healer | 7f1729fd0325ff6ce383a3ce24810eec50f7143c062ac958ca67dcfe4e0ec604

Analysis

max time kernel
146s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
28/08/2023, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f1729fd0325ff6ce383a3ce24810eec50f7143c062ac958ca67dcfe4e0ec604.exe
Size

828KB
MD5

124f290be8d18d42ca3e663c05f96a03
SHA1

d9a546e3fc761ec2206039d68c3714618c132158
SHA256

7f1729fd0325ff6ce383a3ce24810eec50f7143c062ac958ca67dcfe4e0ec604
SHA512

8ebccc937567fedb167d09a0eea2fbb1fd9171a5190d1a542f8a25d735f90cff3e28b5d30fde5a8148d727d6ce341ea236e3d8f0ed5677d59d65b8f3de49e6b3
SSDEEP

24576:uyuwj473lw3h5ToVj7TgxyZinDeU1fIf:9kZa8VLyiinf1w

Score

10^/10

healer redline stas dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

stas

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001aff0-33.dat	healer
behavioral1/files/0x000700000001aff0-34.dat	healer
behavioral1/memory/960-35-0x0000000000960000-0x000000000096A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7662609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7662609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7662609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7662609.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7662609.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
204	v7263942.exe
3064	v9018093.exe
4136	v5773550.exe
4204	v5250785.exe
960	a7662609.exe
4828	b4798248.exe
364	c7434238.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7662609.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7f1729fd0325ff6ce383a3ce24810eec50f7143c062ac958ca67dcfe4e0ec604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7263942.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9018093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5773550.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5250785.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
960	a7662609.exe
960	a7662609.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	960	a7662609.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4312 wrote to memory of 204	4312	7f1729fd0325ff6ce383a3ce24810eec50f7143c062ac958ca67dcfe4e0ec604.exe	70
PID 4312 wrote to memory of 204	4312	7f1729fd0325ff6ce383a3ce24810eec50f7143c062ac958ca67dcfe4e0ec604.exe	70
PID 4312 wrote to memory of 204	4312	7f1729fd0325ff6ce383a3ce24810eec50f7143c062ac958ca67dcfe4e0ec604.exe	70
PID 204 wrote to memory of 3064	204	v7263942.exe	71
PID 204 wrote to memory of 3064	204	v7263942.exe	71
PID 204 wrote to memory of 3064	204	v7263942.exe	71
PID 3064 wrote to memory of 4136	3064	v9018093.exe	72
PID 3064 wrote to memory of 4136	3064	v9018093.exe	72
PID 3064 wrote to memory of 4136	3064	v9018093.exe	72
PID 4136 wrote to memory of 4204	4136	v5773550.exe	73
PID 4136 wrote to memory of 4204	4136	v5773550.exe	73
PID 4136 wrote to memory of 4204	4136	v5773550.exe	73
PID 4204 wrote to memory of 960	4204	v5250785.exe	74
PID 4204 wrote to memory of 960	4204	v5250785.exe	74
PID 4204 wrote to memory of 4828	4204	v5250785.exe	75
PID 4204 wrote to memory of 4828	4204	v5250785.exe	75
PID 4204 wrote to memory of 4828	4204	v5250785.exe	75
PID 4136 wrote to memory of 364	4136	v5773550.exe	76
PID 4136 wrote to memory of 364	4136	v5773550.exe	76
PID 4136 wrote to memory of 364	4136	v5773550.exe	76

C:\Users\Admin\AppData\Local\Temp\7f1729fd0325ff6ce383a3ce24810eec50f7143c062ac958ca67dcfe4e0ec604.exe
"C:\Users\Admin\AppData\Local\Temp\7f1729fd0325ff6ce383a3ce24810eec50f7143c062ac958ca67dcfe4e0ec604.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7263942.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7263942.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9018093.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9018093.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5773550.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5773550.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5250785.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5250785.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4204
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7662609.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7662609.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4798248.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4798248.exe
        6⤵
        Executes dropped EXE
        
        PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7434238.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7434238.exe
        5⤵
        Executes dropped EXE
        
        PID:364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7263942.exe

Filesize
723KB

MD5
d932778fad3142cf309b2984e054fdc9

SHA1
460a1f3d2a8b62d1d7b856b54d4c0d851f9a245d

SHA256
7e68eeef216de08e990cac5a2acb23427bab724fa886a7c42553e241815bd57b

SHA512
d883914afef679c5a8a4c7a9351336b1f3f44ecb12de3619ba3a1831c291a452071abeca7550407e0c4893a23a8e581624829e9d356ecf196037fe5776759219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7263942.exe

Filesize
723KB

MD5
d932778fad3142cf309b2984e054fdc9

SHA1
460a1f3d2a8b62d1d7b856b54d4c0d851f9a245d

SHA256
7e68eeef216de08e990cac5a2acb23427bab724fa886a7c42553e241815bd57b

SHA512
d883914afef679c5a8a4c7a9351336b1f3f44ecb12de3619ba3a1831c291a452071abeca7550407e0c4893a23a8e581624829e9d356ecf196037fe5776759219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9018093.exe

Filesize
497KB

MD5
76cb38929cc0cc72a0a21e812df8f82b

SHA1
d6d2785c269337a9d4db25626e188e98b6c37f89

SHA256
d4a3c410a8aff6c5d9ecdfe1e23680f04d8b9c152d5db3c5e887bc00914f9f50

SHA512
d01794388fc90378eed5f01de9a8bd04e7c86745c8403bba1e19d8cf6138952bbad8406c3c511f792e3530ceece15eb6ad5218678de45898ebb9f071984fc687

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9018093.exe

Filesize
497KB

MD5
76cb38929cc0cc72a0a21e812df8f82b

SHA1
d6d2785c269337a9d4db25626e188e98b6c37f89

SHA256
d4a3c410a8aff6c5d9ecdfe1e23680f04d8b9c152d5db3c5e887bc00914f9f50

SHA512
d01794388fc90378eed5f01de9a8bd04e7c86745c8403bba1e19d8cf6138952bbad8406c3c511f792e3530ceece15eb6ad5218678de45898ebb9f071984fc687

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5773550.exe

Filesize
373KB

MD5
26dc330bf4f307f1765792b0c127bfc7

SHA1
18a91e5e2b52c40734b9f42c0674b44d34b036b3

SHA256
b4157cd4545edcea652903c4f18a09abbe4e0e97d9d40e7b4ea34f4e5e47202c

SHA512
e7e7e47f9c1fa50f87e60b61f57746648f7bacb55370850f86c91bbeb724c0165895f45517d4f7ed1a310765635911a5f9ed86d2899ec0e90bdd720861afad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5773550.exe

Filesize
373KB

MD5
26dc330bf4f307f1765792b0c127bfc7

SHA1
18a91e5e2b52c40734b9f42c0674b44d34b036b3

SHA256
b4157cd4545edcea652903c4f18a09abbe4e0e97d9d40e7b4ea34f4e5e47202c

SHA512
e7e7e47f9c1fa50f87e60b61f57746648f7bacb55370850f86c91bbeb724c0165895f45517d4f7ed1a310765635911a5f9ed86d2899ec0e90bdd720861afad81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7434238.exe

Filesize
174KB

MD5
5c02512f3fab4aa13fd7af14ac287ca4

SHA1
2ee3bbccbe22302adc9718acf8afc4213a25c33e

SHA256
b71bd6c3e6d272491449a27d4cc32835e47f7af777a7f74012976d7bb68a20b0

SHA512
5cda53d94e32838e04a74660ef9d5026fe1a8f403d27a197105189129ea08c63a665bb7071a49187d0b19be22d0b8820fc82e41495744251e02accd7b0c15894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7434238.exe

Filesize
174KB

MD5
5c02512f3fab4aa13fd7af14ac287ca4

SHA1
2ee3bbccbe22302adc9718acf8afc4213a25c33e

SHA256
b71bd6c3e6d272491449a27d4cc32835e47f7af777a7f74012976d7bb68a20b0

SHA512
5cda53d94e32838e04a74660ef9d5026fe1a8f403d27a197105189129ea08c63a665bb7071a49187d0b19be22d0b8820fc82e41495744251e02accd7b0c15894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5250785.exe

Filesize
217KB

MD5
44b2555323bae78105d865b99c317c2c

SHA1
302bbdb575cf115a3e9000ec1f756dd2c56d0a4b

SHA256
710727139cd14606f2ec3832a472ba88c2a14996a5642ef421db4ccba92bcc7e

SHA512
f78f1a28c3c0d5c86f92228a8926fb72d5e25d602e0027f303f451df316f6dc4663a9fc31b51b7aa8e8ed96bc51c2d8fabb762e9cf1cc685fa4844ecc6d935e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5250785.exe

Filesize
217KB

MD5
44b2555323bae78105d865b99c317c2c

SHA1
302bbdb575cf115a3e9000ec1f756dd2c56d0a4b

SHA256
710727139cd14606f2ec3832a472ba88c2a14996a5642ef421db4ccba92bcc7e

SHA512
f78f1a28c3c0d5c86f92228a8926fb72d5e25d602e0027f303f451df316f6dc4663a9fc31b51b7aa8e8ed96bc51c2d8fabb762e9cf1cc685fa4844ecc6d935e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7662609.exe

Filesize
15KB

MD5
dbbe1b9e3565e00454b9692d72fa81fd

SHA1
6e1cbed9bdae1985426b849d055c407e12e15f6d

SHA256
701abad9353d50bbc4b24864acbc82e4a43cae87171eca00da47e5b93df4b660

SHA512
ce0150aa87e37d933a5b068a43da4a299238d7697ec111b22e2ccff02c7e6d78508c2590d732587e3f8f8eb55e72514d002aaac620894663ecdc77844b98ba0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a7662609.exe

Filesize
15KB

MD5
dbbe1b9e3565e00454b9692d72fa81fd

SHA1
6e1cbed9bdae1985426b849d055c407e12e15f6d

SHA256
701abad9353d50bbc4b24864acbc82e4a43cae87171eca00da47e5b93df4b660

SHA512
ce0150aa87e37d933a5b068a43da4a299238d7697ec111b22e2ccff02c7e6d78508c2590d732587e3f8f8eb55e72514d002aaac620894663ecdc77844b98ba0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4798248.exe

Filesize
140KB

MD5
630b4bd4b947f97752194b86b24b31d7

SHA1
195458b1c21d01bd601be3aa01394300a2046eda

SHA256
4914b2f312c6cf8c815676edc3a9740f95c9e7a16d81b39ce82b06ccdc690d64

SHA512
5270e841b520aff8f29bbb1e9acbb155baf4ee50cde828d60d5eca04420a37d73310923fe0734c74350f34a4ee7d750ab003f4d7f82e993fe109f110fba1fc4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4798248.exe

Filesize
140KB

MD5
630b4bd4b947f97752194b86b24b31d7

SHA1
195458b1c21d01bd601be3aa01394300a2046eda

SHA256
4914b2f312c6cf8c815676edc3a9740f95c9e7a16d81b39ce82b06ccdc690d64

SHA512
5270e841b520aff8f29bbb1e9acbb155baf4ee50cde828d60d5eca04420a37d73310923fe0734c74350f34a4ee7d750ab003f4d7f82e993fe109f110fba1fc4b

Download Submit
memory/364-45-0x0000000000D90000-0x0000000000DC0000-memory.dmp

Filesize
192KB

Download
memory/364-46-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/364-47-0x00000000030C0000-0x00000000030C6000-memory.dmp

Filesize
24KB

Download
memory/364-48-0x000000000B1A0000-0x000000000B7A6000-memory.dmp

Filesize
6.0MB

Download
memory/364-49-0x000000000ACE0000-0x000000000ADEA000-memory.dmp

Filesize
1.0MB

Download
memory/364-50-0x000000000AC10000-0x000000000AC22000-memory.dmp

Filesize
72KB

Download
memory/364-51-0x000000000AC70000-0x000000000ACAE000-memory.dmp

Filesize
248KB

Download
memory/364-52-0x000000000ADF0000-0x000000000AE3B000-memory.dmp

Filesize
300KB

Download
memory/364-53-0x0000000073A00000-0x00000000740EE000-memory.dmp

Filesize
6.9MB

Download
memory/960-38-0x00007FFDE89E0000-0x00007FFDE93CC000-memory.dmp

Filesize
9.9MB

Download
memory/960-36-0x00007FFDE89E0000-0x00007FFDE93CC000-memory.dmp

Filesize
9.9MB

Download
memory/960-35-0x0000000000960000-0x000000000096A000-memory.dmp

Filesize
40KB

Download