healer | f458c6906bc69275dd873400d1338c15ad311144b05f51c0e205cf7f038ba871

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f458c6906bc69275dd873400d1338c15ad311144b05f51c0e205cf7f038ba871.exe
Size

927KB
MD5

8931772ac129966a57259992aaf6bbf5
SHA1

1a312aba62f193bb70f62605df551782624f8a98
SHA256

f458c6906bc69275dd873400d1338c15ad311144b05f51c0e205cf7f038ba871
SHA512

dcabf94e5bbabce5313352ab14a4f0cb7caa875a0711ed440a583e281bf3d0b7f02b063c51e85102b932f57b653c9116a5170123d37a45d685a597174a0b0fc0
SSDEEP

24576:GyhnkM3KrLMEDKjziVi+la5aLu4Au73chDd:VhkQqvDKjClSaHv

Score

10^/10

healer redline gogi dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

gogi

77.91.124.73:19071

Attributes

auth_value
c7dbabcf1eff128a595c7532cb5489a8

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231c0-33.dat	healer
behavioral1/files/0x00070000000231c0-34.dat	healer
behavioral1/memory/1524-35-0x0000000000720000-0x000000000072A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q9416907.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q9416907.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q9416907.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q9416907.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q9416907.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q9416907.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1256	z7426656.exe
2684	z5118834.exe
3692	z6143595.exe
2796	z5366510.exe
1524	q9416907.exe
3552	r1812259.exe
3912	s7955961.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q9416907.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z5366510.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f458c6906bc69275dd873400d1338c15ad311144b05f51c0e205cf7f038ba871.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7426656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5118834.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z6143595.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1524	q9416907.exe
1524	q9416907.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1524	q9416907.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 1256	576	f458c6906bc69275dd873400d1338c15ad311144b05f51c0e205cf7f038ba871.exe	80
PID 576 wrote to memory of 1256	576	f458c6906bc69275dd873400d1338c15ad311144b05f51c0e205cf7f038ba871.exe	80
PID 576 wrote to memory of 1256	576	f458c6906bc69275dd873400d1338c15ad311144b05f51c0e205cf7f038ba871.exe	80
PID 1256 wrote to memory of 2684	1256	z7426656.exe	81
PID 1256 wrote to memory of 2684	1256	z7426656.exe	81
PID 1256 wrote to memory of 2684	1256	z7426656.exe	81
PID 2684 wrote to memory of 3692	2684	z5118834.exe	82
PID 2684 wrote to memory of 3692	2684	z5118834.exe	82
PID 2684 wrote to memory of 3692	2684	z5118834.exe	82
PID 3692 wrote to memory of 2796	3692	z6143595.exe	83
PID 3692 wrote to memory of 2796	3692	z6143595.exe	83
PID 3692 wrote to memory of 2796	3692	z6143595.exe	83
PID 2796 wrote to memory of 1524	2796	z5366510.exe	84
PID 2796 wrote to memory of 1524	2796	z5366510.exe	84
PID 2796 wrote to memory of 3552	2796	z5366510.exe	93
PID 2796 wrote to memory of 3552	2796	z5366510.exe	93
PID 2796 wrote to memory of 3552	2796	z5366510.exe	93
PID 3692 wrote to memory of 3912	3692	z6143595.exe	94
PID 3692 wrote to memory of 3912	3692	z6143595.exe	94
PID 3692 wrote to memory of 3912	3692	z6143595.exe	94

C:\Users\Admin\AppData\Local\Temp\f458c6906bc69275dd873400d1338c15ad311144b05f51c0e205cf7f038ba871.exe
"C:\Users\Admin\AppData\Local\Temp\f458c6906bc69275dd873400d1338c15ad311144b05f51c0e205cf7f038ba871.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:576
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7426656.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7426656.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5118834.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5118834.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6143595.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6143595.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3692
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5366510.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5366510.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9416907.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9416907.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1812259.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1812259.exe
        6⤵
        Executes dropped EXE
        
        PID:3552
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7955961.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7955961.exe
        5⤵
        Executes dropped EXE
        
        PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7426656.exe

Filesize
822KB

MD5
3209a46858157101c27b827cd60f2c75

SHA1
5fde000f5ea9333f8db6446f02663f199cf1b7d7

SHA256
832139e6e22ac8c93ef4549b2121d16170b07346dec5755b7ea121d59f82e1ac

SHA512
7ddaa2cbe6f30e6d928efd24c2fbcb595ede9ae9a3071e2e48d502cf5335c1ee75c074056f293a1de0e26d9d7cb775be7b01b0a2bd4702fe25dfae3397d7ac53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7426656.exe

Filesize
822KB

MD5
3209a46858157101c27b827cd60f2c75

SHA1
5fde000f5ea9333f8db6446f02663f199cf1b7d7

SHA256
832139e6e22ac8c93ef4549b2121d16170b07346dec5755b7ea121d59f82e1ac

SHA512
7ddaa2cbe6f30e6d928efd24c2fbcb595ede9ae9a3071e2e48d502cf5335c1ee75c074056f293a1de0e26d9d7cb775be7b01b0a2bd4702fe25dfae3397d7ac53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5118834.exe

Filesize
597KB

MD5
588e4c9855101440f35b2bfcf53d6d01

SHA1
946319fa0976723180c1bf36aa8a57238c9cc4cf

SHA256
1aa4ea1f9731fd1c15dafe61ca1673f64bfdd5a01501fecb929df3c929854e5a

SHA512
ec43d6e2105fe199b1662b2ae64a5bf01381887cc2feb2ef1c1d8d9b46c111200c205f197745a5c1aadb1e64f95b5c14a62a3d4e8901b60bf5396cec986d0957

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5118834.exe

Filesize
597KB

MD5
588e4c9855101440f35b2bfcf53d6d01

SHA1
946319fa0976723180c1bf36aa8a57238c9cc4cf

SHA256
1aa4ea1f9731fd1c15dafe61ca1673f64bfdd5a01501fecb929df3c929854e5a

SHA512
ec43d6e2105fe199b1662b2ae64a5bf01381887cc2feb2ef1c1d8d9b46c111200c205f197745a5c1aadb1e64f95b5c14a62a3d4e8901b60bf5396cec986d0957

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6143595.exe

Filesize
372KB

MD5
b2245959a1c1f0b3f00d7770b62b65d8

SHA1
a3d14bee37c68de2ff9c86f0ff7dab98be279950

SHA256
06183e1c318941fce3faf2209c27d4f7c43ab2e09d646dfec980e43545e7cc68

SHA512
86c096fbe67f58563809c900b3e8f003b2f5cc0367c6938f44dfe20e43ef716c827540ac6222ef1a0979b5301909d1fdcfaef30aeb005179f8f39cd2d0ceba8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6143595.exe

Filesize
372KB

MD5
b2245959a1c1f0b3f00d7770b62b65d8

SHA1
a3d14bee37c68de2ff9c86f0ff7dab98be279950

SHA256
06183e1c318941fce3faf2209c27d4f7c43ab2e09d646dfec980e43545e7cc68

SHA512
86c096fbe67f58563809c900b3e8f003b2f5cc0367c6938f44dfe20e43ef716c827540ac6222ef1a0979b5301909d1fdcfaef30aeb005179f8f39cd2d0ceba8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7955961.exe

Filesize
173KB

MD5
2666188c02158583a46cfc278e99d533

SHA1
a7ff7b48703cdf342c79b0d0e9ebc2d04fa87205

SHA256
5ffba153287aa6599eaa6f8b6d21f17a99401806c640e7c654b5d79f77cbdd94

SHA512
565d5d75e419128d4709e2d441d26691f35de006dcb3292a645f82edab2f53ca22f0dd6a66763d82dd0c912bf38eb042b0303f1659abb5812544684a3c6892a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7955961.exe

Filesize
173KB

MD5
2666188c02158583a46cfc278e99d533

SHA1
a7ff7b48703cdf342c79b0d0e9ebc2d04fa87205

SHA256
5ffba153287aa6599eaa6f8b6d21f17a99401806c640e7c654b5d79f77cbdd94

SHA512
565d5d75e419128d4709e2d441d26691f35de006dcb3292a645f82edab2f53ca22f0dd6a66763d82dd0c912bf38eb042b0303f1659abb5812544684a3c6892a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5366510.exe

Filesize
217KB

MD5
17cc7ad3418a2c3e01b02f8165b6324c

SHA1
fb40f9fe5ce8ad52e013407e2f89b8de9a3fc12a

SHA256
b53cfee9598a40afb41c9cdd76cec178190ce3183ac9b3a3308aa9941bbad180

SHA512
f19303a42e9e418d406d32e2baa55762fd68cd535b02fb66cf96ce4c3ce70af355d72b3ae4b65f5f79aa427771c98028528da25784ff6b32f6723c05d5a7caf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z5366510.exe

Filesize
217KB

MD5
17cc7ad3418a2c3e01b02f8165b6324c

SHA1
fb40f9fe5ce8ad52e013407e2f89b8de9a3fc12a

SHA256
b53cfee9598a40afb41c9cdd76cec178190ce3183ac9b3a3308aa9941bbad180

SHA512
f19303a42e9e418d406d32e2baa55762fd68cd535b02fb66cf96ce4c3ce70af355d72b3ae4b65f5f79aa427771c98028528da25784ff6b32f6723c05d5a7caf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9416907.exe

Filesize
12KB

MD5
ddbf67886ef98fcbd84c97d0c42f9278

SHA1
a4775eaa66316c70c9f2321de04167258b253b95

SHA256
92b6a1c51d8f2f3ae417bad623b8aad3d0277c2c70eab16a5935b60e20560f9a

SHA512
789a6be03daf982330ec183323df643513bf8709cad646454277802e8f3b0234e76ecfd88d9a19bbb4aa0f8c7b714a085741682e8fbbea493cb9b2a8de7e3dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9416907.exe

Filesize
12KB

MD5
ddbf67886ef98fcbd84c97d0c42f9278

SHA1
a4775eaa66316c70c9f2321de04167258b253b95

SHA256
92b6a1c51d8f2f3ae417bad623b8aad3d0277c2c70eab16a5935b60e20560f9a

SHA512
789a6be03daf982330ec183323df643513bf8709cad646454277802e8f3b0234e76ecfd88d9a19bbb4aa0f8c7b714a085741682e8fbbea493cb9b2a8de7e3dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1812259.exe

Filesize
140KB

MD5
70ebe7f83d4760f2398d4b4bdef746c1

SHA1
cd588aacbbd467c91e912452fdfb0c8cb4747d97

SHA256
1264d1e3c89a83a5b8f48e9c80e3e35001999e87a97759ce2da9de7cc86b429a

SHA512
aa51e4c1841cba35bc021d17c3be78886765c4bc27797e2b50142266c3e9dffcf107d8ae5e9872166204d86bca6b124a38982ab9003c96644708980ced863140

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1812259.exe

Filesize
140KB

MD5
70ebe7f83d4760f2398d4b4bdef746c1

SHA1
cd588aacbbd467c91e912452fdfb0c8cb4747d97

SHA256
1264d1e3c89a83a5b8f48e9c80e3e35001999e87a97759ce2da9de7cc86b429a

SHA512
aa51e4c1841cba35bc021d17c3be78886765c4bc27797e2b50142266c3e9dffcf107d8ae5e9872166204d86bca6b124a38982ab9003c96644708980ced863140

Download Submit
memory/1524-38-0x00007FFEED590000-0x00007FFEEE051000-memory.dmp

Filesize
10.8MB

Download
memory/1524-36-0x00007FFEED590000-0x00007FFEEE051000-memory.dmp

Filesize
10.8MB

Download
memory/1524-35-0x0000000000720000-0x000000000072A000-memory.dmp

Filesize
40KB

Download
memory/3912-45-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download
memory/3912-46-0x0000000074040000-0x00000000747F0000-memory.dmp

Filesize
7.7MB

Download
memory/3912-47-0x0000000005590000-0x0000000005BA8000-memory.dmp

Filesize
6.1MB

Download
memory/3912-48-0x0000000005080000-0x000000000518A000-memory.dmp

Filesize
1.0MB

Download
memory/3912-49-0x0000000004E20000-0x0000000004E32000-memory.dmp

Filesize
72KB

Download
memory/3912-50-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3912-51-0x0000000004FB0000-0x0000000004FEC000-memory.dmp

Filesize
240KB

Download
memory/3912-52-0x0000000074040000-0x00000000747F0000-memory.dmp

Filesize
7.7MB

Download
memory/3912-53-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download