healer | 642bbdfed1fe525de87228585d5191cff914b7a5b5d75b4f171bad570e90731d

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 17:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

642bbdfed1fe525de87228585d5191cff914b7a5b5d75b4f171bad570e90731d.exe
Size

828KB
MD5

a20055d2c026f44b066145c0aa071fb0
SHA1

ea566bf4a19946e23ea9772985885e52a420ffa6
SHA256

642bbdfed1fe525de87228585d5191cff914b7a5b5d75b4f171bad570e90731d
SHA512

0e587e913bebcc0d8d6c90683e8dcd3a91b5f77b8cee515010551f39c45cd9eeb6570b23f7f100c2859d0b59867a9f8bcbd9af83fcbee901501cb123dc6b8468
SSDEEP

24576:tyIjGnM8VgDPoH7QaREK2xIL2T/w7x6yc7:IVMDORf8A4

Score

10^/10

healer redline gogi dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

gogi

77.91.124.73:19071

Attributes

auth_value
c7dbabcf1eff128a595c7532cb5489a8

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023237-33.dat	healer
behavioral1/files/0x0007000000023237-34.dat	healer
behavioral1/memory/3884-35-0x00000000003A0000-0x00000000003AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9122562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9122562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9122562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9122562.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9122562.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9122562.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4876	v8158188.exe
1336	v1918618.exe
400	v3847809.exe
2084	v7844641.exe
3884	a9122562.exe
4428	b7950752.exe
540	c4920468.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9122562.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8158188.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1918618.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3847809.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7844641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	642bbdfed1fe525de87228585d5191cff914b7a5b5d75b4f171bad570e90731d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3884	a9122562.exe
3884	a9122562.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3884	a9122562.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 4876	1508	642bbdfed1fe525de87228585d5191cff914b7a5b5d75b4f171bad570e90731d.exe	82
PID 1508 wrote to memory of 4876	1508	642bbdfed1fe525de87228585d5191cff914b7a5b5d75b4f171bad570e90731d.exe	82
PID 1508 wrote to memory of 4876	1508	642bbdfed1fe525de87228585d5191cff914b7a5b5d75b4f171bad570e90731d.exe	82
PID 4876 wrote to memory of 1336	4876	v8158188.exe	83
PID 4876 wrote to memory of 1336	4876	v8158188.exe	83
PID 4876 wrote to memory of 1336	4876	v8158188.exe	83
PID 1336 wrote to memory of 400	1336	v1918618.exe	84
PID 1336 wrote to memory of 400	1336	v1918618.exe	84
PID 1336 wrote to memory of 400	1336	v1918618.exe	84
PID 400 wrote to memory of 2084	400	v3847809.exe	85
PID 400 wrote to memory of 2084	400	v3847809.exe	85
PID 400 wrote to memory of 2084	400	v3847809.exe	85
PID 2084 wrote to memory of 3884	2084	v7844641.exe	86
PID 2084 wrote to memory of 3884	2084	v7844641.exe	86
PID 2084 wrote to memory of 4428	2084	v7844641.exe	94
PID 2084 wrote to memory of 4428	2084	v7844641.exe	94
PID 2084 wrote to memory of 4428	2084	v7844641.exe	94
PID 400 wrote to memory of 540	400	v3847809.exe	95
PID 400 wrote to memory of 540	400	v3847809.exe	95
PID 400 wrote to memory of 540	400	v3847809.exe	95

C:\Users\Admin\AppData\Local\Temp\642bbdfed1fe525de87228585d5191cff914b7a5b5d75b4f171bad570e90731d.exe
"C:\Users\Admin\AppData\Local\Temp\642bbdfed1fe525de87228585d5191cff914b7a5b5d75b4f171bad570e90731d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8158188.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8158188.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1918618.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1918618.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3847809.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3847809.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7844641.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7844641.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9122562.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9122562.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7950752.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7950752.exe
        6⤵
        Executes dropped EXE
        
        PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4920468.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4920468.exe
        5⤵
        Executes dropped EXE
        
        PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8158188.exe

Filesize
723KB

MD5
313d49a1bb9311f43481ff417d31da92

SHA1
961f173d21ea41eb40ab34d8399cd9ea42b5ac1c

SHA256
e54a69e279d4ddccdde8cef6d7741c6e1b491449e8efe0f79d3fcaae856aeb64

SHA512
3c626e3ce7c6e5829b05291ef90b0495af4f4bf89f3de7be32a738742da9d31aea041644ac7f73252a1ae0b7910bb2cb368e728a367124f7a31d055c8bac1401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8158188.exe

Filesize
723KB

MD5
313d49a1bb9311f43481ff417d31da92

SHA1
961f173d21ea41eb40ab34d8399cd9ea42b5ac1c

SHA256
e54a69e279d4ddccdde8cef6d7741c6e1b491449e8efe0f79d3fcaae856aeb64

SHA512
3c626e3ce7c6e5829b05291ef90b0495af4f4bf89f3de7be32a738742da9d31aea041644ac7f73252a1ae0b7910bb2cb368e728a367124f7a31d055c8bac1401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1918618.exe

Filesize
497KB

MD5
9f5924a2156ede4c58bbb022d5db83fc

SHA1
a21cc42ae21449459e3841d87ae81cbc6ec10b85

SHA256
05e3b2093349668e22e8f046387a15620b35c18cdfa3ba5096ada3cea158ec31

SHA512
4bc858f852369338810e2eaca28499af3e89f71f2d8b5f92bb51d29cf6506a30a655863093a9d6fd264e0c29805ca18e138c8a928fea33fd7b9869abc7ec2697

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1918618.exe

Filesize
497KB

MD5
9f5924a2156ede4c58bbb022d5db83fc

SHA1
a21cc42ae21449459e3841d87ae81cbc6ec10b85

SHA256
05e3b2093349668e22e8f046387a15620b35c18cdfa3ba5096ada3cea158ec31

SHA512
4bc858f852369338810e2eaca28499af3e89f71f2d8b5f92bb51d29cf6506a30a655863093a9d6fd264e0c29805ca18e138c8a928fea33fd7b9869abc7ec2697

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3847809.exe

Filesize
373KB

MD5
a504b5389fc800f064149c872532d371

SHA1
9332905a3a3c015bfe62cadb0b802e65c2bc5090

SHA256
8b2369aada64232975d48fd15a4bdb1da2c8d44ae3919982e0e0e0633fe8c18d

SHA512
8af7457f20381273aa1f8af314d2a9159e825160d271fb3fe749201d3ca687c846dd1970190bff0ab5aa2cdd9108abe08dc96e2c131fcd0fe4c58557bfada475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3847809.exe

Filesize
373KB

MD5
a504b5389fc800f064149c872532d371

SHA1
9332905a3a3c015bfe62cadb0b802e65c2bc5090

SHA256
8b2369aada64232975d48fd15a4bdb1da2c8d44ae3919982e0e0e0633fe8c18d

SHA512
8af7457f20381273aa1f8af314d2a9159e825160d271fb3fe749201d3ca687c846dd1970190bff0ab5aa2cdd9108abe08dc96e2c131fcd0fe4c58557bfada475

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4920468.exe

Filesize
173KB

MD5
f3c53290825d382c2b93eefadd5dc9fb

SHA1
1a10fd85b1342fc51ca3ccec3a8f1d15b71feeca

SHA256
ab4244e68c80b6814c65b59d99e23812d9632cdad7ab12cee62ad9455f8a1d35

SHA512
39fb1751b2d53b883075364ec79f72e828061741e729bcda0478611ce4e1f7d02dde721391958bd8adbc9bb24ab13574ad89bf22627ffc8e0a9fdfaf3af9bf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4920468.exe

Filesize
173KB

MD5
f3c53290825d382c2b93eefadd5dc9fb

SHA1
1a10fd85b1342fc51ca3ccec3a8f1d15b71feeca

SHA256
ab4244e68c80b6814c65b59d99e23812d9632cdad7ab12cee62ad9455f8a1d35

SHA512
39fb1751b2d53b883075364ec79f72e828061741e729bcda0478611ce4e1f7d02dde721391958bd8adbc9bb24ab13574ad89bf22627ffc8e0a9fdfaf3af9bf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7844641.exe

Filesize
217KB

MD5
1e9489eab0eac141f68bf3b08a1fbe49

SHA1
f7e784b4bcfe08f653a3d49e2c5a9d465dc834f8

SHA256
83e9693b9147d58077dfead159b0091ab073cf07060ccfac799888fdedf9f689

SHA512
d415de087ec4734a7ad14dbbf2ff49985322c6d8cbd0272911f248c992913408d10a05922f369912e57a2fc0b81969a435f529892733340055454f3968b94f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7844641.exe

Filesize
217KB

MD5
1e9489eab0eac141f68bf3b08a1fbe49

SHA1
f7e784b4bcfe08f653a3d49e2c5a9d465dc834f8

SHA256
83e9693b9147d58077dfead159b0091ab073cf07060ccfac799888fdedf9f689

SHA512
d415de087ec4734a7ad14dbbf2ff49985322c6d8cbd0272911f248c992913408d10a05922f369912e57a2fc0b81969a435f529892733340055454f3968b94f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9122562.exe

Filesize
12KB

MD5
8c350a8ab78f7aef75078687ceab5711

SHA1
858a03c16af22c8dcb887ad2016d6f999f7e0d14

SHA256
fa5bdf03302727e2417cfe4d824b753cf3243c5066694b82073f101198c3bd0f

SHA512
deff1900e0e9f0158e6b48863aa689ce3b282de939fde8bacb676aaa41f4121e3dd5bd04483d592cc8a6ea28612f5f9762a908505cd5f16e433835df55a1bc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9122562.exe

Filesize
12KB

MD5
8c350a8ab78f7aef75078687ceab5711

SHA1
858a03c16af22c8dcb887ad2016d6f999f7e0d14

SHA256
fa5bdf03302727e2417cfe4d824b753cf3243c5066694b82073f101198c3bd0f

SHA512
deff1900e0e9f0158e6b48863aa689ce3b282de939fde8bacb676aaa41f4121e3dd5bd04483d592cc8a6ea28612f5f9762a908505cd5f16e433835df55a1bc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7950752.exe

Filesize
140KB

MD5
23b2e69a10ee5011fdf256893ac11aed

SHA1
5945daac54ba4aa82e54ce0c6cd7215087686449

SHA256
abe89318d4a6e30624ab55d1a298e4388e39b48b37b5b562eb8f4b9c9711f3cb

SHA512
6abbb89b44a9e258fc8ceb2beb4408de7e97feb2113da8dc80df624195963e62a92ce12988974fc0d9cd60e82b28271356d5eb1f2e47ee1284c8180808dce9da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7950752.exe

Filesize
140KB

MD5
23b2e69a10ee5011fdf256893ac11aed

SHA1
5945daac54ba4aa82e54ce0c6cd7215087686449

SHA256
abe89318d4a6e30624ab55d1a298e4388e39b48b37b5b562eb8f4b9c9711f3cb

SHA512
6abbb89b44a9e258fc8ceb2beb4408de7e97feb2113da8dc80df624195963e62a92ce12988974fc0d9cd60e82b28271356d5eb1f2e47ee1284c8180808dce9da

Download Submit
memory/540-46-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/540-45-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/540-47-0x0000000005460000-0x0000000005A78000-memory.dmp

Filesize
6.1MB

Download
memory/540-48-0x0000000004F50000-0x000000000505A000-memory.dmp

Filesize
1.0MB

Download
memory/540-49-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/540-50-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/540-51-0x0000000004E40000-0x0000000004E7C000-memory.dmp

Filesize
240KB

Download
memory/540-52-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/540-53-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/3884-38-0x00007FFA321A0000-0x00007FFA32C61000-memory.dmp

Filesize
10.8MB

Download
memory/3884-36-0x00007FFA321A0000-0x00007FFA32C61000-memory.dmp

Filesize
10.8MB

Download
memory/3884-35-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download