healer | b1427247e83a328702f506097008cdc9f875798ae73a306138b539b305948ccf

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2023, 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1427247e83a328702f506097008cdc9f875798ae73a306138b539b305948ccf.exe
Size

828KB
MD5

0bb4c46655518033ef17665430071501
SHA1

41cf2e4b4dc81e9db9a6fe0949ea1533d6a18412
SHA256

b1427247e83a328702f506097008cdc9f875798ae73a306138b539b305948ccf
SHA512

3f5940b154f889a2c210d5e6b81e842b4a16b07a0c1550a4edb40b3783fa4140c3c076f3bf852d43f7ca525214bdb01356022db8a51884d9b9fbfce92b65b06c
SSDEEP

12288:uMr6y90VDUgFLozVXpuLlV3I1FHWsBD6O5NFQpKVbzt6q786bN7AAh/ETnFiptT9:wyoDjFLwXpuxIlV7FHll57nKFirAGJb

Score

10^/10

healer redline gogi dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

gogi

77.91.124.73:19071

Attributes

auth_value
c7dbabcf1eff128a595c7532cb5489a8

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023244-34.dat	healer
behavioral1/files/0x0007000000023244-33.dat	healer
behavioral1/memory/3976-35-0x0000000000310000-0x000000000031A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2180038.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2180038.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2180038.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2180038.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2180038.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2180038.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2780	v0707178.exe
1928	v4181062.exe
1252	v4164147.exe
4892	v8435507.exe
3976	a2180038.exe
4200	b6215410.exe
216	c3688994.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2180038.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4181062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4164147.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8435507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b1427247e83a328702f506097008cdc9f875798ae73a306138b539b305948ccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0707178.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3976	a2180038.exe
3976	a2180038.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	a2180038.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2780	228	b1427247e83a328702f506097008cdc9f875798ae73a306138b539b305948ccf.exe	82
PID 228 wrote to memory of 2780	228	b1427247e83a328702f506097008cdc9f875798ae73a306138b539b305948ccf.exe	82
PID 228 wrote to memory of 2780	228	b1427247e83a328702f506097008cdc9f875798ae73a306138b539b305948ccf.exe	82
PID 2780 wrote to memory of 1928	2780	v0707178.exe	83
PID 2780 wrote to memory of 1928	2780	v0707178.exe	83
PID 2780 wrote to memory of 1928	2780	v0707178.exe	83
PID 1928 wrote to memory of 1252	1928	v4181062.exe	84
PID 1928 wrote to memory of 1252	1928	v4181062.exe	84
PID 1928 wrote to memory of 1252	1928	v4181062.exe	84
PID 1252 wrote to memory of 4892	1252	v4164147.exe	85
PID 1252 wrote to memory of 4892	1252	v4164147.exe	85
PID 1252 wrote to memory of 4892	1252	v4164147.exe	85
PID 4892 wrote to memory of 3976	4892	v8435507.exe	86
PID 4892 wrote to memory of 3976	4892	v8435507.exe	86
PID 4892 wrote to memory of 4200	4892	v8435507.exe	88
PID 4892 wrote to memory of 4200	4892	v8435507.exe	88
PID 4892 wrote to memory of 4200	4892	v8435507.exe	88
PID 1252 wrote to memory of 216	1252	v4164147.exe	89
PID 1252 wrote to memory of 216	1252	v4164147.exe	89
PID 1252 wrote to memory of 216	1252	v4164147.exe	89

C:\Users\Admin\AppData\Local\Temp\b1427247e83a328702f506097008cdc9f875798ae73a306138b539b305948ccf.exe
"C:\Users\Admin\AppData\Local\Temp\b1427247e83a328702f506097008cdc9f875798ae73a306138b539b305948ccf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0707178.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0707178.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4181062.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4181062.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4164147.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4164147.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1252
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8435507.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8435507.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4892
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2180038.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2180038.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6215410.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6215410.exe
        6⤵
        Executes dropped EXE
        
        PID:4200
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3688994.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3688994.exe
        5⤵
        Executes dropped EXE
        
        PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0707178.exe

Filesize
722KB

MD5
6f42a05b701e8dc9a8586104645abdef

SHA1
f297a78a44dfe61ab1326941838a8d52d443c46c

SHA256
e5e24d1a5b39f7d7b387fb7790784d765519146d40e1dfb273d358ea923b9b09

SHA512
df2038901504f22962f887933c4d48a50189e0690725cffa30e857acc357c6b2f50c195af14c1f1a47fb02eb76db592d6b102875f548e5bcc838a9e0312df6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0707178.exe

Filesize
722KB

MD5
6f42a05b701e8dc9a8586104645abdef

SHA1
f297a78a44dfe61ab1326941838a8d52d443c46c

SHA256
e5e24d1a5b39f7d7b387fb7790784d765519146d40e1dfb273d358ea923b9b09

SHA512
df2038901504f22962f887933c4d48a50189e0690725cffa30e857acc357c6b2f50c195af14c1f1a47fb02eb76db592d6b102875f548e5bcc838a9e0312df6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4181062.exe

Filesize
496KB

MD5
258dc34ea22727a3e2de9973cae89a87

SHA1
d841e41e2522fe0b5c58d77b5dc8bef791a8642f

SHA256
618ad2df39451d9035f49eb6aa70be8e01d074b56cdf09b83a0c8fd46f6ea396

SHA512
ec2294e5ac5b8d9a2ac6b0c87239840cd950260ce712883dbb635ba359c9eadfd83398042163e3d2e22591e2f49ec814c963bf3b8b7ceef38c1499cb8e6dfa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4181062.exe

Filesize
496KB

MD5
258dc34ea22727a3e2de9973cae89a87

SHA1
d841e41e2522fe0b5c58d77b5dc8bef791a8642f

SHA256
618ad2df39451d9035f49eb6aa70be8e01d074b56cdf09b83a0c8fd46f6ea396

SHA512
ec2294e5ac5b8d9a2ac6b0c87239840cd950260ce712883dbb635ba359c9eadfd83398042163e3d2e22591e2f49ec814c963bf3b8b7ceef38c1499cb8e6dfa3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4164147.exe

Filesize
372KB

MD5
8620dd51b23816b0a4ce0a22d6825b30

SHA1
40159ce49358d52bb5cea544187ce97f8128f9df

SHA256
a4d69c96d89dc8ca88436343e6c43aed7fd7420f02cf8801441b886b0a96c1d4

SHA512
5df8b0832b37868a13ccd0e06bfd25e5a19daa03689ce96c7c19d49a44dc74697da1dbf0e97cd2e45d0f478841b1b701df8d2880fc5aafa76bc3a466ef1a6159

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4164147.exe

Filesize
372KB

MD5
8620dd51b23816b0a4ce0a22d6825b30

SHA1
40159ce49358d52bb5cea544187ce97f8128f9df

SHA256
a4d69c96d89dc8ca88436343e6c43aed7fd7420f02cf8801441b886b0a96c1d4

SHA512
5df8b0832b37868a13ccd0e06bfd25e5a19daa03689ce96c7c19d49a44dc74697da1dbf0e97cd2e45d0f478841b1b701df8d2880fc5aafa76bc3a466ef1a6159

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3688994.exe

Filesize
173KB

MD5
8fac03bbbfa86af76a8442f40660f3af

SHA1
5c83f3187759666db700e92c7b2fd024fb0cdcfb

SHA256
6c66197b6f05491ab78f8e877a5767731686c981815164fa80425c95268d8cf7

SHA512
7df7b82efc2f8f0535d62e120e07c090b5e4fd96b9045a0b78dc2ab26debe56916504d65dbc5dbb78d745b3db95fa93f066e0fe5ed2e8c41d90c7fd9eec9d01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3688994.exe

Filesize
173KB

MD5
8fac03bbbfa86af76a8442f40660f3af

SHA1
5c83f3187759666db700e92c7b2fd024fb0cdcfb

SHA256
6c66197b6f05491ab78f8e877a5767731686c981815164fa80425c95268d8cf7

SHA512
7df7b82efc2f8f0535d62e120e07c090b5e4fd96b9045a0b78dc2ab26debe56916504d65dbc5dbb78d745b3db95fa93f066e0fe5ed2e8c41d90c7fd9eec9d01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8435507.exe

Filesize
216KB

MD5
71e17c4e620bce98ca31f8e24d7be2be

SHA1
3df50cc467792aa89d99568d3dec297f66cb24b3

SHA256
4815aaa689a1f2fcb1d97d4ffa7f1369bf0b8b990ef681b857f8d31e10d349a9

SHA512
7eb3bc4ad2a3e53228a160f67294a067128daf8825103041a1bcb686042e991a93223040482db85dd031356ffcabe6eb1e7f52daf4f0aacc3171fc20bb0514ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8435507.exe

Filesize
216KB

MD5
71e17c4e620bce98ca31f8e24d7be2be

SHA1
3df50cc467792aa89d99568d3dec297f66cb24b3

SHA256
4815aaa689a1f2fcb1d97d4ffa7f1369bf0b8b990ef681b857f8d31e10d349a9

SHA512
7eb3bc4ad2a3e53228a160f67294a067128daf8825103041a1bcb686042e991a93223040482db85dd031356ffcabe6eb1e7f52daf4f0aacc3171fc20bb0514ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2180038.exe

Filesize
12KB

MD5
fb326fe292e88d46e3912c96212abc53

SHA1
bea325fa8cb13e6ee0522ee65b6ae737b9120ed7

SHA256
93b2222c6db173f592daf35ff9c13d91d38b56d413979918d2c21aae8b5e5cc1

SHA512
50be00f838d5a490d2fd13b25566d515ee1ea9d5eb6b63d5486e29337dc803f46f5c33b04f97e98cf2b4a1b950da0aa3e0eea5e88495822f81216619c9a68ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2180038.exe

Filesize
12KB

MD5
fb326fe292e88d46e3912c96212abc53

SHA1
bea325fa8cb13e6ee0522ee65b6ae737b9120ed7

SHA256
93b2222c6db173f592daf35ff9c13d91d38b56d413979918d2c21aae8b5e5cc1

SHA512
50be00f838d5a490d2fd13b25566d515ee1ea9d5eb6b63d5486e29337dc803f46f5c33b04f97e98cf2b4a1b950da0aa3e0eea5e88495822f81216619c9a68ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6215410.exe

Filesize
140KB

MD5
390401bd4e217b24be087293a2faac66

SHA1
4915830a2db32df8410693cc62a2b8c19ce37ef9

SHA256
ea5bea5b22752c558bd41e1a44dabd95230b8cca3f6f2514cad9b8f09a04c4ba

SHA512
a235d3e4e1fee644708791cfd1e02f7a31d530953e48832b4f8cc6a87e37bf110671a14715cb9c0d2a2e12b6200565f333038c2438bc4774931e091b97ef04fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6215410.exe

Filesize
140KB

MD5
390401bd4e217b24be087293a2faac66

SHA1
4915830a2db32df8410693cc62a2b8c19ce37ef9

SHA256
ea5bea5b22752c558bd41e1a44dabd95230b8cca3f6f2514cad9b8f09a04c4ba

SHA512
a235d3e4e1fee644708791cfd1e02f7a31d530953e48832b4f8cc6a87e37bf110671a14715cb9c0d2a2e12b6200565f333038c2438bc4774931e091b97ef04fe

Download Submit
memory/216-46-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/216-45-0x0000000000190000-0x00000000001C0000-memory.dmp

Filesize
192KB

Download
memory/216-47-0x000000000A5C0000-0x000000000ABD8000-memory.dmp

Filesize
6.1MB

Download
memory/216-48-0x000000000A140000-0x000000000A24A000-memory.dmp

Filesize
1.0MB

Download
memory/216-49-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/216-50-0x000000000A080000-0x000000000A092000-memory.dmp

Filesize
72KB

Download
memory/216-51-0x000000000A0E0000-0x000000000A11C000-memory.dmp

Filesize
240KB

Download
memory/216-52-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/216-53-0x0000000004AF0000-0x0000000004B00000-memory.dmp

Filesize
64KB

Download
memory/3976-38-0x00007FFA3D060000-0x00007FFA3DB21000-memory.dmp

Filesize
10.8MB

Download
memory/3976-36-0x00007FFA3D060000-0x00007FFA3DB21000-memory.dmp

Filesize
10.8MB

Download
memory/3976-35-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download