healer | 28fc66f58c00ac4d8c27f4ec094ac78365e85b3f20e28ab3fd5106a490ac61f7

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2023 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28fc66f58c00ac4d8c27f4ec094ac78365e85b3f20e28ab3fd5106a490ac61f7.exe
Size

829KB
MD5

9fd32896fbef495ceed7f2b74ad5cf4e
SHA1

5ed5abb2b111be45b40dc8d22ff968ab437c9992
SHA256

28fc66f58c00ac4d8c27f4ec094ac78365e85b3f20e28ab3fd5106a490ac61f7
SHA512

b864c665ae56a232a860bcfe7c8301938ed2b82b5543a66d031af0b1b9292923ecc14ce4adca20ebcc4ee736442b0406a1746054f5e2646bd68484caff98c1cb
SSDEEP

12288:IMrEy908dVlNB7rO0fNrkt+xToKIklyDrJ8LV7eqBIFvUxtNdj5:syjd1lOlfKlYyeobvND

Score

10^/10

healer redline vaga dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vaga

77.91.124.73:19071

Attributes

auth_value
393905212ded984248e8e000e612d4fe

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002323c-34.dat	healer
behavioral1/files/0x000700000002323c-33.dat	healer
behavioral1/memory/1656-35-0x0000000000A90000-0x0000000000A9A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6947859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6947859.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6947859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6947859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6947859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6947859.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1268	v8786178.exe
3804	v6783511.exe
1500	v7294739.exe
4236	v8349415.exe
1656	a6947859.exe
1400	b7041466.exe
3388	c1967166.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6947859.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7294739.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8349415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	28fc66f58c00ac4d8c27f4ec094ac78365e85b3f20e28ab3fd5106a490ac61f7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8786178.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6783511.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1656	a6947859.exe
1656	a6947859.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	a6947859.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4104 wrote to memory of 1268	4104	28fc66f58c00ac4d8c27f4ec094ac78365e85b3f20e28ab3fd5106a490ac61f7.exe	82
PID 4104 wrote to memory of 1268	4104	28fc66f58c00ac4d8c27f4ec094ac78365e85b3f20e28ab3fd5106a490ac61f7.exe	82
PID 4104 wrote to memory of 1268	4104	28fc66f58c00ac4d8c27f4ec094ac78365e85b3f20e28ab3fd5106a490ac61f7.exe	82
PID 1268 wrote to memory of 3804	1268	v8786178.exe	83
PID 1268 wrote to memory of 3804	1268	v8786178.exe	83
PID 1268 wrote to memory of 3804	1268	v8786178.exe	83
PID 3804 wrote to memory of 1500	3804	v6783511.exe	84
PID 3804 wrote to memory of 1500	3804	v6783511.exe	84
PID 3804 wrote to memory of 1500	3804	v6783511.exe	84
PID 1500 wrote to memory of 4236	1500	v7294739.exe	85
PID 1500 wrote to memory of 4236	1500	v7294739.exe	85
PID 1500 wrote to memory of 4236	1500	v7294739.exe	85
PID 4236 wrote to memory of 1656	4236	v8349415.exe	86
PID 4236 wrote to memory of 1656	4236	v8349415.exe	86
PID 4236 wrote to memory of 1400	4236	v8349415.exe	89
PID 4236 wrote to memory of 1400	4236	v8349415.exe	89
PID 4236 wrote to memory of 1400	4236	v8349415.exe	89
PID 1500 wrote to memory of 3388	1500	v7294739.exe	90
PID 1500 wrote to memory of 3388	1500	v7294739.exe	90
PID 1500 wrote to memory of 3388	1500	v7294739.exe	90

C:\Users\Admin\AppData\Local\Temp\28fc66f58c00ac4d8c27f4ec094ac78365e85b3f20e28ab3fd5106a490ac61f7.exe
"C:\Users\Admin\AppData\Local\Temp\28fc66f58c00ac4d8c27f4ec094ac78365e85b3f20e28ab3fd5106a490ac61f7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8786178.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8786178.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6783511.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6783511.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3804
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7294739.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7294739.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1500
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8349415.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8349415.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4236
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6947859.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6947859.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7041466.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7041466.exe
        6⤵
        Executes dropped EXE
        
        PID:1400
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1967166.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1967166.exe
        5⤵
        Executes dropped EXE
        
        PID:3388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8786178.exe

Filesize
723KB

MD5
5ec48ac68c236e49e4670097d747543e

SHA1
01906ae69ecdee1d10c4e07f7c273861f285fdb6

SHA256
c34b2bb8336a809ed8f71f9922fee0421ba6af67544c32e5f8d51cbe0533c044

SHA512
aa35f9dc04ef3a9ed597a1526dffbfd05131a03825b882ee376b8fa051ee27c65785cdcbc504823b72a85b8f2d4ef9ea7e27d901bba91a530288c81d4fb3fe6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8786178.exe

Filesize
723KB

MD5
5ec48ac68c236e49e4670097d747543e

SHA1
01906ae69ecdee1d10c4e07f7c273861f285fdb6

SHA256
c34b2bb8336a809ed8f71f9922fee0421ba6af67544c32e5f8d51cbe0533c044

SHA512
aa35f9dc04ef3a9ed597a1526dffbfd05131a03825b882ee376b8fa051ee27c65785cdcbc504823b72a85b8f2d4ef9ea7e27d901bba91a530288c81d4fb3fe6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6783511.exe

Filesize
496KB

MD5
d3701cb4c69cde652b29186154adb387

SHA1
355e9d56616341a48dd156be30c942e02611ed68

SHA256
b5909246033240b06e328623e6344094212fd04577d6ea7bcf2ca115d7f91f18

SHA512
3ee4858299fafc32e1efbe3db40edaa711aa7bca5bc1793ea41a29b254c303f820956133da8e1b545303158a1f58385ed6c7983ec3dfec45b3d214902501de0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6783511.exe

Filesize
496KB

MD5
d3701cb4c69cde652b29186154adb387

SHA1
355e9d56616341a48dd156be30c942e02611ed68

SHA256
b5909246033240b06e328623e6344094212fd04577d6ea7bcf2ca115d7f91f18

SHA512
3ee4858299fafc32e1efbe3db40edaa711aa7bca5bc1793ea41a29b254c303f820956133da8e1b545303158a1f58385ed6c7983ec3dfec45b3d214902501de0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7294739.exe

Filesize
372KB

MD5
e2b40de18dd379ffd32d6cf96b4ff702

SHA1
c5546dbfbf2619f5c641b71f9ff48ad7e220e822

SHA256
bf4f8213ea9fdddc379638f4587f4b634d5c76883f06cab21e5f0c17daf814c3

SHA512
ce1a6cfdfedbbeb01c95884d90169c05993951180e4dbbfd123608c9e048dbcf9be1496c30ce82f99ae4b9ae11f5866c6a6975f5170450cc0a0dd1ba46a3d732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7294739.exe

Filesize
372KB

MD5
e2b40de18dd379ffd32d6cf96b4ff702

SHA1
c5546dbfbf2619f5c641b71f9ff48ad7e220e822

SHA256
bf4f8213ea9fdddc379638f4587f4b634d5c76883f06cab21e5f0c17daf814c3

SHA512
ce1a6cfdfedbbeb01c95884d90169c05993951180e4dbbfd123608c9e048dbcf9be1496c30ce82f99ae4b9ae11f5866c6a6975f5170450cc0a0dd1ba46a3d732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1967166.exe

Filesize
174KB

MD5
b15dd2a8d13c1e49c5d531831b4cd620

SHA1
d24450a9c66352a4079e79f1629ef7d35df7bf2d

SHA256
d4569cafa57e89c8d359fa266526a82c33080321d55e909b60b2c83c6045225f

SHA512
34146196cbaf1393af5feb78afc59bf81b4da36afe9ac923b5cbb0fa050dab2a6f64598030eeba28ef590426a5ae234821257be767ced504db1c2dd0e87a6788

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1967166.exe

Filesize
174KB

MD5
b15dd2a8d13c1e49c5d531831b4cd620

SHA1
d24450a9c66352a4079e79f1629ef7d35df7bf2d

SHA256
d4569cafa57e89c8d359fa266526a82c33080321d55e909b60b2c83c6045225f

SHA512
34146196cbaf1393af5feb78afc59bf81b4da36afe9ac923b5cbb0fa050dab2a6f64598030eeba28ef590426a5ae234821257be767ced504db1c2dd0e87a6788

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8349415.exe

Filesize
216KB

MD5
e80a9d7b8f8df20d0bfcaaae727c5741

SHA1
954e4c304ba9c590d4610b0b3062934acdbf9184

SHA256
c1a4cec683cf652f937dfd094f8696cd57c52370688f96e2a34083b247903e16

SHA512
0dd82ea6c2e470be95407bb78c1315ae0a5dee5fe600394887d80ec52daa3bf8cbbaa2236ba6a8231d0bd2e7e7c8118422a3873c1dd1ff37041687084cce00fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8349415.exe

Filesize
216KB

MD5
e80a9d7b8f8df20d0bfcaaae727c5741

SHA1
954e4c304ba9c590d4610b0b3062934acdbf9184

SHA256
c1a4cec683cf652f937dfd094f8696cd57c52370688f96e2a34083b247903e16

SHA512
0dd82ea6c2e470be95407bb78c1315ae0a5dee5fe600394887d80ec52daa3bf8cbbaa2236ba6a8231d0bd2e7e7c8118422a3873c1dd1ff37041687084cce00fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6947859.exe

Filesize
14KB

MD5
a9a2f37b79c391fdb1d5dad795eb5f49

SHA1
c5ff52898c10393574a9fc388306ced4289fe685

SHA256
9f92c494f69ab99614b7f8f07ee61fd6942360c38fb116353bcdf1b523db0dad

SHA512
e16163f8a1d51978274bbed5b81baa60034aea136d9eaf438b3874934859becfe95c244fa6920727b4890332b041aa0dc4d6188c2edbae04d6a68c053481c338

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6947859.exe

Filesize
14KB

MD5
a9a2f37b79c391fdb1d5dad795eb5f49

SHA1
c5ff52898c10393574a9fc388306ced4289fe685

SHA256
9f92c494f69ab99614b7f8f07ee61fd6942360c38fb116353bcdf1b523db0dad

SHA512
e16163f8a1d51978274bbed5b81baa60034aea136d9eaf438b3874934859becfe95c244fa6920727b4890332b041aa0dc4d6188c2edbae04d6a68c053481c338

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7041466.exe

Filesize
140KB

MD5
ed3f921177c95104fadac3c0e2b53af7

SHA1
f41f7102759416411b19b5156c0a8c971756ae0a

SHA256
bb6ae9f190a058285ff7fee161d704548e635a6c0e00b4fba65b599c7a290908

SHA512
2b8997628289ab43739841060a39f21a7bed406df897516eee1081725ac10225f10d434b4b53f636a1ece4eb2a97114a0967360c6280059879d0d6e3e6ecbe6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7041466.exe

Filesize
140KB

MD5
ed3f921177c95104fadac3c0e2b53af7

SHA1
f41f7102759416411b19b5156c0a8c971756ae0a

SHA256
bb6ae9f190a058285ff7fee161d704548e635a6c0e00b4fba65b599c7a290908

SHA512
2b8997628289ab43739841060a39f21a7bed406df897516eee1081725ac10225f10d434b4b53f636a1ece4eb2a97114a0967360c6280059879d0d6e3e6ecbe6d

Download Submit
memory/1656-37-0x00007FFBD1260000-0x00007FFBD1D21000-memory.dmp

Filesize
10.8MB

Download
memory/1656-39-0x00007FFBD1260000-0x00007FFBD1D21000-memory.dmp

Filesize
10.8MB

Download
memory/1656-36-0x00007FFBD1260000-0x00007FFBD1D21000-memory.dmp

Filesize
10.8MB

Download
memory/1656-35-0x0000000000A90000-0x0000000000A9A000-memory.dmp

Filesize
40KB

Download
memory/3388-46-0x0000000000FA0000-0x0000000000FD0000-memory.dmp

Filesize
192KB

Download
memory/3388-47-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/3388-48-0x0000000006090000-0x00000000066A8000-memory.dmp

Filesize
6.1MB

Download
memory/3388-49-0x0000000005B80000-0x0000000005C8A000-memory.dmp

Filesize
1.0MB

Download
memory/3388-50-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/3388-51-0x0000000005A70000-0x0000000005A82000-memory.dmp

Filesize
72KB

Download
memory/3388-52-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

Filesize
240KB

Download
memory/3388-53-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/3388-54-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download