healer | 093a61458849781533493401f3ce15aaf4710b6a55f76ed8fedc9075ec58b700

Analysis

max time kernel
141s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2023, 08:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093a61458849781533493401f3ce15aaf4710b6a55f76ed8fedc9075ec58b700.exe
Size

826KB
MD5

18405c37f6af9d0c4457645db5930eaf
SHA1

60cfd3530b05e8dec2227ef3e7ddb7749971f335
SHA256

093a61458849781533493401f3ce15aaf4710b6a55f76ed8fedc9075ec58b700
SHA512

7e2ca74cc496c473764cb3e413bf58d97166609f8cb70291885f3ef0509cd4dcc460e96086e9920adcc90454cd5b8b34bf2abed098c649586362720c49917082
SSDEEP

12288:HMr6y90ijUtjpRLIKXU1HHcDeNZSN6gotS0RkWqer12xrwa8gi4JSt4:JyojpBIKUHcDyAN6LBkR81awXK64

Score

10^/10

healer redline rwan dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rwan

77.91.124.73:19071

Attributes

auth_value
7c40eda5da4f888d6f61befbf947d9fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002323a-33.dat	healer
behavioral1/files/0x000700000002323a-34.dat	healer
behavioral1/memory/4800-35-0x0000000000300000-0x000000000030A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5478702.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5478702.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5478702.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5478702.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5478702.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5478702.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2804	v8635287.exe
4828	v8392205.exe
2212	v1047836.exe
4612	v3219871.exe
4800	a5478702.exe
4664	b5004766.exe
464	c3802492.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5478702.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	093a61458849781533493401f3ce15aaf4710b6a55f76ed8fedc9075ec58b700.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8635287.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8392205.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1047836.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3219871.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4800	a5478702.exe
4800	a5478702.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4800	a5478702.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2804	2236	093a61458849781533493401f3ce15aaf4710b6a55f76ed8fedc9075ec58b700.exe	81
PID 2236 wrote to memory of 2804	2236	093a61458849781533493401f3ce15aaf4710b6a55f76ed8fedc9075ec58b700.exe	81
PID 2236 wrote to memory of 2804	2236	093a61458849781533493401f3ce15aaf4710b6a55f76ed8fedc9075ec58b700.exe	81
PID 2804 wrote to memory of 4828	2804	v8635287.exe	82
PID 2804 wrote to memory of 4828	2804	v8635287.exe	82
PID 2804 wrote to memory of 4828	2804	v8635287.exe	82
PID 4828 wrote to memory of 2212	4828	v8392205.exe	83
PID 4828 wrote to memory of 2212	4828	v8392205.exe	83
PID 4828 wrote to memory of 2212	4828	v8392205.exe	83
PID 2212 wrote to memory of 4612	2212	v1047836.exe	84
PID 2212 wrote to memory of 4612	2212	v1047836.exe	84
PID 2212 wrote to memory of 4612	2212	v1047836.exe	84
PID 4612 wrote to memory of 4800	4612	v3219871.exe	85
PID 4612 wrote to memory of 4800	4612	v3219871.exe	85
PID 4612 wrote to memory of 4664	4612	v3219871.exe	87
PID 4612 wrote to memory of 4664	4612	v3219871.exe	87
PID 4612 wrote to memory of 4664	4612	v3219871.exe	87
PID 2212 wrote to memory of 464	2212	v1047836.exe	89
PID 2212 wrote to memory of 464	2212	v1047836.exe	89
PID 2212 wrote to memory of 464	2212	v1047836.exe	89

C:\Users\Admin\AppData\Local\Temp\093a61458849781533493401f3ce15aaf4710b6a55f76ed8fedc9075ec58b700.exe
"C:\Users\Admin\AppData\Local\Temp\093a61458849781533493401f3ce15aaf4710b6a55f76ed8fedc9075ec58b700.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8635287.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8635287.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8392205.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8392205.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1047836.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1047836.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3219871.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3219871.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4612
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5478702.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5478702.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5004766.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5004766.exe
        6⤵
        Executes dropped EXE
        
        PID:4664
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3802492.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3802492.exe
        5⤵
        Executes dropped EXE
        
        PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8635287.exe

Filesize
720KB

MD5
d4157fb4d7931190fd6c039be2e65099

SHA1
8a7faaa7c18ee03557cabe356b2bc8ecdaaa0aa6

SHA256
0179afd1e2a4e3be0524dcfbcd5979760f59f6ebdb4d9391bba8728d9b6c3443

SHA512
60e0549a32a62b02f3c6f8a089b0f4aa7069eb62cc419c5036dcaa93eeae07abdc7414ce562cac8e83c551dd403eb6617916a75446658a1b26768aac1bfeebb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8635287.exe

Filesize
720KB

MD5
d4157fb4d7931190fd6c039be2e65099

SHA1
8a7faaa7c18ee03557cabe356b2bc8ecdaaa0aa6

SHA256
0179afd1e2a4e3be0524dcfbcd5979760f59f6ebdb4d9391bba8728d9b6c3443

SHA512
60e0549a32a62b02f3c6f8a089b0f4aa7069eb62cc419c5036dcaa93eeae07abdc7414ce562cac8e83c551dd403eb6617916a75446658a1b26768aac1bfeebb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8392205.exe

Filesize
497KB

MD5
0aa745cd02790673e5e1596ac2dedeaa

SHA1
5db7c20327e32002255a4c35e5b9d451456c61f0

SHA256
5eb3e3f5bb6596962888cb547255df0f344971d0aef45dd059c62e4ad0641909

SHA512
a89299afe80e976312875175849a90cd4b9f62a14e13cbb3337763883df12b01e31b77dd945c7a258b1dc9def08bf3d4d12febed0f0f2c3404e5fbe1686487ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8392205.exe

Filesize
497KB

MD5
0aa745cd02790673e5e1596ac2dedeaa

SHA1
5db7c20327e32002255a4c35e5b9d451456c61f0

SHA256
5eb3e3f5bb6596962888cb547255df0f344971d0aef45dd059c62e4ad0641909

SHA512
a89299afe80e976312875175849a90cd4b9f62a14e13cbb3337763883df12b01e31b77dd945c7a258b1dc9def08bf3d4d12febed0f0f2c3404e5fbe1686487ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1047836.exe

Filesize
373KB

MD5
1674cc4890c31a4c4cead62e01b40436

SHA1
5af8cbd460d08fd5d6212ed3d694f50de9008681

SHA256
04228324fbe8c9c96ba46dd6d16fdc3f81ff56fab6734ae4f5b9ab4ebcec0ae4

SHA512
32d567af6a2d08f339ae7e760e3c691612c26e0532e915e3fe5a167758606d9397f42fa9717d226f65ddab8bfb4c12864abbe7fad7bae34a09e4e637106da0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1047836.exe

Filesize
373KB

MD5
1674cc4890c31a4c4cead62e01b40436

SHA1
5af8cbd460d08fd5d6212ed3d694f50de9008681

SHA256
04228324fbe8c9c96ba46dd6d16fdc3f81ff56fab6734ae4f5b9ab4ebcec0ae4

SHA512
32d567af6a2d08f339ae7e760e3c691612c26e0532e915e3fe5a167758606d9397f42fa9717d226f65ddab8bfb4c12864abbe7fad7bae34a09e4e637106da0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3802492.exe

Filesize
174KB

MD5
1c9e224f3a921352efa8d4dfdbdead7a

SHA1
e10f8d2d43fcd8aed723c7afe75bc8bdb82c6909

SHA256
b6b9d5a1e08a3336bafffae344eb7ce0cb64340977083fd95305bb98816e4f19

SHA512
5523de8af3673d3f7fb343f51cd84729878e15ce28784f4773df6c5a65030241cabce7b42920bd169397e5581f9e66b5fb6d71d82524300da9454afa95c8f89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3802492.exe

Filesize
174KB

MD5
1c9e224f3a921352efa8d4dfdbdead7a

SHA1
e10f8d2d43fcd8aed723c7afe75bc8bdb82c6909

SHA256
b6b9d5a1e08a3336bafffae344eb7ce0cb64340977083fd95305bb98816e4f19

SHA512
5523de8af3673d3f7fb343f51cd84729878e15ce28784f4773df6c5a65030241cabce7b42920bd169397e5581f9e66b5fb6d71d82524300da9454afa95c8f89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3219871.exe

Filesize
217KB

MD5
8cd4f99076f1c9ab4a69d53dae634e52

SHA1
85ab21ba971a60b70fa172e42294f30f322062c9

SHA256
87fe8bd64b45033f75517a88c7902b3fcea4365cc9ccd26fda09652d202de9d1

SHA512
ab6ad186957180a6678a8fdf821e24ffd1d2425a9493e15c59580e822f9bb43ec75c5341891aab1ee77635a39dcb0e4b6b8fb68638c19d962339acfdec0796dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3219871.exe

Filesize
217KB

MD5
8cd4f99076f1c9ab4a69d53dae634e52

SHA1
85ab21ba971a60b70fa172e42294f30f322062c9

SHA256
87fe8bd64b45033f75517a88c7902b3fcea4365cc9ccd26fda09652d202de9d1

SHA512
ab6ad186957180a6678a8fdf821e24ffd1d2425a9493e15c59580e822f9bb43ec75c5341891aab1ee77635a39dcb0e4b6b8fb68638c19d962339acfdec0796dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5478702.exe

Filesize
13KB

MD5
d7a739effe6f2d78c910302700c5e1d4

SHA1
5812c5c752638b6f52072d50358100995b84d8f6

SHA256
41f26592914b9ef6fd89e307ef1ead21bcee92bd9f8c8f729eb76ca7b808e3b9

SHA512
9a03b220410a233087595cdb70bb3548022c3d736dcff4beed5c93961105e713984b02a59cebb35c9815217c2659afddfb40f7a249b566fd18380ccd113dc897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5478702.exe

Filesize
13KB

MD5
d7a739effe6f2d78c910302700c5e1d4

SHA1
5812c5c752638b6f52072d50358100995b84d8f6

SHA256
41f26592914b9ef6fd89e307ef1ead21bcee92bd9f8c8f729eb76ca7b808e3b9

SHA512
9a03b220410a233087595cdb70bb3548022c3d736dcff4beed5c93961105e713984b02a59cebb35c9815217c2659afddfb40f7a249b566fd18380ccd113dc897

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5004766.exe

Filesize
140KB

MD5
bc75d6dbe640a84901eecdb6555e566b

SHA1
3aed1df9476d78facbbcdaf2f4949406e7591c5a

SHA256
070c65006945d73db616b4ccdc34716f44bf669d4a0218daf08ca3015efd27a0

SHA512
a65ffc863ab57fcfeaa78c5bde8a98a248115ae7329b37e792c8008474e98fcb3696d8683b4dfaac19503f16f2e959a07d0a3e6ef58811eaf9345a38c97a0882

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5004766.exe

Filesize
140KB

MD5
bc75d6dbe640a84901eecdb6555e566b

SHA1
3aed1df9476d78facbbcdaf2f4949406e7591c5a

SHA256
070c65006945d73db616b4ccdc34716f44bf669d4a0218daf08ca3015efd27a0

SHA512
a65ffc863ab57fcfeaa78c5bde8a98a248115ae7329b37e792c8008474e98fcb3696d8683b4dfaac19503f16f2e959a07d0a3e6ef58811eaf9345a38c97a0882

Download Submit
memory/464-46-0x0000000074010000-0x00000000747C0000-memory.dmp

Filesize
7.7MB

Download
memory/464-45-0x0000000000C60000-0x0000000000C90000-memory.dmp

Filesize
192KB

Download
memory/464-47-0x000000000B090000-0x000000000B6A8000-memory.dmp

Filesize
6.1MB

Download
memory/464-48-0x000000000AC10000-0x000000000AD1A000-memory.dmp

Filesize
1.0MB

Download
memory/464-49-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/464-50-0x000000000AB50000-0x000000000AB62000-memory.dmp

Filesize
72KB

Download
memory/464-51-0x000000000ABB0000-0x000000000ABEC000-memory.dmp

Filesize
240KB

Download
memory/464-52-0x0000000074010000-0x00000000747C0000-memory.dmp

Filesize
7.7MB

Download
memory/464-53-0x0000000005690000-0x00000000056A0000-memory.dmp

Filesize
64KB

Download
memory/4800-38-0x00007FFF1A640000-0x00007FFF1B101000-memory.dmp

Filesize
10.8MB

Download
memory/4800-36-0x00007FFF1A640000-0x00007FFF1B101000-memory.dmp

Filesize
10.8MB

Download
memory/4800-35-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download