healer | 0f11340789ea01aef686a3c03f6a1760c0ee7c4871ee4a18e8aa9873181e5b37

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
27-08-2023 09:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f11340789ea01aef686a3c03f6a1760c0ee7c4871ee4a18e8aa9873181e5b37.exe
Size

825KB
MD5

2b7c2817d7034f340bc53372b7664f3d
SHA1

fcd32b289fb7307df1a21ded630d46974e6430e3
SHA256

0f11340789ea01aef686a3c03f6a1760c0ee7c4871ee4a18e8aa9873181e5b37
SHA512

5dc1a9ca4fbb0c1f6b4ffb9bcd8e0874cd1760f067542b1df9044387a1454302c7cd46816dd7b9fc3f84febe9601053d73af822f59ec298db88f7b37eadc13ba
SSDEEP

12288:jMrMy90EpVroyDEOkBDVIyRJ55ECb/qJETRaydkBKH/LE59lgKTqJG7:7yjpuyDEO6DlUe/qedkUqso

Score

10^/10

healer redline nrava dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nrava

77.91.124.82:19071

Attributes

auth_value
43fe50e9ee6afb85588e03ac9676e2f7

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afd6-33.dat	healer
behavioral1/files/0x000700000001afd6-34.dat	healer
behavioral1/memory/2500-35-0x00000000009E0000-0x00000000009EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5512686.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5512686.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5512686.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5512686.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5512686.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001afd4-43.dat	family_redline
behavioral1/files/0x000600000001afd4-44.dat	family_redline
behavioral1/memory/2104-45-0x0000000000BC0000-0x0000000000BF0000-memory.dmp	family_redline

Executes dropped EXE 7 IoCs

pid	Process
3676	v0095841.exe
4164	v8523941.exe
4152	v5446918.exe
3096	v0622857.exe
2500	a5512686.exe
2452	b1579028.exe
2104	c7730462.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5512686.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0f11340789ea01aef686a3c03f6a1760c0ee7c4871ee4a18e8aa9873181e5b37.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0095841.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8523941.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5446918.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v0622857.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	a5512686.exe
2500	a5512686.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	a5512686.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 3676	4936	0f11340789ea01aef686a3c03f6a1760c0ee7c4871ee4a18e8aa9873181e5b37.exe	70
PID 4936 wrote to memory of 3676	4936	0f11340789ea01aef686a3c03f6a1760c0ee7c4871ee4a18e8aa9873181e5b37.exe	70
PID 4936 wrote to memory of 3676	4936	0f11340789ea01aef686a3c03f6a1760c0ee7c4871ee4a18e8aa9873181e5b37.exe	70
PID 3676 wrote to memory of 4164	3676	v0095841.exe	71
PID 3676 wrote to memory of 4164	3676	v0095841.exe	71
PID 3676 wrote to memory of 4164	3676	v0095841.exe	71
PID 4164 wrote to memory of 4152	4164	v8523941.exe	72
PID 4164 wrote to memory of 4152	4164	v8523941.exe	72
PID 4164 wrote to memory of 4152	4164	v8523941.exe	72
PID 4152 wrote to memory of 3096	4152	v5446918.exe	73
PID 4152 wrote to memory of 3096	4152	v5446918.exe	73
PID 4152 wrote to memory of 3096	4152	v5446918.exe	73
PID 3096 wrote to memory of 2500	3096	v0622857.exe	74
PID 3096 wrote to memory of 2500	3096	v0622857.exe	74
PID 3096 wrote to memory of 2452	3096	v0622857.exe	75
PID 3096 wrote to memory of 2452	3096	v0622857.exe	75
PID 3096 wrote to memory of 2452	3096	v0622857.exe	75
PID 4152 wrote to memory of 2104	4152	v5446918.exe	76
PID 4152 wrote to memory of 2104	4152	v5446918.exe	76
PID 4152 wrote to memory of 2104	4152	v5446918.exe	76

C:\Users\Admin\AppData\Local\Temp\0f11340789ea01aef686a3c03f6a1760c0ee7c4871ee4a18e8aa9873181e5b37.exe
"C:\Users\Admin\AppData\Local\Temp\0f11340789ea01aef686a3c03f6a1760c0ee7c4871ee4a18e8aa9873181e5b37.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0095841.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0095841.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8523941.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8523941.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5446918.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5446918.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4152
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0622857.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0622857.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5512686.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5512686.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1579028.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1579028.exe
        6⤵
        Executes dropped EXE
        
        PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7730462.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7730462.exe
        5⤵
        Executes dropped EXE
        
        PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0095841.exe

Filesize
720KB

MD5
380527ef11f9a991e0785063305de45b

SHA1
9d71e4c10e1e50ccbe43574017e3f1ac1bf400ad

SHA256
c96a1c98b289b7eac4443d95fc00416424575d4c578f923dd6052960b77e0167

SHA512
56cd83be8df0c31dce9d8363f60a0c588fbc29254a4256cfa03bc52fd2c6015531aaf5c43eafdf0322ae2e6ce768f198f92f32c91e7629055d77fe4d99eed02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0095841.exe

Filesize
720KB

MD5
380527ef11f9a991e0785063305de45b

SHA1
9d71e4c10e1e50ccbe43574017e3f1ac1bf400ad

SHA256
c96a1c98b289b7eac4443d95fc00416424575d4c578f923dd6052960b77e0167

SHA512
56cd83be8df0c31dce9d8363f60a0c588fbc29254a4256cfa03bc52fd2c6015531aaf5c43eafdf0322ae2e6ce768f198f92f32c91e7629055d77fe4d99eed02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8523941.exe

Filesize
497KB

MD5
5d665b86b4f16611d44a80597682cf29

SHA1
a378787b8a8ec8a0529222cfa014ba907e0128b1

SHA256
ff64d87c99d979762dcf9dc6dc630b53c1c0f8e2e5fa37133dd60f50f55014a9

SHA512
3f45abbff46c6b89b7d67a92a57e7ec4447d587d3562b7efde2eccb874f3fa41ac6212bfee03337b35997109b80905f3423693e211f32007ba04534ca7187dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8523941.exe

Filesize
497KB

MD5
5d665b86b4f16611d44a80597682cf29

SHA1
a378787b8a8ec8a0529222cfa014ba907e0128b1

SHA256
ff64d87c99d979762dcf9dc6dc630b53c1c0f8e2e5fa37133dd60f50f55014a9

SHA512
3f45abbff46c6b89b7d67a92a57e7ec4447d587d3562b7efde2eccb874f3fa41ac6212bfee03337b35997109b80905f3423693e211f32007ba04534ca7187dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5446918.exe

Filesize
372KB

MD5
8dafb63512c7961736783b79ee017d67

SHA1
c8da94c8075d68f6207ddbb69d92ead458fadeaf

SHA256
07005cc59012f59b334e101d556d4adcc55f885c4feb5c26319574057c2c6b67

SHA512
395ee7df22dca90a2ce24999fd5cc65f2e7d4c4bec026c658940000d520aae0a6233dbaedb176b5a6d9c21fc4124af1b4c9a86d8acf3c39538900cd30d784ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5446918.exe

Filesize
372KB

MD5
8dafb63512c7961736783b79ee017d67

SHA1
c8da94c8075d68f6207ddbb69d92ead458fadeaf

SHA256
07005cc59012f59b334e101d556d4adcc55f885c4feb5c26319574057c2c6b67

SHA512
395ee7df22dca90a2ce24999fd5cc65f2e7d4c4bec026c658940000d520aae0a6233dbaedb176b5a6d9c21fc4124af1b4c9a86d8acf3c39538900cd30d784ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7730462.exe

Filesize
173KB

MD5
3b2fc6c0ae4552d60fed423d208f09fc

SHA1
5490af3c6ef5fb2fcbf44c6649458837180be32f

SHA256
6f35fb24b416016e2e036cde81ec758974918386f53c81874ce1086e14a3315b

SHA512
8905af33804fb62c30c856b6e49f51877937c5fa1239a565803092e4377973070e53e31d32856369dafa517fbb0469887c9129f09e3ee529395951a1dd407949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7730462.exe

Filesize
173KB

MD5
3b2fc6c0ae4552d60fed423d208f09fc

SHA1
5490af3c6ef5fb2fcbf44c6649458837180be32f

SHA256
6f35fb24b416016e2e036cde81ec758974918386f53c81874ce1086e14a3315b

SHA512
8905af33804fb62c30c856b6e49f51877937c5fa1239a565803092e4377973070e53e31d32856369dafa517fbb0469887c9129f09e3ee529395951a1dd407949

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0622857.exe

Filesize
217KB

MD5
5172c5b08b2cc986083a50600e624c32

SHA1
66a473e908dbfebeb841cac56fe1f79716d753b3

SHA256
20d796ffd9b87af241021e346863a5eceb0eac8053e368584cd6bc1017e117b8

SHA512
5061bff876d3a95745e690a81028fce56c18b6551cc24214c10a51855a3c7d909ead889ffe9aae5bbd9d8d31da21b54f221838bf46136144cfcdd0f59abd6fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0622857.exe

Filesize
217KB

MD5
5172c5b08b2cc986083a50600e624c32

SHA1
66a473e908dbfebeb841cac56fe1f79716d753b3

SHA256
20d796ffd9b87af241021e346863a5eceb0eac8053e368584cd6bc1017e117b8

SHA512
5061bff876d3a95745e690a81028fce56c18b6551cc24214c10a51855a3c7d909ead889ffe9aae5bbd9d8d31da21b54f221838bf46136144cfcdd0f59abd6fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5512686.exe

Filesize
15KB

MD5
44b823d259663278cd7f040ff89d76d4

SHA1
270208ff7e0ab6d988ceb0a83aa8306124f970cf

SHA256
ca44f43058fe6042684cef04fd066e50f9e97ec8124e3ffc63180d3603362045

SHA512
c9d67dae3f2aaa555739e0b88dc4c15b12a6adf763e4b25800e54699b1bf643e4000e56cad4717e5e21c11c749016cfd14add1837a6d51e50a5564a616dfd649

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5512686.exe

Filesize
15KB

MD5
44b823d259663278cd7f040ff89d76d4

SHA1
270208ff7e0ab6d988ceb0a83aa8306124f970cf

SHA256
ca44f43058fe6042684cef04fd066e50f9e97ec8124e3ffc63180d3603362045

SHA512
c9d67dae3f2aaa555739e0b88dc4c15b12a6adf763e4b25800e54699b1bf643e4000e56cad4717e5e21c11c749016cfd14add1837a6d51e50a5564a616dfd649

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1579028.exe

Filesize
140KB

MD5
b0cd89f095f570751764f9fe7dd86ae3

SHA1
101125d951640d8f08f5e380b7b8c3ce8030a7f5

SHA256
6f7738f0e315d6ae38dc852f5258bf6e656bfbb9f01c6c0a0b9836e6356a5371

SHA512
705181acd062028cc1d772f4448872e3c6af824244aed400715b5892efa4a282ee1ba17874ff736e0419fff76d8025c5e00036968fc3b355f1021000006315ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1579028.exe

Filesize
140KB

MD5
b0cd89f095f570751764f9fe7dd86ae3

SHA1
101125d951640d8f08f5e380b7b8c3ce8030a7f5

SHA256
6f7738f0e315d6ae38dc852f5258bf6e656bfbb9f01c6c0a0b9836e6356a5371

SHA512
705181acd062028cc1d772f4448872e3c6af824244aed400715b5892efa4a282ee1ba17874ff736e0419fff76d8025c5e00036968fc3b355f1021000006315ac

Download Submit
memory/2104-46-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2104-45-0x0000000000BC0000-0x0000000000BF0000-memory.dmp

Filesize
192KB

Download
memory/2104-47-0x0000000002DF0000-0x0000000002DF6000-memory.dmp

Filesize
24KB

Download
memory/2104-48-0x000000000AE40000-0x000000000B446000-memory.dmp

Filesize
6.0MB

Download
memory/2104-49-0x000000000A9D0000-0x000000000AADA000-memory.dmp

Filesize
1.0MB

Download
memory/2104-50-0x000000000A900000-0x000000000A912000-memory.dmp

Filesize
72KB

Download
memory/2104-51-0x000000000A960000-0x000000000A99E000-memory.dmp

Filesize
248KB

Download
memory/2104-52-0x000000000AAE0000-0x000000000AB2B000-memory.dmp

Filesize
300KB

Download
memory/2104-53-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2500-38-0x00007FFCB18E0000-0x00007FFCB22CC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-36-0x00007FFCB18E0000-0x00007FFCB22CC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-35-0x00000000009E0000-0x00000000009EA000-memory.dmp

Filesize
40KB

Download