healer | 8ecdd7b54d0e160eb62b6a46c7faaf330b2ce88a030d7ff4fbe3822ab878aad5

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 22:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ecdd7b54d0e160eb62b6a46c7faaf330b2ce88a030d7ff4fbe3822ab878aad5.exe
Size

829KB
MD5

448bd3cde5dc78d1569fccd49ac6641a
SHA1

6966d702004302a5bd73e7da3bc7a18648714c8e
SHA256

8ecdd7b54d0e160eb62b6a46c7faaf330b2ce88a030d7ff4fbe3822ab878aad5
SHA512

b7ef60c1d02c9c956ffb9ea2c31867ca41f7b538e2fb7940c018c3a4ae13d62206109c9120ca6189d9ead9f6f3efbb81b8bc2b5e67dc9344b4f23c79d2454d9a
SSDEEP

12288:rMrAy90Zd4sxIlrJfl0oFsCWsVHxOhuCoFh9kaIKzTHUq0gsZxl157/GeT6ph9VZ:HyKxIlrJ6o/WSHPSGUVgs7hDoJ+SV

Score

10^/10

healer redline stas dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

stas

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000002323b-33.dat	healer
behavioral1/files/0x000800000002323b-34.dat	healer
behavioral1/memory/1532-35-0x0000000000730000-0x000000000073A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5776152.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5776152.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5776152.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5776152.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5776152.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5776152.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2296	v4037703.exe
4232	v6871489.exe
4700	v2843231.exe
2408	v1553867.exe
1532	a5776152.exe
3744	b3917197.exe
1860	c0484744.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5776152.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1553867.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8ecdd7b54d0e160eb62b6a46c7faaf330b2ce88a030d7ff4fbe3822ab878aad5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4037703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6871489.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2843231.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1532	a5776152.exe
1532	a5776152.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	a5776152.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2296	1956	8ecdd7b54d0e160eb62b6a46c7faaf330b2ce88a030d7ff4fbe3822ab878aad5.exe	82
PID 1956 wrote to memory of 2296	1956	8ecdd7b54d0e160eb62b6a46c7faaf330b2ce88a030d7ff4fbe3822ab878aad5.exe	82
PID 1956 wrote to memory of 2296	1956	8ecdd7b54d0e160eb62b6a46c7faaf330b2ce88a030d7ff4fbe3822ab878aad5.exe	82
PID 2296 wrote to memory of 4232	2296	v4037703.exe	83
PID 2296 wrote to memory of 4232	2296	v4037703.exe	83
PID 2296 wrote to memory of 4232	2296	v4037703.exe	83
PID 4232 wrote to memory of 4700	4232	v6871489.exe	84
PID 4232 wrote to memory of 4700	4232	v6871489.exe	84
PID 4232 wrote to memory of 4700	4232	v6871489.exe	84
PID 4700 wrote to memory of 2408	4700	v2843231.exe	85
PID 4700 wrote to memory of 2408	4700	v2843231.exe	85
PID 4700 wrote to memory of 2408	4700	v2843231.exe	85
PID 2408 wrote to memory of 1532	2408	v1553867.exe	86
PID 2408 wrote to memory of 1532	2408	v1553867.exe	86
PID 2408 wrote to memory of 3744	2408	v1553867.exe	95
PID 2408 wrote to memory of 3744	2408	v1553867.exe	95
PID 2408 wrote to memory of 3744	2408	v1553867.exe	95
PID 4700 wrote to memory of 1860	4700	v2843231.exe	96
PID 4700 wrote to memory of 1860	4700	v2843231.exe	96
PID 4700 wrote to memory of 1860	4700	v2843231.exe	96

C:\Users\Admin\AppData\Local\Temp\8ecdd7b54d0e160eb62b6a46c7faaf330b2ce88a030d7ff4fbe3822ab878aad5.exe
"C:\Users\Admin\AppData\Local\Temp\8ecdd7b54d0e160eb62b6a46c7faaf330b2ce88a030d7ff4fbe3822ab878aad5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4037703.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4037703.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6871489.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6871489.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2843231.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2843231.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1553867.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1553867.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2408
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5776152.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5776152.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3917197.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3917197.exe
        6⤵
        Executes dropped EXE
        
        PID:3744
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0484744.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0484744.exe
        5⤵
        Executes dropped EXE
        
        PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4037703.exe

Filesize
723KB

MD5
989124074b7a9a598e11e06426e199ef

SHA1
ddd0ef6a5d20988075439af9baad1ad1de2416aa

SHA256
2217608e2e12fd20cc7cefa93fb9810ee16bb63a49c6a2ddb0424851668e1285

SHA512
a2c63387015abb54ed220e541e51374222951151f47f1ccc10a62f0ff680c1d5029930d713528ee6e8d5aa987cba0d701a9006729cd4421905bde5f5ae90e26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4037703.exe

Filesize
723KB

MD5
989124074b7a9a598e11e06426e199ef

SHA1
ddd0ef6a5d20988075439af9baad1ad1de2416aa

SHA256
2217608e2e12fd20cc7cefa93fb9810ee16bb63a49c6a2ddb0424851668e1285

SHA512
a2c63387015abb54ed220e541e51374222951151f47f1ccc10a62f0ff680c1d5029930d713528ee6e8d5aa987cba0d701a9006729cd4421905bde5f5ae90e26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6871489.exe

Filesize
497KB

MD5
2cc98882c35ff0839854d14ce31eb423

SHA1
7a39a9951dfcc00cbbdaedb499dfaec75daea1c4

SHA256
3781e6d75e4d4df8e6d7fb3e89ed1dbd5af01b137dc47d5c8b220df49c38c939

SHA512
6fd684efd7a090922d8f02128bb7f5f38f70cd317d97e852aeb5e476c24e069f1fe638ff4efb96ebd42461f1aa5723d18b7d649f5f183d029628d208faa6dd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6871489.exe

Filesize
497KB

MD5
2cc98882c35ff0839854d14ce31eb423

SHA1
7a39a9951dfcc00cbbdaedb499dfaec75daea1c4

SHA256
3781e6d75e4d4df8e6d7fb3e89ed1dbd5af01b137dc47d5c8b220df49c38c939

SHA512
6fd684efd7a090922d8f02128bb7f5f38f70cd317d97e852aeb5e476c24e069f1fe638ff4efb96ebd42461f1aa5723d18b7d649f5f183d029628d208faa6dd1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2843231.exe

Filesize
372KB

MD5
03846776c68cb9ad5f05f21aac67f2e1

SHA1
849a5de23f988ffc8789a082c80dbc8e89b50b6b

SHA256
65a7951f109616860f5dd83bf3112e18df9a48ef9e2fcbd53be64ba3fb946f14

SHA512
4c6e9cd525a23156b33008d73c1138048f348b023dd6ea8031ef6018533b18f2ec4ba0070715b9628cd70aee6412a6d618beeccf273ac3540ea3638b2eb10922

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2843231.exe

Filesize
372KB

MD5
03846776c68cb9ad5f05f21aac67f2e1

SHA1
849a5de23f988ffc8789a082c80dbc8e89b50b6b

SHA256
65a7951f109616860f5dd83bf3112e18df9a48ef9e2fcbd53be64ba3fb946f14

SHA512
4c6e9cd525a23156b33008d73c1138048f348b023dd6ea8031ef6018533b18f2ec4ba0070715b9628cd70aee6412a6d618beeccf273ac3540ea3638b2eb10922

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0484744.exe

Filesize
174KB

MD5
27fd991f631faa6d8e5aa16c7c95959f

SHA1
470d9c05fcee1e64bd9777ad473c07a07d98aaf4

SHA256
8f3cfcbf98c8c27ddb305f86f705100656c4e9e09b25a91ed4e631fb7d6de7c8

SHA512
36312910e0fc2a5d5198c10c6b70376524fef35c17abeca6941c560173150b7b3339a2048b492095f842d7ee06e425c4fab2328ef83250ba6a5c803eaeb12715

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0484744.exe

Filesize
174KB

MD5
27fd991f631faa6d8e5aa16c7c95959f

SHA1
470d9c05fcee1e64bd9777ad473c07a07d98aaf4

SHA256
8f3cfcbf98c8c27ddb305f86f705100656c4e9e09b25a91ed4e631fb7d6de7c8

SHA512
36312910e0fc2a5d5198c10c6b70376524fef35c17abeca6941c560173150b7b3339a2048b492095f842d7ee06e425c4fab2328ef83250ba6a5c803eaeb12715

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1553867.exe

Filesize
217KB

MD5
132e1d77862c069ee6269a3158996a13

SHA1
a9705716b26379fe72507f04b5dd643caba96afb

SHA256
44e9ac665f6b4fa176e0d45c6ed2af370ded6ded875b095428a9f903c7a5ae06

SHA512
832a0c91b1aa5ac1f594d8eb0344410af2788d5573651d09fad7ea465e084d039ecc7106421783179706ea61688f3693486c84bbe41e27ab8442483d6d4556fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1553867.exe

Filesize
217KB

MD5
132e1d77862c069ee6269a3158996a13

SHA1
a9705716b26379fe72507f04b5dd643caba96afb

SHA256
44e9ac665f6b4fa176e0d45c6ed2af370ded6ded875b095428a9f903c7a5ae06

SHA512
832a0c91b1aa5ac1f594d8eb0344410af2788d5573651d09fad7ea465e084d039ecc7106421783179706ea61688f3693486c84bbe41e27ab8442483d6d4556fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5776152.exe

Filesize
15KB

MD5
065625637034f37eed1adc2c5136227b

SHA1
d61085bb622ed1c98e0621c12ce1a447b19878e2

SHA256
d09bc8cec64a04a407c4ed400b5c33d6e4069924c6babc127878a117807204ec

SHA512
a48724ef51624f54d7aa69f451418795713ae8e51895f5bd1495396bdc637f779417368260315b8c35e9444494bd4ae21dbcfa6f492e790444e322039a52d13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5776152.exe

Filesize
15KB

MD5
065625637034f37eed1adc2c5136227b

SHA1
d61085bb622ed1c98e0621c12ce1a447b19878e2

SHA256
d09bc8cec64a04a407c4ed400b5c33d6e4069924c6babc127878a117807204ec

SHA512
a48724ef51624f54d7aa69f451418795713ae8e51895f5bd1495396bdc637f779417368260315b8c35e9444494bd4ae21dbcfa6f492e790444e322039a52d13d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3917197.exe

Filesize
140KB

MD5
a2acfb5c07f5600178cb84e7ffc8f35e

SHA1
d006f91b6c0561a20ac1dcf364efded07f9dffda

SHA256
3a753df3ec68a522fa70b86557e5d754704f88ff72477643b22b1eecb892175f

SHA512
4442f066a5a25f3dae9d0985efda494d8d331482a2028a8c62ffe104be05e8b7dba5d362e15c05990020b04df4d9841dc8b1ba1e09334a598953ba43dae75d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3917197.exe

Filesize
140KB

MD5
a2acfb5c07f5600178cb84e7ffc8f35e

SHA1
d006f91b6c0561a20ac1dcf364efded07f9dffda

SHA256
3a753df3ec68a522fa70b86557e5d754704f88ff72477643b22b1eecb892175f

SHA512
4442f066a5a25f3dae9d0985efda494d8d331482a2028a8c62ffe104be05e8b7dba5d362e15c05990020b04df4d9841dc8b1ba1e09334a598953ba43dae75d2c

Download Submit
memory/1532-38-0x00007FFD3EFB0000-0x00007FFD3FA71000-memory.dmp

Filesize
10.8MB

Download
memory/1532-36-0x00007FFD3EFB0000-0x00007FFD3FA71000-memory.dmp

Filesize
10.8MB

Download
memory/1532-35-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/1860-45-0x0000000000540000-0x0000000000570000-memory.dmp

Filesize
192KB

Download
memory/1860-46-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/1860-47-0x000000000A990000-0x000000000AFA8000-memory.dmp

Filesize
6.1MB

Download
memory/1860-48-0x000000000A4F0000-0x000000000A5FA000-memory.dmp

Filesize
1.0MB

Download
memory/1860-49-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/1860-50-0x000000000A430000-0x000000000A442000-memory.dmp

Filesize
72KB

Download
memory/1860-51-0x000000000A490000-0x000000000A4CC000-memory.dmp

Filesize
240KB

Download
memory/1860-52-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/1860-53-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download