healer | cdce6d33004137145e45d9b6f0a9124270ed4e912d2431fb026438e6f4bd4e96

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
25/08/2023, 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdce6d33004137145e45d9b6f0a9124270ed4e912d2431fb026438e6f4bd4e96.exe
Size

825KB
MD5

9b17decb353a40c4ea08a422e88c6dce
SHA1

eaad406d35ae9245a7f0e2e4c6faf279eb522ce8
SHA256

cdce6d33004137145e45d9b6f0a9124270ed4e912d2431fb026438e6f4bd4e96
SHA512

b4efaa26c273fc7fdbb0caea0ae1b7c8fa72669f98f85c3d798ccd19325c29d4a11f680e74565ded921842008c3c1ac6c6e4b3140b49eeff45123bd678e07bd1
SSDEEP

12288:wMr6y90Nwi1UmVRxmSyQ0jgzESrGgUdETEaLtaWNds+6ibllcySRaK55Fd:ayVi1UYxmfqGZdEVsWP1NlcvRHDd

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afe3-33.dat	healer
behavioral1/files/0x000700000001afe3-34.dat	healer
behavioral1/memory/4904-35-0x00000000002D0000-0x00000000002DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9506095.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9506095.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9506095.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9506095.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9506095.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
5012	v9910492.exe
4276	v8061522.exe
1300	v3449014.exe
1012	v6303745.exe
4904	a9506095.exe
380	b3303272.exe
4436	c5013856.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9506095.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cdce6d33004137145e45d9b6f0a9124270ed4e912d2431fb026438e6f4bd4e96.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9910492.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8061522.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3449014.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6303745.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4904	a9506095.exe
4904	a9506095.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	a9506095.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 5012	1604	cdce6d33004137145e45d9b6f0a9124270ed4e912d2431fb026438e6f4bd4e96.exe	69
PID 1604 wrote to memory of 5012	1604	cdce6d33004137145e45d9b6f0a9124270ed4e912d2431fb026438e6f4bd4e96.exe	69
PID 1604 wrote to memory of 5012	1604	cdce6d33004137145e45d9b6f0a9124270ed4e912d2431fb026438e6f4bd4e96.exe	69
PID 5012 wrote to memory of 4276	5012	v9910492.exe	70
PID 5012 wrote to memory of 4276	5012	v9910492.exe	70
PID 5012 wrote to memory of 4276	5012	v9910492.exe	70
PID 4276 wrote to memory of 1300	4276	v8061522.exe	71
PID 4276 wrote to memory of 1300	4276	v8061522.exe	71
PID 4276 wrote to memory of 1300	4276	v8061522.exe	71
PID 1300 wrote to memory of 1012	1300	v3449014.exe	72
PID 1300 wrote to memory of 1012	1300	v3449014.exe	72
PID 1300 wrote to memory of 1012	1300	v3449014.exe	72
PID 1012 wrote to memory of 4904	1012	v6303745.exe	73
PID 1012 wrote to memory of 4904	1012	v6303745.exe	73
PID 1012 wrote to memory of 380	1012	v6303745.exe	74
PID 1012 wrote to memory of 380	1012	v6303745.exe	74
PID 1012 wrote to memory of 380	1012	v6303745.exe	74
PID 1300 wrote to memory of 4436	1300	v3449014.exe	75
PID 1300 wrote to memory of 4436	1300	v3449014.exe	75
PID 1300 wrote to memory of 4436	1300	v3449014.exe	75

C:\Users\Admin\AppData\Local\Temp\cdce6d33004137145e45d9b6f0a9124270ed4e912d2431fb026438e6f4bd4e96.exe
"C:\Users\Admin\AppData\Local\Temp\cdce6d33004137145e45d9b6f0a9124270ed4e912d2431fb026438e6f4bd4e96.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9910492.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9910492.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8061522.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8061522.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3449014.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3449014.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1300
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6303745.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6303745.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1012
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9506095.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9506095.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4904
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3303272.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3303272.exe
        6⤵
        Executes dropped EXE
        
        PID:380
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5013856.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5013856.exe
        5⤵
        Executes dropped EXE
        
        PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9910492.exe

Filesize
722KB

MD5
dd96be044085a44480ee6d78156c4df1

SHA1
e593b4ed9343f7e25fa57dd0e52f6b367a8d0357

SHA256
4eca59442af35d066a701838f035652d53a6542d2628ae4ea4d0df12a9dd52a9

SHA512
3b68a8258315404e17478a6f0950a8968fe2ddc537029bf64e779f776838c8c4cceae2808477597d8bfd07b7f138d32a217482827df54a6b0a773cb6f2a8a2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9910492.exe

Filesize
722KB

MD5
dd96be044085a44480ee6d78156c4df1

SHA1
e593b4ed9343f7e25fa57dd0e52f6b367a8d0357

SHA256
4eca59442af35d066a701838f035652d53a6542d2628ae4ea4d0df12a9dd52a9

SHA512
3b68a8258315404e17478a6f0950a8968fe2ddc537029bf64e779f776838c8c4cceae2808477597d8bfd07b7f138d32a217482827df54a6b0a773cb6f2a8a2a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8061522.exe

Filesize
497KB

MD5
8ebfc7a5b8ef868b4fc358732bca9078

SHA1
d67210d17090277fc833468f132301d09e220d6f

SHA256
8ca3a299f79fa1ac7449c66fd60bc2d37fed32ccf7b1efec966fbb0e8e6a16ba

SHA512
3d77c0ebabbd61ae5789a0eeb51323ddd57b9f78dd1bcde277fa7e85f7053e633f60f0f12d3cbc4550b49f07fefeaebf61da975d671076bab84f910b5516075f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8061522.exe

Filesize
497KB

MD5
8ebfc7a5b8ef868b4fc358732bca9078

SHA1
d67210d17090277fc833468f132301d09e220d6f

SHA256
8ca3a299f79fa1ac7449c66fd60bc2d37fed32ccf7b1efec966fbb0e8e6a16ba

SHA512
3d77c0ebabbd61ae5789a0eeb51323ddd57b9f78dd1bcde277fa7e85f7053e633f60f0f12d3cbc4550b49f07fefeaebf61da975d671076bab84f910b5516075f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3449014.exe

Filesize
373KB

MD5
6c920589d6af2cb77607fa5dd2c25f0d

SHA1
77bf23436483eb793dffe180fc11d27637f55dba

SHA256
91c415427c64fb57acb2f2b25b5aa0ac499334716ed89f88e6e791fd78ace0c8

SHA512
05982f1a4dd482cbb7e55051114831ae2d1c508b0db4a2ff168383db82f099695dd5db462906730237c7939a3aa5bae6932a99acf2b423b1663661429a36e07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3449014.exe

Filesize
373KB

MD5
6c920589d6af2cb77607fa5dd2c25f0d

SHA1
77bf23436483eb793dffe180fc11d27637f55dba

SHA256
91c415427c64fb57acb2f2b25b5aa0ac499334716ed89f88e6e791fd78ace0c8

SHA512
05982f1a4dd482cbb7e55051114831ae2d1c508b0db4a2ff168383db82f099695dd5db462906730237c7939a3aa5bae6932a99acf2b423b1663661429a36e07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5013856.exe

Filesize
174KB

MD5
8a7cd9ca59d216c40e0e99e166b69f20

SHA1
c5f8155f8d376776f46006cdcb6c643a3e687335

SHA256
451287f8a845df2593f7493a22805d14eb86795d266621dcdf97c6d977f5884b

SHA512
e3667cbb402ec0de67054aded94aa2989fa343d4119da02ea9dd06b3de02c52d721e3162ce628967caa748fb98c16e31184a1a967529a44356b1f11adfc4c7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5013856.exe

Filesize
174KB

MD5
8a7cd9ca59d216c40e0e99e166b69f20

SHA1
c5f8155f8d376776f46006cdcb6c643a3e687335

SHA256
451287f8a845df2593f7493a22805d14eb86795d266621dcdf97c6d977f5884b

SHA512
e3667cbb402ec0de67054aded94aa2989fa343d4119da02ea9dd06b3de02c52d721e3162ce628967caa748fb98c16e31184a1a967529a44356b1f11adfc4c7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6303745.exe

Filesize
217KB

MD5
b21c05c745495db8cc883cf0746a735e

SHA1
4e584e53a41f16a44d16229a7a0376724071c199

SHA256
d696e7d0f1835a17074daacfdb38908068b0c9c8687f2f9fcfe34ed8c5936d15

SHA512
0d49b3b417d3998e6ab355298549d78b55edf6923b3529ef59d5a9333a771c3abfe8583a3b7abf1243c86611d5c960d61c363c7161b166268941156bf65790d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6303745.exe

Filesize
217KB

MD5
b21c05c745495db8cc883cf0746a735e

SHA1
4e584e53a41f16a44d16229a7a0376724071c199

SHA256
d696e7d0f1835a17074daacfdb38908068b0c9c8687f2f9fcfe34ed8c5936d15

SHA512
0d49b3b417d3998e6ab355298549d78b55edf6923b3529ef59d5a9333a771c3abfe8583a3b7abf1243c86611d5c960d61c363c7161b166268941156bf65790d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9506095.exe

Filesize
13KB

MD5
4ae240da32c853d65e381f9621822a07

SHA1
15015ae44705892a6bfa2db26a95e43af8e6229a

SHA256
32087a6820a757040e3dbdf8cf4e918074357c5cbace673a50eb2f6021e3eaa9

SHA512
c788bede408f99772d62bcfe354e76c82c0e7527568bd856e1fa4facb03c23be78162e10d1e164ec056e15c652820432dcd1786acbf97bc81552664c67c85c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9506095.exe

Filesize
13KB

MD5
4ae240da32c853d65e381f9621822a07

SHA1
15015ae44705892a6bfa2db26a95e43af8e6229a

SHA256
32087a6820a757040e3dbdf8cf4e918074357c5cbace673a50eb2f6021e3eaa9

SHA512
c788bede408f99772d62bcfe354e76c82c0e7527568bd856e1fa4facb03c23be78162e10d1e164ec056e15c652820432dcd1786acbf97bc81552664c67c85c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3303272.exe

Filesize
140KB

MD5
73ec95dcfc47b5338916f1105ea1e754

SHA1
9597ee123366336caa3b447ac9534974b4c228a3

SHA256
f3a9883f808db0d65267691155096ef6dede4e6ab45e5a17eead95f58384764f

SHA512
b4f2f8f92779ce42c2e941338268431d9feb6fb4df9bd99d1ea647dcfac712b438430e9106c522497377a62d5df367ee58c3a901be10bd0b004ac834c99c72b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3303272.exe

Filesize
140KB

MD5
73ec95dcfc47b5338916f1105ea1e754

SHA1
9597ee123366336caa3b447ac9534974b4c228a3

SHA256
f3a9883f808db0d65267691155096ef6dede4e6ab45e5a17eead95f58384764f

SHA512
b4f2f8f92779ce42c2e941338268431d9feb6fb4df9bd99d1ea647dcfac712b438430e9106c522497377a62d5df367ee58c3a901be10bd0b004ac834c99c72b6

Download Submit
memory/4436-46-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/4436-45-0x0000000000380000-0x00000000003B0000-memory.dmp

Filesize
192KB

Download
memory/4436-47-0x0000000002500000-0x0000000002506000-memory.dmp

Filesize
24KB

Download
memory/4436-48-0x0000000005300000-0x0000000005906000-memory.dmp

Filesize
6.0MB

Download
memory/4436-49-0x0000000004E00000-0x0000000004F0A000-memory.dmp

Filesize
1.0MB

Download
memory/4436-50-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/4436-51-0x0000000004D30000-0x0000000004D6E000-memory.dmp

Filesize
248KB

Download
memory/4436-52-0x0000000004D70000-0x0000000004DBB000-memory.dmp

Filesize
300KB

Download
memory/4436-53-0x0000000073790000-0x0000000073E7E000-memory.dmp

Filesize
6.9MB

Download
memory/4904-38-0x00007FF83ABE0000-0x00007FF83B5CC000-memory.dmp

Filesize
9.9MB

Download
memory/4904-36-0x00007FF83ABE0000-0x00007FF83B5CC000-memory.dmp

Filesize
9.9MB

Download
memory/4904-35-0x00000000002D0000-0x00000000002DA000-memory.dmp

Filesize
40KB

Download