healer | 0ef5db1a427151dbe4ea20814a421c66a0cb9e9ff718b24243943e427514c658

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2023 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ef5db1a427151dbe4ea20814a421c66a0cb9e9ff718b24243943e427514c658.exe
Size

828KB
MD5

63948807b260595b5bd052a5a7153d83
SHA1

dee6a653e15c660aacf42d8b6b521410e46b1b04
SHA256

0ef5db1a427151dbe4ea20814a421c66a0cb9e9ff718b24243943e427514c658
SHA512

97c79abde998341e78b4eb286e5eaa566cb6af8c43d7772ff2febecdaacc679ddbe5c28719b6f506817949bacdc9b9cd83ff9b751cb0096b8884a80d2f400b6f
SSDEEP

24576:LytWpSG0LSalsNw6ZY3Qxgd5CJ5CnqKng:+tJHL3iTMAgWZKn

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023292-33.dat	healer
behavioral1/files/0x0008000000023292-34.dat	healer
behavioral1/memory/2480-35-0x0000000000500000-0x000000000050A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5290571.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5290571.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5290571.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5290571.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5290571.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5290571.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4852	v2924441.exe
3648	v2518082.exe
812	v0285759.exe
1928	v7389866.exe
2480	a5290571.exe
2976	b7044761.exe
1496	c3234436.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5290571.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0ef5db1a427151dbe4ea20814a421c66a0cb9e9ff718b24243943e427514c658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2924441.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2518082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0285759.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7389866.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2480	a5290571.exe
2480	a5290571.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	a5290571.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 4852	216	0ef5db1a427151dbe4ea20814a421c66a0cb9e9ff718b24243943e427514c658.exe	81
PID 216 wrote to memory of 4852	216	0ef5db1a427151dbe4ea20814a421c66a0cb9e9ff718b24243943e427514c658.exe	81
PID 216 wrote to memory of 4852	216	0ef5db1a427151dbe4ea20814a421c66a0cb9e9ff718b24243943e427514c658.exe	81
PID 4852 wrote to memory of 3648	4852	v2924441.exe	82
PID 4852 wrote to memory of 3648	4852	v2924441.exe	82
PID 4852 wrote to memory of 3648	4852	v2924441.exe	82
PID 3648 wrote to memory of 812	3648	v2518082.exe	83
PID 3648 wrote to memory of 812	3648	v2518082.exe	83
PID 3648 wrote to memory of 812	3648	v2518082.exe	83
PID 812 wrote to memory of 1928	812	v0285759.exe	84
PID 812 wrote to memory of 1928	812	v0285759.exe	84
PID 812 wrote to memory of 1928	812	v0285759.exe	84
PID 1928 wrote to memory of 2480	1928	v7389866.exe	85
PID 1928 wrote to memory of 2480	1928	v7389866.exe	85
PID 1928 wrote to memory of 2976	1928	v7389866.exe	91
PID 1928 wrote to memory of 2976	1928	v7389866.exe	91
PID 1928 wrote to memory of 2976	1928	v7389866.exe	91
PID 812 wrote to memory of 1496	812	v0285759.exe	92
PID 812 wrote to memory of 1496	812	v0285759.exe	92
PID 812 wrote to memory of 1496	812	v0285759.exe	92

C:\Users\Admin\AppData\Local\Temp\0ef5db1a427151dbe4ea20814a421c66a0cb9e9ff718b24243943e427514c658.exe
"C:\Users\Admin\AppData\Local\Temp\0ef5db1a427151dbe4ea20814a421c66a0cb9e9ff718b24243943e427514c658.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2924441.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2924441.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2518082.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2518082.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0285759.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0285759.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:812
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7389866.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7389866.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5290571.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5290571.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7044761.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7044761.exe
        6⤵
        Executes dropped EXE
        
        PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3234436.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3234436.exe
        5⤵
        Executes dropped EXE
        
        PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2924441.exe

Filesize
723KB

MD5
66a15b4088745d98dbcbf2b846917a7c

SHA1
81b7833f84cb113ec41d4544ac8ce4717b54f7b7

SHA256
7691ef43be6c59067c32c3d8fd7e7cd1babc09efe6b80af644a19fae33c65717

SHA512
35ebf3d9b6a687149ed79bdd6747c866c8d519450a93fd55b1c9f91884ea19fe92720c3855928e010a84eceeee12a4a6479a80a456bd67de1fc84dc838a5ee0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2924441.exe

Filesize
723KB

MD5
66a15b4088745d98dbcbf2b846917a7c

SHA1
81b7833f84cb113ec41d4544ac8ce4717b54f7b7

SHA256
7691ef43be6c59067c32c3d8fd7e7cd1babc09efe6b80af644a19fae33c65717

SHA512
35ebf3d9b6a687149ed79bdd6747c866c8d519450a93fd55b1c9f91884ea19fe92720c3855928e010a84eceeee12a4a6479a80a456bd67de1fc84dc838a5ee0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2518082.exe

Filesize
497KB

MD5
0b398dd882dd053380b313b40b86ee53

SHA1
76c18ef92b0aad5a81c24e0a3622f408772e784b

SHA256
4422bd280e62f9566b70762c86423eed2135f46b1b8cab351e5dc049a84c293f

SHA512
b16f42dd4be4c2789a506654f12b2d0efcaf1ccbb7998f4a0d96ed42a6d3f5fc48d4821a4e4944e62e3f5f5fd620b03ceb1d24e6e96f7bd12ef797ec815a69e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2518082.exe

Filesize
497KB

MD5
0b398dd882dd053380b313b40b86ee53

SHA1
76c18ef92b0aad5a81c24e0a3622f408772e784b

SHA256
4422bd280e62f9566b70762c86423eed2135f46b1b8cab351e5dc049a84c293f

SHA512
b16f42dd4be4c2789a506654f12b2d0efcaf1ccbb7998f4a0d96ed42a6d3f5fc48d4821a4e4944e62e3f5f5fd620b03ceb1d24e6e96f7bd12ef797ec815a69e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0285759.exe

Filesize
372KB

MD5
9557ac1db10a0e46c65501787230128e

SHA1
0085437f2466e832e78e5b6901abd55e67a6a4e0

SHA256
f429e0e3ff75068834ac57ac42392ad0f049573e355725f608d487055f2b3dbc

SHA512
23ad0dc3fa88e27df2c045c2515090b879e607e4bfdc7a502efc54cf210f23fb612e00e9ab7de7d4524302f8f4b64e05f8090ae2e46d51feef0aeaddfa0095f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0285759.exe

Filesize
372KB

MD5
9557ac1db10a0e46c65501787230128e

SHA1
0085437f2466e832e78e5b6901abd55e67a6a4e0

SHA256
f429e0e3ff75068834ac57ac42392ad0f049573e355725f608d487055f2b3dbc

SHA512
23ad0dc3fa88e27df2c045c2515090b879e607e4bfdc7a502efc54cf210f23fb612e00e9ab7de7d4524302f8f4b64e05f8090ae2e46d51feef0aeaddfa0095f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3234436.exe

Filesize
174KB

MD5
a76675f1b7396caf9ea4e42bc8fcdd21

SHA1
8ff846ab85abd7f9b136ca1e0da1a95044415f63

SHA256
04e7707e713af11830880e11f987e0400ede5b5dca37f9d77bbee9ca96344f7b

SHA512
dc9e8328e68c24f7db36ee9df6f2260757c417011b0505afd4a3139fd119ed17a72298430aa7f1d34dd31d369357862f766c5c8b508fe963d59d3fa679d868e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3234436.exe

Filesize
174KB

MD5
a76675f1b7396caf9ea4e42bc8fcdd21

SHA1
8ff846ab85abd7f9b136ca1e0da1a95044415f63

SHA256
04e7707e713af11830880e11f987e0400ede5b5dca37f9d77bbee9ca96344f7b

SHA512
dc9e8328e68c24f7db36ee9df6f2260757c417011b0505afd4a3139fd119ed17a72298430aa7f1d34dd31d369357862f766c5c8b508fe963d59d3fa679d868e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7389866.exe

Filesize
217KB

MD5
1bdaa14e85d53dad47df244e4b40e777

SHA1
3f3632866948adf107eb8eb9519cb527c404847a

SHA256
ec9c2a680db72ccb354a848903a18caac880664d7192d355bb896be6e9db6100

SHA512
40a64ffefa536f1472f896c84a2f59743bd092cd410940bb400240d1816374412b6ac4e927a46b80e52b545a300d9021005331676b05ddd309c3424c1b308d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7389866.exe

Filesize
217KB

MD5
1bdaa14e85d53dad47df244e4b40e777

SHA1
3f3632866948adf107eb8eb9519cb527c404847a

SHA256
ec9c2a680db72ccb354a848903a18caac880664d7192d355bb896be6e9db6100

SHA512
40a64ffefa536f1472f896c84a2f59743bd092cd410940bb400240d1816374412b6ac4e927a46b80e52b545a300d9021005331676b05ddd309c3424c1b308d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5290571.exe

Filesize
13KB

MD5
7405c5e9afb32c08be66af126a4e78ac

SHA1
0f05d5fd5021199fc6421aa758bb26b02bf38bcc

SHA256
9317d92157f2d073ba6fb93745d65938540386b25b16299f18eced1d27fd417d

SHA512
20d903329d9a06622d647008ebd61cfa7edb75f229b30c69cada9c5fa8984ca5e5aee4094cbdc1234522d75d62dab933f6d07d2f5b6482b9acdf239539862cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5290571.exe

Filesize
13KB

MD5
7405c5e9afb32c08be66af126a4e78ac

SHA1
0f05d5fd5021199fc6421aa758bb26b02bf38bcc

SHA256
9317d92157f2d073ba6fb93745d65938540386b25b16299f18eced1d27fd417d

SHA512
20d903329d9a06622d647008ebd61cfa7edb75f229b30c69cada9c5fa8984ca5e5aee4094cbdc1234522d75d62dab933f6d07d2f5b6482b9acdf239539862cc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7044761.exe

Filesize
140KB

MD5
e45085578de5c67378e761d9c172a154

SHA1
c7cb4173fa2ce2ab20a86b70a231f849a20879d2

SHA256
89ceda7d0761942da9e542f1513b4869e404474ca8efa20507bb6fb2b2c5eb7a

SHA512
0b94a249744f7024249e31086a8ccc584fce119beffa7160e738287ee8a41726e8887018835c143b0358ae0019289efb1063401d9b4e3c27a64a56df8f4acf03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7044761.exe

Filesize
140KB

MD5
e45085578de5c67378e761d9c172a154

SHA1
c7cb4173fa2ce2ab20a86b70a231f849a20879d2

SHA256
89ceda7d0761942da9e542f1513b4869e404474ca8efa20507bb6fb2b2c5eb7a

SHA512
0b94a249744f7024249e31086a8ccc584fce119beffa7160e738287ee8a41726e8887018835c143b0358ae0019289efb1063401d9b4e3c27a64a56df8f4acf03

Download Submit
memory/1496-45-0x0000000000FB0000-0x0000000000FE0000-memory.dmp

Filesize
192KB

Download
memory/1496-46-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/1496-47-0x0000000006060000-0x0000000006678000-memory.dmp

Filesize
6.1MB

Download
memory/1496-48-0x0000000005B50000-0x0000000005C5A000-memory.dmp

Filesize
1.0MB

Download
memory/1496-49-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/1496-50-0x0000000005A80000-0x0000000005A92000-memory.dmp

Filesize
72KB

Download
memory/1496-51-0x0000000005AE0000-0x0000000005B1C000-memory.dmp

Filesize
240KB

Download
memory/1496-52-0x0000000074130000-0x00000000748E0000-memory.dmp

Filesize
7.7MB

Download
memory/1496-53-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/2480-38-0x00007FFACC370000-0x00007FFACCE31000-memory.dmp

Filesize
10.8MB

Download
memory/2480-36-0x00007FFACC370000-0x00007FFACCE31000-memory.dmp

Filesize
10.8MB

Download
memory/2480-35-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download