healer | fef1a45ee3c1cb5823425a0f1444c79f57bf7542b1528a985380d5ec33c5de4d

Analysis

max time kernel
148s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
26/08/2023, 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fef1a45ee3c1cb5823425a0f1444c79f57bf7542b1528a985380d5ec33c5de4d.exe
Size

826KB
MD5

beaca4f9be052cc860177f118d1e05f8
SHA1

fdf16307319c4e8ea95ff7a585c201649047d322
SHA256

fef1a45ee3c1cb5823425a0f1444c79f57bf7542b1528a985380d5ec33c5de4d
SHA512

bf926616004b734226f3b9cf5a4622aca96d30e66c4470e1dd742d801fb48c167bf280501ea95aef3d3683a5cb3c59ac2b3b22e232af078bb9e2fa2c1f5f6f07
SSDEEP

12288:GMruy90uIvD6nnCR+6fxIQiEUtCGaEcKw42Opq8DXVr:EykvDSCRVIPTavSpqUXJ

Score

10^/10

healer redline jaja dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jaja

77.91.124.73:19071

Attributes

auth_value
3670179d176ca399ed08e7914610b43c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b010-33.dat	healer
behavioral1/files/0x000700000001b010-34.dat	healer
behavioral1/memory/4688-35-0x0000000000E90000-0x0000000000E9A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2678866.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2678866.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2678866.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2678866.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2678866.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4328	v7618373.exe
2292	v5095445.exe
656	v6398538.exe
2708	v2039341.exe
4688	a2678866.exe
2424	b4557547.exe
876	c7124821.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2678866.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6398538.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2039341.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fef1a45ee3c1cb5823425a0f1444c79f57bf7542b1528a985380d5ec33c5de4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7618373.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5095445.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4688	a2678866.exe
4688	a2678866.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4688	a2678866.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 4328	2960	fef1a45ee3c1cb5823425a0f1444c79f57bf7542b1528a985380d5ec33c5de4d.exe	70
PID 2960 wrote to memory of 4328	2960	fef1a45ee3c1cb5823425a0f1444c79f57bf7542b1528a985380d5ec33c5de4d.exe	70
PID 2960 wrote to memory of 4328	2960	fef1a45ee3c1cb5823425a0f1444c79f57bf7542b1528a985380d5ec33c5de4d.exe	70
PID 4328 wrote to memory of 2292	4328	v7618373.exe	71
PID 4328 wrote to memory of 2292	4328	v7618373.exe	71
PID 4328 wrote to memory of 2292	4328	v7618373.exe	71
PID 2292 wrote to memory of 656	2292	v5095445.exe	72
PID 2292 wrote to memory of 656	2292	v5095445.exe	72
PID 2292 wrote to memory of 656	2292	v5095445.exe	72
PID 656 wrote to memory of 2708	656	v6398538.exe	73
PID 656 wrote to memory of 2708	656	v6398538.exe	73
PID 656 wrote to memory of 2708	656	v6398538.exe	73
PID 2708 wrote to memory of 4688	2708	v2039341.exe	74
PID 2708 wrote to memory of 4688	2708	v2039341.exe	74
PID 2708 wrote to memory of 2424	2708	v2039341.exe	75
PID 2708 wrote to memory of 2424	2708	v2039341.exe	75
PID 2708 wrote to memory of 2424	2708	v2039341.exe	75
PID 656 wrote to memory of 876	656	v6398538.exe	76
PID 656 wrote to memory of 876	656	v6398538.exe	76
PID 656 wrote to memory of 876	656	v6398538.exe	76

C:\Users\Admin\AppData\Local\Temp\fef1a45ee3c1cb5823425a0f1444c79f57bf7542b1528a985380d5ec33c5de4d.exe
"C:\Users\Admin\AppData\Local\Temp\fef1a45ee3c1cb5823425a0f1444c79f57bf7542b1528a985380d5ec33c5de4d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7618373.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7618373.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5095445.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5095445.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6398538.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6398538.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:656
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2039341.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2039341.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2678866.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2678866.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4688
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4557547.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4557547.exe
        6⤵
        Executes dropped EXE
        
        PID:2424
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7124821.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7124821.exe
        5⤵
        Executes dropped EXE
        
        PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7618373.exe

Filesize
723KB

MD5
0fff0723205b3afa0817c6fe161eb8aa

SHA1
99f5e78fbe2c747a001e363f0082820de6057447

SHA256
fca2c747f2336854b2900a0caf0aaa7e87eb121f33371dac2c5541b74b46e44a

SHA512
c74e8ad24ee039848d718b55360fdfd3193e77c994353d9cfc55d9365b1b268190adcb48f9b8df2b480a415cf72e702c756d8b94b8f9acb9caf920eb6c42a442

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7618373.exe

Filesize
723KB

MD5
0fff0723205b3afa0817c6fe161eb8aa

SHA1
99f5e78fbe2c747a001e363f0082820de6057447

SHA256
fca2c747f2336854b2900a0caf0aaa7e87eb121f33371dac2c5541b74b46e44a

SHA512
c74e8ad24ee039848d718b55360fdfd3193e77c994353d9cfc55d9365b1b268190adcb48f9b8df2b480a415cf72e702c756d8b94b8f9acb9caf920eb6c42a442

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5095445.exe

Filesize
497KB

MD5
f2f8a7967abd5d5944193cfd2bd8caa0

SHA1
44722be257cefdde7d26553d6b6a4914b18dbb1a

SHA256
0d0ae484e90faec384a4312c6f2255649d699c3cdbf2827038e28ad25689de7c

SHA512
e1ae2eb3dac0b499caeee3c08e780d189f845cbe0b689df2d537759ae2d062bfa03be30653511797e4e818f3d3a6675de49fc77525fb7471449b4966c031cc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5095445.exe

Filesize
497KB

MD5
f2f8a7967abd5d5944193cfd2bd8caa0

SHA1
44722be257cefdde7d26553d6b6a4914b18dbb1a

SHA256
0d0ae484e90faec384a4312c6f2255649d699c3cdbf2827038e28ad25689de7c

SHA512
e1ae2eb3dac0b499caeee3c08e780d189f845cbe0b689df2d537759ae2d062bfa03be30653511797e4e818f3d3a6675de49fc77525fb7471449b4966c031cc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6398538.exe

Filesize
373KB

MD5
044465d30b6508964a8fe9a09b4acf2f

SHA1
80fa708c4c4c5c370113302e1900fc877883fabe

SHA256
aed07642c6b017a323feae0e74d4632d049ecd4f21f486db2f655fb2716d91e3

SHA512
36cc9714397844759757c3c8a95d6d134d024016dbb867309e9f1d9dc3c156e8133314f0b8343bd1b1d3b75a30be4e2e959592893225ec159cc8ab8038754324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6398538.exe

Filesize
373KB

MD5
044465d30b6508964a8fe9a09b4acf2f

SHA1
80fa708c4c4c5c370113302e1900fc877883fabe

SHA256
aed07642c6b017a323feae0e74d4632d049ecd4f21f486db2f655fb2716d91e3

SHA512
36cc9714397844759757c3c8a95d6d134d024016dbb867309e9f1d9dc3c156e8133314f0b8343bd1b1d3b75a30be4e2e959592893225ec159cc8ab8038754324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7124821.exe

Filesize
174KB

MD5
3f1d3841bcccf10d38c4de5ccab195fd

SHA1
504dec90ea94f82260753892dc0486afbd526c14

SHA256
ddbeafd76a74571eacfd87d4d4fbf3f231b8edd4022a76e769b4b1b8211ca420

SHA512
87cd467266f5cf1f0c0e076ea313c0e4874f2a3e573249ba242ed0b7e51a1fd58e348683bb1ba97877a3889d753265c94d23dc90cfa679f59a3464aef7cdca0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7124821.exe

Filesize
174KB

MD5
3f1d3841bcccf10d38c4de5ccab195fd

SHA1
504dec90ea94f82260753892dc0486afbd526c14

SHA256
ddbeafd76a74571eacfd87d4d4fbf3f231b8edd4022a76e769b4b1b8211ca420

SHA512
87cd467266f5cf1f0c0e076ea313c0e4874f2a3e573249ba242ed0b7e51a1fd58e348683bb1ba97877a3889d753265c94d23dc90cfa679f59a3464aef7cdca0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2039341.exe

Filesize
217KB

MD5
c34187bf510d7c28c65ecf6edaa3fd89

SHA1
a82e7166a53427f5dd5c622da3b566e614c25eb2

SHA256
07463c9735647cc873040ee27fd37bafad2f6a26c84b2d59bd85233ebd95240c

SHA512
3b76ebd10cc4feec6f97e5c35123997768f8e1ec98482f5d0e1fd1bc9f10ae9283edb8a491cd5f0fda316f248605b9a18d334648cf52ac2eb85303d2ac204496

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2039341.exe

Filesize
217KB

MD5
c34187bf510d7c28c65ecf6edaa3fd89

SHA1
a82e7166a53427f5dd5c622da3b566e614c25eb2

SHA256
07463c9735647cc873040ee27fd37bafad2f6a26c84b2d59bd85233ebd95240c

SHA512
3b76ebd10cc4feec6f97e5c35123997768f8e1ec98482f5d0e1fd1bc9f10ae9283edb8a491cd5f0fda316f248605b9a18d334648cf52ac2eb85303d2ac204496

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2678866.exe

Filesize
14KB

MD5
fe39f7b29d1ec59aba47630b6bd9b1e1

SHA1
1a36aaedc62dc87d9be6e96af55d8fe88446a898

SHA256
bc579445df78d1c41e452bf92ff376b40c058aca3ac56a806bd425eb263722d1

SHA512
06dcdde878b79b8f9707c25ec1a39ea6312e73d4aa8c884474182521f2b904c6631b301d8fea9cd3bde355784d7d55ed53deb28ce88e6f84837682357b08ab14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2678866.exe

Filesize
14KB

MD5
fe39f7b29d1ec59aba47630b6bd9b1e1

SHA1
1a36aaedc62dc87d9be6e96af55d8fe88446a898

SHA256
bc579445df78d1c41e452bf92ff376b40c058aca3ac56a806bd425eb263722d1

SHA512
06dcdde878b79b8f9707c25ec1a39ea6312e73d4aa8c884474182521f2b904c6631b301d8fea9cd3bde355784d7d55ed53deb28ce88e6f84837682357b08ab14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4557547.exe

Filesize
141KB

MD5
030f5ce05b19cd56e30ea9562dab35bf

SHA1
34d3521b52d5ef26d40660deb38c4fcbb2cc7be9

SHA256
297bcadbf4f447c1829b71456b66f06d2e18d86653a71bf07d0c0eff875a5faf

SHA512
d2efd39240a26a6fc95e79474f6bca87b385ba5f361835c8689a7e8c190c79ebdb0c31573cd53adfd9ac2123900fe868757681b6e75c1eed3429858e5c5201e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4557547.exe

Filesize
141KB

MD5
030f5ce05b19cd56e30ea9562dab35bf

SHA1
34d3521b52d5ef26d40660deb38c4fcbb2cc7be9

SHA256
297bcadbf4f447c1829b71456b66f06d2e18d86653a71bf07d0c0eff875a5faf

SHA512
d2efd39240a26a6fc95e79474f6bca87b385ba5f361835c8689a7e8c190c79ebdb0c31573cd53adfd9ac2123900fe868757681b6e75c1eed3429858e5c5201e7

Download Submit
memory/876-46-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/876-45-0x0000000000900000-0x0000000000930000-memory.dmp

Filesize
192KB

Download
memory/876-47-0x0000000000FF0000-0x0000000000FF6000-memory.dmp

Filesize
24KB

Download
memory/876-48-0x000000000AC20000-0x000000000B226000-memory.dmp

Filesize
6.0MB

Download
memory/876-49-0x000000000A720000-0x000000000A82A000-memory.dmp

Filesize
1.0MB

Download
memory/876-50-0x000000000A640000-0x000000000A652000-memory.dmp

Filesize
72KB

Download
memory/876-51-0x000000000A6A0000-0x000000000A6DE000-memory.dmp

Filesize
248KB

Download
memory/876-52-0x000000000A830000-0x000000000A87B000-memory.dmp

Filesize
300KB

Download
memory/876-53-0x0000000073110000-0x00000000737FE000-memory.dmp

Filesize
6.9MB

Download
memory/4688-38-0x00007FFB3B740000-0x00007FFB3C12C000-memory.dmp

Filesize
9.9MB

Download
memory/4688-36-0x00007FFB3B740000-0x00007FFB3C12C000-memory.dmp

Filesize
9.9MB

Download
memory/4688-35-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download