healer | 237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe
Size

829KB
MD5

de7e162e101efce9b2c2005f2574fc0e
SHA1

9448f5251cb4b4df414417655d6fb7859d04d4be
SHA256

237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b
SHA512

cd95e14d31c6f4c5b592b80d27689db644412fce386bb81e6ff1434655c252c3d3cceeff60041e205b426ab91114b8ccef927ea0f74c04454641487c5bed6fcc
SSDEEP

24576:OyKl52iJun73tw12Lwpte59gZhnDo7IhK+3Jq:dKl52hhw12cbkWDo/SJ

Score

10^/10

healer redline rota dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rota

77.91.124.73:19071

Attributes

auth_value
320c7daa59eb9b82e20a15162392a756

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023213-33.dat	healer
behavioral1/files/0x0007000000023213-34.dat	healer
behavioral1/memory/2260-35-0x0000000000E70000-0x0000000000E7A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9762231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9762231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9762231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9762231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9762231.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9762231.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1900	v6486195.exe
4896	v8882386.exe
4812	v6198440.exe
5064	v3612864.exe
2260	a9762231.exe
4448	b0840550.exe
1764	c5735330.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9762231.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8882386.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6198440.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3612864.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6486195.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2260	a9762231.exe
2260	a9762231.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	a9762231.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 1900	2860	237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe	82
PID 2860 wrote to memory of 1900	2860	237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe	82
PID 2860 wrote to memory of 1900	2860	237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe	82
PID 1900 wrote to memory of 4896	1900	v6486195.exe	83
PID 1900 wrote to memory of 4896	1900	v6486195.exe	83
PID 1900 wrote to memory of 4896	1900	v6486195.exe	83
PID 4896 wrote to memory of 4812	4896	v8882386.exe	84
PID 4896 wrote to memory of 4812	4896	v8882386.exe	84
PID 4896 wrote to memory of 4812	4896	v8882386.exe	84
PID 4812 wrote to memory of 5064	4812	v6198440.exe	85
PID 4812 wrote to memory of 5064	4812	v6198440.exe	85
PID 4812 wrote to memory of 5064	4812	v6198440.exe	85
PID 5064 wrote to memory of 2260	5064	v3612864.exe	86
PID 5064 wrote to memory of 2260	5064	v3612864.exe	86
PID 5064 wrote to memory of 4448	5064	v3612864.exe	91
PID 5064 wrote to memory of 4448	5064	v3612864.exe	91
PID 5064 wrote to memory of 4448	5064	v3612864.exe	91
PID 4812 wrote to memory of 1764	4812	v6198440.exe	92
PID 4812 wrote to memory of 1764	4812	v6198440.exe	92
PID 4812 wrote to memory of 1764	4812	v6198440.exe	92

C:\Users\Admin\AppData\Local\Temp\237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe
"C:\Users\Admin\AppData\Local\Temp\237c684649d711320a39fd7d082e72a2931ecb325c498e6c62c0e77b82dc902b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6486195.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6486195.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8882386.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8882386.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6198440.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6198440.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4812
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3612864.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3612864.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5064
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9762231.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9762231.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0840550.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0840550.exe
        6⤵
        Executes dropped EXE
        
        PID:4448
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5735330.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5735330.exe
        5⤵
        Executes dropped EXE
        
        PID:1764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6486195.exe

Filesize
723KB

MD5
5a40bedb7c560598e0e8bb97827eb787

SHA1
0fa5a0acd890f04d3fbb84575e4370b97eedf87e

SHA256
46ee9f7b4b56b65f8b3d8616a2c447462974cd44a6ede313cb26ff2846c5cb0e

SHA512
61bc2fbfc920acbe91a97b0dbc16735864836be7022718cb6f551998c44d0d1eba34a0c1cd5c45ea1585b5c35cde560f0aebb46d74cef77e06b055e887b8352b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6486195.exe

Filesize
723KB

MD5
5a40bedb7c560598e0e8bb97827eb787

SHA1
0fa5a0acd890f04d3fbb84575e4370b97eedf87e

SHA256
46ee9f7b4b56b65f8b3d8616a2c447462974cd44a6ede313cb26ff2846c5cb0e

SHA512
61bc2fbfc920acbe91a97b0dbc16735864836be7022718cb6f551998c44d0d1eba34a0c1cd5c45ea1585b5c35cde560f0aebb46d74cef77e06b055e887b8352b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8882386.exe

Filesize
497KB

MD5
b932e55871f7282c0ba197dfe0b99ffc

SHA1
b18eb5201c54d260a84735b45e423a28ee0964eb

SHA256
872dd46ae1cc8c43b02373d0f23e2b95594fe7f1b334259969f5bfd65ad09515

SHA512
b9153b3e8951cf51bb18e1ef1e072a283d0c51732c1e3636b976e5068d11bca4d22dd8e162383845279746cfff7566ecb24cf56d00cb0310ef068b7249962f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8882386.exe

Filesize
497KB

MD5
b932e55871f7282c0ba197dfe0b99ffc

SHA1
b18eb5201c54d260a84735b45e423a28ee0964eb

SHA256
872dd46ae1cc8c43b02373d0f23e2b95594fe7f1b334259969f5bfd65ad09515

SHA512
b9153b3e8951cf51bb18e1ef1e072a283d0c51732c1e3636b976e5068d11bca4d22dd8e162383845279746cfff7566ecb24cf56d00cb0310ef068b7249962f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6198440.exe

Filesize
372KB

MD5
3cceb3ef2fa3e36a677a915b41b6d1f8

SHA1
5919a593d3887d12c381de84ab46f5a5605e624b

SHA256
d5b458c3845766a4b6c2bac89772ee3259dd838b78c8313537be6c550efb9e31

SHA512
fadb99b824cd25cc6dfae1de47ff075f749da6853677f6de535661d8e200e679c8b2b0288fe080462f6d16fa6105896e05d6bbd4f67ba14c0b930f9da7ceae52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6198440.exe

Filesize
372KB

MD5
3cceb3ef2fa3e36a677a915b41b6d1f8

SHA1
5919a593d3887d12c381de84ab46f5a5605e624b

SHA256
d5b458c3845766a4b6c2bac89772ee3259dd838b78c8313537be6c550efb9e31

SHA512
fadb99b824cd25cc6dfae1de47ff075f749da6853677f6de535661d8e200e679c8b2b0288fe080462f6d16fa6105896e05d6bbd4f67ba14c0b930f9da7ceae52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5735330.exe

Filesize
174KB

MD5
fddabb80b29e54714fbe416d8c935155

SHA1
db63b8ba4592864eb0068d930208e55ac083ca36

SHA256
79a63663fc4acabbbb08f11f7f1c9494202ccda93c58f01aa48bfa781523e6cb

SHA512
e1b13f5b7b22034ec7ff1c824400c3e9d050a610d0865908b518b0ad638f17d269c5800510664702b96e8be7face019812e24c564e1ed04b97ffe3d76b7768aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5735330.exe

Filesize
174KB

MD5
fddabb80b29e54714fbe416d8c935155

SHA1
db63b8ba4592864eb0068d930208e55ac083ca36

SHA256
79a63663fc4acabbbb08f11f7f1c9494202ccda93c58f01aa48bfa781523e6cb

SHA512
e1b13f5b7b22034ec7ff1c824400c3e9d050a610d0865908b518b0ad638f17d269c5800510664702b96e8be7face019812e24c564e1ed04b97ffe3d76b7768aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3612864.exe

Filesize
217KB

MD5
9fa1ce3bca475de64f786d62d6a13d30

SHA1
9a01ef94a413df891b54998eb262285e9048eabb

SHA256
2834c107aba1de3e43af4248083c686e0bbffcfc99ce0999600456d8bc7b4376

SHA512
ebef3e2c3fcc7ea50b26897b7aeab7f8189b6307c0d214a4870359bddb7b5b2d5642441fff0557ecfbab57f254eb6da15860a2c790a7b3ca00804904646f8f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3612864.exe

Filesize
217KB

MD5
9fa1ce3bca475de64f786d62d6a13d30

SHA1
9a01ef94a413df891b54998eb262285e9048eabb

SHA256
2834c107aba1de3e43af4248083c686e0bbffcfc99ce0999600456d8bc7b4376

SHA512
ebef3e2c3fcc7ea50b26897b7aeab7f8189b6307c0d214a4870359bddb7b5b2d5642441fff0557ecfbab57f254eb6da15860a2c790a7b3ca00804904646f8f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9762231.exe

Filesize
12KB

MD5
68d7d958f30640f42ecdb2e431c2bcab

SHA1
d9c0f817ae81a88c8d6f7fe2bc4226c961c573db

SHA256
a3e1a180c400b8abd4ab310148a9da4493eeaf11bc30012191c20474562210b0

SHA512
690c83503338b543669960fbe1846a1a29b0bce173c1462f5d4624b0a0e926171971e5ce7a03e6216782b538c4da15c932823bc8ab9c9f2999f1d3bf1f93256f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9762231.exe

Filesize
12KB

MD5
68d7d958f30640f42ecdb2e431c2bcab

SHA1
d9c0f817ae81a88c8d6f7fe2bc4226c961c573db

SHA256
a3e1a180c400b8abd4ab310148a9da4493eeaf11bc30012191c20474562210b0

SHA512
690c83503338b543669960fbe1846a1a29b0bce173c1462f5d4624b0a0e926171971e5ce7a03e6216782b538c4da15c932823bc8ab9c9f2999f1d3bf1f93256f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0840550.exe

Filesize
140KB

MD5
bd1f0f82725037052ed73b3f83b098dd

SHA1
98a2a878ddb9434ba0a7f3489a029a83339ff9f9

SHA256
09077838ee57edd0338bc67495a8876b270f9278adcd1b982862d78f1f7cc23b

SHA512
456babb9ae329bd51fb628c2a4adff0505d3242edf98f6f5401c6b34a998bef0f7d400ef6c187dd6527cafa32cf7e3ddd5a1e23857a726583d2479dc8fe7686a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0840550.exe

Filesize
140KB

MD5
bd1f0f82725037052ed73b3f83b098dd

SHA1
98a2a878ddb9434ba0a7f3489a029a83339ff9f9

SHA256
09077838ee57edd0338bc67495a8876b270f9278adcd1b982862d78f1f7cc23b

SHA512
456babb9ae329bd51fb628c2a4adff0505d3242edf98f6f5401c6b34a998bef0f7d400ef6c187dd6527cafa32cf7e3ddd5a1e23857a726583d2479dc8fe7686a

Download Submit
memory/1764-46-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/1764-45-0x00000000000C0000-0x00000000000F0000-memory.dmp

Filesize
192KB

Download
memory/1764-47-0x0000000005180000-0x0000000005798000-memory.dmp

Filesize
6.1MB

Download
memory/1764-48-0x0000000004C70000-0x0000000004D7A000-memory.dmp

Filesize
1.0MB

Download
memory/1764-49-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/1764-50-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/1764-51-0x0000000004BF0000-0x0000000004C2C000-memory.dmp

Filesize
240KB

Download
memory/1764-52-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/1764-53-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/2260-38-0x00007FFEF52E0000-0x00007FFEF5DA1000-memory.dmp

Filesize
10.8MB

Download
memory/2260-36-0x00007FFEF52E0000-0x00007FFEF5DA1000-memory.dmp

Filesize
10.8MB

Download
memory/2260-35-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download