healer | afa6ccb4c0ef9f6b89cff27f6d9a125905ca4568b47a4ba68f20c2cc2a78bd6c

Analysis

max time kernel
148s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
25/08/2023, 02:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

afa6ccb4c0ef9f6b89cff27f6d9a125905ca4568b47a4ba68f20c2cc2a78bd6c.exe
Size

929KB
MD5

85e98f423baa8333198f250d3527ec53
SHA1

2ad44e8f7382263caa9d9473c4f0b01df8908dff
SHA256

afa6ccb4c0ef9f6b89cff27f6d9a125905ca4568b47a4ba68f20c2cc2a78bd6c
SHA512

af607c60ebb56f1411198235878da09c70304835bcebf971c8609fff8d9341aa233b310bb4533acebfdb739fbc5bf64cb82ab16da9b33e0e15f31e8742851fec
SSDEEP

24576:Ty43MddLmWJJMuErLIZVXW3jo9vZehqihVFyUsp8SS:m4qdLmWJqqjOjoIVt

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b009-33.dat	healer
behavioral1/files/0x000700000001b009-34.dat	healer
behavioral1/memory/328-35-0x0000000000A00000-0x0000000000A0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q9214418.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q9214418.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q9214418.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q9214418.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q9214418.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
904	z5789474.exe
4936	z5955694.exe
4124	z8710714.exe
4568	z1841516.exe
328	q9214418.exe
3180	r0645375.exe
2960	s4987602.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q9214418.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	afa6ccb4c0ef9f6b89cff27f6d9a125905ca4568b47a4ba68f20c2cc2a78bd6c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5789474.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z5955694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8710714.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z1841516.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
328	q9214418.exe
328	q9214418.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	328	q9214418.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 904	3844	afa6ccb4c0ef9f6b89cff27f6d9a125905ca4568b47a4ba68f20c2cc2a78bd6c.exe	69
PID 3844 wrote to memory of 904	3844	afa6ccb4c0ef9f6b89cff27f6d9a125905ca4568b47a4ba68f20c2cc2a78bd6c.exe	69
PID 3844 wrote to memory of 904	3844	afa6ccb4c0ef9f6b89cff27f6d9a125905ca4568b47a4ba68f20c2cc2a78bd6c.exe	69
PID 904 wrote to memory of 4936	904	z5789474.exe	70
PID 904 wrote to memory of 4936	904	z5789474.exe	70
PID 904 wrote to memory of 4936	904	z5789474.exe	70
PID 4936 wrote to memory of 4124	4936	z5955694.exe	71
PID 4936 wrote to memory of 4124	4936	z5955694.exe	71
PID 4936 wrote to memory of 4124	4936	z5955694.exe	71
PID 4124 wrote to memory of 4568	4124	z8710714.exe	72
PID 4124 wrote to memory of 4568	4124	z8710714.exe	72
PID 4124 wrote to memory of 4568	4124	z8710714.exe	72
PID 4568 wrote to memory of 328	4568	z1841516.exe	73
PID 4568 wrote to memory of 328	4568	z1841516.exe	73
PID 4568 wrote to memory of 3180	4568	z1841516.exe	74
PID 4568 wrote to memory of 3180	4568	z1841516.exe	74
PID 4568 wrote to memory of 3180	4568	z1841516.exe	74
PID 4124 wrote to memory of 2960	4124	z8710714.exe	75
PID 4124 wrote to memory of 2960	4124	z8710714.exe	75
PID 4124 wrote to memory of 2960	4124	z8710714.exe	75

C:\Users\Admin\AppData\Local\Temp\afa6ccb4c0ef9f6b89cff27f6d9a125905ca4568b47a4ba68f20c2cc2a78bd6c.exe
"C:\Users\Admin\AppData\Local\Temp\afa6ccb4c0ef9f6b89cff27f6d9a125905ca4568b47a4ba68f20c2cc2a78bd6c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5789474.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5789474.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5955694.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5955694.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8710714.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8710714.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4124
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1841516.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1841516.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9214418.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9214418.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0645375.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0645375.exe
        6⤵
        Executes dropped EXE
        
        PID:3180
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4987602.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4987602.exe
        5⤵
        Executes dropped EXE
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5789474.exe

Filesize
823KB

MD5
78dd9bd557c3852cbb03a3e6d4046ca6

SHA1
e2e932be893a69e941e644a2e866337af0d4f793

SHA256
3e18b20167b997529e3eb7b4bb61ef5d9d1c90aa81dcd5ad2f07d08c74c372ec

SHA512
799c90249953981195b68412b65b4eeeeb0b4b08885ab1ae9d2edc1875d8c0c6ded4b41020415ab9c5bbfab1a098ec435a541527b993bbdccc08e916e1522101

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5789474.exe

Filesize
823KB

MD5
78dd9bd557c3852cbb03a3e6d4046ca6

SHA1
e2e932be893a69e941e644a2e866337af0d4f793

SHA256
3e18b20167b997529e3eb7b4bb61ef5d9d1c90aa81dcd5ad2f07d08c74c372ec

SHA512
799c90249953981195b68412b65b4eeeeb0b4b08885ab1ae9d2edc1875d8c0c6ded4b41020415ab9c5bbfab1a098ec435a541527b993bbdccc08e916e1522101

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5955694.exe

Filesize
598KB

MD5
9438f399f008881a9620b46f7f599505

SHA1
13ff62789431d2fd469f7a0f3f60f095d7425ffc

SHA256
f8c57e145d962da66cb99286d05dc07bf3139232f62ee23366dd7d3b517532ff

SHA512
57dd7500641953ebf198e2a812a6106206abd9649ae9e8e03a458da4ac3403a4e11a61b6442084a957c1973b3bc9e65655e661bf8b3e67922821ec8f45f7cd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5955694.exe

Filesize
598KB

MD5
9438f399f008881a9620b46f7f599505

SHA1
13ff62789431d2fd469f7a0f3f60f095d7425ffc

SHA256
f8c57e145d962da66cb99286d05dc07bf3139232f62ee23366dd7d3b517532ff

SHA512
57dd7500641953ebf198e2a812a6106206abd9649ae9e8e03a458da4ac3403a4e11a61b6442084a957c1973b3bc9e65655e661bf8b3e67922821ec8f45f7cd8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8710714.exe

Filesize
372KB

MD5
93a60fd834dbc0c748546fd30313a857

SHA1
bb102f7270af437f0105b17f35682a0504c57c64

SHA256
746133a0806ecbea26b48f8001e33887a45eb11e0450e92f6a03ccf024f68646

SHA512
40a391e33a4f3a4a0d4ad96a579809ee17ff76c3fcaf4553bd5171e15d7fd6a5a7afba3af4533c6b355a355acf4144857746febfa63ddfb073fa6d13e3cfbd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8710714.exe

Filesize
372KB

MD5
93a60fd834dbc0c748546fd30313a857

SHA1
bb102f7270af437f0105b17f35682a0504c57c64

SHA256
746133a0806ecbea26b48f8001e33887a45eb11e0450e92f6a03ccf024f68646

SHA512
40a391e33a4f3a4a0d4ad96a579809ee17ff76c3fcaf4553bd5171e15d7fd6a5a7afba3af4533c6b355a355acf4144857746febfa63ddfb073fa6d13e3cfbd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4987602.exe

Filesize
174KB

MD5
b57bcdc91ea185aa009f4105aca4d1d5

SHA1
5331e734003fd0f7ddc5ce1e7da47374e807a67b

SHA256
52ab9499ba1841ee35c9f14e9f62aada637606051afa133072c27418356a7485

SHA512
b2b42bef5397d1469c27199f3dbfc1bfb849fb3c44dcbf80f7ee64076d1513616f3332f394f681228196051b41da334943af6218b2743c6de21379a4d9f95ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4987602.exe

Filesize
174KB

MD5
b57bcdc91ea185aa009f4105aca4d1d5

SHA1
5331e734003fd0f7ddc5ce1e7da47374e807a67b

SHA256
52ab9499ba1841ee35c9f14e9f62aada637606051afa133072c27418356a7485

SHA512
b2b42bef5397d1469c27199f3dbfc1bfb849fb3c44dcbf80f7ee64076d1513616f3332f394f681228196051b41da334943af6218b2743c6de21379a4d9f95ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1841516.exe

Filesize
217KB

MD5
81c3c4ac4d87cab253b3b722182c678b

SHA1
b2b4c01289cbab7b7bc088deceab50d22930e69e

SHA256
d28f0f6605d9002f582e25a78cf31797ab2d41e6f09ee7018ed95aee0b53d576

SHA512
fae144ead6b4016b88d76c1c31672b0c61924dd0311aff1692aa62a262d7346a54a286d731e5fe1560810221453e70cda1be2e3a769f93c41113953e8a201b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1841516.exe

Filesize
217KB

MD5
81c3c4ac4d87cab253b3b722182c678b

SHA1
b2b4c01289cbab7b7bc088deceab50d22930e69e

SHA256
d28f0f6605d9002f582e25a78cf31797ab2d41e6f09ee7018ed95aee0b53d576

SHA512
fae144ead6b4016b88d76c1c31672b0c61924dd0311aff1692aa62a262d7346a54a286d731e5fe1560810221453e70cda1be2e3a769f93c41113953e8a201b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9214418.exe

Filesize
13KB

MD5
570743ecbe8ffeb53f4cf8601ef86b5d

SHA1
edb13ac456b0e2776aa70346542a96393e7e1d02

SHA256
7e7d916ff0629fac6fa399859c2d3a7c4cf1c76aee8a4e1d8f3edafd3be8778f

SHA512
76d40bca0518cf95cf3f94873ce9917c7af2f18caf584ddf3de76c9cd933f06b527f1afe5b4606140a877b514c8eeb106c9c957c9e786a7c59f144dae2bb11ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9214418.exe

Filesize
13KB

MD5
570743ecbe8ffeb53f4cf8601ef86b5d

SHA1
edb13ac456b0e2776aa70346542a96393e7e1d02

SHA256
7e7d916ff0629fac6fa399859c2d3a7c4cf1c76aee8a4e1d8f3edafd3be8778f

SHA512
76d40bca0518cf95cf3f94873ce9917c7af2f18caf584ddf3de76c9cd933f06b527f1afe5b4606140a877b514c8eeb106c9c957c9e786a7c59f144dae2bb11ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0645375.exe

Filesize
140KB

MD5
6116832f09717439f36ccd78130684f6

SHA1
90634d233c2952cbc9d286421dec22ea901ce0a4

SHA256
19ec27d41a4c93219a8e0f31f1069501d2fbb5495a7578bac780cc0698aaff6c

SHA512
318f8480f8772c8101577261fd029c6c9af6445cd02131dfebe70c0db54aa96812592f4ca4ae34eec68f1ba6eabcdd5a2d8bf60334b08c606fe93666a3782893

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0645375.exe

Filesize
140KB

MD5
6116832f09717439f36ccd78130684f6

SHA1
90634d233c2952cbc9d286421dec22ea901ce0a4

SHA256
19ec27d41a4c93219a8e0f31f1069501d2fbb5495a7578bac780cc0698aaff6c

SHA512
318f8480f8772c8101577261fd029c6c9af6445cd02131dfebe70c0db54aa96812592f4ca4ae34eec68f1ba6eabcdd5a2d8bf60334b08c606fe93666a3782893

Download Submit
memory/328-38-0x00007FF8C5AD0000-0x00007FF8C64BC000-memory.dmp

Filesize
9.9MB

Download
memory/328-36-0x00007FF8C5AD0000-0x00007FF8C64BC000-memory.dmp

Filesize
9.9MB

Download
memory/328-35-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/2960-45-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/2960-46-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download
memory/2960-47-0x0000000002840000-0x0000000002846000-memory.dmp

Filesize
24KB

Download
memory/2960-48-0x000000000A8F0000-0x000000000AEF6000-memory.dmp

Filesize
6.0MB

Download
memory/2960-49-0x000000000A3F0000-0x000000000A4FA000-memory.dmp

Filesize
1.0MB

Download
memory/2960-50-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/2960-51-0x000000000A370000-0x000000000A3AE000-memory.dmp

Filesize
248KB

Download
memory/2960-52-0x000000000A500000-0x000000000A54B000-memory.dmp

Filesize
300KB

Download
memory/2960-53-0x0000000073310000-0x00000000739FE000-memory.dmp

Filesize
6.9MB

Download