healer | 40f026f5ac84239706230b92ace37bbdd1309c67fcb402e0aa5cc132457ecc9e

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40f026f5ac84239706230b92ace37bbdd1309c67fcb402e0aa5cc132457ecc9e.exe
Size

929KB
MD5

01095b3275e0279e54d486cff819b4c7
SHA1

2461018bd5c362f7b733487d836af95648b03b5a
SHA256

40f026f5ac84239706230b92ace37bbdd1309c67fcb402e0aa5cc132457ecc9e
SHA512

8944baa9e4afa0f451c1ef3b9348978df98fed927d122f76eefe4f0b942ed8be7ce89590ce80804fa32f4e0d423080083d518c5a4b0f96bdcd28d9bc0cf24459
SSDEEP

12288:5MrQy90J3onxZ2uG/gNLA/Z1lfovIqgKCWHvbL5rIWacyyAmKrd8GFpdSFyJdPvE:lysQfMZgwqg186WactAmgXdomypn

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023291-33.dat	healer
behavioral1/files/0x0008000000023291-34.dat	healer
behavioral1/memory/4024-35-0x00000000001F0000-0x00000000001FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q5710765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q5710765.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q5710765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q5710765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q5710765.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q5710765.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3260	z6298480.exe
1648	z8181457.exe
4820	z8650966.exe
4584	z0462117.exe
4024	q5710765.exe
2608	r2406327.exe
3728	s9106343.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q5710765.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	40f026f5ac84239706230b92ace37bbdd1309c67fcb402e0aa5cc132457ecc9e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6298480.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8181457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8650966.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0462117.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4024	q5710765.exe
4024	q5710765.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4024	q5710765.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 3260	1184	40f026f5ac84239706230b92ace37bbdd1309c67fcb402e0aa5cc132457ecc9e.exe	83
PID 1184 wrote to memory of 3260	1184	40f026f5ac84239706230b92ace37bbdd1309c67fcb402e0aa5cc132457ecc9e.exe	83
PID 1184 wrote to memory of 3260	1184	40f026f5ac84239706230b92ace37bbdd1309c67fcb402e0aa5cc132457ecc9e.exe	83
PID 3260 wrote to memory of 1648	3260	z6298480.exe	84
PID 3260 wrote to memory of 1648	3260	z6298480.exe	84
PID 3260 wrote to memory of 1648	3260	z6298480.exe	84
PID 1648 wrote to memory of 4820	1648	z8181457.exe	85
PID 1648 wrote to memory of 4820	1648	z8181457.exe	85
PID 1648 wrote to memory of 4820	1648	z8181457.exe	85
PID 4820 wrote to memory of 4584	4820	z8650966.exe	86
PID 4820 wrote to memory of 4584	4820	z8650966.exe	86
PID 4820 wrote to memory of 4584	4820	z8650966.exe	86
PID 4584 wrote to memory of 4024	4584	z0462117.exe	87
PID 4584 wrote to memory of 4024	4584	z0462117.exe	87
PID 4584 wrote to memory of 2608	4584	z0462117.exe	96
PID 4584 wrote to memory of 2608	4584	z0462117.exe	96
PID 4584 wrote to memory of 2608	4584	z0462117.exe	96
PID 4820 wrote to memory of 3728	4820	z8650966.exe	97
PID 4820 wrote to memory of 3728	4820	z8650966.exe	97
PID 4820 wrote to memory of 3728	4820	z8650966.exe	97

C:\Users\Admin\AppData\Local\Temp\40f026f5ac84239706230b92ace37bbdd1309c67fcb402e0aa5cc132457ecc9e.exe
"C:\Users\Admin\AppData\Local\Temp\40f026f5ac84239706230b92ace37bbdd1309c67fcb402e0aa5cc132457ecc9e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6298480.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6298480.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8181457.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8181457.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8650966.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8650966.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0462117.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0462117.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4584
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5710765.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5710765.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2406327.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2406327.exe
        6⤵
        Executes dropped EXE
        
        PID:2608
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9106343.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9106343.exe
        5⤵
        Executes dropped EXE
        
        PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6298480.exe

Filesize
823KB

MD5
da3f16353171da87cf22dfdb5ed38d3b

SHA1
4979ae5fcd3472a390bf5a509a77a7f42756a77d

SHA256
caaba01b2ba9a1249b4cf837d043bcbbd0580bf243be63bfc3f91f44fafcda6c

SHA512
cb9ed4d5b5a9aaa9de8ee464d9179760b9344c503a036e9de25949f72e1009dca624d89d40df4ae9c3d5638fcb439262fb1b626bb41e8f47c94ca50a8f55feb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6298480.exe

Filesize
823KB

MD5
da3f16353171da87cf22dfdb5ed38d3b

SHA1
4979ae5fcd3472a390bf5a509a77a7f42756a77d

SHA256
caaba01b2ba9a1249b4cf837d043bcbbd0580bf243be63bfc3f91f44fafcda6c

SHA512
cb9ed4d5b5a9aaa9de8ee464d9179760b9344c503a036e9de25949f72e1009dca624d89d40df4ae9c3d5638fcb439262fb1b626bb41e8f47c94ca50a8f55feb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8181457.exe

Filesize
598KB

MD5
94ab7f36e300bce3bd02645a8a221710

SHA1
dab647ee964722d5a348d81fb34160c9905883eb

SHA256
25d4db9116dc0d205e5b8cb739070afb5644aad2f51f94ec41392ea888e9a723

SHA512
f7afe21ed90cdbc9840ea44413b682ba42e787ae066c4fe38ca73893571c9825556840e0de7bbca74bf4ece155d6cc8a8e8f9da8354924908742646b496a0df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8181457.exe

Filesize
598KB

MD5
94ab7f36e300bce3bd02645a8a221710

SHA1
dab647ee964722d5a348d81fb34160c9905883eb

SHA256
25d4db9116dc0d205e5b8cb739070afb5644aad2f51f94ec41392ea888e9a723

SHA512
f7afe21ed90cdbc9840ea44413b682ba42e787ae066c4fe38ca73893571c9825556840e0de7bbca74bf4ece155d6cc8a8e8f9da8354924908742646b496a0df2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8650966.exe

Filesize
372KB

MD5
9c554b5d7c9f69a0080f3c609b657d8f

SHA1
3bf2f32b16204530e3aa315ed275787c5857952c

SHA256
d28ad3893c46e9b323f68adf17326c8f6deab1e6f7d9cb8cee87fed52cf22da2

SHA512
d514f0df17f1c8b0dbf5e5f1f9db4d8eb37bd04b9248195233cc96a4d41a37bad604950023a700d807d16f90a775fec69963763cc2c0a9abda167a077d0aefb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8650966.exe

Filesize
372KB

MD5
9c554b5d7c9f69a0080f3c609b657d8f

SHA1
3bf2f32b16204530e3aa315ed275787c5857952c

SHA256
d28ad3893c46e9b323f68adf17326c8f6deab1e6f7d9cb8cee87fed52cf22da2

SHA512
d514f0df17f1c8b0dbf5e5f1f9db4d8eb37bd04b9248195233cc96a4d41a37bad604950023a700d807d16f90a775fec69963763cc2c0a9abda167a077d0aefb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9106343.exe

Filesize
174KB

MD5
19ee4e22a7b262be0094998cdb18878b

SHA1
840419df23d6b050f610f5457ab3f6fe59c1c613

SHA256
de0ec4c41f5bb815f0a3f31e145b17a033423107b4d9832c6fcb328fda51d994

SHA512
303994d31a48b7f5184e46b6d26b510103627d761a17607373c5798403742f634b64fd203350788807c8a7073082813bf3a9619a75e6d2194ed9709168bfc39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9106343.exe

Filesize
174KB

MD5
19ee4e22a7b262be0094998cdb18878b

SHA1
840419df23d6b050f610f5457ab3f6fe59c1c613

SHA256
de0ec4c41f5bb815f0a3f31e145b17a033423107b4d9832c6fcb328fda51d994

SHA512
303994d31a48b7f5184e46b6d26b510103627d761a17607373c5798403742f634b64fd203350788807c8a7073082813bf3a9619a75e6d2194ed9709168bfc39b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0462117.exe

Filesize
217KB

MD5
5b3b9504674457d18be626b3d208ed46

SHA1
ca49e5b783636443a6efb68c1bf32215760f8905

SHA256
b0a4ad341809d20ccaf1cefb51ff43d65115755b869f270e3a98917ed485de65

SHA512
f0423abd642e262e1cfcfd3a5bf06c88f35bd8bdae57f7325c0396a6076964da87f0a8fbd5cc073eab54d5c0b62101abed07500a38117a4fef351d894d1b2db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0462117.exe

Filesize
217KB

MD5
5b3b9504674457d18be626b3d208ed46

SHA1
ca49e5b783636443a6efb68c1bf32215760f8905

SHA256
b0a4ad341809d20ccaf1cefb51ff43d65115755b869f270e3a98917ed485de65

SHA512
f0423abd642e262e1cfcfd3a5bf06c88f35bd8bdae57f7325c0396a6076964da87f0a8fbd5cc073eab54d5c0b62101abed07500a38117a4fef351d894d1b2db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5710765.exe

Filesize
13KB

MD5
12e7baeccd75a4eff375125ae34c810b

SHA1
80df70c61ef6e277bbd8bc023471d61bba31c5ce

SHA256
af11d9602cdeed1eda020b3e47f5c0e940463f0329a6b4ce204910f3246b32d5

SHA512
e510ead628a321dd670a7920be55255346e71fcc4148e73929d68624562f12bc525977ba2e579d4c7877c2531bb43a92ee291aeeeaa54e81d861e7c706912449

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5710765.exe

Filesize
13KB

MD5
12e7baeccd75a4eff375125ae34c810b

SHA1
80df70c61ef6e277bbd8bc023471d61bba31c5ce

SHA256
af11d9602cdeed1eda020b3e47f5c0e940463f0329a6b4ce204910f3246b32d5

SHA512
e510ead628a321dd670a7920be55255346e71fcc4148e73929d68624562f12bc525977ba2e579d4c7877c2531bb43a92ee291aeeeaa54e81d861e7c706912449

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2406327.exe

Filesize
140KB

MD5
5c1c68585240da3b58647dda932994b8

SHA1
834841710283026b14fd978c6b96f861a99eda6a

SHA256
1f93377dba728f947ce736d418d446ea78163c088e1b1b0a39033db05b394a6c

SHA512
f41b2cdebba7002c8e8804a88bed630344b221b322ebbe28e69b3f5857297cc0b4af7579851c76c17963ef5e4446f29f9c1eb2761e19e341c1d57452e33c206a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2406327.exe

Filesize
140KB

MD5
5c1c68585240da3b58647dda932994b8

SHA1
834841710283026b14fd978c6b96f861a99eda6a

SHA256
1f93377dba728f947ce736d418d446ea78163c088e1b1b0a39033db05b394a6c

SHA512
f41b2cdebba7002c8e8804a88bed630344b221b322ebbe28e69b3f5857297cc0b4af7579851c76c17963ef5e4446f29f9c1eb2761e19e341c1d57452e33c206a

Download Submit
memory/3728-46-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/3728-45-0x0000000000660000-0x0000000000690000-memory.dmp

Filesize
192KB

Download
memory/3728-47-0x00000000057C0000-0x0000000005DD8000-memory.dmp

Filesize
6.1MB

Download
memory/3728-48-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/3728-49-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/3728-50-0x0000000005020000-0x0000000005032000-memory.dmp

Filesize
72KB

Download
memory/3728-51-0x00000000051A0000-0x00000000051DC000-memory.dmp

Filesize
240KB

Download
memory/3728-52-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/3728-53-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4024-38-0x00007FFF28030000-0x00007FFF28AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4024-36-0x00007FFF28030000-0x00007FFF28AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4024-35-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download