healer | f21377efdcf6d9b1f10a431e8b039835c569c708b000ef50d8bdbfdf43de00ac

Analysis

max time kernel
140s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
24/08/2023, 08:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f21377efdcf6d9b1f10a431e8b039835c569c708b000ef50d8bdbfdf43de00ac.exe
Size

829KB
MD5

b342cdbef1253fcb65e6af310ec9b703
SHA1

e6aca500a9d6c277c2a94515f64ca1881cc2817e
SHA256

f21377efdcf6d9b1f10a431e8b039835c569c708b000ef50d8bdbfdf43de00ac
SHA512

4c5c5a10e1ab4f599741cd12f559583d4d0f01ab48f984a3e4a6059a87f81af27e41446a41702c549f4ed6535f2a89f879cb039819b747a8fd15b5db1bf1defd
SSDEEP

12288:XMrGy905usUt+nuahr8KVAPFqlOFq6snOmqQ5w0aOhdsp6TaTDZ+lGf0:NyKUMuahtiPdjF6TaTDZTf0

Score

10^/10

healer redline rwan dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rwan

77.91.124.73:19071

Attributes

auth_value
7c40eda5da4f888d6f61befbf947d9fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b014-33.dat	healer
behavioral1/files/0x000700000001b014-34.dat	healer
behavioral1/memory/2988-35-0x00000000001A0000-0x00000000001AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5183542.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5183542.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5183542.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5183542.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5183542.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1940	v5231507.exe
3824	v5446449.exe
3816	v0204121.exe
1080	v2165666.exe
2988	a5183542.exe
656	b8311929.exe
2212	c5228132.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5183542.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5231507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5446449.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0204121.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2165666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f21377efdcf6d9b1f10a431e8b039835c569c708b000ef50d8bdbfdf43de00ac.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2988	a5183542.exe
2988	a5183542.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	a5183542.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 1940	4112	f21377efdcf6d9b1f10a431e8b039835c569c708b000ef50d8bdbfdf43de00ac.exe	70
PID 4112 wrote to memory of 1940	4112	f21377efdcf6d9b1f10a431e8b039835c569c708b000ef50d8bdbfdf43de00ac.exe	70
PID 4112 wrote to memory of 1940	4112	f21377efdcf6d9b1f10a431e8b039835c569c708b000ef50d8bdbfdf43de00ac.exe	70
PID 1940 wrote to memory of 3824	1940	v5231507.exe	71
PID 1940 wrote to memory of 3824	1940	v5231507.exe	71
PID 1940 wrote to memory of 3824	1940	v5231507.exe	71
PID 3824 wrote to memory of 3816	3824	v5446449.exe	72
PID 3824 wrote to memory of 3816	3824	v5446449.exe	72
PID 3824 wrote to memory of 3816	3824	v5446449.exe	72
PID 3816 wrote to memory of 1080	3816	v0204121.exe	73
PID 3816 wrote to memory of 1080	3816	v0204121.exe	73
PID 3816 wrote to memory of 1080	3816	v0204121.exe	73
PID 1080 wrote to memory of 2988	1080	v2165666.exe	74
PID 1080 wrote to memory of 2988	1080	v2165666.exe	74
PID 1080 wrote to memory of 656	1080	v2165666.exe	75
PID 1080 wrote to memory of 656	1080	v2165666.exe	75
PID 1080 wrote to memory of 656	1080	v2165666.exe	75
PID 3816 wrote to memory of 2212	3816	v0204121.exe	76
PID 3816 wrote to memory of 2212	3816	v0204121.exe	76
PID 3816 wrote to memory of 2212	3816	v0204121.exe	76

C:\Users\Admin\AppData\Local\Temp\f21377efdcf6d9b1f10a431e8b039835c569c708b000ef50d8bdbfdf43de00ac.exe
"C:\Users\Admin\AppData\Local\Temp\f21377efdcf6d9b1f10a431e8b039835c569c708b000ef50d8bdbfdf43de00ac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5231507.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5231507.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5446449.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5446449.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0204121.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0204121.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3816
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2165666.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2165666.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1080
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5183542.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5183542.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8311929.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8311929.exe
        6⤵
        Executes dropped EXE
        
        PID:656
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5228132.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5228132.exe
        5⤵
        Executes dropped EXE
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5231507.exe

Filesize
724KB

MD5
4aa28170986ccf4c90483e46f9f21999

SHA1
091ca279e9ef3da318aff14b993c9077197fd5f7

SHA256
c4638e7f56d1f1721cea03d1bb987cc2ffb817a48c0d7d21be33bd3104619c73

SHA512
27f714cbebf12a455f8fe092b3d2690b6f22a99c8d0c6795b545414933679811aaa830cde0abacfa22c571937acb7b1222175b88865a79f6d4d2acabf1050ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5231507.exe

Filesize
724KB

MD5
4aa28170986ccf4c90483e46f9f21999

SHA1
091ca279e9ef3da318aff14b993c9077197fd5f7

SHA256
c4638e7f56d1f1721cea03d1bb987cc2ffb817a48c0d7d21be33bd3104619c73

SHA512
27f714cbebf12a455f8fe092b3d2690b6f22a99c8d0c6795b545414933679811aaa830cde0abacfa22c571937acb7b1222175b88865a79f6d4d2acabf1050ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5446449.exe

Filesize
498KB

MD5
6fdd911433718999ec9c355039f79cdb

SHA1
07c5b9d71a9e3d443113b67d384dd2d6c882281f

SHA256
35743f0cba4a90d3b28d3751a1c43575080cf12e26d2a26b921fc586f71ab888

SHA512
6d11e30fda2af0ee7251e3d7604f6053898f543aa7c4449dce9973721ccd6108c2ee18530feb6064fbe02833f68f49bd2620468305f76462c41c477e63e60e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5446449.exe

Filesize
498KB

MD5
6fdd911433718999ec9c355039f79cdb

SHA1
07c5b9d71a9e3d443113b67d384dd2d6c882281f

SHA256
35743f0cba4a90d3b28d3751a1c43575080cf12e26d2a26b921fc586f71ab888

SHA512
6d11e30fda2af0ee7251e3d7604f6053898f543aa7c4449dce9973721ccd6108c2ee18530feb6064fbe02833f68f49bd2620468305f76462c41c477e63e60e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0204121.exe

Filesize
373KB

MD5
cca0a6b8f266e5b4650c5d0cdb954259

SHA1
6654432e21948639ee22600743ba28160a6e3869

SHA256
6c281f0dcc43ef807cd4b5b36afd5d727e6397f02f90326cc07b80cd324ff755

SHA512
a8fd08a681e3f51f35de237fe698b8c04415d1f33c7cb0a575f92abd95b98c1eb632f3252d0a5eecd2b1582117bdce7d5e306500791525dcaf2bce1130391d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0204121.exe

Filesize
373KB

MD5
cca0a6b8f266e5b4650c5d0cdb954259

SHA1
6654432e21948639ee22600743ba28160a6e3869

SHA256
6c281f0dcc43ef807cd4b5b36afd5d727e6397f02f90326cc07b80cd324ff755

SHA512
a8fd08a681e3f51f35de237fe698b8c04415d1f33c7cb0a575f92abd95b98c1eb632f3252d0a5eecd2b1582117bdce7d5e306500791525dcaf2bce1130391d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5228132.exe

Filesize
174KB

MD5
d5a2224fde71b150bc9e2b99c0f55411

SHA1
f0c97db6f1d62754e22e30546d9ca98f0c5eae6a

SHA256
1c96c4cb44dfac9904c7e805116060d0cb0bebeedc90fea37e3c3e4b8bb05929

SHA512
aad5381c1b161a39c52405ad3a370adac4949ca9a91226556984cf5fb83b274b16e4a2deadd85b3cf83e0633db16d5828c2078d9d9d66803af5812e89e1c9279

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5228132.exe

Filesize
174KB

MD5
d5a2224fde71b150bc9e2b99c0f55411

SHA1
f0c97db6f1d62754e22e30546d9ca98f0c5eae6a

SHA256
1c96c4cb44dfac9904c7e805116060d0cb0bebeedc90fea37e3c3e4b8bb05929

SHA512
aad5381c1b161a39c52405ad3a370adac4949ca9a91226556984cf5fb83b274b16e4a2deadd85b3cf83e0633db16d5828c2078d9d9d66803af5812e89e1c9279

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2165666.exe

Filesize
217KB

MD5
1c51d098fd3da5cffbe0dc91ebb51391

SHA1
ec3430dfcf222a95789ca10b8949d24776abe1f2

SHA256
0c435114d50ecfd8ac21c5297512bd84db7936549bdab99cecbcfbcf257db876

SHA512
fa79f750508b1b69cc4aad5ab36a4022d9b414b5a7ce55bfb12e0352d1fbf4feaf76950fee2c7caf93a0081ad41aa1a1265c7e1f4b4937d5b234d912a69a23ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2165666.exe

Filesize
217KB

MD5
1c51d098fd3da5cffbe0dc91ebb51391

SHA1
ec3430dfcf222a95789ca10b8949d24776abe1f2

SHA256
0c435114d50ecfd8ac21c5297512bd84db7936549bdab99cecbcfbcf257db876

SHA512
fa79f750508b1b69cc4aad5ab36a4022d9b414b5a7ce55bfb12e0352d1fbf4feaf76950fee2c7caf93a0081ad41aa1a1265c7e1f4b4937d5b234d912a69a23ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5183542.exe

Filesize
13KB

MD5
0aacd9c11f332a31fcc81d79e185f441

SHA1
abb342fc6526ed9ec68cc0e08e70c54f3ebedc53

SHA256
e624c5838d99503cb0972325cbb2bc2ea76c5e1cfb60aa80bb9148a43aa2e9c4

SHA512
dd42c0efb58fe8bb6139bef844d1d8b763a8d0f8baab02ce9e34be0db1e10ce38b9a6b1be24e87d01fa9bb3504f2f0dbb4827e0aeaae08112d6c6a8622844f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5183542.exe

Filesize
13KB

MD5
0aacd9c11f332a31fcc81d79e185f441

SHA1
abb342fc6526ed9ec68cc0e08e70c54f3ebedc53

SHA256
e624c5838d99503cb0972325cbb2bc2ea76c5e1cfb60aa80bb9148a43aa2e9c4

SHA512
dd42c0efb58fe8bb6139bef844d1d8b763a8d0f8baab02ce9e34be0db1e10ce38b9a6b1be24e87d01fa9bb3504f2f0dbb4827e0aeaae08112d6c6a8622844f52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8311929.exe

Filesize
140KB

MD5
b0b70138b7cc98d73fa5f4da803e2529

SHA1
b709d5a0f4dc1b808361dc3d8009d74020b89415

SHA256
1c86a75655a77c724e14f4353f766e1aaaf4f90d9c797b16b5a87082b8cfc503

SHA512
6c65eb40e9468ca7a9b20c3791e6ce25e7752993f97149132992330125e2c6397f81431485d886f1830aca2a0587fb070d4d52c8e22b0b195ce7a0827ac22445

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8311929.exe

Filesize
140KB

MD5
b0b70138b7cc98d73fa5f4da803e2529

SHA1
b709d5a0f4dc1b808361dc3d8009d74020b89415

SHA256
1c86a75655a77c724e14f4353f766e1aaaf4f90d9c797b16b5a87082b8cfc503

SHA512
6c65eb40e9468ca7a9b20c3791e6ce25e7752993f97149132992330125e2c6397f81431485d886f1830aca2a0587fb070d4d52c8e22b0b195ce7a0827ac22445

Download Submit
memory/2212-46-0x0000000073320000-0x0000000073A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2212-45-0x0000000000660000-0x0000000000690000-memory.dmp

Filesize
192KB

Download
memory/2212-47-0x0000000002830000-0x0000000002836000-memory.dmp

Filesize
24KB

Download
memory/2212-48-0x00000000056D0000-0x0000000005CD6000-memory.dmp

Filesize
6.0MB

Download
memory/2212-49-0x00000000051D0000-0x00000000052DA000-memory.dmp

Filesize
1.0MB

Download
memory/2212-50-0x00000000050C0000-0x00000000050D2000-memory.dmp

Filesize
72KB

Download
memory/2212-51-0x0000000005120000-0x000000000515E000-memory.dmp

Filesize
248KB

Download
memory/2212-52-0x0000000005170000-0x00000000051BB000-memory.dmp

Filesize
300KB

Download
memory/2212-53-0x0000000073320000-0x0000000073A0E000-memory.dmp

Filesize
6.9MB

Download
memory/2988-38-0x00007FFA4C350000-0x00007FFA4CD3C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-36-0x00007FFA4C350000-0x00007FFA4CD3C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-35-0x00000000001A0000-0x00000000001AA000-memory.dmp

Filesize
40KB

Download