healer | 04564577997141d823ae97f19f8febb05160bde567c2c1439c74e4d24255ecdd

Analysis

max time kernel
280s
max time network
292s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
25-08-2023 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

z4921733.exe
Size

372KB
MD5

3356f0a504f98ebe19bb177856184fbd
SHA1

be551871751081f37f458b7bf62656f3dc6ed89d
SHA256

04564577997141d823ae97f19f8febb05160bde567c2c1439c74e4d24255ecdd
SHA512

5cf27fcf13ed56ad49dff48ea7c8359d81c5ebe641aba8e4a31b4de783a8734770bfd3ca7e3188e3518b39be890bbe74baa90ffbda980c20e833d22428a1f6c6
SSDEEP

6144:K3y+bnr+Tp0yN90QESpbj/Pj4BgD2zUcPD+lSLwwvohu5/p8qWlt6lHC4+k0e:ZMr/y90Ij/Pj4aqb9wY8qWl8xCy

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 4 IoCs

resource	yara_rule
behavioral1/files/0x000700000001946c-14.dat	healer
behavioral1/files/0x000700000001946c-16.dat	healer
behavioral1/files/0x000700000001946c-17.dat	healer
behavioral1/memory/1872-18-0x0000000000300000-0x000000000030A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q0556973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q0556973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q0556973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q0556973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q0556973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q0556973.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2176	z6122764.exe
1872	q0556973.exe
1692	r3006724.exe
1136	s1389380.exe

Loads dropped DLL 7 IoCs

pid	Process
1964	z4921733.exe
2176	z6122764.exe
2176	z6122764.exe
2176	z6122764.exe
1692	r3006724.exe
1964	z4921733.exe
1136	s1389380.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	q0556973.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q0556973.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	z4921733.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6122764.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1872	q0556973.exe
1872	q0556973.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	q0556973.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2176	1964	z4921733.exe	28
PID 1964 wrote to memory of 2176	1964	z4921733.exe	28
PID 1964 wrote to memory of 2176	1964	z4921733.exe	28
PID 1964 wrote to memory of 2176	1964	z4921733.exe	28
PID 1964 wrote to memory of 2176	1964	z4921733.exe	28
PID 1964 wrote to memory of 2176	1964	z4921733.exe	28
PID 1964 wrote to memory of 2176	1964	z4921733.exe	28
PID 2176 wrote to memory of 1872	2176	z6122764.exe	29
PID 2176 wrote to memory of 1872	2176	z6122764.exe	29
PID 2176 wrote to memory of 1872	2176	z6122764.exe	29
PID 2176 wrote to memory of 1872	2176	z6122764.exe	29
PID 2176 wrote to memory of 1872	2176	z6122764.exe	29
PID 2176 wrote to memory of 1872	2176	z6122764.exe	29
PID 2176 wrote to memory of 1872	2176	z6122764.exe	29
PID 2176 wrote to memory of 1692	2176	z6122764.exe	30
PID 2176 wrote to memory of 1692	2176	z6122764.exe	30
PID 2176 wrote to memory of 1692	2176	z6122764.exe	30
PID 2176 wrote to memory of 1692	2176	z6122764.exe	30
PID 2176 wrote to memory of 1692	2176	z6122764.exe	30
PID 2176 wrote to memory of 1692	2176	z6122764.exe	30
PID 2176 wrote to memory of 1692	2176	z6122764.exe	30
PID 1964 wrote to memory of 1136	1964	z4921733.exe	33
PID 1964 wrote to memory of 1136	1964	z4921733.exe	33
PID 1964 wrote to memory of 1136	1964	z4921733.exe	33
PID 1964 wrote to memory of 1136	1964	z4921733.exe	33
PID 1964 wrote to memory of 1136	1964	z4921733.exe	33
PID 1964 wrote to memory of 1136	1964	z4921733.exe	33
PID 1964 wrote to memory of 1136	1964	z4921733.exe	33

C:\Users\Admin\AppData\Local\Temp\z4921733.exe
"C:\Users\Admin\AppData\Local\Temp\z4921733.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6122764.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6122764.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0556973.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0556973.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3006724.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3006724.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1692
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1389380.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1389380.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1389380.exe

Filesize
174KB

MD5
06f2a58cc262f752e8c67b4345c16b6c

SHA1
737541609d2bbefd038e0c848a0ff5da2c2e768a

SHA256
e100b806bc9587accd03ab26aae2f37b4136b0bb6aa0415bdc49815bd83196b1

SHA512
cc73836af52d14150122604f6c5fc4d7195943a2be106fb44fcddc8002c2aa0ee73840c7f5d65c9c7bfcf44460587df9959788f3e53ab121db48f7538854aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1389380.exe

Filesize
174KB

MD5
06f2a58cc262f752e8c67b4345c16b6c

SHA1
737541609d2bbefd038e0c848a0ff5da2c2e768a

SHA256
e100b806bc9587accd03ab26aae2f37b4136b0bb6aa0415bdc49815bd83196b1

SHA512
cc73836af52d14150122604f6c5fc4d7195943a2be106fb44fcddc8002c2aa0ee73840c7f5d65c9c7bfcf44460587df9959788f3e53ab121db48f7538854aa65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6122764.exe

Filesize
217KB

MD5
3339c50a2fddaeb1d68cc1ebae24c240

SHA1
a225a8359680f957be893f237894b050d0a6b720

SHA256
af36c2a3af9e6714c8280892d49405fd76f3fd8d50c44121969018759f7e6264

SHA512
6af46d550829615d498b32f34724f34aac960853e0a19b0d522904d81cde6df188895df0bde4583ea90af506dec7d045dbd0b9675430b4aa07a4a3b3b2e20119

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6122764.exe

Filesize
217KB

MD5
3339c50a2fddaeb1d68cc1ebae24c240

SHA1
a225a8359680f957be893f237894b050d0a6b720

SHA256
af36c2a3af9e6714c8280892d49405fd76f3fd8d50c44121969018759f7e6264

SHA512
6af46d550829615d498b32f34724f34aac960853e0a19b0d522904d81cde6df188895df0bde4583ea90af506dec7d045dbd0b9675430b4aa07a4a3b3b2e20119

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0556973.exe

Filesize
13KB

MD5
18e4e8a529a08a0d453d509cc4a44665

SHA1
0dfc8ce833e94545ba31a5b41c722664021aac44

SHA256
349ca83cbed28a8a42764969725bb9b049565b613842a3954a041d474fb0e62d

SHA512
8b81a06ff7c021fd3299b2140641e2f18a6ccabde04c79c962bfbca410addf5938795cc2de84e0778a15f5ada6b394ee6e56d2787430be801d6fc572c0accd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0556973.exe

Filesize
13KB

MD5
18e4e8a529a08a0d453d509cc4a44665

SHA1
0dfc8ce833e94545ba31a5b41c722664021aac44

SHA256
349ca83cbed28a8a42764969725bb9b049565b613842a3954a041d474fb0e62d

SHA512
8b81a06ff7c021fd3299b2140641e2f18a6ccabde04c79c962bfbca410addf5938795cc2de84e0778a15f5ada6b394ee6e56d2787430be801d6fc572c0accd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3006724.exe

Filesize
140KB

MD5
577820ffc3f05e7ba539b190c28ef6a0

SHA1
b88220edcf973f1a010e6c2323c1715f63d2780b

SHA256
8b262c918bcada4f425885d75c18731164e5f6996fd56f03ab1c30ff70f618e7

SHA512
7b8c089211a5510f85fce759700fa16112beb4435bc37e4c894c7cccf439599b08c9a3b33ee9a9c438ac65c9f38faa4a17e89a37fee519b434ef3cbf9c92ede8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3006724.exe

Filesize
140KB

MD5
577820ffc3f05e7ba539b190c28ef6a0

SHA1
b88220edcf973f1a010e6c2323c1715f63d2780b

SHA256
8b262c918bcada4f425885d75c18731164e5f6996fd56f03ab1c30ff70f618e7

SHA512
7b8c089211a5510f85fce759700fa16112beb4435bc37e4c894c7cccf439599b08c9a3b33ee9a9c438ac65c9f38faa4a17e89a37fee519b434ef3cbf9c92ede8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1389380.exe

Filesize
174KB

MD5
06f2a58cc262f752e8c67b4345c16b6c

SHA1
737541609d2bbefd038e0c848a0ff5da2c2e768a

SHA256
e100b806bc9587accd03ab26aae2f37b4136b0bb6aa0415bdc49815bd83196b1

SHA512
cc73836af52d14150122604f6c5fc4d7195943a2be106fb44fcddc8002c2aa0ee73840c7f5d65c9c7bfcf44460587df9959788f3e53ab121db48f7538854aa65

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\s1389380.exe

Filesize
174KB

MD5
06f2a58cc262f752e8c67b4345c16b6c

SHA1
737541609d2bbefd038e0c848a0ff5da2c2e768a

SHA256
e100b806bc9587accd03ab26aae2f37b4136b0bb6aa0415bdc49815bd83196b1

SHA512
cc73836af52d14150122604f6c5fc4d7195943a2be106fb44fcddc8002c2aa0ee73840c7f5d65c9c7bfcf44460587df9959788f3e53ab121db48f7538854aa65

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6122764.exe

Filesize
217KB

MD5
3339c50a2fddaeb1d68cc1ebae24c240

SHA1
a225a8359680f957be893f237894b050d0a6b720

SHA256
af36c2a3af9e6714c8280892d49405fd76f3fd8d50c44121969018759f7e6264

SHA512
6af46d550829615d498b32f34724f34aac960853e0a19b0d522904d81cde6df188895df0bde4583ea90af506dec7d045dbd0b9675430b4aa07a4a3b3b2e20119

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6122764.exe

Filesize
217KB

MD5
3339c50a2fddaeb1d68cc1ebae24c240

SHA1
a225a8359680f957be893f237894b050d0a6b720

SHA256
af36c2a3af9e6714c8280892d49405fd76f3fd8d50c44121969018759f7e6264

SHA512
6af46d550829615d498b32f34724f34aac960853e0a19b0d522904d81cde6df188895df0bde4583ea90af506dec7d045dbd0b9675430b4aa07a4a3b3b2e20119

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\q0556973.exe

Filesize
13KB

MD5
18e4e8a529a08a0d453d509cc4a44665

SHA1
0dfc8ce833e94545ba31a5b41c722664021aac44

SHA256
349ca83cbed28a8a42764969725bb9b049565b613842a3954a041d474fb0e62d

SHA512
8b81a06ff7c021fd3299b2140641e2f18a6ccabde04c79c962bfbca410addf5938795cc2de84e0778a15f5ada6b394ee6e56d2787430be801d6fc572c0accd19

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3006724.exe

Filesize
140KB

MD5
577820ffc3f05e7ba539b190c28ef6a0

SHA1
b88220edcf973f1a010e6c2323c1715f63d2780b

SHA256
8b262c918bcada4f425885d75c18731164e5f6996fd56f03ab1c30ff70f618e7

SHA512
7b8c089211a5510f85fce759700fa16112beb4435bc37e4c894c7cccf439599b08c9a3b33ee9a9c438ac65c9f38faa4a17e89a37fee519b434ef3cbf9c92ede8

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\r3006724.exe

Filesize
140KB

MD5
577820ffc3f05e7ba539b190c28ef6a0

SHA1
b88220edcf973f1a010e6c2323c1715f63d2780b

SHA256
8b262c918bcada4f425885d75c18731164e5f6996fd56f03ab1c30ff70f618e7

SHA512
7b8c089211a5510f85fce759700fa16112beb4435bc37e4c894c7cccf439599b08c9a3b33ee9a9c438ac65c9f38faa4a17e89a37fee519b434ef3cbf9c92ede8

Download Submit
memory/1136-34-0x0000000000B60000-0x0000000000B90000-memory.dmp

Filesize
192KB

Download
memory/1136-35-0x0000000000490000-0x0000000000496000-memory.dmp

Filesize
24KB

Download
memory/1872-20-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-21-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-19-0x000007FEF54F0000-0x000007FEF5EDC000-memory.dmp

Filesize
9.9MB

Download
memory/1872-18-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download