7cbe369ec2b26e34af1a7860fc8bcdc69ce1aebca8161ad7a78b1d2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4975437.exe

Filesize
217KB

MD5
9651a01e3320ea5d555cfb195c28b7e3

SHA1
3327d9d43cac30911fe8f3558f5f8aa23bed0a29

SHA256
1232091694de13bdb09a041fd4fa856cc0ca43749e3355c71c0d948fc5b90bf0

SHA512
148f6eaa7beaf79ad4b7606aced76bce9069e3eef15abc2a0280a39997f7075f9933beb8e85ede71f96fe709364bee2dd7b232066107724ce10b8ffac3580f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4975437.exe

Filesize
217KB

MD5
9651a01e3320ea5d555cfb195c28b7e3

SHA1
3327d9d43cac30911fe8f3558f5f8aa23bed0a29

SHA256
1232091694de13bdb09a041fd4fa856cc0ca43749e3355c71c0d948fc5b90bf0

SHA512
148f6eaa7beaf79ad4b7606aced76bce9069e3eef15abc2a0280a39997f7075f9933beb8e85ede71f96fe709364bee2dd7b232066107724ce10b8ffac3580f80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9361578.exe

Filesize
12KB

MD5
d79d31205a7550610024e5cf12ac5ae1

SHA1
ba8b9bec3c9292680a30e36b0f34d2b4a87e5fac

SHA256
45f93ff2a7d9bff496fc8feb6492cd512733ea2dcc7fe9a822b674b36a7a4018

SHA512
092ee3c62b3a7456b2020fb2e0ae54de66b59da03cdd74ceae2de8f4b665f826ce72e350cc268e39897dfae78e10c2efa4f7efe3a7a8493a8510cc085eaa4a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9361578.exe

Filesize
12KB

MD5
d79d31205a7550610024e5cf12ac5ae1

SHA1
ba8b9bec3c9292680a30e36b0f34d2b4a87e5fac

SHA256
45f93ff2a7d9bff496fc8feb6492cd512733ea2dcc7fe9a822b674b36a7a4018

SHA512
092ee3c62b3a7456b2020fb2e0ae54de66b59da03cdd74ceae2de8f4b665f826ce72e350cc268e39897dfae78e10c2efa4f7efe3a7a8493a8510cc085eaa4a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0791829.exe

Filesize
140KB

MD5
ed6fb6998e8b773c2931e6a99108f76e

SHA1
cd05f3d47d9052b64cbc0e91de64989017cab2f5

SHA256
486dca542f602e4d2b0143e7964f049507a669b5ffa7a61fbcaacb102e89b6a9

SHA512
87a5cba4168ad2fb09710a53162fd41195fc72ec13a339d27e23c111d78ac109c2da7f1ebddbb8f373b4801be0c8b4e7c162130e2051aa9f79394a286a4fa729

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0791829.exe

Filesize
140KB

MD5
ed6fb6998e8b773c2931e6a99108f76e

SHA1
cd05f3d47d9052b64cbc0e91de64989017cab2f5

SHA256
486dca542f602e4d2b0143e7964f049507a669b5ffa7a61fbcaacb102e89b6a9

SHA512
87a5cba4168ad2fb09710a53162fd41195fc72ec13a339d27e23c111d78ac109c2da7f1ebddbb8f373b4801be0c8b4e7c162130e2051aa9f79394a286a4fa729

Download Submit
memory/4236-155-0x00007FFB75EB0000-0x00007FFB7689C000-memory.dmp

Filesize
9.9MB

Download
memory/4236-153-0x00007FFB75EB0000-0x00007FFB7689C000-memory.dmp

Filesize
9.9MB

Download
memory/4236-152-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4960-162-0x0000000000E30000-0x0000000000E60000-memory.dmp

Filesize
192KB

Download
memory/4960-163-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download
memory/4960-164-0x00000000014D0000-0x00000000014D6000-memory.dmp

Filesize
24KB

Download
memory/4960-165-0x000000000B0E0000-0x000000000B6E6000-memory.dmp

Filesize
6.0MB

Download
memory/4960-166-0x000000000AC40000-0x000000000AD4A000-memory.dmp

Filesize
1.0MB

Download
memory/4960-167-0x000000000AB70000-0x000000000AB82000-memory.dmp

Filesize
72KB

Download
memory/4960-168-0x000000000ABD0000-0x000000000AC0E000-memory.dmp

Filesize
248KB

Download
memory/4960-169-0x000000000AD50000-0x000000000AD9B000-memory.dmp

Filesize
300KB

Download
memory/4960-170-0x0000000073230000-0x000000007391E000-memory.dmp

Filesize
6.9MB

Download