healer | 8ae605cdedc477e3c0eed41880efe64bd29c46bc6c94c45e6bfbb0d5c5963d22

Analysis

max time kernel
147s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
24/08/2023, 14:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ae605cdedc477e3c0eed41880efe64bd29c46bc6c94c45e6bfbb0d5c5963d22.exe
Size

829KB
MD5

6e76f53f52ec82663b8f68420d1f474a
SHA1

6955d62be9c0b3f6820b7db385e9ced922518eb8
SHA256

8ae605cdedc477e3c0eed41880efe64bd29c46bc6c94c45e6bfbb0d5c5963d22
SHA512

f2c88bb4a078634fef5d658aa993f84e3def86a8afb20d3f43d4c20d7a50e0bb3904fe28353f65a6e92a60ac8069d09a76efeb983ab8bbb2c4257444f5582168
SSDEEP

12288:uMrQy90+tyCxKpT7KMHxF9tGmqkPjp12SwxyyoxlA6kD2QWgo9YgrKJef:Sy1yXpTNODkPjOTsA8k58f

Score

10^/10

healer redline rwan dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rwan

77.91.124.73:19071

Attributes

auth_value
7c40eda5da4f888d6f61befbf947d9fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b03f-33.dat	healer
behavioral1/files/0x000700000001b03f-34.dat	healer
behavioral1/memory/3192-35-0x0000000000490000-0x000000000049A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4982830.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4982830.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4982830.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4982830.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4982830.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4308	v1182786.exe
2992	v5656007.exe
4468	v0647733.exe
2736	v2578887.exe
3192	a4982830.exe
2940	b1285336.exe
2568	c5741393.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4982830.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0647733.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2578887.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8ae605cdedc477e3c0eed41880efe64bd29c46bc6c94c45e6bfbb0d5c5963d22.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1182786.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5656007.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3192	a4982830.exe
3192	a4982830.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	a4982830.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 4308	3500	8ae605cdedc477e3c0eed41880efe64bd29c46bc6c94c45e6bfbb0d5c5963d22.exe	70
PID 3500 wrote to memory of 4308	3500	8ae605cdedc477e3c0eed41880efe64bd29c46bc6c94c45e6bfbb0d5c5963d22.exe	70
PID 3500 wrote to memory of 4308	3500	8ae605cdedc477e3c0eed41880efe64bd29c46bc6c94c45e6bfbb0d5c5963d22.exe	70
PID 4308 wrote to memory of 2992	4308	v1182786.exe	71
PID 4308 wrote to memory of 2992	4308	v1182786.exe	71
PID 4308 wrote to memory of 2992	4308	v1182786.exe	71
PID 2992 wrote to memory of 4468	2992	v5656007.exe	72
PID 2992 wrote to memory of 4468	2992	v5656007.exe	72
PID 2992 wrote to memory of 4468	2992	v5656007.exe	72
PID 4468 wrote to memory of 2736	4468	v0647733.exe	73
PID 4468 wrote to memory of 2736	4468	v0647733.exe	73
PID 4468 wrote to memory of 2736	4468	v0647733.exe	73
PID 2736 wrote to memory of 3192	2736	v2578887.exe	74
PID 2736 wrote to memory of 3192	2736	v2578887.exe	74
PID 2736 wrote to memory of 2940	2736	v2578887.exe	75
PID 2736 wrote to memory of 2940	2736	v2578887.exe	75
PID 2736 wrote to memory of 2940	2736	v2578887.exe	75
PID 4468 wrote to memory of 2568	4468	v0647733.exe	76
PID 4468 wrote to memory of 2568	4468	v0647733.exe	76
PID 4468 wrote to memory of 2568	4468	v0647733.exe	76

C:\Users\Admin\AppData\Local\Temp\8ae605cdedc477e3c0eed41880efe64bd29c46bc6c94c45e6bfbb0d5c5963d22.exe
"C:\Users\Admin\AppData\Local\Temp\8ae605cdedc477e3c0eed41880efe64bd29c46bc6c94c45e6bfbb0d5c5963d22.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1182786.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1182786.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5656007.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5656007.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0647733.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0647733.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4468
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2578887.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2578887.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4982830.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4982830.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1285336.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1285336.exe
        6⤵
        Executes dropped EXE
        
        PID:2940
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5741393.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5741393.exe
        5⤵
        Executes dropped EXE
        
        PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1182786.exe

Filesize
723KB

MD5
39c91842d0bd59e8a8727e10970d56cb

SHA1
eecb92549f79ad2f8bf17f9e0153f8dd61b2c031

SHA256
c1cd9fe2298f389abe0bb7123a5b7bb9ae8e6efb4d2fb4a4398c027772e6af3b

SHA512
25e311654a9188973d7f2481ff5d895222b60ffe9aad1704364e68318760ebdd0385b554894883dba71536a8886a2f7608317e6da0a64057684de929c06cbdc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1182786.exe

Filesize
723KB

MD5
39c91842d0bd59e8a8727e10970d56cb

SHA1
eecb92549f79ad2f8bf17f9e0153f8dd61b2c031

SHA256
c1cd9fe2298f389abe0bb7123a5b7bb9ae8e6efb4d2fb4a4398c027772e6af3b

SHA512
25e311654a9188973d7f2481ff5d895222b60ffe9aad1704364e68318760ebdd0385b554894883dba71536a8886a2f7608317e6da0a64057684de929c06cbdc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5656007.exe

Filesize
497KB

MD5
530e36856fe3ae384566bb4bee1c610e

SHA1
f7e92ee238e39a2c6c5c2831c2deff90cfb5d5e0

SHA256
4f9d17c95fd0b5d2cdccac556feb054e5e4d7d88e9fb70d6c99206367f1473ed

SHA512
ba60265522e400594fc246a346463b15040bab40a425a73260ce0f37d3ba885d7c10a168871a14efe343e874ded5f55dfea5b704bfbab8b7aad618e8be892974

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5656007.exe

Filesize
497KB

MD5
530e36856fe3ae384566bb4bee1c610e

SHA1
f7e92ee238e39a2c6c5c2831c2deff90cfb5d5e0

SHA256
4f9d17c95fd0b5d2cdccac556feb054e5e4d7d88e9fb70d6c99206367f1473ed

SHA512
ba60265522e400594fc246a346463b15040bab40a425a73260ce0f37d3ba885d7c10a168871a14efe343e874ded5f55dfea5b704bfbab8b7aad618e8be892974

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0647733.exe

Filesize
372KB

MD5
bd20777eb78e4bcc41b7e10bb3d20616

SHA1
f3f2751a0a15c6cdf9e81c1404df91484db8759a

SHA256
06a43919f0a127a639969e41f11dd8800dc4c35797c6dbe353c0704536115684

SHA512
3947cff2c6472a83d6b99bb238c6d3676384bc4e560fd690868082d4ac05c5eea5473461bde2f357ee5b480dac7624bd3c6dcaaf8e90241a4b573bc36d9deb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0647733.exe

Filesize
372KB

MD5
bd20777eb78e4bcc41b7e10bb3d20616

SHA1
f3f2751a0a15c6cdf9e81c1404df91484db8759a

SHA256
06a43919f0a127a639969e41f11dd8800dc4c35797c6dbe353c0704536115684

SHA512
3947cff2c6472a83d6b99bb238c6d3676384bc4e560fd690868082d4ac05c5eea5473461bde2f357ee5b480dac7624bd3c6dcaaf8e90241a4b573bc36d9deb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5741393.exe

Filesize
174KB

MD5
063c73d83cf79f7af20430e41d989e18

SHA1
1ed314803da8dd594cfc380dbb6315a6478caf74

SHA256
45b32ec3fd1679f02332c5d89474529553723eb4bec1a2253da69e3ee57ffe89

SHA512
51fe60139cda0d375bf0d9ca3ef96024a8df886f6fd2e70762b043a04e697e53034c5d2f7367f643eb168dbced0791bdf132e068f5bf9cbde24ce48692447805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5741393.exe

Filesize
174KB

MD5
063c73d83cf79f7af20430e41d989e18

SHA1
1ed314803da8dd594cfc380dbb6315a6478caf74

SHA256
45b32ec3fd1679f02332c5d89474529553723eb4bec1a2253da69e3ee57ffe89

SHA512
51fe60139cda0d375bf0d9ca3ef96024a8df886f6fd2e70762b043a04e697e53034c5d2f7367f643eb168dbced0791bdf132e068f5bf9cbde24ce48692447805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2578887.exe

Filesize
216KB

MD5
2df60f9aa5aa163f6bb637daa7a535ac

SHA1
d27d4d479bbeba5d4e0b20bd6471fefd49afba7d

SHA256
02572397347b2f03eb121dc8051f493523b99309e9f854ab68ce118db67208a2

SHA512
9e5fa7fe1ad6fc40eafc8e5fa4d8e6d869976b76887621cd908a03c9b9f353af33d0a0950de3e919bc4882d94024774287d751987f27edec41adbec3382395a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2578887.exe

Filesize
216KB

MD5
2df60f9aa5aa163f6bb637daa7a535ac

SHA1
d27d4d479bbeba5d4e0b20bd6471fefd49afba7d

SHA256
02572397347b2f03eb121dc8051f493523b99309e9f854ab68ce118db67208a2

SHA512
9e5fa7fe1ad6fc40eafc8e5fa4d8e6d869976b76887621cd908a03c9b9f353af33d0a0950de3e919bc4882d94024774287d751987f27edec41adbec3382395a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4982830.exe

Filesize
13KB

MD5
cdcfa53d47026e5d32abe0730ef3b591

SHA1
e03e511957ef186da49e3470b582b3625de3d10e

SHA256
00ab3cc9f841b7db5c108ce972b8eae96c1e1255832fe2a3205ef3be31780efb

SHA512
c30edd62818f7ac7894a9f78c30777b9d21e1f6240d22149deb32a5ac45e7c1a063045592fb50ad55c96eabf62ac1e72b7d7a54d376343bcfade74312b2710ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4982830.exe

Filesize
13KB

MD5
cdcfa53d47026e5d32abe0730ef3b591

SHA1
e03e511957ef186da49e3470b582b3625de3d10e

SHA256
00ab3cc9f841b7db5c108ce972b8eae96c1e1255832fe2a3205ef3be31780efb

SHA512
c30edd62818f7ac7894a9f78c30777b9d21e1f6240d22149deb32a5ac45e7c1a063045592fb50ad55c96eabf62ac1e72b7d7a54d376343bcfade74312b2710ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1285336.exe

Filesize
140KB

MD5
54f4c03eb292a6fd3e4d00dfe81b8606

SHA1
ae4e8b42ad6ad13e1d4be11de84592a1f2e91a67

SHA256
97187d6d3f586b421fbc64ef1177413810b0afe6818965ce8f4967ca3131e0d7

SHA512
05e154b1cb7b0e74a93fd5ea065d34422ef5c4732c00917f86325b8e5adb02f371171b51c908278859a6d72c17e360aa4bb188ba26976bf89c0598431667ad8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1285336.exe

Filesize
140KB

MD5
54f4c03eb292a6fd3e4d00dfe81b8606

SHA1
ae4e8b42ad6ad13e1d4be11de84592a1f2e91a67

SHA256
97187d6d3f586b421fbc64ef1177413810b0afe6818965ce8f4967ca3131e0d7

SHA512
05e154b1cb7b0e74a93fd5ea065d34422ef5c4732c00917f86325b8e5adb02f371171b51c908278859a6d72c17e360aa4bb188ba26976bf89c0598431667ad8f

Download Submit
memory/2568-46-0x0000000072EA0000-0x000000007358E000-memory.dmp

Filesize
6.9MB

Download
memory/2568-45-0x0000000000110000-0x0000000000140000-memory.dmp

Filesize
192KB

Download
memory/2568-47-0x00000000008D0000-0x00000000008D6000-memory.dmp

Filesize
24KB

Download
memory/2568-48-0x000000000A4F0000-0x000000000AAF6000-memory.dmp

Filesize
6.0MB

Download
memory/2568-49-0x0000000009FF0000-0x000000000A0FA000-memory.dmp

Filesize
1.0MB

Download
memory/2568-50-0x00000000049C0000-0x00000000049D2000-memory.dmp

Filesize
72KB

Download
memory/2568-51-0x0000000009EE0000-0x0000000009F1E000-memory.dmp

Filesize
248KB

Download
memory/2568-52-0x0000000009F20000-0x0000000009F6B000-memory.dmp

Filesize
300KB

Download
memory/2568-53-0x0000000072EA0000-0x000000007358E000-memory.dmp

Filesize
6.9MB

Download
memory/3192-38-0x00007FFC50F80000-0x00007FFC5196C000-memory.dmp

Filesize
9.9MB

Download
memory/3192-36-0x00007FFC50F80000-0x00007FFC5196C000-memory.dmp

Filesize
9.9MB

Download
memory/3192-35-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download