healer | a5f1ff76e32c1eb65f3a11e85ff56d2726a672384ff611aa40fe2194278f84cd

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2023 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5f1ff76e32c1eb65f3a11e85ff56d2726a672384ff611aa40fe2194278f84cd.exe
Size

929KB
MD5

b2b1e6dd11463a204d9c7a92bf6bd853
SHA1

d8bc4217c19343dd4032279a3e88032127045319
SHA256

a5f1ff76e32c1eb65f3a11e85ff56d2726a672384ff611aa40fe2194278f84cd
SHA512

e08bcbfc673c7c989bd69b7bd67c8425eeb943c7a969e377919797d252477a676be956c225d8dc8dfa0efded0d1324bf737c08c4fa7a08f3a514a2af25fc10b9
SSDEEP

24576:byb42P+B0gjALYcd0Rl7eB3LPZML/LWS:ObPP+BXMZ6rG3rZsDW

Score

10^/10

healer redline stas dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

stas

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000022ffd-33.dat	healer
behavioral1/files/0x0007000000022ffd-34.dat	healer
behavioral1/memory/5084-35-0x0000000000660000-0x000000000066A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q8896548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q8896548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q8896548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q8896548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q8896548.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q8896548.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2172	z8251413.exe
1884	z2646920.exe
2692	z5342853.exe
3644	z4674587.exe
5084	q8896548.exe
112	r9426331.exe
1044	s1709806.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q8896548.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8251413.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z2646920.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5342853.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4674587.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a5f1ff76e32c1eb65f3a11e85ff56d2726a672384ff611aa40fe2194278f84cd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5084	q8896548.exe
5084	q8896548.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5084	q8896548.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 2172	3960	a5f1ff76e32c1eb65f3a11e85ff56d2726a672384ff611aa40fe2194278f84cd.exe	84
PID 3960 wrote to memory of 2172	3960	a5f1ff76e32c1eb65f3a11e85ff56d2726a672384ff611aa40fe2194278f84cd.exe	84
PID 3960 wrote to memory of 2172	3960	a5f1ff76e32c1eb65f3a11e85ff56d2726a672384ff611aa40fe2194278f84cd.exe	84
PID 2172 wrote to memory of 1884	2172	z8251413.exe	85
PID 2172 wrote to memory of 1884	2172	z8251413.exe	85
PID 2172 wrote to memory of 1884	2172	z8251413.exe	85
PID 1884 wrote to memory of 2692	1884	z2646920.exe	87
PID 1884 wrote to memory of 2692	1884	z2646920.exe	87
PID 1884 wrote to memory of 2692	1884	z2646920.exe	87
PID 2692 wrote to memory of 3644	2692	z5342853.exe	88
PID 2692 wrote to memory of 3644	2692	z5342853.exe	88
PID 2692 wrote to memory of 3644	2692	z5342853.exe	88
PID 3644 wrote to memory of 5084	3644	z4674587.exe	89
PID 3644 wrote to memory of 5084	3644	z4674587.exe	89
PID 3644 wrote to memory of 112	3644	z4674587.exe	91
PID 3644 wrote to memory of 112	3644	z4674587.exe	91
PID 3644 wrote to memory of 112	3644	z4674587.exe	91
PID 2692 wrote to memory of 1044	2692	z5342853.exe	92
PID 2692 wrote to memory of 1044	2692	z5342853.exe	92
PID 2692 wrote to memory of 1044	2692	z5342853.exe	92

C:\Users\Admin\AppData\Local\Temp\a5f1ff76e32c1eb65f3a11e85ff56d2726a672384ff611aa40fe2194278f84cd.exe
"C:\Users\Admin\AppData\Local\Temp\a5f1ff76e32c1eb65f3a11e85ff56d2726a672384ff611aa40fe2194278f84cd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8251413.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8251413.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2646920.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2646920.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5342853.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5342853.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4674587.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4674587.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8896548.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8896548.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9426331.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9426331.exe
        6⤵
        Executes dropped EXE
        
        PID:112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1709806.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1709806.exe
        5⤵
        Executes dropped EXE
        
        PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8251413.exe

Filesize
823KB

MD5
022e9e7a26e7a49a54b7b964e55d77d8

SHA1
f33e0dc717076814ad62779ddb8fa5a123c778df

SHA256
83e7f60dcffc0be6bdd4eec6abedc4d69160fb160ef081620bcf9be92edad249

SHA512
4124a879a59f5355d921bb1a641a857ae79735aaa6c8170d4fd08ac2e95fd84fc8744ff6ee6218ffdfc4c460a5de7103531fed6b5c655b0a609ccfb172437595

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8251413.exe

Filesize
823KB

MD5
022e9e7a26e7a49a54b7b964e55d77d8

SHA1
f33e0dc717076814ad62779ddb8fa5a123c778df

SHA256
83e7f60dcffc0be6bdd4eec6abedc4d69160fb160ef081620bcf9be92edad249

SHA512
4124a879a59f5355d921bb1a641a857ae79735aaa6c8170d4fd08ac2e95fd84fc8744ff6ee6218ffdfc4c460a5de7103531fed6b5c655b0a609ccfb172437595

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2646920.exe

Filesize
597KB

MD5
6fef13171a191ea249a53c36a32da6f4

SHA1
48b188d5c1a00af3077a874482dd124717b24973

SHA256
1c56dea97bd3f2f199af0e4de7156bc53c04a95fc44d14a8838c31d42495efb3

SHA512
1ac19fa09ee35fb180b1395a4a2f0ae537fc73054841dfbb9efe56581f206187f0a907e247e9623247fadadec8edbdca81e5233f879d2f63176cd9e0c0923bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z2646920.exe

Filesize
597KB

MD5
6fef13171a191ea249a53c36a32da6f4

SHA1
48b188d5c1a00af3077a874482dd124717b24973

SHA256
1c56dea97bd3f2f199af0e4de7156bc53c04a95fc44d14a8838c31d42495efb3

SHA512
1ac19fa09ee35fb180b1395a4a2f0ae537fc73054841dfbb9efe56581f206187f0a907e247e9623247fadadec8edbdca81e5233f879d2f63176cd9e0c0923bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5342853.exe

Filesize
372KB

MD5
aad1dc4b328c87e7d53c6c3fe3c9af94

SHA1
99540ac0250ea5ece1a3731aa92e2dfd2bed4141

SHA256
3d76739a8c598ed2f4530b6eba732c6f92c0f1752cd522d974b6db7c1740c091

SHA512
d859d2a4805a1388ad5e94991bb6eaf9f30143d5d86b0891728667307069cb6bab729b48d38b4e631284de3eb5d4bb7945944dacfceb0c0070dc0d199681f6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5342853.exe

Filesize
372KB

MD5
aad1dc4b328c87e7d53c6c3fe3c9af94

SHA1
99540ac0250ea5ece1a3731aa92e2dfd2bed4141

SHA256
3d76739a8c598ed2f4530b6eba732c6f92c0f1752cd522d974b6db7c1740c091

SHA512
d859d2a4805a1388ad5e94991bb6eaf9f30143d5d86b0891728667307069cb6bab729b48d38b4e631284de3eb5d4bb7945944dacfceb0c0070dc0d199681f6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1709806.exe

Filesize
175KB

MD5
414d69f3bd1f11bb208ef38642d76037

SHA1
eea6d60fee5e213df8b63e6b7d3a4cfb2b75899f

SHA256
051c7db1cf8835ff9a014e54857c6222bbc8980405d254f561f3f37e508f1376

SHA512
8677c9fac5d281d51f8873e3e9e6b71b6cffc9fa4364f233e8560800c05cbb14bf9b437735baff4c31974c30b2328e670ce23c916d101d0c2056d985fdb2f39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1709806.exe

Filesize
175KB

MD5
414d69f3bd1f11bb208ef38642d76037

SHA1
eea6d60fee5e213df8b63e6b7d3a4cfb2b75899f

SHA256
051c7db1cf8835ff9a014e54857c6222bbc8980405d254f561f3f37e508f1376

SHA512
8677c9fac5d281d51f8873e3e9e6b71b6cffc9fa4364f233e8560800c05cbb14bf9b437735baff4c31974c30b2328e670ce23c916d101d0c2056d985fdb2f39a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4674587.exe

Filesize
217KB

MD5
51df2374d4462c413257521b40f4d344

SHA1
78e0bcbd8a5df2644d070841dfcb8eadf1a8a536

SHA256
3cefd5e0152c92dd6a0a17cbc1f2b30ccae092111e50a9d6d44c39abf2cf44aa

SHA512
ed3bda1af3077ebbe70cbb6ba97b271a0dda0dbb6f597cff789b1a680a1b3c852a39f9c4ad4f5f1f96144a1295f2b77ef4483b9282d920d99a80fdc525947467

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4674587.exe

Filesize
217KB

MD5
51df2374d4462c413257521b40f4d344

SHA1
78e0bcbd8a5df2644d070841dfcb8eadf1a8a536

SHA256
3cefd5e0152c92dd6a0a17cbc1f2b30ccae092111e50a9d6d44c39abf2cf44aa

SHA512
ed3bda1af3077ebbe70cbb6ba97b271a0dda0dbb6f597cff789b1a680a1b3c852a39f9c4ad4f5f1f96144a1295f2b77ef4483b9282d920d99a80fdc525947467

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8896548.exe

Filesize
16KB

MD5
8234212ee3a13a8c659d45bb12c8c9dd

SHA1
832a0bfeec93513d02b20a8e3d7fb7052080a742

SHA256
44876b170e48a2f4b09a6c8159a7a8d1fef390f8aba294ffd9a477b8b7450d2b

SHA512
0b99baf1979194c729bdc242b3aedca44ff52a64af42b322cdd29b4feb6a0d37d665a47cc7a2195f2fdad69871e3dcbb2e26712d53dc2d992da7137776f9fffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8896548.exe

Filesize
16KB

MD5
8234212ee3a13a8c659d45bb12c8c9dd

SHA1
832a0bfeec93513d02b20a8e3d7fb7052080a742

SHA256
44876b170e48a2f4b09a6c8159a7a8d1fef390f8aba294ffd9a477b8b7450d2b

SHA512
0b99baf1979194c729bdc242b3aedca44ff52a64af42b322cdd29b4feb6a0d37d665a47cc7a2195f2fdad69871e3dcbb2e26712d53dc2d992da7137776f9fffe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9426331.exe

Filesize
140KB

MD5
354e5441a83d49c2449a5a905b82c64c

SHA1
bb94a8601ae5357b61b4348a663c71ea5daf5f40

SHA256
c1454b35eb044a8cd9ee7637c62671f02920b5a346e1669dbfcc4a1647bcb791

SHA512
202ceaa9c517117d84975502c332afa179caa49e8a57caecef8c57bf3e8e3c3df696cd80a6457236884978601cc785a20467622ef34b2a8ae3e8b410c395f194

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9426331.exe

Filesize
140KB

MD5
354e5441a83d49c2449a5a905b82c64c

SHA1
bb94a8601ae5357b61b4348a663c71ea5daf5f40

SHA256
c1454b35eb044a8cd9ee7637c62671f02920b5a346e1669dbfcc4a1647bcb791

SHA512
202ceaa9c517117d84975502c332afa179caa49e8a57caecef8c57bf3e8e3c3df696cd80a6457236884978601cc785a20467622ef34b2a8ae3e8b410c395f194

Download Submit
memory/1044-46-0x0000000000D70000-0x0000000000DA0000-memory.dmp

Filesize
192KB

Download
memory/1044-45-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1044-47-0x000000000B1C0000-0x000000000B7D8000-memory.dmp

Filesize
6.1MB

Download
memory/1044-48-0x000000000AD10000-0x000000000AE1A000-memory.dmp

Filesize
1.0MB

Download
memory/1044-49-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/1044-50-0x000000000AC50000-0x000000000AC62000-memory.dmp

Filesize
72KB

Download
memory/1044-51-0x000000000ACB0000-0x000000000ACEC000-memory.dmp

Filesize
240KB

Download
memory/1044-52-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/1044-53-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/5084-38-0x00007FFD37F20000-0x00007FFD389E1000-memory.dmp

Filesize
10.8MB

Download
memory/5084-36-0x00007FFD37F20000-0x00007FFD389E1000-memory.dmp

Filesize
10.8MB

Download
memory/5084-35-0x0000000000660000-0x000000000066A000-memory.dmp

Filesize
40KB

Download