healer | cbfbc04a8018d517a65d65abe2e565d986c8b430d1b47ecdd592a6b52e79dabd

Analysis

max time kernel
139s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2023 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbfbc04a8018d517a65d65abe2e565d986c8b430d1b47ecdd592a6b52e79dabd.exe
Size

829KB
MD5

5f9839b338906d76e7271c1b02c2ca1b
SHA1

06fc4705e34bc555469026f7580520334c1a8c0a
SHA256

cbfbc04a8018d517a65d65abe2e565d986c8b430d1b47ecdd592a6b52e79dabd
SHA512

35201ee1badc7bf739789cbbfea22bf974771b7346316bd6e5e0bfa88af928ec22ac21018c6fffdc3dc34d9e524d562b6a2f073e5b26c50e0e902a309de1fa9a
SSDEEP

12288:VMrYy90gLLCkFkGBA6kinfl8pAQMzqhqZ7Dly8bfAPWHjQL4h+6Rj04qz8:JyxWki36kiypAlqyg87AzE+6Rwxz8

Score

10^/10

healer redline jaja dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jaja

77.91.124.73:19071

Attributes

auth_value
3670179d176ca399ed08e7914610b43c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023017-33.dat	healer
behavioral1/files/0x0009000000023017-34.dat	healer
behavioral1/memory/3888-35-0x0000000000CD0000-0x0000000000CDA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8097772.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8097772.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8097772.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8097772.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8097772.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8097772.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
816	v3413874.exe
1204	v0776915.exe
3096	v8304033.exe
4668	v9988149.exe
3888	a8097772.exe
5076	b6997319.exe
1944	c0932759.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8097772.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8304033.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9988149.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cbfbc04a8018d517a65d65abe2e565d986c8b430d1b47ecdd592a6b52e79dabd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3413874.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0776915.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3888	a8097772.exe
3888	a8097772.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	a8097772.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 816	2060	cbfbc04a8018d517a65d65abe2e565d986c8b430d1b47ecdd592a6b52e79dabd.exe	86
PID 2060 wrote to memory of 816	2060	cbfbc04a8018d517a65d65abe2e565d986c8b430d1b47ecdd592a6b52e79dabd.exe	86
PID 2060 wrote to memory of 816	2060	cbfbc04a8018d517a65d65abe2e565d986c8b430d1b47ecdd592a6b52e79dabd.exe	86
PID 816 wrote to memory of 1204	816	v3413874.exe	88
PID 816 wrote to memory of 1204	816	v3413874.exe	88
PID 816 wrote to memory of 1204	816	v3413874.exe	88
PID 1204 wrote to memory of 3096	1204	v0776915.exe	89
PID 1204 wrote to memory of 3096	1204	v0776915.exe	89
PID 1204 wrote to memory of 3096	1204	v0776915.exe	89
PID 3096 wrote to memory of 4668	3096	v8304033.exe	90
PID 3096 wrote to memory of 4668	3096	v8304033.exe	90
PID 3096 wrote to memory of 4668	3096	v8304033.exe	90
PID 4668 wrote to memory of 3888	4668	v9988149.exe	91
PID 4668 wrote to memory of 3888	4668	v9988149.exe	91
PID 4668 wrote to memory of 5076	4668	v9988149.exe	92
PID 4668 wrote to memory of 5076	4668	v9988149.exe	92
PID 4668 wrote to memory of 5076	4668	v9988149.exe	92
PID 3096 wrote to memory of 1944	3096	v8304033.exe	93
PID 3096 wrote to memory of 1944	3096	v8304033.exe	93
PID 3096 wrote to memory of 1944	3096	v8304033.exe	93

C:\Users\Admin\AppData\Local\Temp\cbfbc04a8018d517a65d65abe2e565d986c8b430d1b47ecdd592a6b52e79dabd.exe
"C:\Users\Admin\AppData\Local\Temp\cbfbc04a8018d517a65d65abe2e565d986c8b430d1b47ecdd592a6b52e79dabd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3413874.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3413874.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0776915.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0776915.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8304033.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8304033.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3096
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9988149.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9988149.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4668
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8097772.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8097772.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3888
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6997319.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6997319.exe
        6⤵
        Executes dropped EXE
        
        PID:5076
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0932759.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0932759.exe
        5⤵
        Executes dropped EXE
        
        PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3413874.exe

Filesize
723KB

MD5
123446e60befb78b619dd03b770b5e0f

SHA1
783a9a343b5827c7e94be68151fdfbdf9ae9fd87

SHA256
fcde16729259efcc0b60e0c23a3577ff671ad2da51c0569c9ee537735c8e94d9

SHA512
a0782e990fced045b453c37dde148c9413c5ccb8e76bb4dbb341ff555e11af6d22f9613b807f0bbd271a4402e0c9252f915a5304f4bebc67368258de5883c971

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3413874.exe

Filesize
723KB

MD5
123446e60befb78b619dd03b770b5e0f

SHA1
783a9a343b5827c7e94be68151fdfbdf9ae9fd87

SHA256
fcde16729259efcc0b60e0c23a3577ff671ad2da51c0569c9ee537735c8e94d9

SHA512
a0782e990fced045b453c37dde148c9413c5ccb8e76bb4dbb341ff555e11af6d22f9613b807f0bbd271a4402e0c9252f915a5304f4bebc67368258de5883c971

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0776915.exe

Filesize
497KB

MD5
d15f57f960c8fa6438499bb9f5855ed4

SHA1
fe33dc20bb210ad27ce472694a4d8d4780ea3791

SHA256
a968f5f6b1a9a7d340b8a3b49f82d3473ccf4f799df3631336ba2bfefe1ce503

SHA512
4474ff182852e7ec48be0761e44dcbd35f51e5db9dd54bc3665aa850aa3de5904eff92fa81c1be30e1d1823af1f19d48e3bd91f488808ace8a38b52f35b6d6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0776915.exe

Filesize
497KB

MD5
d15f57f960c8fa6438499bb9f5855ed4

SHA1
fe33dc20bb210ad27ce472694a4d8d4780ea3791

SHA256
a968f5f6b1a9a7d340b8a3b49f82d3473ccf4f799df3631336ba2bfefe1ce503

SHA512
4474ff182852e7ec48be0761e44dcbd35f51e5db9dd54bc3665aa850aa3de5904eff92fa81c1be30e1d1823af1f19d48e3bd91f488808ace8a38b52f35b6d6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8304033.exe

Filesize
372KB

MD5
6c2942afa9aa840b88a4b4b1ac3c29d9

SHA1
dd542bd6b1fe73b97e02b83414c3ecdb377873b2

SHA256
5b6fcdf524d0bc852e7949032856088d22c478a92c7014d763b8c99ac7ed9a2c

SHA512
cd429595837bbf2169d69c94f0acad4460b1836af021b32cee81825b106dc41a4b89756afade418c995a32df4e24f4c3fb766c605625b90615ca840a51944f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8304033.exe

Filesize
372KB

MD5
6c2942afa9aa840b88a4b4b1ac3c29d9

SHA1
dd542bd6b1fe73b97e02b83414c3ecdb377873b2

SHA256
5b6fcdf524d0bc852e7949032856088d22c478a92c7014d763b8c99ac7ed9a2c

SHA512
cd429595837bbf2169d69c94f0acad4460b1836af021b32cee81825b106dc41a4b89756afade418c995a32df4e24f4c3fb766c605625b90615ca840a51944f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0932759.exe

Filesize
174KB

MD5
31f1d65bc9d9700b435ad9238b6a72ae

SHA1
3338dabc0fa7744833e43501167e6a6b6189b22a

SHA256
2e3a313d2b93bae007fd1b9071fea83855faee152395766ba5788ba96a3ab823

SHA512
660759f8f3c2412ef2539c963be713aa3888dc4d95324d8e2b0e349451e86ce0d6cf3ea92303b0bf7c6e971624b8ddfe3ed356585f06e9bc2e82dfb0b3427e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0932759.exe

Filesize
174KB

MD5
31f1d65bc9d9700b435ad9238b6a72ae

SHA1
3338dabc0fa7744833e43501167e6a6b6189b22a

SHA256
2e3a313d2b93bae007fd1b9071fea83855faee152395766ba5788ba96a3ab823

SHA512
660759f8f3c2412ef2539c963be713aa3888dc4d95324d8e2b0e349451e86ce0d6cf3ea92303b0bf7c6e971624b8ddfe3ed356585f06e9bc2e82dfb0b3427e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9988149.exe

Filesize
217KB

MD5
9b907d9dab504151dadd4b60e6887611

SHA1
1419d4ea72c9c9612558d12d54f6887175b7944b

SHA256
77a24c2b9c83dab2420970cc20e33640f0a26adbb89feb4307a0ea8cd2671a61

SHA512
6209802ec2ec29aea6c0de8708dd5eb84ba3768c5fd08cd48ef402b41a404d5e4a9d166568b179e63add2afb77b18b970a09c932c839a0d45288bdfa8c9d7150

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9988149.exe

Filesize
217KB

MD5
9b907d9dab504151dadd4b60e6887611

SHA1
1419d4ea72c9c9612558d12d54f6887175b7944b

SHA256
77a24c2b9c83dab2420970cc20e33640f0a26adbb89feb4307a0ea8cd2671a61

SHA512
6209802ec2ec29aea6c0de8708dd5eb84ba3768c5fd08cd48ef402b41a404d5e4a9d166568b179e63add2afb77b18b970a09c932c839a0d45288bdfa8c9d7150

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8097772.exe

Filesize
14KB

MD5
7cca75ede0412274536dfedd5ed9f0dc

SHA1
23b4d221eb7dfa13215b0689c5cd6a79e0f03fc2

SHA256
955cd173d9227eb7f105ad96cc2de03e736c7d139cdba43d76e318066d1cbedb

SHA512
ee81405d489f0068d48f2d7bbcf89380993e8d43ef45c272aa89c22044ceb9c267c51eb229c6e0ed9f5773cb01cf498130ab9bfbfc0082fe932ae254330c2d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8097772.exe

Filesize
14KB

MD5
7cca75ede0412274536dfedd5ed9f0dc

SHA1
23b4d221eb7dfa13215b0689c5cd6a79e0f03fc2

SHA256
955cd173d9227eb7f105ad96cc2de03e736c7d139cdba43d76e318066d1cbedb

SHA512
ee81405d489f0068d48f2d7bbcf89380993e8d43ef45c272aa89c22044ceb9c267c51eb229c6e0ed9f5773cb01cf498130ab9bfbfc0082fe932ae254330c2d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6997319.exe

Filesize
140KB

MD5
b55ea574846c84dda1c567c778857af5

SHA1
f0d17afba2aaef0ecb51d13ab4c0a76330424481

SHA256
bea096495dfec3f656b9d4dd1caf76234e5507d40c6bad3f2780b93e85d58f2f

SHA512
6c30ca407d5e13959da34f169b5194389130db3e6806c2deadde479536fd5547aebd612723b28f853a4887f1cc8a82b84c5e009bd63a0504ce25e4314006727a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6997319.exe

Filesize
140KB

MD5
b55ea574846c84dda1c567c778857af5

SHA1
f0d17afba2aaef0ecb51d13ab4c0a76330424481

SHA256
bea096495dfec3f656b9d4dd1caf76234e5507d40c6bad3f2780b93e85d58f2f

SHA512
6c30ca407d5e13959da34f169b5194389130db3e6806c2deadde479536fd5547aebd612723b28f853a4887f1cc8a82b84c5e009bd63a0504ce25e4314006727a

Download Submit
memory/1944-45-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/1944-46-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/1944-47-0x000000000A680000-0x000000000AC98000-memory.dmp

Filesize
6.1MB

Download
memory/1944-48-0x000000000A170000-0x000000000A27A000-memory.dmp

Filesize
1.0MB

Download
memory/1944-50-0x000000000A0A0000-0x000000000A0B2000-memory.dmp

Filesize
72KB

Download
memory/1944-49-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/1944-51-0x000000000A100000-0x000000000A13C000-memory.dmp

Filesize
240KB

Download
memory/1944-52-0x0000000074A20000-0x00000000751D0000-memory.dmp

Filesize
7.7MB

Download
memory/1944-53-0x0000000004BD0000-0x0000000004BE0000-memory.dmp

Filesize
64KB

Download
memory/3888-41-0x00007FFA426B0000-0x00007FFA43171000-memory.dmp

Filesize
10.8MB

Download
memory/3888-36-0x00007FFA426B0000-0x00007FFA43171000-memory.dmp

Filesize
10.8MB

Download
memory/3888-35-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download