healer | a6badd0e1c92e94bef6631b881a66946e7be1257b15e3e85088f4936e2c030e3

Analysis

max time kernel
145s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
25/08/2023, 23:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a6badd0e1c92e94bef6631b881a66946e7be1257b15e3e85088f4936e2c030e3.exe
Size

822KB
MD5

44a8530c50fdcf99bf60c3b5657061d8
SHA1

c572d24b32a9ca2559d919545ba68a9a0b5037c8
SHA256

a6badd0e1c92e94bef6631b881a66946e7be1257b15e3e85088f4936e2c030e3
SHA512

eab96b67e078903f9a0af123a396b6272acc50071359c1b699bf65a5ebc18de25d014a0031011ed14eeaff2d752345ddc65930e714c6130df4a9f92681a3b5da
SSDEEP

12288:tMr8y900X4OnHNtEo8C+OGy4aQdI8zin48O4jXPoL7v5CKVL4xDb63bRH4S2gsDK:dyTHZ1LG9SNhvPso+IbcFQ7m

Score

10^/10

healer redline jaja dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jaja

77.91.124.73:19071

Attributes

auth_value
3670179d176ca399ed08e7914610b43c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afe2-33.dat	healer
behavioral1/files/0x000700000001afe2-34.dat	healer
behavioral1/memory/3412-35-0x0000000000350000-0x000000000035A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6290874.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6290874.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6290874.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6290874.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6290874.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
696	v7997915.exe
1792	v4026599.exe
520	v1751408.exe
2228	v8125943.exe
3412	a6290874.exe
3404	b5620680.exe
956	c4453711.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6290874.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4026599.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1751408.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8125943.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a6badd0e1c92e94bef6631b881a66946e7be1257b15e3e85088f4936e2c030e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7997915.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3412	a6290874.exe
3412	a6290874.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	a6290874.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 696	952	a6badd0e1c92e94bef6631b881a66946e7be1257b15e3e85088f4936e2c030e3.exe	70
PID 952 wrote to memory of 696	952	a6badd0e1c92e94bef6631b881a66946e7be1257b15e3e85088f4936e2c030e3.exe	70
PID 952 wrote to memory of 696	952	a6badd0e1c92e94bef6631b881a66946e7be1257b15e3e85088f4936e2c030e3.exe	70
PID 696 wrote to memory of 1792	696	v7997915.exe	71
PID 696 wrote to memory of 1792	696	v7997915.exe	71
PID 696 wrote to memory of 1792	696	v7997915.exe	71
PID 1792 wrote to memory of 520	1792	v4026599.exe	72
PID 1792 wrote to memory of 520	1792	v4026599.exe	72
PID 1792 wrote to memory of 520	1792	v4026599.exe	72
PID 520 wrote to memory of 2228	520	v1751408.exe	73
PID 520 wrote to memory of 2228	520	v1751408.exe	73
PID 520 wrote to memory of 2228	520	v1751408.exe	73
PID 2228 wrote to memory of 3412	2228	v8125943.exe	74
PID 2228 wrote to memory of 3412	2228	v8125943.exe	74
PID 2228 wrote to memory of 3404	2228	v8125943.exe	75
PID 2228 wrote to memory of 3404	2228	v8125943.exe	75
PID 2228 wrote to memory of 3404	2228	v8125943.exe	75
PID 520 wrote to memory of 956	520	v1751408.exe	76
PID 520 wrote to memory of 956	520	v1751408.exe	76
PID 520 wrote to memory of 956	520	v1751408.exe	76

C:\Users\Admin\AppData\Local\Temp\a6badd0e1c92e94bef6631b881a66946e7be1257b15e3e85088f4936e2c030e3.exe
"C:\Users\Admin\AppData\Local\Temp\a6badd0e1c92e94bef6631b881a66946e7be1257b15e3e85088f4936e2c030e3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:952
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7997915.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7997915.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4026599.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4026599.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1751408.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1751408.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:520
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8125943.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8125943.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6290874.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6290874.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5620680.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5620680.exe
        6⤵
        Executes dropped EXE
        
        PID:3404
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4453711.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4453711.exe
        5⤵
        Executes dropped EXE
        
        PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7997915.exe

Filesize
723KB

MD5
0511b3a0ea80acb30d9f1f7b20c01345

SHA1
073db6c6a1e2d9d5ab68fb2612558ef10525b1da

SHA256
21a5dc998b50351cc215387ad7fa7638dd10d5953f989afca34eb8193abf3484

SHA512
d0a29fa6b9471be19f95f10d7a786381cde00abbf9bf1102ebb6c6f11ba80c4e7d47f687e2bc6eef8e0b7c7756070e5fa1366ad091b2de4c4e4f59909ecee4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7997915.exe

Filesize
723KB

MD5
0511b3a0ea80acb30d9f1f7b20c01345

SHA1
073db6c6a1e2d9d5ab68fb2612558ef10525b1da

SHA256
21a5dc998b50351cc215387ad7fa7638dd10d5953f989afca34eb8193abf3484

SHA512
d0a29fa6b9471be19f95f10d7a786381cde00abbf9bf1102ebb6c6f11ba80c4e7d47f687e2bc6eef8e0b7c7756070e5fa1366ad091b2de4c4e4f59909ecee4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4026599.exe

Filesize
497KB

MD5
6e944b875fa255395c0ca435c47ae59f

SHA1
51f3f94247b64ca06c6c9df1555eb9157a6f47fb

SHA256
04d1198056e4824f12962d3d70de2ca8c5dc80f4906795a2e1fc17c06fb1a922

SHA512
548c1c2db6cbf5649a85b868c7d096866b04806ae22153168957bf5617bf06827f12dab9a31a14819953ddcaef7ce7101c5209be31b89751c08ac1f354f8f828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4026599.exe

Filesize
497KB

MD5
6e944b875fa255395c0ca435c47ae59f

SHA1
51f3f94247b64ca06c6c9df1555eb9157a6f47fb

SHA256
04d1198056e4824f12962d3d70de2ca8c5dc80f4906795a2e1fc17c06fb1a922

SHA512
548c1c2db6cbf5649a85b868c7d096866b04806ae22153168957bf5617bf06827f12dab9a31a14819953ddcaef7ce7101c5209be31b89751c08ac1f354f8f828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1751408.exe

Filesize
372KB

MD5
19a8fac41b82b77d68e1b99f89e6b698

SHA1
e4d2e1156cd484dc1a1f1826b04da2f84fcba292

SHA256
7fab4583caf1b3b8753af17ef369aaf10824d9a154db09fbe452818f07cbe513

SHA512
5fc5117655eca9ec28e564dfcf825b86ffc47dc9cbc652bf1673f8fcc6747fc51e2618774cba555d070077d40211ad8d65e0371de3c7fe0568958da9a786bf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1751408.exe

Filesize
372KB

MD5
19a8fac41b82b77d68e1b99f89e6b698

SHA1
e4d2e1156cd484dc1a1f1826b04da2f84fcba292

SHA256
7fab4583caf1b3b8753af17ef369aaf10824d9a154db09fbe452818f07cbe513

SHA512
5fc5117655eca9ec28e564dfcf825b86ffc47dc9cbc652bf1673f8fcc6747fc51e2618774cba555d070077d40211ad8d65e0371de3c7fe0568958da9a786bf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4453711.exe

Filesize
174KB

MD5
da7fd1eb59774befeb1b80eacb5a075d

SHA1
c017d5c625c8d5f51e241cbcb9098558f6c9b5d9

SHA256
8059628d238362fdd2f8adf5fde38548d3eaaca7282f990523f4c4247db62663

SHA512
eab131488fb15279a949f5ff36e99c90b88b13b8aa1acda53d038688c409b62f6e874286773950981b29bf328188e83456ea44cda02be603626048061fd799fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4453711.exe

Filesize
174KB

MD5
da7fd1eb59774befeb1b80eacb5a075d

SHA1
c017d5c625c8d5f51e241cbcb9098558f6c9b5d9

SHA256
8059628d238362fdd2f8adf5fde38548d3eaaca7282f990523f4c4247db62663

SHA512
eab131488fb15279a949f5ff36e99c90b88b13b8aa1acda53d038688c409b62f6e874286773950981b29bf328188e83456ea44cda02be603626048061fd799fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8125943.exe

Filesize
217KB

MD5
3152d067374968e12dd2c583afe5971b

SHA1
394667078db761f025638a51901014199c7bb75d

SHA256
a399d9198a466d27b716537b79543a8cf2ca623794bc6417cb7e36a93bbb5be0

SHA512
f407589fcebb63dd93ab38d5b0a1f6654a3a0e84485c6edccb61970af6fb9631175fb46fd4be5957a84e5e73d8fb37bb7e3c0301a7a438784a32e7e530d4d771

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8125943.exe

Filesize
217KB

MD5
3152d067374968e12dd2c583afe5971b

SHA1
394667078db761f025638a51901014199c7bb75d

SHA256
a399d9198a466d27b716537b79543a8cf2ca623794bc6417cb7e36a93bbb5be0

SHA512
f407589fcebb63dd93ab38d5b0a1f6654a3a0e84485c6edccb61970af6fb9631175fb46fd4be5957a84e5e73d8fb37bb7e3c0301a7a438784a32e7e530d4d771

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6290874.exe

Filesize
14KB

MD5
1e3e28649ae07f6ed2efac4e411d6cd5

SHA1
f1971e66d33bb0ed0bc27e2a755c5f7ae8f57fcd

SHA256
8b2adab78d8b79ace98707f4e924c821f3b572059593ebc0b3f26c88c2304a14

SHA512
4b2b2f1dea5e88c4f6f519daf7a65489abf0a1622a5de274af2323c73d0efcc07c507383b8075a1826737ecbe64ae5d069a6cb1d56b0fe5987f519bbb24644d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6290874.exe

Filesize
14KB

MD5
1e3e28649ae07f6ed2efac4e411d6cd5

SHA1
f1971e66d33bb0ed0bc27e2a755c5f7ae8f57fcd

SHA256
8b2adab78d8b79ace98707f4e924c821f3b572059593ebc0b3f26c88c2304a14

SHA512
4b2b2f1dea5e88c4f6f519daf7a65489abf0a1622a5de274af2323c73d0efcc07c507383b8075a1826737ecbe64ae5d069a6cb1d56b0fe5987f519bbb24644d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5620680.exe

Filesize
140KB

MD5
4c4bd3c61d0fd8c98ccda81bd51184a9

SHA1
f9fd5fbdf1e7c25ed4619549f6995260f64919b3

SHA256
d79dc58668d4beec8baf9c67981ae5cd28a8aa0470ce83bd86ca080dd7dd554f

SHA512
483eb1d8ed86327e58e09b9e318b6873e2683a97d1bebfbf0667258b9d80a526c6cf0d1913f9c4e8395a9071b5196ed143e59f335e34ea247c82bb3e5ea37012

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5620680.exe

Filesize
140KB

MD5
4c4bd3c61d0fd8c98ccda81bd51184a9

SHA1
f9fd5fbdf1e7c25ed4619549f6995260f64919b3

SHA256
d79dc58668d4beec8baf9c67981ae5cd28a8aa0470ce83bd86ca080dd7dd554f

SHA512
483eb1d8ed86327e58e09b9e318b6873e2683a97d1bebfbf0667258b9d80a526c6cf0d1913f9c4e8395a9071b5196ed143e59f335e34ea247c82bb3e5ea37012

Download Submit
memory/956-46-0x0000000072DE0000-0x00000000734CE000-memory.dmp

Filesize
6.9MB

Download
memory/956-45-0x0000000000F60000-0x0000000000F90000-memory.dmp

Filesize
192KB

Download
memory/956-47-0x00000000031B0000-0x00000000031B6000-memory.dmp

Filesize
24KB

Download
memory/956-48-0x000000000B340000-0x000000000B946000-memory.dmp

Filesize
6.0MB

Download
memory/956-49-0x000000000AEB0000-0x000000000AFBA000-memory.dmp

Filesize
1.0MB

Download
memory/956-50-0x000000000ADE0000-0x000000000ADF2000-memory.dmp

Filesize
72KB

Download
memory/956-51-0x000000000AE40000-0x000000000AE7E000-memory.dmp

Filesize
248KB

Download
memory/956-52-0x000000000AFC0000-0x000000000B00B000-memory.dmp

Filesize
300KB

Download
memory/956-53-0x0000000072DE0000-0x00000000734CE000-memory.dmp

Filesize
6.9MB

Download
memory/3412-38-0x00007FFE34320000-0x00007FFE34D0C000-memory.dmp

Filesize
9.9MB

Download
memory/3412-36-0x00007FFE34320000-0x00007FFE34D0C000-memory.dmp

Filesize
9.9MB

Download
memory/3412-35-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download