healer | 9c5bea7052f6a470c3fcb520b3785458684e006c0254ae0c0ac5631ed2454a08

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 05:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9c5bea7052f6a470c3fcb520b3785458684e006c0254ae0c0ac5631ed2454a08.exe
Size

821KB
MD5

ffd44cd0e293b6aadddf0e0c555e0abc
SHA1

a11275e7d6e1a79511471c81924bab617c84361d
SHA256

9c5bea7052f6a470c3fcb520b3785458684e006c0254ae0c0ac5631ed2454a08
SHA512

34857a479412f836c595e6ddec40af23d5fca429d5a22e7e7a14657ac8fec24a1a3696cc39952482015ed2db6cf1bae1ba4f655ab4eaa86cfef36e38683a4c19
SSDEEP

24576:Zydd/1uyvgNnOlrIZlLiYubl6yxP4Yfg/TfhJP:Mdd/1uyvgNnOlrGmJXd4Yfgrb

Score

10^/10

healer redline stas dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

stas

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023233-33.dat	healer
behavioral1/files/0x0007000000023233-34.dat	healer
behavioral1/memory/1960-35-0x0000000000C20000-0x0000000000C2A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0462440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0462440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0462440.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0462440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0462440.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0462440.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1520	v1581401.exe
736	v4433811.exe
112	v8730506.exe
2072	v3790751.exe
1960	a0462440.exe
2820	b9918546.exe
1964	c9584588.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0462440.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4433811.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8730506.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3790751.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9c5bea7052f6a470c3fcb520b3785458684e006c0254ae0c0ac5631ed2454a08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1581401.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1960	a0462440.exe
1960	a0462440.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	a0462440.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1520	956	9c5bea7052f6a470c3fcb520b3785458684e006c0254ae0c0ac5631ed2454a08.exe	81
PID 956 wrote to memory of 1520	956	9c5bea7052f6a470c3fcb520b3785458684e006c0254ae0c0ac5631ed2454a08.exe	81
PID 956 wrote to memory of 1520	956	9c5bea7052f6a470c3fcb520b3785458684e006c0254ae0c0ac5631ed2454a08.exe	81
PID 1520 wrote to memory of 736	1520	v1581401.exe	82
PID 1520 wrote to memory of 736	1520	v1581401.exe	82
PID 1520 wrote to memory of 736	1520	v1581401.exe	82
PID 736 wrote to memory of 112	736	v4433811.exe	83
PID 736 wrote to memory of 112	736	v4433811.exe	83
PID 736 wrote to memory of 112	736	v4433811.exe	83
PID 112 wrote to memory of 2072	112	v8730506.exe	84
PID 112 wrote to memory of 2072	112	v8730506.exe	84
PID 112 wrote to memory of 2072	112	v8730506.exe	84
PID 2072 wrote to memory of 1960	2072	v3790751.exe	85
PID 2072 wrote to memory of 1960	2072	v3790751.exe	85
PID 2072 wrote to memory of 2820	2072	v3790751.exe	91
PID 2072 wrote to memory of 2820	2072	v3790751.exe	91
PID 2072 wrote to memory of 2820	2072	v3790751.exe	91
PID 112 wrote to memory of 1964	112	v8730506.exe	92
PID 112 wrote to memory of 1964	112	v8730506.exe	92
PID 112 wrote to memory of 1964	112	v8730506.exe	92

C:\Users\Admin\AppData\Local\Temp\9c5bea7052f6a470c3fcb520b3785458684e006c0254ae0c0ac5631ed2454a08.exe
"C:\Users\Admin\AppData\Local\Temp\9c5bea7052f6a470c3fcb520b3785458684e006c0254ae0c0ac5631ed2454a08.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1581401.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1581401.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4433811.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4433811.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8730506.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8730506.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3790751.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3790751.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2072
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0462440.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0462440.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9918546.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9918546.exe
        6⤵
        Executes dropped EXE
        
        PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9584588.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9584588.exe
        5⤵
        Executes dropped EXE
        
        PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1581401.exe

Filesize
723KB

MD5
ad0d8389d92d3a735ace0ce9a938aff6

SHA1
060348f4aa5b790648df78b71e9b48c8d771b8dc

SHA256
940bd400f9f9add8d35b58a66dc1652880cb051b7e8993aadc2ac5c94ea586e6

SHA512
61af346a8a6e759099e0b5a9ca270e710a57eb8dbb3ed572637def0384f17f4c6ad023e83491009d9ff842eaaafaa3a4f94f4e55d3054105d0a76f3b4ab26cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1581401.exe

Filesize
723KB

MD5
ad0d8389d92d3a735ace0ce9a938aff6

SHA1
060348f4aa5b790648df78b71e9b48c8d771b8dc

SHA256
940bd400f9f9add8d35b58a66dc1652880cb051b7e8993aadc2ac5c94ea586e6

SHA512
61af346a8a6e759099e0b5a9ca270e710a57eb8dbb3ed572637def0384f17f4c6ad023e83491009d9ff842eaaafaa3a4f94f4e55d3054105d0a76f3b4ab26cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4433811.exe

Filesize
497KB

MD5
4929ba4c34ba6af247c5a0c8dce43667

SHA1
7be95cd8e97bf5230fe7c820a03ee778a8c4c08a

SHA256
fe53e31d29ceae2f1dbf61327c496028bba0120fca9b5a4632382660a521dca4

SHA512
d8da2120f1534a767ebe126338785d93224d7f8fdb91487b2243ef678a7c690d55cac278305a5f4b8afbef07fca8f5557c8899ef597768f4df19e2ed3fd87bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4433811.exe

Filesize
497KB

MD5
4929ba4c34ba6af247c5a0c8dce43667

SHA1
7be95cd8e97bf5230fe7c820a03ee778a8c4c08a

SHA256
fe53e31d29ceae2f1dbf61327c496028bba0120fca9b5a4632382660a521dca4

SHA512
d8da2120f1534a767ebe126338785d93224d7f8fdb91487b2243ef678a7c690d55cac278305a5f4b8afbef07fca8f5557c8899ef597768f4df19e2ed3fd87bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8730506.exe

Filesize
373KB

MD5
f05b526042264071d48c1e31d5a19605

SHA1
055bd22e1117e7cc21b71cab87934a44eb27289a

SHA256
6f083da88081a79fdbe8eb669c2acba354b0efb6684a28ec592ad5277fb78508

SHA512
ae7e33ebdd75fb14c8366c7a6caa8a090e6a4a484afe4071c39881aa04a7ae11b1f122586bf3be83c78436dd5dd45ed01c6c9fb310db6b5eb4754b3f8a292a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8730506.exe

Filesize
373KB

MD5
f05b526042264071d48c1e31d5a19605

SHA1
055bd22e1117e7cc21b71cab87934a44eb27289a

SHA256
6f083da88081a79fdbe8eb669c2acba354b0efb6684a28ec592ad5277fb78508

SHA512
ae7e33ebdd75fb14c8366c7a6caa8a090e6a4a484afe4071c39881aa04a7ae11b1f122586bf3be83c78436dd5dd45ed01c6c9fb310db6b5eb4754b3f8a292a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9584588.exe

Filesize
174KB

MD5
8b5831f8816e7e846880134f8132d950

SHA1
014f0c6fd6905afb4d6272473b5952a908065d59

SHA256
4f8b3e1791f353c46d77bc0e82ae7efe3ac9c20810242a583699cc4e8831d5d8

SHA512
bbb20a56f364659e17282ffadbea8f593390b2c0ba87deb213cf09d5dd340a09526a6a5f705664ac7d685660e888cbedb4a7c6704992fdd2fde19efb7615408e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9584588.exe

Filesize
174KB

MD5
8b5831f8816e7e846880134f8132d950

SHA1
014f0c6fd6905afb4d6272473b5952a908065d59

SHA256
4f8b3e1791f353c46d77bc0e82ae7efe3ac9c20810242a583699cc4e8831d5d8

SHA512
bbb20a56f364659e17282ffadbea8f593390b2c0ba87deb213cf09d5dd340a09526a6a5f705664ac7d685660e888cbedb4a7c6704992fdd2fde19efb7615408e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3790751.exe

Filesize
217KB

MD5
861db938e7884bac4947071ea5757976

SHA1
b7d0f5533c93d44346e9710bc6cf710a107ec805

SHA256
09ea1e39dc284a4be9848913fc9174d7f51148d622aea4835cb928f626567454

SHA512
57605056c57a707511bb404c1659b07a496ff2f2134bbfaf452bb05f1ab52997936589faa5711421117f556203063ba23dddd8cb50332ac2e3161f7b6bb38f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3790751.exe

Filesize
217KB

MD5
861db938e7884bac4947071ea5757976

SHA1
b7d0f5533c93d44346e9710bc6cf710a107ec805

SHA256
09ea1e39dc284a4be9848913fc9174d7f51148d622aea4835cb928f626567454

SHA512
57605056c57a707511bb404c1659b07a496ff2f2134bbfaf452bb05f1ab52997936589faa5711421117f556203063ba23dddd8cb50332ac2e3161f7b6bb38f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0462440.exe

Filesize
16KB

MD5
e41a0dd34a5184d15093af2b3e064390

SHA1
ac00f46bb1b9a7b08702a1f945d089daff3a582a

SHA256
63bc504dff51b9ace15e1bd51ffafa72527fd097bcd6d0a38c0a3536f63b96fe

SHA512
96ddf9bdb9e4d75c9d419fa5a21f340a6264de8a6f53d70442ba51919676d819f744587a89293b65be105432e8c2e8e33cb0e953a09d6d0c18ee036820d1c56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0462440.exe

Filesize
16KB

MD5
e41a0dd34a5184d15093af2b3e064390

SHA1
ac00f46bb1b9a7b08702a1f945d089daff3a582a

SHA256
63bc504dff51b9ace15e1bd51ffafa72527fd097bcd6d0a38c0a3536f63b96fe

SHA512
96ddf9bdb9e4d75c9d419fa5a21f340a6264de8a6f53d70442ba51919676d819f744587a89293b65be105432e8c2e8e33cb0e953a09d6d0c18ee036820d1c56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9918546.exe

Filesize
140KB

MD5
de5d2beee6e39fa11aae81c557fb182d

SHA1
c718c337545599bcd38b542310782787e34e2223

SHA256
67ce15c95558a8d87de4f9375836d5122473cbdd61d246543c9fa7fb838ae7f0

SHA512
86133c373b47d823340c661ec80878e020d010a9ed666c356639755c63adb5f50976012e787c9864ad6908453145c3a60d2abfc1336980c1daca92b06b350725

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9918546.exe

Filesize
140KB

MD5
de5d2beee6e39fa11aae81c557fb182d

SHA1
c718c337545599bcd38b542310782787e34e2223

SHA256
67ce15c95558a8d87de4f9375836d5122473cbdd61d246543c9fa7fb838ae7f0

SHA512
86133c373b47d823340c661ec80878e020d010a9ed666c356639755c63adb5f50976012e787c9864ad6908453145c3a60d2abfc1336980c1daca92b06b350725

Download Submit
memory/1960-38-0x00007FFD45430000-0x00007FFD45EF1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-36-0x00007FFD45430000-0x00007FFD45EF1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-35-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/1964-45-0x0000000000510000-0x0000000000540000-memory.dmp

Filesize
192KB

Download
memory/1964-46-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/1964-47-0x000000000A940000-0x000000000AF58000-memory.dmp

Filesize
6.1MB

Download
memory/1964-48-0x000000000A4C0000-0x000000000A5CA000-memory.dmp

Filesize
1.0MB

Download
memory/1964-49-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download
memory/1964-50-0x000000000A400000-0x000000000A412000-memory.dmp

Filesize
72KB

Download
memory/1964-51-0x000000000A460000-0x000000000A49C000-memory.dmp

Filesize
240KB

Download
memory/1964-52-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/1964-53-0x0000000004E80000-0x0000000004E90000-memory.dmp

Filesize
64KB

Download