healer | 4fef7cdcb8ff16a7e2ac11233d1cbe2bc8ac878bf8a115ab38d65b9a950fdf77

Analysis

max time kernel
139s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fef7cdcb8ff16a7e2ac11233d1cbe2bc8ac878bf8a115ab38d65b9a950fdf77.exe
Size

828KB
MD5

03e8ec50ad87d56dfe97d70452bd4a49
SHA1

4edd65cc2c1b0507f391d2cf70bc0377468c11dc
SHA256

4fef7cdcb8ff16a7e2ac11233d1cbe2bc8ac878bf8a115ab38d65b9a950fdf77
SHA512

6f3c9901e040efb07078317def923796adc736e1a967f81e9d73b158461172fad8069b8fab4d5456123a33243146f60ad163d6f260685af85b1a3eb997eda6ed
SSDEEP

12288:SMriy90+TmLaUZq4IZErbP0HjBLlAlMCv6u1jFbK8HUS8q3sftvIlsmk9FsBHK:syzTmL3eZEHcdlAi+B1jBHUSH3ssdk3

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023018-33.dat	healer
behavioral1/files/0x0007000000023018-34.dat	healer
behavioral1/memory/656-35-0x0000000000A20000-0x0000000000A2A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7480649.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7480649.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7480649.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7480649.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7480649.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7480649.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3804	v1147514.exe
3680	v2990095.exe
3304	v3277398.exe
1748	v3520051.exe
656	a7480649.exe
1276	b3168968.exe
4804	c8528927.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7480649.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4fef7cdcb8ff16a7e2ac11233d1cbe2bc8ac878bf8a115ab38d65b9a950fdf77.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1147514.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2990095.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3277398.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3520051.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
656	a7480649.exe
656	a7480649.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	656	a7480649.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 3804	4484	4fef7cdcb8ff16a7e2ac11233d1cbe2bc8ac878bf8a115ab38d65b9a950fdf77.exe	84
PID 4484 wrote to memory of 3804	4484	4fef7cdcb8ff16a7e2ac11233d1cbe2bc8ac878bf8a115ab38d65b9a950fdf77.exe	84
PID 4484 wrote to memory of 3804	4484	4fef7cdcb8ff16a7e2ac11233d1cbe2bc8ac878bf8a115ab38d65b9a950fdf77.exe	84
PID 3804 wrote to memory of 3680	3804	v1147514.exe	86
PID 3804 wrote to memory of 3680	3804	v1147514.exe	86
PID 3804 wrote to memory of 3680	3804	v1147514.exe	86
PID 3680 wrote to memory of 3304	3680	v2990095.exe	87
PID 3680 wrote to memory of 3304	3680	v2990095.exe	87
PID 3680 wrote to memory of 3304	3680	v2990095.exe	87
PID 3304 wrote to memory of 1748	3304	v3277398.exe	88
PID 3304 wrote to memory of 1748	3304	v3277398.exe	88
PID 3304 wrote to memory of 1748	3304	v3277398.exe	88
PID 1748 wrote to memory of 656	1748	v3520051.exe	89
PID 1748 wrote to memory of 656	1748	v3520051.exe	89
PID 1748 wrote to memory of 1276	1748	v3520051.exe	91
PID 1748 wrote to memory of 1276	1748	v3520051.exe	91
PID 1748 wrote to memory of 1276	1748	v3520051.exe	91
PID 3304 wrote to memory of 4804	3304	v3277398.exe	92
PID 3304 wrote to memory of 4804	3304	v3277398.exe	92
PID 3304 wrote to memory of 4804	3304	v3277398.exe	92

C:\Users\Admin\AppData\Local\Temp\4fef7cdcb8ff16a7e2ac11233d1cbe2bc8ac878bf8a115ab38d65b9a950fdf77.exe
"C:\Users\Admin\AppData\Local\Temp\4fef7cdcb8ff16a7e2ac11233d1cbe2bc8ac878bf8a115ab38d65b9a950fdf77.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1147514.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1147514.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2990095.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2990095.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3277398.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3277398.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3520051.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3520051.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7480649.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7480649.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3168968.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3168968.exe
        6⤵
        Executes dropped EXE
        
        PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8528927.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8528927.exe
        5⤵
        Executes dropped EXE
        
        PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1147514.exe

Filesize
723KB

MD5
b2ff1148a161f5a7a0fcea1ec33dde1a

SHA1
59ffd69cae41ff11fc65809937a685ea4bf83e96

SHA256
54d13033aeb248d454544ca7d4dc03033acc44713fe3c8aa1cbc5b4f504966e3

SHA512
c0919f8dc4237c7fe4cd36822c1ea51842a9f2fc71f822fc4d4a7f75b2677fdc7dea7470fa78f5469a5420d023ddcaaf48da88db7ac74fb22b2b0cb0e0f138d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1147514.exe

Filesize
723KB

MD5
b2ff1148a161f5a7a0fcea1ec33dde1a

SHA1
59ffd69cae41ff11fc65809937a685ea4bf83e96

SHA256
54d13033aeb248d454544ca7d4dc03033acc44713fe3c8aa1cbc5b4f504966e3

SHA512
c0919f8dc4237c7fe4cd36822c1ea51842a9f2fc71f822fc4d4a7f75b2677fdc7dea7470fa78f5469a5420d023ddcaaf48da88db7ac74fb22b2b0cb0e0f138d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2990095.exe

Filesize
497KB

MD5
fbae2ea482010b3a70787ed95e6a226b

SHA1
3a4d95bd1b0419a0856e4aa5583fcd8eff1d9819

SHA256
7cf82f4cd0722ca7e53bd0ae8cffe87f348278f705080b6e6c0276703290ee34

SHA512
f639b74677f91707c652ef3ae1920060b5d1f15b0224be21d2e89adb7663addd308b7e084dff7d78ea69e1f12ddf98f67d36ef8c212cc1e9c5132ab325ab7c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2990095.exe

Filesize
497KB

MD5
fbae2ea482010b3a70787ed95e6a226b

SHA1
3a4d95bd1b0419a0856e4aa5583fcd8eff1d9819

SHA256
7cf82f4cd0722ca7e53bd0ae8cffe87f348278f705080b6e6c0276703290ee34

SHA512
f639b74677f91707c652ef3ae1920060b5d1f15b0224be21d2e89adb7663addd308b7e084dff7d78ea69e1f12ddf98f67d36ef8c212cc1e9c5132ab325ab7c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3277398.exe

Filesize
372KB

MD5
675246a57c94692c160cf43003240a7a

SHA1
a7a30cd691e1d80161812979067f629c4f1164db

SHA256
bb7d4ed4a5e507fec22a91c682e4cdf1399768b069eec132a4b5cc0ea1f04b61

SHA512
571bb3b04ee47bb2606f3e1cb845bae64b06794bdcf1229cbec6b1bc1d0642707771329e524c18c91259a4f8c8c10c3cfd6d6552e51fc466af50567cf3c89b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3277398.exe

Filesize
372KB

MD5
675246a57c94692c160cf43003240a7a

SHA1
a7a30cd691e1d80161812979067f629c4f1164db

SHA256
bb7d4ed4a5e507fec22a91c682e4cdf1399768b069eec132a4b5cc0ea1f04b61

SHA512
571bb3b04ee47bb2606f3e1cb845bae64b06794bdcf1229cbec6b1bc1d0642707771329e524c18c91259a4f8c8c10c3cfd6d6552e51fc466af50567cf3c89b28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8528927.exe

Filesize
174KB

MD5
1b157dfe67db046097411867a3cc31d8

SHA1
875b9098265dd9a62be65d44e314774932c16f81

SHA256
cd2243ec4821e2c42146dd9c3a9ec4d41ff3a072498ba845e4669ba191075e10

SHA512
bf23695f64cf320f3b5fabb161e5760b5aeed80d1490d5e5a2345b15ed7f9c9a91e9e937abce74d61c823a2253c97bb876cf73cbff1eb73b448788b7d814b034

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8528927.exe

Filesize
174KB

MD5
1b157dfe67db046097411867a3cc31d8

SHA1
875b9098265dd9a62be65d44e314774932c16f81

SHA256
cd2243ec4821e2c42146dd9c3a9ec4d41ff3a072498ba845e4669ba191075e10

SHA512
bf23695f64cf320f3b5fabb161e5760b5aeed80d1490d5e5a2345b15ed7f9c9a91e9e937abce74d61c823a2253c97bb876cf73cbff1eb73b448788b7d814b034

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3520051.exe

Filesize
217KB

MD5
4aba7e5ce766f04d0da502278a80ac60

SHA1
8d91627111583e71263abd648a417f6bdeb66d72

SHA256
c6b8dedc2cec14ed0968e4a96e5167189a992f0740c57a2f0ab518f8352b88c1

SHA512
dbeba2f792f2af0a7281403699e281402e9da33940e7ac1ff940d628fb6affa44e1c40d54184472f86c00db863a6b30fde62b6c35a530502f566992340ec79a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3520051.exe

Filesize
217KB

MD5
4aba7e5ce766f04d0da502278a80ac60

SHA1
8d91627111583e71263abd648a417f6bdeb66d72

SHA256
c6b8dedc2cec14ed0968e4a96e5167189a992f0740c57a2f0ab518f8352b88c1

SHA512
dbeba2f792f2af0a7281403699e281402e9da33940e7ac1ff940d628fb6affa44e1c40d54184472f86c00db863a6b30fde62b6c35a530502f566992340ec79a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7480649.exe

Filesize
14KB

MD5
55006ea1d7bf8d234db794c0914c09b7

SHA1
1d7c9cfb2a16d07df0afa427375761178bb01cf4

SHA256
d2a027beac900de32880f50dd33fdec63f4ef54a20b058a6697fc691297d2ff1

SHA512
8f7c686fd8d88832ad10df7a7f4b48a42b9fa9a78fc62263ee27c0556e9958f45734cbe484aad3c070a55697cc53311f26e653c9cc4fcded45d65956603ba92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7480649.exe

Filesize
14KB

MD5
55006ea1d7bf8d234db794c0914c09b7

SHA1
1d7c9cfb2a16d07df0afa427375761178bb01cf4

SHA256
d2a027beac900de32880f50dd33fdec63f4ef54a20b058a6697fc691297d2ff1

SHA512
8f7c686fd8d88832ad10df7a7f4b48a42b9fa9a78fc62263ee27c0556e9958f45734cbe484aad3c070a55697cc53311f26e653c9cc4fcded45d65956603ba92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3168968.exe

Filesize
140KB

MD5
5fae4c2f17e1964524de82cdada06f09

SHA1
0a12c163c44fba2437ad648947453feb0b820148

SHA256
4e14d5ec9c4c20f1ecf17fb61ebc315f5bb50d29d767b96287585f4a833677f6

SHA512
ea4ef89d98915688f6d732003f61cfe2e95da2ba7aa5451a25af43ef30bb3c44ce8f90d5d4d46b260201d0b886c18d44eaad684b5fac4bc0a69b877ba91f8b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3168968.exe

Filesize
140KB

MD5
5fae4c2f17e1964524de82cdada06f09

SHA1
0a12c163c44fba2437ad648947453feb0b820148

SHA256
4e14d5ec9c4c20f1ecf17fb61ebc315f5bb50d29d767b96287585f4a833677f6

SHA512
ea4ef89d98915688f6d732003f61cfe2e95da2ba7aa5451a25af43ef30bb3c44ce8f90d5d4d46b260201d0b886c18d44eaad684b5fac4bc0a69b877ba91f8b39

Download Submit
memory/656-37-0x00007FFA426B0000-0x00007FFA43171000-memory.dmp

Filesize
10.8MB

Download
memory/656-39-0x00007FFA426B0000-0x00007FFA43171000-memory.dmp

Filesize
10.8MB

Download
memory/656-36-0x00007FFA426B0000-0x00007FFA43171000-memory.dmp

Filesize
10.8MB

Download
memory/656-35-0x0000000000A20000-0x0000000000A2A000-memory.dmp

Filesize
40KB

Download
memory/4804-46-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/4804-47-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download
memory/4804-48-0x0000000005610000-0x0000000005C28000-memory.dmp

Filesize
6.1MB

Download
memory/4804-49-0x0000000005100000-0x000000000520A000-memory.dmp

Filesize
1.0MB

Download
memory/4804-51-0x0000000004EF0000-0x0000000004F02000-memory.dmp

Filesize
72KB

Download
memory/4804-50-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download
memory/4804-52-0x0000000004F50000-0x0000000004F8C000-memory.dmp

Filesize
240KB

Download
memory/4804-53-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/4804-54-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

Filesize
64KB

Download