healer | c7bd256365e128658030f335b2109530424ba7faa9af637c3832de23560b6088

Analysis

max time kernel
145s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
25/08/2023, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7bd256365e128658030f335b2109530424ba7faa9af637c3832de23560b6088.exe
Size

930KB
MD5

f89b08478ee62add2b68364838edd1d8
SHA1

afbc5c8201ce4ec95a5332b61e6058b36c7a3eac
SHA256

c7bd256365e128658030f335b2109530424ba7faa9af637c3832de23560b6088
SHA512

8adbbdc2f1dfc31dc79e7c9a674cc10995e158e847656c687d218ec2a014a56bc9318b1dfefd85b62f49e6a1741a2b3dbf3e130fedfe8026d0c6f499b86ab956
SSDEEP

12288:OMrTy90w20/hfehqmvwNILdJObElTCmQR6k+Y57wvY8ApozWUGrc10vgqYgSFRrd:Ry3gEmEIm4TCmQRJjNafTgSFR07hsh

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afc1-33.dat	healer
behavioral1/files/0x000700000001afc1-34.dat	healer
behavioral1/memory/4460-35-0x0000000000570000-0x000000000057A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q8679008.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q8679008.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q8679008.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q8679008.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q8679008.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4864	z5400785.exe
4892	z4314817.exe
168	z2587599.exe
4996	z9122793.exe
4460	q8679008.exe
2472	r6382774.exe
4044	s3303651.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q8679008.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c7bd256365e128658030f335b2109530424ba7faa9af637c3832de23560b6088.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5400785.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4314817.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2587599.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9122793.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4460	q8679008.exe
4460	q8679008.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4460	q8679008.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 4864	2160	c7bd256365e128658030f335b2109530424ba7faa9af637c3832de23560b6088.exe	69
PID 2160 wrote to memory of 4864	2160	c7bd256365e128658030f335b2109530424ba7faa9af637c3832de23560b6088.exe	69
PID 2160 wrote to memory of 4864	2160	c7bd256365e128658030f335b2109530424ba7faa9af637c3832de23560b6088.exe	69
PID 4864 wrote to memory of 4892	4864	z5400785.exe	70
PID 4864 wrote to memory of 4892	4864	z5400785.exe	70
PID 4864 wrote to memory of 4892	4864	z5400785.exe	70
PID 4892 wrote to memory of 168	4892	z4314817.exe	71
PID 4892 wrote to memory of 168	4892	z4314817.exe	71
PID 4892 wrote to memory of 168	4892	z4314817.exe	71
PID 168 wrote to memory of 4996	168	z2587599.exe	72
PID 168 wrote to memory of 4996	168	z2587599.exe	72
PID 168 wrote to memory of 4996	168	z2587599.exe	72
PID 4996 wrote to memory of 4460	4996	z9122793.exe	73
PID 4996 wrote to memory of 4460	4996	z9122793.exe	73
PID 4996 wrote to memory of 2472	4996	z9122793.exe	74
PID 4996 wrote to memory of 2472	4996	z9122793.exe	74
PID 4996 wrote to memory of 2472	4996	z9122793.exe	74
PID 168 wrote to memory of 4044	168	z2587599.exe	75
PID 168 wrote to memory of 4044	168	z2587599.exe	75
PID 168 wrote to memory of 4044	168	z2587599.exe	75

C:\Users\Admin\AppData\Local\Temp\c7bd256365e128658030f335b2109530424ba7faa9af637c3832de23560b6088.exe
"C:\Users\Admin\AppData\Local\Temp\c7bd256365e128658030f335b2109530424ba7faa9af637c3832de23560b6088.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5400785.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5400785.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4314817.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4314817.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4892
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2587599.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2587599.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:168
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9122793.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9122793.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4996
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8679008.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8679008.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6382774.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6382774.exe
        6⤵
        Executes dropped EXE
        
        PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3303651.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3303651.exe
        5⤵
        Executes dropped EXE
        
        PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5400785.exe

Filesize
824KB

MD5
8fc41df4102f3f40733cda52f1dc2d80

SHA1
b7d5b61087d9d01a274bf3c312147395b4719b97

SHA256
03dc4bf306c39270fb203099ba3e3b6e6bbd839bae80012696d3b04a31633ea0

SHA512
432caebe9c0e414c20c0bdc8f8e4c74b2a1c10af6471beedeed6987ff212eca024d0703b8d23168bc19176baae73cb2b8d53dc118eb4ef23b99b6874aaf197cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5400785.exe

Filesize
824KB

MD5
8fc41df4102f3f40733cda52f1dc2d80

SHA1
b7d5b61087d9d01a274bf3c312147395b4719b97

SHA256
03dc4bf306c39270fb203099ba3e3b6e6bbd839bae80012696d3b04a31633ea0

SHA512
432caebe9c0e414c20c0bdc8f8e4c74b2a1c10af6471beedeed6987ff212eca024d0703b8d23168bc19176baae73cb2b8d53dc118eb4ef23b99b6874aaf197cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4314817.exe

Filesize
598KB

MD5
250c02b53d5200b47997b97ff4c71cb0

SHA1
92dea158d0aa5cdc3464180b13764b72ba9b0e54

SHA256
64529595a39369e58ec9b6fa4d68386da1f38eee7475f63f476631f4248f63c2

SHA512
659e2ff9c0899fd238ee6f1e7ab41db59f81ce5581440f468aa1bdb65080f05d30a44a6bba8c6ba607a1f011ab91a1a4b4de14f6619bbefdf37a4572a0bd8f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4314817.exe

Filesize
598KB

MD5
250c02b53d5200b47997b97ff4c71cb0

SHA1
92dea158d0aa5cdc3464180b13764b72ba9b0e54

SHA256
64529595a39369e58ec9b6fa4d68386da1f38eee7475f63f476631f4248f63c2

SHA512
659e2ff9c0899fd238ee6f1e7ab41db59f81ce5581440f468aa1bdb65080f05d30a44a6bba8c6ba607a1f011ab91a1a4b4de14f6619bbefdf37a4572a0bd8f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2587599.exe

Filesize
372KB

MD5
5d3dcf7bbed518871148923cd8294168

SHA1
4af5e495bdc0abd2619632c70460fb1fc91a1c8a

SHA256
785c13f581b565160cb03fd05c5a8f07bee0f8771b659bf5b321661ed730b385

SHA512
c0d590eac3184ce7e3646a9a43911820ca67cbdcdacbd009b51d9ac6c138addaef0220b26ef0da071031d76bdc29e16615529dcdfbbe0c5a53272b8173099b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2587599.exe

Filesize
372KB

MD5
5d3dcf7bbed518871148923cd8294168

SHA1
4af5e495bdc0abd2619632c70460fb1fc91a1c8a

SHA256
785c13f581b565160cb03fd05c5a8f07bee0f8771b659bf5b321661ed730b385

SHA512
c0d590eac3184ce7e3646a9a43911820ca67cbdcdacbd009b51d9ac6c138addaef0220b26ef0da071031d76bdc29e16615529dcdfbbe0c5a53272b8173099b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3303651.exe

Filesize
174KB

MD5
42759d3a15a7d67c01aa0370d51b74d7

SHA1
227f3cc69883745f5a56798cd5b6f659f64a1dc3

SHA256
2a3e7030cafd441cc19bd8a351a0d6f63ba570aca7d53f0ea203a90ae763d5c0

SHA512
ea33775fdc927be1e8a5acf4f23c9eb3dbb4a49ef74d582a300de800a6fee8cb15f420bac492e10c99f1b5c23251b42819ee39885efecaf89f265690397c4f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3303651.exe

Filesize
174KB

MD5
42759d3a15a7d67c01aa0370d51b74d7

SHA1
227f3cc69883745f5a56798cd5b6f659f64a1dc3

SHA256
2a3e7030cafd441cc19bd8a351a0d6f63ba570aca7d53f0ea203a90ae763d5c0

SHA512
ea33775fdc927be1e8a5acf4f23c9eb3dbb4a49ef74d582a300de800a6fee8cb15f420bac492e10c99f1b5c23251b42819ee39885efecaf89f265690397c4f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9122793.exe

Filesize
216KB

MD5
b0db94902d9b63ecef0ac33ac529329c

SHA1
80fbe41edb73ea3a5c684759e400bbceb0930557

SHA256
2ea9fe98f7c46fe61907ebda02a6cbea46dfdd5ca2588fdde11155edfc2775b8

SHA512
3b597a0ae509164eeda6eba1cff9b90e24f6c34ed4b3db5c99c859638c4ca718836ac870efd627caa93c0b60a4d7e6b776855a65d8c22755a091a9f184e900dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9122793.exe

Filesize
216KB

MD5
b0db94902d9b63ecef0ac33ac529329c

SHA1
80fbe41edb73ea3a5c684759e400bbceb0930557

SHA256
2ea9fe98f7c46fe61907ebda02a6cbea46dfdd5ca2588fdde11155edfc2775b8

SHA512
3b597a0ae509164eeda6eba1cff9b90e24f6c34ed4b3db5c99c859638c4ca718836ac870efd627caa93c0b60a4d7e6b776855a65d8c22755a091a9f184e900dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8679008.exe

Filesize
14KB

MD5
de6cc7eb84a81a0348cc037ff8d115b1

SHA1
dec4f4e390386127518a51e4eb2fa060025640fe

SHA256
1de0225476d83b858c19bfbf890f2b5c53279634b70cde6c18860fc52fb7f8ab

SHA512
8e4600c5d036c404c249da24e833d0188d33417c7399702e16a22befeae394111ad05414f69164f57192f25cc47d5729e53a807448e8b238f2b2b194b5d861fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8679008.exe

Filesize
14KB

MD5
de6cc7eb84a81a0348cc037ff8d115b1

SHA1
dec4f4e390386127518a51e4eb2fa060025640fe

SHA256
1de0225476d83b858c19bfbf890f2b5c53279634b70cde6c18860fc52fb7f8ab

SHA512
8e4600c5d036c404c249da24e833d0188d33417c7399702e16a22befeae394111ad05414f69164f57192f25cc47d5729e53a807448e8b238f2b2b194b5d861fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6382774.exe

Filesize
140KB

MD5
0c9f07c05fa52a5533a901ce47f86cb2

SHA1
1f430747037c8ee90579491f9186ed5ca5e4c89a

SHA256
9783bcb3e07ecae04911149795a1dc75265dc77238095e119067d02cccb652d7

SHA512
10a9e36d31c0b091e527a50f1393622f169691ddcfd6b37015dce1d608c10b504f4f70322ad11d2cf3083a9bd798d9f14a759684fff4bb934f0634cb1fbfaff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r6382774.exe

Filesize
140KB

MD5
0c9f07c05fa52a5533a901ce47f86cb2

SHA1
1f430747037c8ee90579491f9186ed5ca5e4c89a

SHA256
9783bcb3e07ecae04911149795a1dc75265dc77238095e119067d02cccb652d7

SHA512
10a9e36d31c0b091e527a50f1393622f169691ddcfd6b37015dce1d608c10b504f4f70322ad11d2cf3083a9bd798d9f14a759684fff4bb934f0634cb1fbfaff2

Download Submit
memory/4044-46-0x0000000072C30000-0x000000007331E000-memory.dmp

Filesize
6.9MB

Download
memory/4044-45-0x0000000000DE0000-0x0000000000E10000-memory.dmp

Filesize
192KB

Download
memory/4044-47-0x00000000056A0000-0x00000000056A6000-memory.dmp

Filesize
24KB

Download
memory/4044-48-0x000000000B110000-0x000000000B716000-memory.dmp

Filesize
6.0MB

Download
memory/4044-49-0x000000000AC10000-0x000000000AD1A000-memory.dmp

Filesize
1.0MB

Download
memory/4044-50-0x000000000AB20000-0x000000000AB32000-memory.dmp

Filesize
72KB

Download
memory/4044-51-0x000000000AB80000-0x000000000ABBE000-memory.dmp

Filesize
248KB

Download
memory/4044-52-0x000000000AD20000-0x000000000AD6B000-memory.dmp

Filesize
300KB

Download
memory/4044-53-0x0000000072C30000-0x000000007331E000-memory.dmp

Filesize
6.9MB

Download
memory/4460-38-0x00007FFCA4B50000-0x00007FFCA553C000-memory.dmp

Filesize
9.9MB

Download
memory/4460-36-0x00007FFCA4B50000-0x00007FFCA553C000-memory.dmp

Filesize
9.9MB

Download
memory/4460-35-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download