healer | ee36d54ef8ac7ca3067f3f047c3e95727a6af2a82f77c499e889b5eebbe8da30

Analysis

max time kernel
146s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
28/08/2023, 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee36d54ef8ac7ca3067f3f047c3e95727a6af2a82f77c499e889b5eebbe8da30.exe
Size

929KB
MD5

bca07a88549aa5b88e6e6a96ae7ec882
SHA1

ed0efc2c39acd1d53fdd19a7a7f6bc539d4a7734
SHA256

ee36d54ef8ac7ca3067f3f047c3e95727a6af2a82f77c499e889b5eebbe8da30
SHA512

defb4bb770520e7756f2d2ce048881645c21afb511ee312c842df8d9bc8979a7158e552f36cb9c9966c94a683d5c74f3da5ea7b29db9a6f26ef2f4c25f1b22f9
SSDEEP

24576:Vy/MmzTGgUANylM0LN4d5q0iRh9MMdr1b7duQtz3UeB45CsfU:w/MYzUAYtqdk1Rh9MMLbd3Wg

Score

10^/10

healer redline stas dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

stas

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b07d-33.dat	healer
behavioral1/files/0x000700000001b07d-34.dat	healer
behavioral1/memory/316-35-0x0000000000E80000-0x0000000000E8A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q1495438.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q1495438.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q1495438.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q1495438.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q1495438.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1544	z4283573.exe
4492	z9332208.exe
4340	z4108112.exe
3320	z8667277.exe
316	q1495438.exe
4880	r2420480.exe
4996	s9591449.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q1495438.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z8667277.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ee36d54ef8ac7ca3067f3f047c3e95727a6af2a82f77c499e889b5eebbe8da30.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4283573.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9332208.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z4108112.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
316	q1495438.exe
316	q1495438.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	q1495438.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 1544	3996	ee36d54ef8ac7ca3067f3f047c3e95727a6af2a82f77c499e889b5eebbe8da30.exe	70
PID 3996 wrote to memory of 1544	3996	ee36d54ef8ac7ca3067f3f047c3e95727a6af2a82f77c499e889b5eebbe8da30.exe	70
PID 3996 wrote to memory of 1544	3996	ee36d54ef8ac7ca3067f3f047c3e95727a6af2a82f77c499e889b5eebbe8da30.exe	70
PID 1544 wrote to memory of 4492	1544	z4283573.exe	71
PID 1544 wrote to memory of 4492	1544	z4283573.exe	71
PID 1544 wrote to memory of 4492	1544	z4283573.exe	71
PID 4492 wrote to memory of 4340	4492	z9332208.exe	72
PID 4492 wrote to memory of 4340	4492	z9332208.exe	72
PID 4492 wrote to memory of 4340	4492	z9332208.exe	72
PID 4340 wrote to memory of 3320	4340	z4108112.exe	73
PID 4340 wrote to memory of 3320	4340	z4108112.exe	73
PID 4340 wrote to memory of 3320	4340	z4108112.exe	73
PID 3320 wrote to memory of 316	3320	z8667277.exe	74
PID 3320 wrote to memory of 316	3320	z8667277.exe	74
PID 3320 wrote to memory of 4880	3320	z8667277.exe	75
PID 3320 wrote to memory of 4880	3320	z8667277.exe	75
PID 3320 wrote to memory of 4880	3320	z8667277.exe	75
PID 4340 wrote to memory of 4996	4340	z4108112.exe	76
PID 4340 wrote to memory of 4996	4340	z4108112.exe	76
PID 4340 wrote to memory of 4996	4340	z4108112.exe	76

C:\Users\Admin\AppData\Local\Temp\ee36d54ef8ac7ca3067f3f047c3e95727a6af2a82f77c499e889b5eebbe8da30.exe
"C:\Users\Admin\AppData\Local\Temp\ee36d54ef8ac7ca3067f3f047c3e95727a6af2a82f77c499e889b5eebbe8da30.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4283573.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4283573.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9332208.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9332208.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4108112.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4108112.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8667277.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8667277.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3320
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1495438.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1495438.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2420480.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2420480.exe
        6⤵
        Executes dropped EXE
        
        PID:4880
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9591449.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9591449.exe
        5⤵
        Executes dropped EXE
        
        PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4283573.exe

Filesize
824KB

MD5
91d2510cf5c5e3e0fd22f99dbba1f09d

SHA1
21c4fd264db9be5eb8d2a48e59bea52086f10e8b

SHA256
f5611d6971868d58295876a8b75f7d51e5aa9735c53cbe50906d853d9f9c494f

SHA512
b700f55d29c7c53520d9df9ebeedd517dd91a7abb9acc2a8779d652efcbdc7a3d61138f16c332259cb6f67cf5e752a4f0b5795adcf9f5dc72fb393fa73953aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4283573.exe

Filesize
824KB

MD5
91d2510cf5c5e3e0fd22f99dbba1f09d

SHA1
21c4fd264db9be5eb8d2a48e59bea52086f10e8b

SHA256
f5611d6971868d58295876a8b75f7d51e5aa9735c53cbe50906d853d9f9c494f

SHA512
b700f55d29c7c53520d9df9ebeedd517dd91a7abb9acc2a8779d652efcbdc7a3d61138f16c332259cb6f67cf5e752a4f0b5795adcf9f5dc72fb393fa73953aab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9332208.exe

Filesize
598KB

MD5
a5f53a3df5fbc7fb1d0dbc90bd3d5b5f

SHA1
c144af4d6dc75a7f205ca6520d7aec981cbf1c7a

SHA256
63c136f63ee9df05c0344988885c7b5867bb191047c10aac277bbb85170650ce

SHA512
85f078bd15008dad7acc3b278052fd3b98d9886956a435718410d89febddf45a7ef067a6b19221e39b0b5c266c76dc8436f66b6ec92593731f4e77e384e9fa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9332208.exe

Filesize
598KB

MD5
a5f53a3df5fbc7fb1d0dbc90bd3d5b5f

SHA1
c144af4d6dc75a7f205ca6520d7aec981cbf1c7a

SHA256
63c136f63ee9df05c0344988885c7b5867bb191047c10aac277bbb85170650ce

SHA512
85f078bd15008dad7acc3b278052fd3b98d9886956a435718410d89febddf45a7ef067a6b19221e39b0b5c266c76dc8436f66b6ec92593731f4e77e384e9fa05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4108112.exe

Filesize
372KB

MD5
c273465bf2b1b8ec948c178203fed6f5

SHA1
39f8e815eaa1b1533f1209ca9dae83296db2431c

SHA256
8bdc0ae2f726ce09212318ce0afbae3a0903f564615cefc28eca8faf336343c8

SHA512
ef7331d96cd4e65baca0ed8966cba23ba303f99a00bc18072c29a92abf4dd7f8c4ce23dcdc3ea36772fab7917b112b6d3a2ca616f8f950023bcda896247d3f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4108112.exe

Filesize
372KB

MD5
c273465bf2b1b8ec948c178203fed6f5

SHA1
39f8e815eaa1b1533f1209ca9dae83296db2431c

SHA256
8bdc0ae2f726ce09212318ce0afbae3a0903f564615cefc28eca8faf336343c8

SHA512
ef7331d96cd4e65baca0ed8966cba23ba303f99a00bc18072c29a92abf4dd7f8c4ce23dcdc3ea36772fab7917b112b6d3a2ca616f8f950023bcda896247d3f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9591449.exe

Filesize
174KB

MD5
79cfbf61b1d95248af51fe95b01064af

SHA1
8cf5fd9c5097f1e4be318821cf64d3eb87972f36

SHA256
6a4f40d448e5f7e0fa9a41454af2d21092efd027ba7ad0b9a17584aaeb904141

SHA512
a3912454450bfdd9e4efa96e75653d0d5f2818b75a290faf982330d40bbbb9b9cc97c05d843ab03ade7c43a936e27e0da2993d469dccd890eccc2d3e6892fd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9591449.exe

Filesize
174KB

MD5
79cfbf61b1d95248af51fe95b01064af

SHA1
8cf5fd9c5097f1e4be318821cf64d3eb87972f36

SHA256
6a4f40d448e5f7e0fa9a41454af2d21092efd027ba7ad0b9a17584aaeb904141

SHA512
a3912454450bfdd9e4efa96e75653d0d5f2818b75a290faf982330d40bbbb9b9cc97c05d843ab03ade7c43a936e27e0da2993d469dccd890eccc2d3e6892fd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8667277.exe

Filesize
217KB

MD5
450310a920466259207bf43e8a3d266b

SHA1
43090e846779770841120dd80cb3333372af0b6b

SHA256
760f5d59062a47e0db6eece78df20cff67695a12fbbd3ec2ee9a4f5a67b9f50b

SHA512
7f0a3105176f0f9e4d6d763d038be2b667381df1f27888cd5095aef434e6cd41d41e7103ccb9dec21456a6f385ceaf56b4d4d8f2f44d3bf86397669dfccaa2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8667277.exe

Filesize
217KB

MD5
450310a920466259207bf43e8a3d266b

SHA1
43090e846779770841120dd80cb3333372af0b6b

SHA256
760f5d59062a47e0db6eece78df20cff67695a12fbbd3ec2ee9a4f5a67b9f50b

SHA512
7f0a3105176f0f9e4d6d763d038be2b667381df1f27888cd5095aef434e6cd41d41e7103ccb9dec21456a6f385ceaf56b4d4d8f2f44d3bf86397669dfccaa2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1495438.exe

Filesize
16KB

MD5
808abd6ae7f033e20efd9817a8f0c147

SHA1
1c1c6526566df71094e797a9c2f15b18ae27d2a7

SHA256
0c7e7f3d9c74e90c7412159360254484ce31b03ac9fbd156e279800826a5aca6

SHA512
0b7cb3198c2c4c722c75bc0614f9648f370f0e9737efe7342becdf228fe8cedd53e03c0dbf89b7125735aaa80f6b7e279c709bdbec07962daa4a05a13d200796

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1495438.exe

Filesize
16KB

MD5
808abd6ae7f033e20efd9817a8f0c147

SHA1
1c1c6526566df71094e797a9c2f15b18ae27d2a7

SHA256
0c7e7f3d9c74e90c7412159360254484ce31b03ac9fbd156e279800826a5aca6

SHA512
0b7cb3198c2c4c722c75bc0614f9648f370f0e9737efe7342becdf228fe8cedd53e03c0dbf89b7125735aaa80f6b7e279c709bdbec07962daa4a05a13d200796

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2420480.exe

Filesize
141KB

MD5
2a42542ecc3737d70fa2c7a3afb79cad

SHA1
470c39b524c5bfb341744c4db1460dd3e7aee26a

SHA256
2b91f16e4ca7f9a04accffbc8c37d31e5787ddf153f6608be919659252779cb5

SHA512
e53093f76357e0e86adf625d15ab20300a40d7bff7ff8cffff658a4adb6235adcae18d1b23b3d65d49bfdc4166224fdac9187cc28d8db4fd3c15616bd2a974a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2420480.exe

Filesize
141KB

MD5
2a42542ecc3737d70fa2c7a3afb79cad

SHA1
470c39b524c5bfb341744c4db1460dd3e7aee26a

SHA256
2b91f16e4ca7f9a04accffbc8c37d31e5787ddf153f6608be919659252779cb5

SHA512
e53093f76357e0e86adf625d15ab20300a40d7bff7ff8cffff658a4adb6235adcae18d1b23b3d65d49bfdc4166224fdac9187cc28d8db4fd3c15616bd2a974a1

Download Submit
memory/316-38-0x00007FFBB9210000-0x00007FFBB9BFC000-memory.dmp

Filesize
9.9MB

Download
memory/316-36-0x00007FFBB9210000-0x00007FFBB9BFC000-memory.dmp

Filesize
9.9MB

Download
memory/316-35-0x0000000000E80000-0x0000000000E8A000-memory.dmp

Filesize
40KB

Download
memory/4996-45-0x0000000000FD0000-0x0000000001000000-memory.dmp

Filesize
192KB

Download
memory/4996-46-0x0000000073070000-0x000000007375E000-memory.dmp

Filesize
6.9MB

Download
memory/4996-47-0x0000000005750000-0x0000000005756000-memory.dmp

Filesize
24KB

Download
memory/4996-48-0x000000000B250000-0x000000000B856000-memory.dmp

Filesize
6.0MB

Download
memory/4996-49-0x000000000ADE0000-0x000000000AEEA000-memory.dmp

Filesize
1.0MB

Download
memory/4996-50-0x000000000AD10000-0x000000000AD22000-memory.dmp

Filesize
72KB

Download
memory/4996-51-0x000000000AD70000-0x000000000ADAE000-memory.dmp

Filesize
248KB

Download
memory/4996-52-0x000000000AEF0000-0x000000000AF3B000-memory.dmp

Filesize
300KB

Download
memory/4996-53-0x0000000073070000-0x000000007375E000-memory.dmp

Filesize
6.9MB

Download