healer | 00ae6f70be288d72545360b749c0b7496aba245886d8c4e4b8993a923a82d2e5

Analysis

max time kernel
152s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27/08/2023, 04:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00ae6f70be288d72545360b749c0b7496aba245886d8c4e4b8993a923a82d2e5.exe
Size

829KB
MD5

a82a8ffef07b6ba5fcb6e278febe13ab
SHA1

d7dfc78d760b93114550deb4b1f142bcace6bf23
SHA256

00ae6f70be288d72545360b749c0b7496aba245886d8c4e4b8993a923a82d2e5
SHA512

b86fbf1cbf0ca6b3abd2ed9bd3db4b55bd9486484a82aa71e71d023d8675378b559eecb0ae6845a2cdc1c21b77086d56a163dcd535f145f17ea57eab2258c6a6
SSDEEP

12288:2MrWy90R8g7RMrzXq5HKlEPwo+ia6iAjgLDnV6V2JKEILGy9fhsD1T2bBi:kyA8+ISHYEPA6ifnVK1RDs5T2b0

Score

10^/10

healer redline nrava dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nrava

77.91.124.82:19071

Attributes

auth_value
43fe50e9ee6afb85588e03ac9676e2f7

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023223-33.dat	healer
behavioral1/files/0x0009000000023223-34.dat	healer
behavioral1/memory/3284-35-0x0000000000160000-0x000000000016A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5350953.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5350953.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5350953.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5350953.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5350953.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5350953.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023220-43.dat	family_redline
behavioral1/files/0x0007000000023220-44.dat	family_redline
behavioral1/memory/4352-45-0x00000000001E0000-0x0000000000210000-memory.dmp	family_redline

Executes dropped EXE 7 IoCs

pid	Process
4828	v4734304.exe
1468	v7976179.exe
4896	v5755344.exe
4472	v8686218.exe
3284	a5350953.exe
1432	b8967596.exe
4352	c6220824.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5350953.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8686218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	00ae6f70be288d72545360b749c0b7496aba245886d8c4e4b8993a923a82d2e5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4734304.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7976179.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5755344.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3284	a5350953.exe
3284	a5350953.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3284	a5350953.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4828	1520	00ae6f70be288d72545360b749c0b7496aba245886d8c4e4b8993a923a82d2e5.exe	82
PID 1520 wrote to memory of 4828	1520	00ae6f70be288d72545360b749c0b7496aba245886d8c4e4b8993a923a82d2e5.exe	82
PID 1520 wrote to memory of 4828	1520	00ae6f70be288d72545360b749c0b7496aba245886d8c4e4b8993a923a82d2e5.exe	82
PID 4828 wrote to memory of 1468	4828	v4734304.exe	83
PID 4828 wrote to memory of 1468	4828	v4734304.exe	83
PID 4828 wrote to memory of 1468	4828	v4734304.exe	83
PID 1468 wrote to memory of 4896	1468	v7976179.exe	84
PID 1468 wrote to memory of 4896	1468	v7976179.exe	84
PID 1468 wrote to memory of 4896	1468	v7976179.exe	84
PID 4896 wrote to memory of 4472	4896	v5755344.exe	85
PID 4896 wrote to memory of 4472	4896	v5755344.exe	85
PID 4896 wrote to memory of 4472	4896	v5755344.exe	85
PID 4472 wrote to memory of 3284	4472	v8686218.exe	86
PID 4472 wrote to memory of 3284	4472	v8686218.exe	86
PID 4472 wrote to memory of 1432	4472	v8686218.exe	95
PID 4472 wrote to memory of 1432	4472	v8686218.exe	95
PID 4472 wrote to memory of 1432	4472	v8686218.exe	95
PID 4896 wrote to memory of 4352	4896	v5755344.exe	96
PID 4896 wrote to memory of 4352	4896	v5755344.exe	96
PID 4896 wrote to memory of 4352	4896	v5755344.exe	96

C:\Users\Admin\AppData\Local\Temp\00ae6f70be288d72545360b749c0b7496aba245886d8c4e4b8993a923a82d2e5.exe
"C:\Users\Admin\AppData\Local\Temp\00ae6f70be288d72545360b749c0b7496aba245886d8c4e4b8993a923a82d2e5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4734304.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4734304.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7976179.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7976179.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5755344.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5755344.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4896
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8686218.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8686218.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4472
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5350953.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5350953.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8967596.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8967596.exe
        6⤵
        Executes dropped EXE
        
        PID:1432
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6220824.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6220824.exe
        5⤵
        Executes dropped EXE
        
        PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4734304.exe

Filesize
723KB

MD5
94b2ee67d00de5f5470f7b83ec0107e6

SHA1
3f6358060abb32f8cf10cc2b6a4773d77c1828d2

SHA256
3783f83f4a3be94d8d2e228cbf3a5565d31edc01b96df3edaa71b1886bca421c

SHA512
75c18531b09659d2bdd19d1bf60768c536fa9bed9efb48e5b23e09bfc4905418ca2afd9ce6857d6e8aba45b62503104eff43285b29e339330ab9407418502a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4734304.exe

Filesize
723KB

MD5
94b2ee67d00de5f5470f7b83ec0107e6

SHA1
3f6358060abb32f8cf10cc2b6a4773d77c1828d2

SHA256
3783f83f4a3be94d8d2e228cbf3a5565d31edc01b96df3edaa71b1886bca421c

SHA512
75c18531b09659d2bdd19d1bf60768c536fa9bed9efb48e5b23e09bfc4905418ca2afd9ce6857d6e8aba45b62503104eff43285b29e339330ab9407418502a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7976179.exe

Filesize
497KB

MD5
4e18d2f0c2b7d2992071d11c28c35c10

SHA1
97bdb02a93efcecdf49b8764d1eb7f297b834d4e

SHA256
57ff470a9b0d1d7ab71afee5be4eb5dedf4bc3f7ee9090864db21004676b741a

SHA512
a22d85c90b72d964cc34672d0691d4f8e7931287d0c87296247b3ce0551fb63c7e2eb0e8bd0035bbaa5625a284b10c574efef96825db43bdc972d4ca008afc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7976179.exe

Filesize
497KB

MD5
4e18d2f0c2b7d2992071d11c28c35c10

SHA1
97bdb02a93efcecdf49b8764d1eb7f297b834d4e

SHA256
57ff470a9b0d1d7ab71afee5be4eb5dedf4bc3f7ee9090864db21004676b741a

SHA512
a22d85c90b72d964cc34672d0691d4f8e7931287d0c87296247b3ce0551fb63c7e2eb0e8bd0035bbaa5625a284b10c574efef96825db43bdc972d4ca008afc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5755344.exe

Filesize
372KB

MD5
52c143695dd0b8fac6fe0d125a83796f

SHA1
1f30cd539a330144c897845b7143cec457b58bd2

SHA256
437aa8152047c44b2a45535bceebaa4c889454d8eadc7464e8c6b911fc9a8e6b

SHA512
5579066acbca5492c0b10d347ff6ec6f0a21bfbf9ccaefe690f8e529c61c374867f45a9d4e6cefd7265848b8f187194e8783df4a35cdec360b50e47a20e7c2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5755344.exe

Filesize
372KB

MD5
52c143695dd0b8fac6fe0d125a83796f

SHA1
1f30cd539a330144c897845b7143cec457b58bd2

SHA256
437aa8152047c44b2a45535bceebaa4c889454d8eadc7464e8c6b911fc9a8e6b

SHA512
5579066acbca5492c0b10d347ff6ec6f0a21bfbf9ccaefe690f8e529c61c374867f45a9d4e6cefd7265848b8f187194e8783df4a35cdec360b50e47a20e7c2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6220824.exe

Filesize
173KB

MD5
e78c834502aa3e5fdc6ac9a9c3e99ba8

SHA1
713e67aea1e3748bcbddc45a57474511113106a7

SHA256
bb0ef1004a57eba48a6a5304f3130db9a92381a4df501cfb2c8a7436dbcfbfbd

SHA512
993e8e2058e3172551e54eb542e6e624d272b7f6842086033106a45afbe2d0a3842a23aec9278a63f29f9a1788204ffe27a77b6c00cd338399c0a23b63638eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c6220824.exe

Filesize
173KB

MD5
e78c834502aa3e5fdc6ac9a9c3e99ba8

SHA1
713e67aea1e3748bcbddc45a57474511113106a7

SHA256
bb0ef1004a57eba48a6a5304f3130db9a92381a4df501cfb2c8a7436dbcfbfbd

SHA512
993e8e2058e3172551e54eb542e6e624d272b7f6842086033106a45afbe2d0a3842a23aec9278a63f29f9a1788204ffe27a77b6c00cd338399c0a23b63638eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8686218.exe

Filesize
217KB

MD5
461c91a1f850f6da632991f260120552

SHA1
c5090cd11c29e7811d01935e6749cce70f8a2c3c

SHA256
61b31b0132b67c0463b66311041d1e3b41b55017b5630b2b92793449c7a9333e

SHA512
82d2814a3a3fe5c81cce4a451e5f104783c7a311a285d044af4689531c3b0eb4c6abb6251709943052eb8b64913bdfb4caee8396821cfc97789b62da53c0bccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8686218.exe

Filesize
217KB

MD5
461c91a1f850f6da632991f260120552

SHA1
c5090cd11c29e7811d01935e6749cce70f8a2c3c

SHA256
61b31b0132b67c0463b66311041d1e3b41b55017b5630b2b92793449c7a9333e

SHA512
82d2814a3a3fe5c81cce4a451e5f104783c7a311a285d044af4689531c3b0eb4c6abb6251709943052eb8b64913bdfb4caee8396821cfc97789b62da53c0bccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5350953.exe

Filesize
15KB

MD5
3e0b1463577175c8223d513b595e4e48

SHA1
1272b3d3eeb5564986bc4ca908ef51d4406d0849

SHA256
4b0a53914b6377ab5fa070228e99a1a07806e32626cc018121efb854ef2ddc05

SHA512
0777b408290ca7d6b6d2bbde23fa32d32dbdf13a4c98266f922ab0a9bc25206d586cb25e65c0bc33d685881d7e11c45de81e803dc221bc73518124a524fcf2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5350953.exe

Filesize
15KB

MD5
3e0b1463577175c8223d513b595e4e48

SHA1
1272b3d3eeb5564986bc4ca908ef51d4406d0849

SHA256
4b0a53914b6377ab5fa070228e99a1a07806e32626cc018121efb854ef2ddc05

SHA512
0777b408290ca7d6b6d2bbde23fa32d32dbdf13a4c98266f922ab0a9bc25206d586cb25e65c0bc33d685881d7e11c45de81e803dc221bc73518124a524fcf2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8967596.exe

Filesize
140KB

MD5
a235645655f2fa7efe6b421c605ebb24

SHA1
c39063abbc2136fe966f463862b354729382aeac

SHA256
6f603066644e6415d605f7feb983dbec1d4d0b5aa523df945c6cacc8265640ba

SHA512
cd3c6c3ecaba4564159ed12048489f588be2495397a9aa7c6169822651bc1e7770639e42a6e9da7e50d1819177155b9de05e919177fcdd2c4130aee4e2d4e830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8967596.exe

Filesize
140KB

MD5
a235645655f2fa7efe6b421c605ebb24

SHA1
c39063abbc2136fe966f463862b354729382aeac

SHA256
6f603066644e6415d605f7feb983dbec1d4d0b5aa523df945c6cacc8265640ba

SHA512
cd3c6c3ecaba4564159ed12048489f588be2495397a9aa7c6169822651bc1e7770639e42a6e9da7e50d1819177155b9de05e919177fcdd2c4130aee4e2d4e830

Download Submit
memory/3284-38-0x00007FF979450000-0x00007FF979F11000-memory.dmp

Filesize
10.8MB

Download
memory/3284-36-0x00007FF979450000-0x00007FF979F11000-memory.dmp

Filesize
10.8MB

Download
memory/3284-35-0x0000000000160000-0x000000000016A000-memory.dmp

Filesize
40KB

Download
memory/4352-45-0x00000000001E0000-0x0000000000210000-memory.dmp

Filesize
192KB

Download
memory/4352-46-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4352-47-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/4352-48-0x0000000004E60000-0x0000000004F6A000-memory.dmp

Filesize
1.0MB

Download
memory/4352-49-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/4352-50-0x0000000002750000-0x0000000002762000-memory.dmp

Filesize
72KB

Download
memory/4352-51-0x0000000004D50000-0x0000000004D8C000-memory.dmp

Filesize
240KB

Download
memory/4352-52-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/4352-53-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download