healer | fe7bb0521aa20a9b28bcf13e7d828424cfaa30fd32da85b759c82f183bcd0224

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2023, 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe7bb0521aa20a9b28bcf13e7d828424cfaa30fd32da85b759c82f183bcd0224.exe
Size

827KB
MD5

03545f263bead65039a6afd93ee8f16a
SHA1

8a04a648f8c92ab6b377c9d6763dbbdc39ac32ef
SHA256

fe7bb0521aa20a9b28bcf13e7d828424cfaa30fd32da85b759c82f183bcd0224
SHA512

bfd79439bc2a38bf63d1bd851e43346f34335c8e2448a6d74cf0284080a1ffba44e18a40dc8f0cb8eff49be2889371c22042d2c2d6dadbd68e22e7461efb353b
SSDEEP

24576:xyuTBaKOoEx4EtIVGIyIqBgrRTKmcAWzK7ULg:kaaPoEx4EtIV8FBupDWrL

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002323d-33.dat	healer
behavioral1/files/0x000700000002323d-34.dat	healer
behavioral1/memory/4100-35-0x0000000000EA0000-0x0000000000EAA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0792519.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0792519.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0792519.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0792519.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0792519.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0792519.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2448	v9473435.exe
3796	v7555230.exe
1804	v3320745.exe
1436	v4171806.exe
4100	a0792519.exe
820	b9474784.exe
1456	c8771721.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0792519.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fe7bb0521aa20a9b28bcf13e7d828424cfaa30fd32da85b759c82f183bcd0224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9473435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7555230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3320745.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4171806.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2304	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4100	a0792519.exe
4100	a0792519.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	a0792519.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 2448	1800	fe7bb0521aa20a9b28bcf13e7d828424cfaa30fd32da85b759c82f183bcd0224.exe	83
PID 1800 wrote to memory of 2448	1800	fe7bb0521aa20a9b28bcf13e7d828424cfaa30fd32da85b759c82f183bcd0224.exe	83
PID 1800 wrote to memory of 2448	1800	fe7bb0521aa20a9b28bcf13e7d828424cfaa30fd32da85b759c82f183bcd0224.exe	83
PID 2448 wrote to memory of 3796	2448	v9473435.exe	84
PID 2448 wrote to memory of 3796	2448	v9473435.exe	84
PID 2448 wrote to memory of 3796	2448	v9473435.exe	84
PID 3796 wrote to memory of 1804	3796	v7555230.exe	85
PID 3796 wrote to memory of 1804	3796	v7555230.exe	85
PID 3796 wrote to memory of 1804	3796	v7555230.exe	85
PID 1804 wrote to memory of 1436	1804	v3320745.exe	86
PID 1804 wrote to memory of 1436	1804	v3320745.exe	86
PID 1804 wrote to memory of 1436	1804	v3320745.exe	86
PID 1436 wrote to memory of 4100	1436	v4171806.exe	87
PID 1436 wrote to memory of 4100	1436	v4171806.exe	87
PID 1436 wrote to memory of 820	1436	v4171806.exe	92
PID 1436 wrote to memory of 820	1436	v4171806.exe	92
PID 1436 wrote to memory of 820	1436	v4171806.exe	92
PID 1804 wrote to memory of 1456	1804	v3320745.exe	93
PID 1804 wrote to memory of 1456	1804	v3320745.exe	93
PID 1804 wrote to memory of 1456	1804	v3320745.exe	93

C:\Users\Admin\AppData\Local\Temp\fe7bb0521aa20a9b28bcf13e7d828424cfaa30fd32da85b759c82f183bcd0224.exe
"C:\Users\Admin\AppData\Local\Temp\fe7bb0521aa20a9b28bcf13e7d828424cfaa30fd32da85b759c82f183bcd0224.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9473435.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9473435.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7555230.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7555230.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3796
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3320745.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3320745.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1804
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4171806.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4171806.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1436
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0792519.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0792519.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9474784.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9474784.exe
        6⤵
        Executes dropped EXE
        
        PID:820
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8771721.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8771721.exe
        5⤵
        Executes dropped EXE
        
        PID:1456

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9473435.exe

Filesize
723KB

MD5
a3c99f8349051ec7aab630d145c0cb35

SHA1
0d16ded3db4b3c424460c687cb8e9744664c58f9

SHA256
9d3dd2f9cbf8ea00f34523bc13b9b1ad531e6bccc5a3cf5a3d76b3929fc0301d

SHA512
ba15bef78794a3a35b20ed1fefbd366f43a7fd6a1d1556970c75089dbb896fecb15e9f02c06902e74479fcf6d5ad1020f4afd957040ae1132f49ecb9e43fd738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9473435.exe

Filesize
723KB

MD5
a3c99f8349051ec7aab630d145c0cb35

SHA1
0d16ded3db4b3c424460c687cb8e9744664c58f9

SHA256
9d3dd2f9cbf8ea00f34523bc13b9b1ad531e6bccc5a3cf5a3d76b3929fc0301d

SHA512
ba15bef78794a3a35b20ed1fefbd366f43a7fd6a1d1556970c75089dbb896fecb15e9f02c06902e74479fcf6d5ad1020f4afd957040ae1132f49ecb9e43fd738

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7555230.exe

Filesize
497KB

MD5
6002468baa2a0c3be184467f9bd6c90a

SHA1
4291b5f212926b2bd35e6f38990acc71cf28c732

SHA256
9194922356c97acc03e86207987bd34df00a4ef6cd82303a04e64070ac580fa0

SHA512
688572a44bb6141d78d28786bbbfe16a0d181df051c621a41e671aa85edc1a759198fd923aecbf2a2501161191ccc83d78b1246df9dbdc677d53ebd42325b49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7555230.exe

Filesize
497KB

MD5
6002468baa2a0c3be184467f9bd6c90a

SHA1
4291b5f212926b2bd35e6f38990acc71cf28c732

SHA256
9194922356c97acc03e86207987bd34df00a4ef6cd82303a04e64070ac580fa0

SHA512
688572a44bb6141d78d28786bbbfe16a0d181df051c621a41e671aa85edc1a759198fd923aecbf2a2501161191ccc83d78b1246df9dbdc677d53ebd42325b49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3320745.exe

Filesize
372KB

MD5
1dae3127e2b6c3e74acfc6a69bac27f1

SHA1
48b62f84fae8e7f10b57acd975a49c0b4456cfe0

SHA256
0711372f4131645822cdb4fd733e3fbb7f8feb215f7075677884d20d17a4bf4b

SHA512
fe3524302ccdb957cf6f5aa9a56f11fa9dcc9b6d173d4b04f80f99774dccbbe41df7be406a1daeb8e57c9e377e6039b27909a50aa8ea88b2cecb6d6c81922f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3320745.exe

Filesize
372KB

MD5
1dae3127e2b6c3e74acfc6a69bac27f1

SHA1
48b62f84fae8e7f10b57acd975a49c0b4456cfe0

SHA256
0711372f4131645822cdb4fd733e3fbb7f8feb215f7075677884d20d17a4bf4b

SHA512
fe3524302ccdb957cf6f5aa9a56f11fa9dcc9b6d173d4b04f80f99774dccbbe41df7be406a1daeb8e57c9e377e6039b27909a50aa8ea88b2cecb6d6c81922f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8771721.exe

Filesize
174KB

MD5
a8c2549c8f3afc5f087b5e823d5669dc

SHA1
c12e0640cc045b3eb2c155e82bbfdfa0aa7adbd4

SHA256
009e5d073236f60fdcfb8ac9264f2b9de1390f9116b548cb9de4017d8d475a79

SHA512
3fb56a9b8ae9277fff82130aee4fa16c3ed886b32b3bb5e25d4a410819b580643f6031dcc172a3424a9cabf0afedd6f20c8f7babae72438d79f8b8168e11ac23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8771721.exe

Filesize
174KB

MD5
a8c2549c8f3afc5f087b5e823d5669dc

SHA1
c12e0640cc045b3eb2c155e82bbfdfa0aa7adbd4

SHA256
009e5d073236f60fdcfb8ac9264f2b9de1390f9116b548cb9de4017d8d475a79

SHA512
3fb56a9b8ae9277fff82130aee4fa16c3ed886b32b3bb5e25d4a410819b580643f6031dcc172a3424a9cabf0afedd6f20c8f7babae72438d79f8b8168e11ac23

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4171806.exe

Filesize
217KB

MD5
72cce6e4bace8f191c0b52ee40bf4f2a

SHA1
a1304bdc8079b728f31f18ddcaba6b985ed9874a

SHA256
f477991fa831170a9aa6280c5659ed93cb5bdfe1400cb4819a9234cdb4611504

SHA512
03a5e4bfbeef746fe3e71194920609c783530e914eff1336cdd1262887f852d82bf4b4c3573360535316d9644d4a12edda4842ef36e65ddb58406a46b3336c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4171806.exe

Filesize
217KB

MD5
72cce6e4bace8f191c0b52ee40bf4f2a

SHA1
a1304bdc8079b728f31f18ddcaba6b985ed9874a

SHA256
f477991fa831170a9aa6280c5659ed93cb5bdfe1400cb4819a9234cdb4611504

SHA512
03a5e4bfbeef746fe3e71194920609c783530e914eff1336cdd1262887f852d82bf4b4c3573360535316d9644d4a12edda4842ef36e65ddb58406a46b3336c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0792519.exe

Filesize
14KB

MD5
c18fdd90ae0aef5e367136482d8340f7

SHA1
51252b1442139cbf4432e245a14497888da42c73

SHA256
88f84a4469215ae6b9cc4f962367d8d75ee3f7fc1973d406dc919b5d4be096c8

SHA512
828a3835eb25fc5bee926193bae3da840fbe12b631c6ca7213ba0cc69991cb562e407d37c4b95c643e2e25deaacb620b8e11f23a6e7884eaeca888835e4efa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0792519.exe

Filesize
14KB

MD5
c18fdd90ae0aef5e367136482d8340f7

SHA1
51252b1442139cbf4432e245a14497888da42c73

SHA256
88f84a4469215ae6b9cc4f962367d8d75ee3f7fc1973d406dc919b5d4be096c8

SHA512
828a3835eb25fc5bee926193bae3da840fbe12b631c6ca7213ba0cc69991cb562e407d37c4b95c643e2e25deaacb620b8e11f23a6e7884eaeca888835e4efa7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9474784.exe

Filesize
140KB

MD5
f23631ef8fd2fc262ec93eeb0b9083a2

SHA1
3b0e45ea08f909a3ec3881fb46d149c1214fca9e

SHA256
bcd75058546d027ee9d646fa4716240b67defc96d803b420002d3f8456b861fd

SHA512
523cedf1604471b4da1618ef8d9d27caef28fba7787fad33e0aae30f613395e3999c90585c3d921dcddb437977162a45643b7ec4e5bc94c237a9671f6a951e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9474784.exe

Filesize
140KB

MD5
f23631ef8fd2fc262ec93eeb0b9083a2

SHA1
3b0e45ea08f909a3ec3881fb46d149c1214fca9e

SHA256
bcd75058546d027ee9d646fa4716240b67defc96d803b420002d3f8456b861fd

SHA512
523cedf1604471b4da1618ef8d9d27caef28fba7787fad33e0aae30f613395e3999c90585c3d921dcddb437977162a45643b7ec4e5bc94c237a9671f6a951e0f

Download Submit
memory/1456-46-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1456-45-0x0000000000700000-0x0000000000730000-memory.dmp

Filesize
192KB

Download
memory/1456-47-0x00000000057C0000-0x0000000005DD8000-memory.dmp

Filesize
6.1MB

Download
memory/1456-48-0x00000000052B0000-0x00000000053BA000-memory.dmp

Filesize
1.0MB

Download
memory/1456-50-0x00000000051D0000-0x00000000051E2000-memory.dmp

Filesize
72KB

Download
memory/1456-49-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/1456-51-0x0000000005230000-0x000000000526C000-memory.dmp

Filesize
240KB

Download
memory/1456-52-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/1456-53-0x0000000005090000-0x00000000050A0000-memory.dmp

Filesize
64KB

Download
memory/4100-38-0x00007FF84F860000-0x00007FF850321000-memory.dmp

Filesize
10.8MB

Download
memory/4100-36-0x00007FF84F860000-0x00007FF850321000-memory.dmp

Filesize
10.8MB

Download
memory/4100-35-0x0000000000EA0000-0x0000000000EAA000-memory.dmp

Filesize
40KB

Download