healer | 33de78450b55cd64ea95985048f05935d340106812884f607c04b2b6e4744da1

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33de78450b55cd64ea95985048f05935d340106812884f607c04b2b6e4744da1.exe
Size

926KB
MD5

c44f42f23585d18efd53f635c5851c42
SHA1

5deede0d2cceeb11a768ba1ea98871774599e5eb
SHA256

33de78450b55cd64ea95985048f05935d340106812884f607c04b2b6e4744da1
SHA512

aac6ba807dfe066dbd0ac707a18fcbbc6b88335d02912690f394e1c8f759b7bf769877e01f90489d571ee7ccdc5b067ccb684d86887d2b47591240126ca45dd2
SSDEEP

12288:xMrey901Tk6i6P5Sg7Y47dohYdQ7PyQX7s0jgeBBKchc0Lr2eym9mtioIgT53fHt:fymi6Ftd/dULXUOhFL5I4BCvYwa4R

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000231fb-33.dat	healer
behavioral1/files/0x00080000000231fb-34.dat	healer
behavioral1/memory/2536-35-0x0000000000280000-0x000000000028A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q0843623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q0843623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q0843623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q0843623.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q0843623.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q0843623.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3952	z5383946.exe
3724	z4206184.exe
648	z8875853.exe
3016	z7775914.exe
2536	q0843623.exe
3620	r6468693.exe
1348	s9083707.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q0843623.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	33de78450b55cd64ea95985048f05935d340106812884f607c04b2b6e4744da1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5383946.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4206184.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z8875853.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z7775914.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2536	q0843623.exe
2536	q0843623.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	q0843623.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 3952	3396	33de78450b55cd64ea95985048f05935d340106812884f607c04b2b6e4744da1.exe	82
PID 3396 wrote to memory of 3952	3396	33de78450b55cd64ea95985048f05935d340106812884f607c04b2b6e4744da1.exe	82
PID 3396 wrote to memory of 3952	3396	33de78450b55cd64ea95985048f05935d340106812884f607c04b2b6e4744da1.exe	82
PID 3952 wrote to memory of 3724	3952	z5383946.exe	83
PID 3952 wrote to memory of 3724	3952	z5383946.exe	83
PID 3952 wrote to memory of 3724	3952	z5383946.exe	83
PID 3724 wrote to memory of 648	3724	z4206184.exe	84
PID 3724 wrote to memory of 648	3724	z4206184.exe	84
PID 3724 wrote to memory of 648	3724	z4206184.exe	84
PID 648 wrote to memory of 3016	648	z8875853.exe	85
PID 648 wrote to memory of 3016	648	z8875853.exe	85
PID 648 wrote to memory of 3016	648	z8875853.exe	85
PID 3016 wrote to memory of 2536	3016	z7775914.exe	86
PID 3016 wrote to memory of 2536	3016	z7775914.exe	86
PID 3016 wrote to memory of 3620	3016	z7775914.exe	92
PID 3016 wrote to memory of 3620	3016	z7775914.exe	92
PID 3016 wrote to memory of 3620	3016	z7775914.exe	92
PID 648 wrote to memory of 1348	648	z8875853.exe	95
PID 648 wrote to memory of 1348	648	z8875853.exe	95
PID 648 wrote to memory of 1348	648	z8875853.exe	95

C:\Users\Admin\AppData\Local\Temp\33de78450b55cd64ea95985048f05935d340106812884f607c04b2b6e4744da1.exe
"C:\Users\Admin\AppData\Local\Temp\33de78450b55cd64ea95985048f05935d340106812884f607c04b2b6e4744da1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5383946.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5383946.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4206184.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4206184.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8875853.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8875853.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7775914.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7775914.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0843623.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0843623.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6468693.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6468693.exe
        6⤵
        Executes dropped EXE
        
        PID:3620
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9083707.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9083707.exe
        5⤵
        Executes dropped EXE
        
        PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5383946.exe

Filesize
823KB

MD5
cfb3127e61a15674b8e5871cad42cc62

SHA1
bb47658ce89ae0e6d6e418da4c64663c8775337b

SHA256
602e8c820780dc29982beddf1ddf22dbaa0cb84a36607dc9fe333b88001477af

SHA512
007c832ca369ea2d177f56d75ad721abc84f109056fc144e56f62af430202cc3cb0586c254390bd0bca4d6dc1948a3dbfb7b7b55828b65ca556b956e8dae9a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5383946.exe

Filesize
823KB

MD5
cfb3127e61a15674b8e5871cad42cc62

SHA1
bb47658ce89ae0e6d6e418da4c64663c8775337b

SHA256
602e8c820780dc29982beddf1ddf22dbaa0cb84a36607dc9fe333b88001477af

SHA512
007c832ca369ea2d177f56d75ad721abc84f109056fc144e56f62af430202cc3cb0586c254390bd0bca4d6dc1948a3dbfb7b7b55828b65ca556b956e8dae9a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4206184.exe

Filesize
598KB

MD5
c0fd08a9109c1178fccf7adc8abeacf5

SHA1
2f75e6c3d693e23dc91b861fa586e8d98c76f790

SHA256
c3bb38b59165920c1a0d28ce8b9003beb142e8cf9640518910f08e87e038a5bb

SHA512
704b52c6753cf3987d1bcc5343058f2263f2e482c033a445fa9a0ff4064f43990f4bcead8ad6770edde13df446fcfaa7a3567351767ea6acaad541f1b4554783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4206184.exe

Filesize
598KB

MD5
c0fd08a9109c1178fccf7adc8abeacf5

SHA1
2f75e6c3d693e23dc91b861fa586e8d98c76f790

SHA256
c3bb38b59165920c1a0d28ce8b9003beb142e8cf9640518910f08e87e038a5bb

SHA512
704b52c6753cf3987d1bcc5343058f2263f2e482c033a445fa9a0ff4064f43990f4bcead8ad6770edde13df446fcfaa7a3567351767ea6acaad541f1b4554783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8875853.exe

Filesize
373KB

MD5
95e5b5c2a71051ea504f9cc7b29c671e

SHA1
5af475598ca6762271260362fa35a58344b6676c

SHA256
00644ed9ac871aa4114970a075cb4306a2dec07718f2d21fa11901e1067a2b62

SHA512
15ed3aeafc707c6bca32e8949a90abc124ec312cfcc5d191ca70904f213e52fc6fc5f24cfd88692a8c5a2e358d703f9cac587bd859426041cf773f7744db8e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8875853.exe

Filesize
373KB

MD5
95e5b5c2a71051ea504f9cc7b29c671e

SHA1
5af475598ca6762271260362fa35a58344b6676c

SHA256
00644ed9ac871aa4114970a075cb4306a2dec07718f2d21fa11901e1067a2b62

SHA512
15ed3aeafc707c6bca32e8949a90abc124ec312cfcc5d191ca70904f213e52fc6fc5f24cfd88692a8c5a2e358d703f9cac587bd859426041cf773f7744db8e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9083707.exe

Filesize
174KB

MD5
efe9150e92641c127441384fef59b0b1

SHA1
e99e0dafb609eefa888efaafe31883c522c9eded

SHA256
a35c08df54c7e9916406a56b883697f032e103b148bf99cbc5bef7b306a9c942

SHA512
04e3185b73df5663950a04394166fe0520259470f28b3490b76b41dd3efb5a224d950ca0196aba53a159e23e73c0cfa99ca9d68d9113a5584ee18115f987f8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9083707.exe

Filesize
174KB

MD5
efe9150e92641c127441384fef59b0b1

SHA1
e99e0dafb609eefa888efaafe31883c522c9eded

SHA256
a35c08df54c7e9916406a56b883697f032e103b148bf99cbc5bef7b306a9c942

SHA512
04e3185b73df5663950a04394166fe0520259470f28b3490b76b41dd3efb5a224d950ca0196aba53a159e23e73c0cfa99ca9d68d9113a5584ee18115f987f8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7775914.exe

Filesize
217KB

MD5
741a655b707c50f07a1faa9f18f58898

SHA1
0e3b59127970304824df287c02c7bc06f5da0a41

SHA256
4594431e49cde6807b01c118d28055ba570e80baaeb174d018387ce7051aa5ad

SHA512
fc7e22eae2bceaced01289e2345f7f8769a04124384caf0c0330f775aaaf6b8ff7bc7eb5af999983e1efad3ec838497d81efe139b60c5ede01257d225896c83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z7775914.exe

Filesize
217KB

MD5
741a655b707c50f07a1faa9f18f58898

SHA1
0e3b59127970304824df287c02c7bc06f5da0a41

SHA256
4594431e49cde6807b01c118d28055ba570e80baaeb174d018387ce7051aa5ad

SHA512
fc7e22eae2bceaced01289e2345f7f8769a04124384caf0c0330f775aaaf6b8ff7bc7eb5af999983e1efad3ec838497d81efe139b60c5ede01257d225896c83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0843623.exe

Filesize
14KB

MD5
6b9fdce6aa415decf5df22ac8ef7e462

SHA1
c42c413efb6a6d14ffe32578db5bb15ffc0947c3

SHA256
d6db5a1f3f8010157ea2faa4d5be264b3360160d25ea5bf95357d72fe0bd506a

SHA512
4f33faf08d156e5ab8bbf3976be123b5a1801a5c5afc5eeb7d092551db79fb85819e5b97986a752a2d5489dc1715ac47828f809046aef8adc5f5ebdd7d773786

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0843623.exe

Filesize
14KB

MD5
6b9fdce6aa415decf5df22ac8ef7e462

SHA1
c42c413efb6a6d14ffe32578db5bb15ffc0947c3

SHA256
d6db5a1f3f8010157ea2faa4d5be264b3360160d25ea5bf95357d72fe0bd506a

SHA512
4f33faf08d156e5ab8bbf3976be123b5a1801a5c5afc5eeb7d092551db79fb85819e5b97986a752a2d5489dc1715ac47828f809046aef8adc5f5ebdd7d773786

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6468693.exe

Filesize
140KB

MD5
29fc1820ee38d38c725be24af1ac132f

SHA1
3668e1a920b15ff3f93000db50237ab5ba512421

SHA256
7e2ad7e659aed31aaa00d430bfff2c82bcfa3222498dbd2006da74fa65ccd448

SHA512
00f3b8a66556440daeafbf66b148364e4204975372a90aed599b5d3b58956377610b25df7ba361b38271d5606e928eff05149798228606a5d4cffeee5f3ecfdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6468693.exe

Filesize
140KB

MD5
29fc1820ee38d38c725be24af1ac132f

SHA1
3668e1a920b15ff3f93000db50237ab5ba512421

SHA256
7e2ad7e659aed31aaa00d430bfff2c82bcfa3222498dbd2006da74fa65ccd448

SHA512
00f3b8a66556440daeafbf66b148364e4204975372a90aed599b5d3b58956377610b25df7ba361b38271d5606e928eff05149798228606a5d4cffeee5f3ecfdb

Download Submit
memory/1348-46-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/1348-45-0x0000000000B40000-0x0000000000B70000-memory.dmp

Filesize
192KB

Download
memory/1348-47-0x0000000005BE0000-0x00000000061F8000-memory.dmp

Filesize
6.1MB

Download
memory/1348-48-0x00000000056D0000-0x00000000057DA000-memory.dmp

Filesize
1.0MB

Download
memory/1348-50-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/1348-49-0x0000000005610000-0x0000000005622000-memory.dmp

Filesize
72KB

Download
memory/1348-51-0x0000000005670000-0x00000000056AC000-memory.dmp

Filesize
240KB

Download
memory/1348-52-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/1348-53-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/2536-41-0x00007FFC854D0000-0x00007FFC85F91000-memory.dmp

Filesize
10.8MB

Download
memory/2536-36-0x00007FFC854D0000-0x00007FFC85F91000-memory.dmp

Filesize
10.8MB

Download
memory/2536-35-0x0000000000280000-0x000000000028A000-memory.dmp

Filesize
40KB

Download