healer | 9cfc92fd12351dd80d6637b9a8407e263f1f8239ce94877fa6947d000c9e2a43

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 22:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9cfc92fd12351dd80d6637b9a8407e263f1f8239ce94877fa6947d000c9e2a43.exe
Size

829KB
MD5

c3b6eec3a86933bfb3e05d116631abbf
SHA1

713c7c7ac552b59e41abb45c325aad09dac9381b
SHA256

9cfc92fd12351dd80d6637b9a8407e263f1f8239ce94877fa6947d000c9e2a43
SHA512

b499267ae5d80e278044aaf76cacb684ba60baaa1c350c78fa4689c9b6f82cc74a034613dcebfc663db30050d136ba03897c428dc38734dc9a33b87dfdc3b14a
SSDEEP

24576:My6n39z317/thu9IX/tL1FlbM9ZyVh5dgS:76n3V1Cm11FSZw5d

Score

10^/10

healer redline stas dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

stas

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023228-34.dat	healer
behavioral1/files/0x0008000000023228-33.dat	healer
behavioral1/memory/4240-35-0x00000000001C0000-0x00000000001CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1541767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1541767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1541767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1541767.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1541767.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1541767.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4524	v7692079.exe
180	v0398672.exe
2652	v5800060.exe
1924	v4847853.exe
4240	a1541767.exe
924	b8734641.exe
3528	c9268234.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1541767.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9cfc92fd12351dd80d6637b9a8407e263f1f8239ce94877fa6947d000c9e2a43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7692079.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0398672.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5800060.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4847853.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4240	a1541767.exe
4240	a1541767.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4240	a1541767.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 472 wrote to memory of 4524	472	9cfc92fd12351dd80d6637b9a8407e263f1f8239ce94877fa6947d000c9e2a43.exe	80
PID 472 wrote to memory of 4524	472	9cfc92fd12351dd80d6637b9a8407e263f1f8239ce94877fa6947d000c9e2a43.exe	80
PID 472 wrote to memory of 4524	472	9cfc92fd12351dd80d6637b9a8407e263f1f8239ce94877fa6947d000c9e2a43.exe	80
PID 4524 wrote to memory of 180	4524	v7692079.exe	81
PID 4524 wrote to memory of 180	4524	v7692079.exe	81
PID 4524 wrote to memory of 180	4524	v7692079.exe	81
PID 180 wrote to memory of 2652	180	v0398672.exe	82
PID 180 wrote to memory of 2652	180	v0398672.exe	82
PID 180 wrote to memory of 2652	180	v0398672.exe	82
PID 2652 wrote to memory of 1924	2652	v5800060.exe	83
PID 2652 wrote to memory of 1924	2652	v5800060.exe	83
PID 2652 wrote to memory of 1924	2652	v5800060.exe	83
PID 1924 wrote to memory of 4240	1924	v4847853.exe	84
PID 1924 wrote to memory of 4240	1924	v4847853.exe	84
PID 1924 wrote to memory of 924	1924	v4847853.exe	90
PID 1924 wrote to memory of 924	1924	v4847853.exe	90
PID 1924 wrote to memory of 924	1924	v4847853.exe	90
PID 2652 wrote to memory of 3528	2652	v5800060.exe	91
PID 2652 wrote to memory of 3528	2652	v5800060.exe	91
PID 2652 wrote to memory of 3528	2652	v5800060.exe	91

C:\Users\Admin\AppData\Local\Temp\9cfc92fd12351dd80d6637b9a8407e263f1f8239ce94877fa6947d000c9e2a43.exe
"C:\Users\Admin\AppData\Local\Temp\9cfc92fd12351dd80d6637b9a8407e263f1f8239ce94877fa6947d000c9e2a43.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:472
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7692079.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7692079.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0398672.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0398672.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:180
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5800060.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5800060.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4847853.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4847853.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1541767.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1541767.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8734641.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8734641.exe
        6⤵
        Executes dropped EXE
        
        PID:924
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9268234.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9268234.exe
        5⤵
        Executes dropped EXE
        
        PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7692079.exe

Filesize
723KB

MD5
e50f0e12ea8e1eafab772a6faec97d9b

SHA1
aadc78bec48d3cdb32aa2d4274c0ece056941dec

SHA256
53b252893dd9cf85b2f1832b92444a09426df6f214689e6a740b25f04d85de52

SHA512
ec0f90e39d4972911654a131126bfe58591424137e01f7c274e0194ca99c7d9b93470ab62056270bd77177094ba3906ed98d0ce5a3a1214ca05414a6902272bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7692079.exe

Filesize
723KB

MD5
e50f0e12ea8e1eafab772a6faec97d9b

SHA1
aadc78bec48d3cdb32aa2d4274c0ece056941dec

SHA256
53b252893dd9cf85b2f1832b92444a09426df6f214689e6a740b25f04d85de52

SHA512
ec0f90e39d4972911654a131126bfe58591424137e01f7c274e0194ca99c7d9b93470ab62056270bd77177094ba3906ed98d0ce5a3a1214ca05414a6902272bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0398672.exe

Filesize
497KB

MD5
8eb1d66844cb378216cf7d031e8b077b

SHA1
feaebaea4021cfd8b9fd31ff4e4993a71b29a2d9

SHA256
701627374d0b26f7c9c8f0d1b6d1a9d0c273eba204207f0f9da70f2a6fe4e58d

SHA512
d126d5cce19220cfe3aaf85b7108f7dbcbb53f9b9059276882f050ba4847ec43781efb54387f5361575838285ba377082f73a057a44d37384d411034c0541044

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0398672.exe

Filesize
497KB

MD5
8eb1d66844cb378216cf7d031e8b077b

SHA1
feaebaea4021cfd8b9fd31ff4e4993a71b29a2d9

SHA256
701627374d0b26f7c9c8f0d1b6d1a9d0c273eba204207f0f9da70f2a6fe4e58d

SHA512
d126d5cce19220cfe3aaf85b7108f7dbcbb53f9b9059276882f050ba4847ec43781efb54387f5361575838285ba377082f73a057a44d37384d411034c0541044

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5800060.exe

Filesize
372KB

MD5
aa41dc7cb6b07609fa11914877eb815d

SHA1
3eb7964adab5af6daf6da99d5ec6a9bbe4ccccc3

SHA256
f8325e33c13dbc97d72359356ab0784fdf65455e16a9540baa6184a67044d5c3

SHA512
69c10d23d217e17a733c6598fbeeef10277d8705f42de2f13086444c66ca09bc788dc3d7f798a21a23f432b54384a3692651ff2e0c84254597e8b6b6790e0cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5800060.exe

Filesize
372KB

MD5
aa41dc7cb6b07609fa11914877eb815d

SHA1
3eb7964adab5af6daf6da99d5ec6a9bbe4ccccc3

SHA256
f8325e33c13dbc97d72359356ab0784fdf65455e16a9540baa6184a67044d5c3

SHA512
69c10d23d217e17a733c6598fbeeef10277d8705f42de2f13086444c66ca09bc788dc3d7f798a21a23f432b54384a3692651ff2e0c84254597e8b6b6790e0cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9268234.exe

Filesize
175KB

MD5
2137c8e49b3fac5847be8581d77ad135

SHA1
4e533811ee31a04fccd88b4dfab8c9babd0e65b2

SHA256
394daadbfdfa037b34479b00a397ca96a079539798b0f48d613ab4cd5b65f567

SHA512
e204ee5f4ca696073583003a2b17bc4facb11f3bd1fad4967b8579aaf39e991ec133c48c2e81f148d1cabce0c1554ef257d55d765e787337e3b85a435b191597

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9268234.exe

Filesize
175KB

MD5
2137c8e49b3fac5847be8581d77ad135

SHA1
4e533811ee31a04fccd88b4dfab8c9babd0e65b2

SHA256
394daadbfdfa037b34479b00a397ca96a079539798b0f48d613ab4cd5b65f567

SHA512
e204ee5f4ca696073583003a2b17bc4facb11f3bd1fad4967b8579aaf39e991ec133c48c2e81f148d1cabce0c1554ef257d55d765e787337e3b85a435b191597

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4847853.exe

Filesize
217KB

MD5
75a079190aa748b5f4537c69755a1f38

SHA1
359b35fa1240198b26fcfdd3b300eb905287f358

SHA256
f9d843ece82ee868674d7f1a724210bf18870ef3cbd16d4870e812b27ccddd23

SHA512
c2a6fb549773749e6db1e39c0a4e8e1dbd4e410dbce2d5d95b612be0f561577fbdabf5c6d8041df00d7cee7ac655117902c732b18d31c5b0d10a38eefbfef72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4847853.exe

Filesize
217KB

MD5
75a079190aa748b5f4537c69755a1f38

SHA1
359b35fa1240198b26fcfdd3b300eb905287f358

SHA256
f9d843ece82ee868674d7f1a724210bf18870ef3cbd16d4870e812b27ccddd23

SHA512
c2a6fb549773749e6db1e39c0a4e8e1dbd4e410dbce2d5d95b612be0f561577fbdabf5c6d8041df00d7cee7ac655117902c732b18d31c5b0d10a38eefbfef72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1541767.exe

Filesize
16KB

MD5
0016de8a3ea20ee1efbef28c12efb71b

SHA1
a00620660b58b51cfe7563f38430c585c563e066

SHA256
3d430819f93ca65fd6338160d87e16cff61051274cbf06e62673c04a74e89612

SHA512
058b8528adfbf6cc0bdc6ad32ed760b35828ad5c4eb30566abc817808208b4caa71222e2afd6e4f8239076a72164859adc204e6417d451e03c09cc5f355c2d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1541767.exe

Filesize
16KB

MD5
0016de8a3ea20ee1efbef28c12efb71b

SHA1
a00620660b58b51cfe7563f38430c585c563e066

SHA256
3d430819f93ca65fd6338160d87e16cff61051274cbf06e62673c04a74e89612

SHA512
058b8528adfbf6cc0bdc6ad32ed760b35828ad5c4eb30566abc817808208b4caa71222e2afd6e4f8239076a72164859adc204e6417d451e03c09cc5f355c2d85

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8734641.exe

Filesize
140KB

MD5
5bfbf3ae916702ecf09a21b8acb584ca

SHA1
bcb07114b3fcf8cdc19c72e9fe42b7f326654615

SHA256
e7c8c5be20a3a1fbf7a97fe412d186ed5d986e62da82c51223395f3c8d9e6bb5

SHA512
a50dea3f7a5857d9abbad2a4a26803392a53d02e070a820d458ca48cd805a149440f925ec33a1045bb3fe68952cd7eb17aa285e9e397cd6dce7ff2a50d90fab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8734641.exe

Filesize
140KB

MD5
5bfbf3ae916702ecf09a21b8acb584ca

SHA1
bcb07114b3fcf8cdc19c72e9fe42b7f326654615

SHA256
e7c8c5be20a3a1fbf7a97fe412d186ed5d986e62da82c51223395f3c8d9e6bb5

SHA512
a50dea3f7a5857d9abbad2a4a26803392a53d02e070a820d458ca48cd805a149440f925ec33a1045bb3fe68952cd7eb17aa285e9e397cd6dce7ff2a50d90fab0

Download Submit
memory/3528-45-0x0000000000AE0000-0x0000000000B10000-memory.dmp

Filesize
192KB

Download
memory/3528-46-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3528-47-0x0000000005B70000-0x0000000006188000-memory.dmp

Filesize
6.1MB

Download
memory/3528-48-0x0000000005670000-0x000000000577A000-memory.dmp

Filesize
1.0MB

Download
memory/3528-49-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/3528-50-0x00000000055B0000-0x00000000055C2000-memory.dmp

Filesize
72KB

Download
memory/3528-51-0x0000000005610000-0x000000000564C000-memory.dmp

Filesize
240KB

Download
memory/3528-52-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/3528-53-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/4240-38-0x00007FFAE3440000-0x00007FFAE3F01000-memory.dmp

Filesize
10.8MB

Download
memory/4240-36-0x00007FFAE3440000-0x00007FFAE3F01000-memory.dmp

Filesize
10.8MB

Download
memory/4240-35-0x00000000001C0000-0x00000000001CA000-memory.dmp

Filesize
40KB

Download