healer | d9c55523ab287281fb0b8e9638570193fb991e03c3fa62795b2805d3fd41247e

Analysis

max time kernel
146s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
27/08/2023, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9c55523ab287281fb0b8e9638570193fb991e03c3fa62795b2805d3fd41247e.exe
Size

826KB
MD5

117bf634d70e27870b32d2e3b390db61
SHA1

bcb98ee589428aa941aad060073b11b4e8b6f383
SHA256

d9c55523ab287281fb0b8e9638570193fb991e03c3fa62795b2805d3fd41247e
SHA512

851042e5e92d2cfbc43d8a4d7432753217426bcfb9552301c02933c48d96149798643457a09a37fafff700283cd35f979fdadb6eb624cbbbba567c0157ba0b26
SSDEEP

12288:WMr8y905IbwkUlz+VJEFayGDb7mjTvrMTZ9cvLEU958DJSpSoBkDkkN1x1x6w:uyXskUlz1aO/vrMMYWQRoyksxL6w

Score

10^/10

healer redline nrava dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nrava

77.91.124.82:19071

Attributes

auth_value
43fe50e9ee6afb85588e03ac9676e2f7

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b063-33.dat	healer
behavioral1/files/0x000700000001b063-34.dat	healer
behavioral1/memory/164-35-0x00000000000C0000-0x00000000000CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9061137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9061137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9061137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9061137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9061137.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001b061-43.dat	family_redline
behavioral1/files/0x000600000001b061-44.dat	family_redline
behavioral1/memory/3240-45-0x0000000000C50000-0x0000000000C80000-memory.dmp	family_redline

Executes dropped EXE 7 IoCs

pid	Process
4676	v9195503.exe
320	v3320296.exe
3112	v2118420.exe
1424	v2721210.exe
164	a9061137.exe
1128	b4033647.exe
3240	c8610590.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9061137.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9c55523ab287281fb0b8e9638570193fb991e03c3fa62795b2805d3fd41247e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9195503.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3320296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2118420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2721210.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
164	a9061137.exe
164	a9061137.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	164	a9061137.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4676	4588	d9c55523ab287281fb0b8e9638570193fb991e03c3fa62795b2805d3fd41247e.exe	70
PID 4588 wrote to memory of 4676	4588	d9c55523ab287281fb0b8e9638570193fb991e03c3fa62795b2805d3fd41247e.exe	70
PID 4588 wrote to memory of 4676	4588	d9c55523ab287281fb0b8e9638570193fb991e03c3fa62795b2805d3fd41247e.exe	70
PID 4676 wrote to memory of 320	4676	v9195503.exe	71
PID 4676 wrote to memory of 320	4676	v9195503.exe	71
PID 4676 wrote to memory of 320	4676	v9195503.exe	71
PID 320 wrote to memory of 3112	320	v3320296.exe	72
PID 320 wrote to memory of 3112	320	v3320296.exe	72
PID 320 wrote to memory of 3112	320	v3320296.exe	72
PID 3112 wrote to memory of 1424	3112	v2118420.exe	73
PID 3112 wrote to memory of 1424	3112	v2118420.exe	73
PID 3112 wrote to memory of 1424	3112	v2118420.exe	73
PID 1424 wrote to memory of 164	1424	v2721210.exe	74
PID 1424 wrote to memory of 164	1424	v2721210.exe	74
PID 1424 wrote to memory of 1128	1424	v2721210.exe	75
PID 1424 wrote to memory of 1128	1424	v2721210.exe	75
PID 1424 wrote to memory of 1128	1424	v2721210.exe	75
PID 3112 wrote to memory of 3240	3112	v2118420.exe	76
PID 3112 wrote to memory of 3240	3112	v2118420.exe	76
PID 3112 wrote to memory of 3240	3112	v2118420.exe	76

C:\Users\Admin\AppData\Local\Temp\d9c55523ab287281fb0b8e9638570193fb991e03c3fa62795b2805d3fd41247e.exe
"C:\Users\Admin\AppData\Local\Temp\d9c55523ab287281fb0b8e9638570193fb991e03c3fa62795b2805d3fd41247e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9195503.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9195503.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3320296.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3320296.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2118420.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2118420.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2721210.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2721210.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9061137.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9061137.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:164
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4033647.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4033647.exe
        6⤵
        Executes dropped EXE
        
        PID:1128
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8610590.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8610590.exe
        5⤵
        Executes dropped EXE
        
        PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9195503.exe

Filesize
723KB

MD5
78766970a97263f5b7abfcb82a5424d5

SHA1
a45baa418afb96361ebbff0c460fb096370fe4f5

SHA256
b6d600252ba928456dd7e47aad777e6762af4ae9ec6cdab92d1bf48dbdae5b64

SHA512
99e850a9df489796932ee713eae66c5aed7c878b66f46cdeae5891b9aeed555a0967b9e90860d77e6f104d02260a9dc11aa2ef645fc1df059feed0eae4546a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9195503.exe

Filesize
723KB

MD5
78766970a97263f5b7abfcb82a5424d5

SHA1
a45baa418afb96361ebbff0c460fb096370fe4f5

SHA256
b6d600252ba928456dd7e47aad777e6762af4ae9ec6cdab92d1bf48dbdae5b64

SHA512
99e850a9df489796932ee713eae66c5aed7c878b66f46cdeae5891b9aeed555a0967b9e90860d77e6f104d02260a9dc11aa2ef645fc1df059feed0eae4546a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3320296.exe

Filesize
497KB

MD5
1b9d97378df62b29f4e47080576c0628

SHA1
032882b10004ad06ca4ebb64967e773c5f89e590

SHA256
10341316bb4a190aecbdd37d945fd87fc7244de9c9bcfd3e012048beea78f079

SHA512
abebe49081832050ebe969722cbda3e2b5c640eec849a5d039fa977454558e464fa46ba2de6e590ce259c734f607dd29cd2122c99089ed14bf0ad0416983bac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3320296.exe

Filesize
497KB

MD5
1b9d97378df62b29f4e47080576c0628

SHA1
032882b10004ad06ca4ebb64967e773c5f89e590

SHA256
10341316bb4a190aecbdd37d945fd87fc7244de9c9bcfd3e012048beea78f079

SHA512
abebe49081832050ebe969722cbda3e2b5c640eec849a5d039fa977454558e464fa46ba2de6e590ce259c734f607dd29cd2122c99089ed14bf0ad0416983bac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2118420.exe

Filesize
372KB

MD5
5b691ad4f552a17fc34f804f9ae9568f

SHA1
221012c6fa7c16523da998cf45a1692f888e9026

SHA256
fb31cca8bac2994253ae813ebf96af1ed5f47f0f71ee7e7d6fa36586e5cad0f3

SHA512
772d8b01314eff26215ac8979c5438724a499f1bbb00636265a64c13d4ac2236e1a49de14a5efeb55ffec5648b9421d54434f7f1ec183546065a47c97a0ce13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2118420.exe

Filesize
372KB

MD5
5b691ad4f552a17fc34f804f9ae9568f

SHA1
221012c6fa7c16523da998cf45a1692f888e9026

SHA256
fb31cca8bac2994253ae813ebf96af1ed5f47f0f71ee7e7d6fa36586e5cad0f3

SHA512
772d8b01314eff26215ac8979c5438724a499f1bbb00636265a64c13d4ac2236e1a49de14a5efeb55ffec5648b9421d54434f7f1ec183546065a47c97a0ce13c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8610590.exe

Filesize
174KB

MD5
22d0002151da1ae9fb7a4e803381ae37

SHA1
fc61ad8bfd0050973ab8b2158c29b144ba493dca

SHA256
aecf28f453359a207c4f537a454650898e42158d677f8f5c10a8e2e94c454f90

SHA512
b36f979151dd4954f3ff8c7237ce27774eba547d0cd7e03a841548706b24da3435c776b277cb8ce0605c86115d3b53ea58abbb0a9d0ea3ed1a51256e28fd369e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8610590.exe

Filesize
174KB

MD5
22d0002151da1ae9fb7a4e803381ae37

SHA1
fc61ad8bfd0050973ab8b2158c29b144ba493dca

SHA256
aecf28f453359a207c4f537a454650898e42158d677f8f5c10a8e2e94c454f90

SHA512
b36f979151dd4954f3ff8c7237ce27774eba547d0cd7e03a841548706b24da3435c776b277cb8ce0605c86115d3b53ea58abbb0a9d0ea3ed1a51256e28fd369e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2721210.exe

Filesize
217KB

MD5
0189d02535f2fb049afe4bc34dded2f8

SHA1
002a39fab4c8ce0dcfcf6e4400c2ce14fbd96ab7

SHA256
2e6b34a2bf311b7654dd317902650c9b9aacaa5f4140f91ce9334a865ebca765

SHA512
7c55ce35df736be73fcbed20e0711c38d157f3acb1932173c9e6c5fa6694da8443cba6e8b7eb870835cd0fd8a1809ed1b0b4530feda05bc980206dfa19e73c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2721210.exe

Filesize
217KB

MD5
0189d02535f2fb049afe4bc34dded2f8

SHA1
002a39fab4c8ce0dcfcf6e4400c2ce14fbd96ab7

SHA256
2e6b34a2bf311b7654dd317902650c9b9aacaa5f4140f91ce9334a865ebca765

SHA512
7c55ce35df736be73fcbed20e0711c38d157f3acb1932173c9e6c5fa6694da8443cba6e8b7eb870835cd0fd8a1809ed1b0b4530feda05bc980206dfa19e73c68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9061137.exe

Filesize
15KB

MD5
e8fad6f3bfe67106a4fcd7173cf2ffe6

SHA1
df2f0e31be72e84e0e80936675c996c7c2a221f4

SHA256
505db1821cd27940799a3b5a2891679f66e2ab70a44cd03d3fad600d790f74c9

SHA512
19a2d0445bb6be6e2dfac626b3d78a84a624a35dc4bfcd3cd3cde66e829ec14b7f7789d7a357e768cb3c0a135d570fd92940fd3796633a489e92c3c9b0a2c93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9061137.exe

Filesize
15KB

MD5
e8fad6f3bfe67106a4fcd7173cf2ffe6

SHA1
df2f0e31be72e84e0e80936675c996c7c2a221f4

SHA256
505db1821cd27940799a3b5a2891679f66e2ab70a44cd03d3fad600d790f74c9

SHA512
19a2d0445bb6be6e2dfac626b3d78a84a624a35dc4bfcd3cd3cde66e829ec14b7f7789d7a357e768cb3c0a135d570fd92940fd3796633a489e92c3c9b0a2c93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4033647.exe

Filesize
140KB

MD5
b01797c08bac1a25457e45e0f942aeba

SHA1
4b4442be857625fb037cb8a5153a4cd07c9e3327

SHA256
16db12a19c15ff6a81785b1b49236e6c5d3f0193bf2cfc9733baa60eac0304f3

SHA512
200acb6f8a8ad37ce69b8b1090c936885e2a6d7bf77c95b942d0b9396f3bd28e9c5f4eff3a95784451b1652fc2a92f09b544d14b4862e11557a2552ebefaddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4033647.exe

Filesize
140KB

MD5
b01797c08bac1a25457e45e0f942aeba

SHA1
4b4442be857625fb037cb8a5153a4cd07c9e3327

SHA256
16db12a19c15ff6a81785b1b49236e6c5d3f0193bf2cfc9733baa60eac0304f3

SHA512
200acb6f8a8ad37ce69b8b1090c936885e2a6d7bf77c95b942d0b9396f3bd28e9c5f4eff3a95784451b1652fc2a92f09b544d14b4862e11557a2552ebefaddd0

Download Submit
memory/164-38-0x00007FFB90D90000-0x00007FFB9177C000-memory.dmp

Filesize
9.9MB

Download
memory/164-36-0x00007FFB90D90000-0x00007FFB9177C000-memory.dmp

Filesize
9.9MB

Download
memory/164-35-0x00000000000C0000-0x00000000000CA000-memory.dmp

Filesize
40KB

Download
memory/3240-45-0x0000000000C50000-0x0000000000C80000-memory.dmp

Filesize
192KB

Download
memory/3240-46-0x0000000073190000-0x000000007387E000-memory.dmp

Filesize
6.9MB

Download
memory/3240-47-0x0000000002EE0000-0x0000000002EE6000-memory.dmp

Filesize
24KB

Download
memory/3240-48-0x000000000AFA0000-0x000000000B5A6000-memory.dmp

Filesize
6.0MB

Download
memory/3240-49-0x000000000AAA0000-0x000000000ABAA000-memory.dmp

Filesize
1.0MB

Download
memory/3240-50-0x000000000A990000-0x000000000A9A2000-memory.dmp

Filesize
72KB

Download
memory/3240-51-0x000000000A9F0000-0x000000000AA2E000-memory.dmp

Filesize
248KB

Download
memory/3240-52-0x000000000AA40000-0x000000000AA8B000-memory.dmp

Filesize
300KB

Download
memory/3240-53-0x0000000073190000-0x000000007387E000-memory.dmp

Filesize
6.9MB

Download