healer | 9b7c0e860c482a385a5be361a21fe9d9e0397ef62eb669fe0742763c0342893a

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2023 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b7c0e860c482a385a5be361a21fe9d9e0397ef62eb669fe0742763c0342893a.exe
Size

829KB
MD5

e9a731ac3c9ff3f4df6d430f0b8097d6
SHA1

02adc66cfdf517bad1e3c50557f3cfa4c264dcf8
SHA256

9b7c0e860c482a385a5be361a21fe9d9e0397ef62eb669fe0742763c0342893a
SHA512

eaaf1674e03619156c04f60c881cec3e7d6d916027482155dea1f742ffa96f408998a4e0db6d531724899fa72d55e23d4321af893129a40b4073bc402c4969be
SSDEEP

12288:5MrIy90OWKVDwlXgjyqvFP1RjfheEHu7gt79n13T25Crrrl8v69:hy/VDetqn1hLu7gR3Hra69

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000231e9-33.dat	healer
behavioral1/files/0x00080000000231e9-34.dat	healer
behavioral1/memory/2968-35-0x0000000000960000-0x000000000096A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9583215.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9583215.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9583215.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9583215.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9583215.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9583215.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3684	v5103805.exe
3060	v5891964.exe
1924	v1155078.exe
3496	v1057549.exe
2968	a9583215.exe
3256	b9532621.exe
792	c2475814.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9583215.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b7c0e860c482a385a5be361a21fe9d9e0397ef62eb669fe0742763c0342893a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5103805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5891964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1155078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1057549.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	a9583215.exe
2968	a9583215.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	a9583215.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 3684	5024	9b7c0e860c482a385a5be361a21fe9d9e0397ef62eb669fe0742763c0342893a.exe	81
PID 5024 wrote to memory of 3684	5024	9b7c0e860c482a385a5be361a21fe9d9e0397ef62eb669fe0742763c0342893a.exe	81
PID 5024 wrote to memory of 3684	5024	9b7c0e860c482a385a5be361a21fe9d9e0397ef62eb669fe0742763c0342893a.exe	81
PID 3684 wrote to memory of 3060	3684	v5103805.exe	82
PID 3684 wrote to memory of 3060	3684	v5103805.exe	82
PID 3684 wrote to memory of 3060	3684	v5103805.exe	82
PID 3060 wrote to memory of 1924	3060	v5891964.exe	83
PID 3060 wrote to memory of 1924	3060	v5891964.exe	83
PID 3060 wrote to memory of 1924	3060	v5891964.exe	83
PID 1924 wrote to memory of 3496	1924	v1155078.exe	84
PID 1924 wrote to memory of 3496	1924	v1155078.exe	84
PID 1924 wrote to memory of 3496	1924	v1155078.exe	84
PID 3496 wrote to memory of 2968	3496	v1057549.exe	85
PID 3496 wrote to memory of 2968	3496	v1057549.exe	85
PID 3496 wrote to memory of 3256	3496	v1057549.exe	90
PID 3496 wrote to memory of 3256	3496	v1057549.exe	90
PID 3496 wrote to memory of 3256	3496	v1057549.exe	90
PID 1924 wrote to memory of 792	1924	v1155078.exe	91
PID 1924 wrote to memory of 792	1924	v1155078.exe	91
PID 1924 wrote to memory of 792	1924	v1155078.exe	91

C:\Users\Admin\AppData\Local\Temp\9b7c0e860c482a385a5be361a21fe9d9e0397ef62eb669fe0742763c0342893a.exe
"C:\Users\Admin\AppData\Local\Temp\9b7c0e860c482a385a5be361a21fe9d9e0397ef62eb669fe0742763c0342893a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5103805.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5103805.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5891964.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5891964.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1155078.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1155078.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1924
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1057549.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1057549.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3496
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9583215.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9583215.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9532621.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9532621.exe
        6⤵
        Executes dropped EXE
        
        PID:3256
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2475814.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2475814.exe
        5⤵
        Executes dropped EXE
        
        PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5103805.exe

Filesize
723KB

MD5
aeef5cb240563d1772e15d68f61e4f41

SHA1
4d37e7b0b5c6b68628348f924a83f4769882b3f6

SHA256
13260558b0ff79ae88eb8d98d6d772f8481ab3396a5ee45a873d811bf1cf61dc

SHA512
582a73f1531414fea4828134f083e87165fcd3213591d7e5c0c0e0167c6d0f09cc44f26ad7ee3b5a1a82f8684d9aeb2cc3d620b516ab3ef7878bd56341d5f234

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5103805.exe

Filesize
723KB

MD5
aeef5cb240563d1772e15d68f61e4f41

SHA1
4d37e7b0b5c6b68628348f924a83f4769882b3f6

SHA256
13260558b0ff79ae88eb8d98d6d772f8481ab3396a5ee45a873d811bf1cf61dc

SHA512
582a73f1531414fea4828134f083e87165fcd3213591d7e5c0c0e0167c6d0f09cc44f26ad7ee3b5a1a82f8684d9aeb2cc3d620b516ab3ef7878bd56341d5f234

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5891964.exe

Filesize
497KB

MD5
bb64f910c2b233f7c8f446027378962e

SHA1
8638a38270368d14198e7182f9ea38cb6d8d8f8c

SHA256
0e96e8a11f58992bf15666b2ca2f18d67467450413ac399f1c5124c63509666e

SHA512
0578dd2dfea2ada3949f7e4083b61d1176466fd389961c2b66e2842e80e01f36585d510fc61ebb29441c823f97a64468335e7ce69e908476109e8b206d76beca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5891964.exe

Filesize
497KB

MD5
bb64f910c2b233f7c8f446027378962e

SHA1
8638a38270368d14198e7182f9ea38cb6d8d8f8c

SHA256
0e96e8a11f58992bf15666b2ca2f18d67467450413ac399f1c5124c63509666e

SHA512
0578dd2dfea2ada3949f7e4083b61d1176466fd389961c2b66e2842e80e01f36585d510fc61ebb29441c823f97a64468335e7ce69e908476109e8b206d76beca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1155078.exe

Filesize
372KB

MD5
9b0faba192cd61d50ceaa5060d79f1f8

SHA1
dd15e32703a000a2a9a4793b5e19b2e7e93429fc

SHA256
8ace38b13555223a035cc061fe9ffeed969d34b51da5bfc03115f14231b66261

SHA512
b1ce24b084e3a29bb0875a33a953e8341a296238e29058151009f807f61997c7db2b51c0fc686d305f35238a70f6823cf7096eb2ad9c700ab0c5f6d1fde93dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1155078.exe

Filesize
372KB

MD5
9b0faba192cd61d50ceaa5060d79f1f8

SHA1
dd15e32703a000a2a9a4793b5e19b2e7e93429fc

SHA256
8ace38b13555223a035cc061fe9ffeed969d34b51da5bfc03115f14231b66261

SHA512
b1ce24b084e3a29bb0875a33a953e8341a296238e29058151009f807f61997c7db2b51c0fc686d305f35238a70f6823cf7096eb2ad9c700ab0c5f6d1fde93dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2475814.exe

Filesize
174KB

MD5
4072a7d7d1aa8169539e3acfbc3c4899

SHA1
20fb4e49ccb9b7491d9e2e468804b3f3302fb9b8

SHA256
e48b193f157c9e1a276938a362f7524776188cf6457c442a34a75236029d7b46

SHA512
9fe221e4b3eb65f383f557e442b3a67da5ec11bc9929d969327881b6e51e22c386de373d13c2de26779132ec0fc28d5d2627a0a6bf94b6c8bec850298d8b1bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2475814.exe

Filesize
174KB

MD5
4072a7d7d1aa8169539e3acfbc3c4899

SHA1
20fb4e49ccb9b7491d9e2e468804b3f3302fb9b8

SHA256
e48b193f157c9e1a276938a362f7524776188cf6457c442a34a75236029d7b46

SHA512
9fe221e4b3eb65f383f557e442b3a67da5ec11bc9929d969327881b6e51e22c386de373d13c2de26779132ec0fc28d5d2627a0a6bf94b6c8bec850298d8b1bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1057549.exe

Filesize
216KB

MD5
8afd8de4ed5a0018fad06243d8dad49d

SHA1
e513080c819ceb64a531981423ae402071788bd6

SHA256
63c79afabcc3abf8885810ddd3eba8e3a5aa924b4def19ee966cca4ef806ba9d

SHA512
51ef2e4c808115f7fdcdc88b12c97cd4d8519833c2f9c4dd8d6051c08a07a3a9c15bb4b05a4e3bfdb4672edb7614d72444367abe4e381c3b80e076cf2e768156

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1057549.exe

Filesize
216KB

MD5
8afd8de4ed5a0018fad06243d8dad49d

SHA1
e513080c819ceb64a531981423ae402071788bd6

SHA256
63c79afabcc3abf8885810ddd3eba8e3a5aa924b4def19ee966cca4ef806ba9d

SHA512
51ef2e4c808115f7fdcdc88b12c97cd4d8519833c2f9c4dd8d6051c08a07a3a9c15bb4b05a4e3bfdb4672edb7614d72444367abe4e381c3b80e076cf2e768156

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9583215.exe

Filesize
14KB

MD5
1b7fff2111bd79ea5f9cc9da098e184c

SHA1
50fc0793cfc437db9ce3b1571eaea72587070bfc

SHA256
56a9bcb5588d758b539ee969e4d6a2ca2fc9e2765ffc78cbf7a891f08f0cdbae

SHA512
8507cf806c98e98b44a4d9fa12e341fe6b27340077d5aaa2aff6451802d0288ad40d6e848d4ee311d3b8bcbadc0aed6634fb2818736fae11825159299a324a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9583215.exe

Filesize
14KB

MD5
1b7fff2111bd79ea5f9cc9da098e184c

SHA1
50fc0793cfc437db9ce3b1571eaea72587070bfc

SHA256
56a9bcb5588d758b539ee969e4d6a2ca2fc9e2765ffc78cbf7a891f08f0cdbae

SHA512
8507cf806c98e98b44a4d9fa12e341fe6b27340077d5aaa2aff6451802d0288ad40d6e848d4ee311d3b8bcbadc0aed6634fb2818736fae11825159299a324a43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9532621.exe

Filesize
140KB

MD5
72f953808f329d3b5463b5dfe28f35a6

SHA1
87f60a2e76dab7ed0b50fadc75bcc9621adb58b6

SHA256
3000669dfb8d911d0bd15b69481f40509701114166bb591d5eaffd5c3da6f1df

SHA512
30888707edace32a61f8f9524b1cb4fdf79df6a2ea843f4db1020334f1360a22ced91592a0a891061c899ceff17e66a047a949bdd819071aa98763cc487db16b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9532621.exe

Filesize
140KB

MD5
72f953808f329d3b5463b5dfe28f35a6

SHA1
87f60a2e76dab7ed0b50fadc75bcc9621adb58b6

SHA256
3000669dfb8d911d0bd15b69481f40509701114166bb591d5eaffd5c3da6f1df

SHA512
30888707edace32a61f8f9524b1cb4fdf79df6a2ea843f4db1020334f1360a22ced91592a0a891061c899ceff17e66a047a949bdd819071aa98763cc487db16b

Download Submit
memory/792-45-0x0000000000A80000-0x0000000000AB0000-memory.dmp

Filesize
192KB

Download
memory/792-46-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/792-47-0x000000000AEB0000-0x000000000B4C8000-memory.dmp

Filesize
6.1MB

Download
memory/792-48-0x000000000AA30000-0x000000000AB3A000-memory.dmp

Filesize
1.0MB

Download
memory/792-49-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/792-50-0x000000000A970000-0x000000000A982000-memory.dmp

Filesize
72KB

Download
memory/792-51-0x000000000A9D0000-0x000000000AA0C000-memory.dmp

Filesize
240KB

Download
memory/792-52-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/792-53-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/2968-38-0x00007FFC75D80000-0x00007FFC76841000-memory.dmp

Filesize
10.8MB

Download
memory/2968-36-0x00007FFC75D80000-0x00007FFC76841000-memory.dmp

Filesize
10.8MB

Download
memory/2968-35-0x0000000000960000-0x000000000096A000-memory.dmp

Filesize
40KB

Download