healer | 55835ee0d6831c4bfce2485d71b884881f5cfff7e66b4bd3c760b9a1fb9dd4d9

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ccc3d42253e1bf0c78cde794a86c5693.exe
Size

931KB
MD5

ccc3d42253e1bf0c78cde794a86c5693
SHA1

ea792cdd8dae77c7ea22b195e5fd6a2e6da402c1
SHA256

55835ee0d6831c4bfce2485d71b884881f5cfff7e66b4bd3c760b9a1fb9dd4d9
SHA512

fc708da99a0bebf20df29697bff5f13a1739eeb5933e4e3b384f4cdd056b4583189d00822eeb405bde81d05fadeae23284e7ef8a8d0f065cda05207228c9c18a
SSDEEP

12288:3Mrhy90u10zuiMlgrskr+ZLSgLKN2s2FGyrOtiQ1EWztWqLm+lr3wa1F3VgAGsR7:SydwutCsab2scrD+EWhW+lr78sR4Q

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000002320b-33.dat	healer
behavioral2/files/0x000700000002320b-34.dat	healer
behavioral2/memory/2844-35-0x00000000009B0000-0x00000000009BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q6051389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q6051389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q6051389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q6051389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q6051389.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q6051389.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3576	z3853699.exe
1340	z6693381.exe
2820	z1951670.exe
4668	z7259287.exe
2844	q6051389.exe
2680	r8641706.exe
3836	s5577883.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q6051389.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ccc3d42253e1bf0c78cde794a86c5693.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3853699.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6693381.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1951670.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z7259287.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2844	q6051389.exe
2844	q6051389.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	q6051389.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 3576	4608	ccc3d42253e1bf0c78cde794a86c5693.exe	83
PID 4608 wrote to memory of 3576	4608	ccc3d42253e1bf0c78cde794a86c5693.exe	83
PID 4608 wrote to memory of 3576	4608	ccc3d42253e1bf0c78cde794a86c5693.exe	83
PID 3576 wrote to memory of 1340	3576	z3853699.exe	84
PID 3576 wrote to memory of 1340	3576	z3853699.exe	84
PID 3576 wrote to memory of 1340	3576	z3853699.exe	84
PID 1340 wrote to memory of 2820	1340	z6693381.exe	85
PID 1340 wrote to memory of 2820	1340	z6693381.exe	85
PID 1340 wrote to memory of 2820	1340	z6693381.exe	85
PID 2820 wrote to memory of 4668	2820	z1951670.exe	86
PID 2820 wrote to memory of 4668	2820	z1951670.exe	86
PID 2820 wrote to memory of 4668	2820	z1951670.exe	86
PID 4668 wrote to memory of 2844	4668	z7259287.exe	87
PID 4668 wrote to memory of 2844	4668	z7259287.exe	87
PID 4668 wrote to memory of 2680	4668	z7259287.exe	92
PID 4668 wrote to memory of 2680	4668	z7259287.exe	92
PID 4668 wrote to memory of 2680	4668	z7259287.exe	92
PID 2820 wrote to memory of 3836	2820	z1951670.exe	93
PID 2820 wrote to memory of 3836	2820	z1951670.exe	93
PID 2820 wrote to memory of 3836	2820	z1951670.exe	93

C:\Users\Admin\AppData\Local\Temp\ccc3d42253e1bf0c78cde794a86c5693.exe
"C:\Users\Admin\AppData\Local\Temp\ccc3d42253e1bf0c78cde794a86c5693.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3853699.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3853699.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6693381.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6693381.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1951670.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1951670.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7259287.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7259287.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4668
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6051389.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6051389.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8641706.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8641706.exe
        6⤵
        Executes dropped EXE
        
        PID:2680
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5577883.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5577883.exe
        5⤵
        Executes dropped EXE
        
        PID:3836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3853699.exe

Filesize
825KB

MD5
2444d56336564dc1c96551722ef09f6f

SHA1
c2489ac72fc9308af45985e184281ed3a74bddb3

SHA256
5922e724593a7b39348a21068c26478a60879342778d5cb4926d3caef1700c54

SHA512
ab57756914884dfd5bfab8758dcf299edf074b7d5ac27de9dc8e0de817c13c8d59e456d5872847b799779f51f939240a9b8b80a12452d4be36242fe3902c1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3853699.exe

Filesize
825KB

MD5
2444d56336564dc1c96551722ef09f6f

SHA1
c2489ac72fc9308af45985e184281ed3a74bddb3

SHA256
5922e724593a7b39348a21068c26478a60879342778d5cb4926d3caef1700c54

SHA512
ab57756914884dfd5bfab8758dcf299edf074b7d5ac27de9dc8e0de817c13c8d59e456d5872847b799779f51f939240a9b8b80a12452d4be36242fe3902c1459

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6693381.exe

Filesize
599KB

MD5
82a565e555e483e5849a8d7a21c90ca7

SHA1
19eb147564cbe5beccb29727739c2f0df091410b

SHA256
984fc83210a8eb61283a1807bcbe4d7cbba2fd824cae24c97aa27a63c8b2e4ef

SHA512
f8d42f4351bb73f2bfb3ae70e7d9dc7378be7b49f49d6d0b0091c1e5e7fd8802fd4e65e5be0fb17fff5f886192ec2c22692fbe2949b474f4e848c5ab0656e4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6693381.exe

Filesize
599KB

MD5
82a565e555e483e5849a8d7a21c90ca7

SHA1
19eb147564cbe5beccb29727739c2f0df091410b

SHA256
984fc83210a8eb61283a1807bcbe4d7cbba2fd824cae24c97aa27a63c8b2e4ef

SHA512
f8d42f4351bb73f2bfb3ae70e7d9dc7378be7b49f49d6d0b0091c1e5e7fd8802fd4e65e5be0fb17fff5f886192ec2c22692fbe2949b474f4e848c5ab0656e4a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1951670.exe

Filesize
373KB

MD5
118c3b745927a9e6792e2bcad55c6480

SHA1
088907508bf2da5a911cb7f6e89a8854b2271d75

SHA256
77f0c281028ba8a2a929eb6b5f94f97bf1ac2569941c0a8aa90ee1031d210599

SHA512
30ee1632a2b2575d48578dc7f142b63a64fc74d054f5adf4d1d4ac14cf8bfc88dc1c5f37fcc721ac6efa8566c498dd3d2457fa7c2d28e05a7e664ed7e8bc9c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1951670.exe

Filesize
373KB

MD5
118c3b745927a9e6792e2bcad55c6480

SHA1
088907508bf2da5a911cb7f6e89a8854b2271d75

SHA256
77f0c281028ba8a2a929eb6b5f94f97bf1ac2569941c0a8aa90ee1031d210599

SHA512
30ee1632a2b2575d48578dc7f142b63a64fc74d054f5adf4d1d4ac14cf8bfc88dc1c5f37fcc721ac6efa8566c498dd3d2457fa7c2d28e05a7e664ed7e8bc9c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5577883.exe

Filesize
174KB

MD5
1426df22137e97ea22e5eef2fe04360e

SHA1
4171f136795d4037b960be1900d0f133eebabdae

SHA256
f6bfd3b6930a83a60dce1e18413e9d5cc4fd6af3d9ca46641f3fca4c9abe214a

SHA512
08c8b948aba9595bf37247f080681ddb874af25b41ff4f4c600db6244f1d229cf683e3ebfcafe06b8200ecf3674cfc5701617fb56a28a1c686125b45a865423b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5577883.exe

Filesize
174KB

MD5
1426df22137e97ea22e5eef2fe04360e

SHA1
4171f136795d4037b960be1900d0f133eebabdae

SHA256
f6bfd3b6930a83a60dce1e18413e9d5cc4fd6af3d9ca46641f3fca4c9abe214a

SHA512
08c8b948aba9595bf37247f080681ddb874af25b41ff4f4c600db6244f1d229cf683e3ebfcafe06b8200ecf3674cfc5701617fb56a28a1c686125b45a865423b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7259287.exe

Filesize
217KB

MD5
de3e70dabfdc7a220116ac0f5eaee41e

SHA1
e8cb0473560ea4589f8e99689d4f73b6843d7311

SHA256
ca5abf88c236548aad0ce4a8ad2a4a87fcd158ed4164cf4ff754aa025ff3cb06

SHA512
204191b018ca5ff441d8253a53523e86a26770e790ae47ab9717800591a66cb323dec104943b358c8156a1e847da45e730bf278dce0e140e134a3f4212876d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7259287.exe

Filesize
217KB

MD5
de3e70dabfdc7a220116ac0f5eaee41e

SHA1
e8cb0473560ea4589f8e99689d4f73b6843d7311

SHA256
ca5abf88c236548aad0ce4a8ad2a4a87fcd158ed4164cf4ff754aa025ff3cb06

SHA512
204191b018ca5ff441d8253a53523e86a26770e790ae47ab9717800591a66cb323dec104943b358c8156a1e847da45e730bf278dce0e140e134a3f4212876d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6051389.exe

Filesize
13KB

MD5
072dc90c58ff0dd21c79a00a7c50c7dd

SHA1
84b3810d2fa0cbe814ce3ca5226a18a1ab0ab8be

SHA256
6136dd58525b80962514754818f75c89d2e4bd39f74fa24d272db2e8818d34e2

SHA512
a89f3c0fa84935a52df50f01ad6f44bd6f8a3c4d4d44ab5eee3b3874cfdd7adae6623310873d8b998f109c16c4107df1278fc419127ffae1734a2d8a3d207cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6051389.exe

Filesize
13KB

MD5
072dc90c58ff0dd21c79a00a7c50c7dd

SHA1
84b3810d2fa0cbe814ce3ca5226a18a1ab0ab8be

SHA256
6136dd58525b80962514754818f75c89d2e4bd39f74fa24d272db2e8818d34e2

SHA512
a89f3c0fa84935a52df50f01ad6f44bd6f8a3c4d4d44ab5eee3b3874cfdd7adae6623310873d8b998f109c16c4107df1278fc419127ffae1734a2d8a3d207cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8641706.exe

Filesize
140KB

MD5
45192dc12f418297070a927c85813aaa

SHA1
8288a8d6a44c43636de209a68279dfa8dec02e0f

SHA256
c68d896b107eb07b8f3c5e7d703680c015906c6a133f0040d9e9e03676d674cc

SHA512
72bc7a1c340432fed37485c8edf74e3e1aed15409898d71c7c916be88cc2b171007948ffa953734035f9fda495610a0e31ee96064acad96516a1f0e2b219c81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8641706.exe

Filesize
140KB

MD5
45192dc12f418297070a927c85813aaa

SHA1
8288a8d6a44c43636de209a68279dfa8dec02e0f

SHA256
c68d896b107eb07b8f3c5e7d703680c015906c6a133f0040d9e9e03676d674cc

SHA512
72bc7a1c340432fed37485c8edf74e3e1aed15409898d71c7c916be88cc2b171007948ffa953734035f9fda495610a0e31ee96064acad96516a1f0e2b219c81b

Download Submit
memory/2844-38-0x00007FFA0B1C0000-0x00007FFA0BC81000-memory.dmp

Filesize
10.8MB

Download
memory/2844-36-0x00007FFA0B1C0000-0x00007FFA0BC81000-memory.dmp

Filesize
10.8MB

Download
memory/2844-35-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/3836-45-0x0000000000F40000-0x0000000000F70000-memory.dmp

Filesize
192KB

Download
memory/3836-46-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/3836-47-0x000000000B3C0000-0x000000000B9D8000-memory.dmp

Filesize
6.1MB

Download
memory/3836-48-0x000000000AEF0000-0x000000000AFFA000-memory.dmp

Filesize
1.0MB

Download
memory/3836-49-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download
memory/3836-50-0x000000000AE30000-0x000000000AE42000-memory.dmp

Filesize
72KB

Download
memory/3836-51-0x000000000AE90000-0x000000000AECC000-memory.dmp

Filesize
240KB

Download
memory/3836-52-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/3836-53-0x0000000005A10000-0x0000000005A20000-memory.dmp

Filesize
64KB

Download