healer | 6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2023, 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe
Size

828KB
MD5

4f6173c4eabece2880bb330193777340
SHA1

8c37da2e48e9d9db4e7807ca090b66601b8be9aa
SHA256

6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839
SHA512

c065f8ac1cf5c0fdee2c4ce0433fb111f27b56694f5b6fb6405167bfad1d24547fbffcaf1e29ade3e39f81b1613dc1ea5dec99b7e6291e2327878d71c6264ec2
SSDEEP

24576:/yBaeSkYgBrjpsamJTuBn8kO/a+sAwhX:KBaexbSVT48kO/gAw

Score

10^/10

healer redline stas dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

stas

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231be-33.dat	healer
behavioral1/files/0x00070000000231be-34.dat	healer
behavioral1/memory/2980-35-0x0000000000C30000-0x0000000000C3A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9911182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9911182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9911182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9911182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9911182.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9911182.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4972	v9643266.exe
3068	v0013958.exe
60	v1743440.exe
3728	v6768733.exe
2980	a9911182.exe
4164	b1779535.exe
3840	c9201930.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9911182.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0013958.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1743440.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6768733.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9643266.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2980	a9911182.exe
2980	a9911182.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	a9911182.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 4972	2740	6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe	81
PID 2740 wrote to memory of 4972	2740	6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe	81
PID 2740 wrote to memory of 4972	2740	6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe	81
PID 4972 wrote to memory of 3068	4972	v9643266.exe	82
PID 4972 wrote to memory of 3068	4972	v9643266.exe	82
PID 4972 wrote to memory of 3068	4972	v9643266.exe	82
PID 3068 wrote to memory of 60	3068	v0013958.exe	83
PID 3068 wrote to memory of 60	3068	v0013958.exe	83
PID 3068 wrote to memory of 60	3068	v0013958.exe	83
PID 60 wrote to memory of 3728	60	v1743440.exe	84
PID 60 wrote to memory of 3728	60	v1743440.exe	84
PID 60 wrote to memory of 3728	60	v1743440.exe	84
PID 3728 wrote to memory of 2980	3728	v6768733.exe	85
PID 3728 wrote to memory of 2980	3728	v6768733.exe	85
PID 3728 wrote to memory of 4164	3728	v6768733.exe	93
PID 3728 wrote to memory of 4164	3728	v6768733.exe	93
PID 3728 wrote to memory of 4164	3728	v6768733.exe	93
PID 60 wrote to memory of 3840	60	v1743440.exe	94
PID 60 wrote to memory of 3840	60	v1743440.exe	94
PID 60 wrote to memory of 3840	60	v1743440.exe	94

C:\Users\Admin\AppData\Local\Temp\6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe
"C:\Users\Admin\AppData\Local\Temp\6a5561b278982a03be09711fe755012aef3cefd04fc5a1d501a34c8dac8b8839.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9643266.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9643266.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0013958.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0013958.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1743440.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1743440.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6768733.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6768733.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9911182.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9911182.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1779535.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1779535.exe
        6⤵
        Executes dropped EXE
        
        PID:4164
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9201930.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9201930.exe
        5⤵
        Executes dropped EXE
        
        PID:3840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9643266.exe

Filesize
723KB

MD5
bdb86b8daaedc1724fb4587ec3d9a72e

SHA1
0048130b594d6f456b12131251d2acc762a20eea

SHA256
49bda02a05128989c164dadcb281e079a5e8d4c3b44091ceac66025dc0111118

SHA512
9ec4c661eccdb3be3646cd76a836db8c0eb8f1c0823468bb2b75734fe943b5804c0b946a0404fdb93920e3f2148fb2740da729d260cdd17d384dfbe6bec608bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9643266.exe

Filesize
723KB

MD5
bdb86b8daaedc1724fb4587ec3d9a72e

SHA1
0048130b594d6f456b12131251d2acc762a20eea

SHA256
49bda02a05128989c164dadcb281e079a5e8d4c3b44091ceac66025dc0111118

SHA512
9ec4c661eccdb3be3646cd76a836db8c0eb8f1c0823468bb2b75734fe943b5804c0b946a0404fdb93920e3f2148fb2740da729d260cdd17d384dfbe6bec608bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0013958.exe

Filesize
497KB

MD5
5a9f1568fbf7aacb6539408403134e49

SHA1
b4544aa18b65f4a70360d2f1d6a74144915873a5

SHA256
0e6dbecb9e2763d76f2a9e1ff9d1d76b2a872b83969cbc5df4a496626ace9c1f

SHA512
5f01bea39ded3f17a44561ee6539a5d9d063c1236cd72f66254b8f3daeb15cccf315d90ea429c51bb71be02ebe649b4e9669534f1c2f926386293462546544b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0013958.exe

Filesize
497KB

MD5
5a9f1568fbf7aacb6539408403134e49

SHA1
b4544aa18b65f4a70360d2f1d6a74144915873a5

SHA256
0e6dbecb9e2763d76f2a9e1ff9d1d76b2a872b83969cbc5df4a496626ace9c1f

SHA512
5f01bea39ded3f17a44561ee6539a5d9d063c1236cd72f66254b8f3daeb15cccf315d90ea429c51bb71be02ebe649b4e9669534f1c2f926386293462546544b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1743440.exe

Filesize
373KB

MD5
88c9825e3b7a0ad85bd3c867e87262ee

SHA1
1316ed1fbb0ea9e3644e939b6300afe7daf5d32f

SHA256
38268cfe206cfbede31e91d6a7b89e98c4b515bb3514c7f0ea9f60e4ab9b13a2

SHA512
06245823defe2aaeb8fe13f4948350dbfa7e831adc119326351b4558082d27d16ef1013d4015532256393233ec8782257988ab35fd96caf19dce015c93948962

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1743440.exe

Filesize
373KB

MD5
88c9825e3b7a0ad85bd3c867e87262ee

SHA1
1316ed1fbb0ea9e3644e939b6300afe7daf5d32f

SHA256
38268cfe206cfbede31e91d6a7b89e98c4b515bb3514c7f0ea9f60e4ab9b13a2

SHA512
06245823defe2aaeb8fe13f4948350dbfa7e831adc119326351b4558082d27d16ef1013d4015532256393233ec8782257988ab35fd96caf19dce015c93948962

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9201930.exe

Filesize
174KB

MD5
df9755ffba1513ac55d2fcf9b679073f

SHA1
2b9d312ca66bbc66027501274de1662790ca3f61

SHA256
d08acf9df35e8b135761054266cd9e31309869d75019ea5adcd27c83d0e7568f

SHA512
c7a85355a2b8fbe7277c1786496d69d1b76598b1de32805ed43f34a60619a19d72e7b75bb6d099a2409d7fba5196324b3ef0d94a1d78bcfd6e75000fde902db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9201930.exe

Filesize
174KB

MD5
df9755ffba1513ac55d2fcf9b679073f

SHA1
2b9d312ca66bbc66027501274de1662790ca3f61

SHA256
d08acf9df35e8b135761054266cd9e31309869d75019ea5adcd27c83d0e7568f

SHA512
c7a85355a2b8fbe7277c1786496d69d1b76598b1de32805ed43f34a60619a19d72e7b75bb6d099a2409d7fba5196324b3ef0d94a1d78bcfd6e75000fde902db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6768733.exe

Filesize
217KB

MD5
6e6855e3048ed663c09404dda64cb872

SHA1
7f4cfd8c66257fb94f4e36fcc199ead3d2331f9a

SHA256
7d258a04da431a6354cab503a0a9d55f4ea92f335d2b3579a797100066ffcf12

SHA512
d3e4923dc264d86bf19426a1fea5fed8ff64b8a19cecbdad4cc4facb4cdba5ce397cc84ff54a3d69ca5fd6204519ed5e807a3243b45203d0dd5c80b100e8dacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6768733.exe

Filesize
217KB

MD5
6e6855e3048ed663c09404dda64cb872

SHA1
7f4cfd8c66257fb94f4e36fcc199ead3d2331f9a

SHA256
7d258a04da431a6354cab503a0a9d55f4ea92f335d2b3579a797100066ffcf12

SHA512
d3e4923dc264d86bf19426a1fea5fed8ff64b8a19cecbdad4cc4facb4cdba5ce397cc84ff54a3d69ca5fd6204519ed5e807a3243b45203d0dd5c80b100e8dacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9911182.exe

Filesize
16KB

MD5
8971c60174b719a25c0b92c8a47e59f8

SHA1
42b2ecfcd2cacb57aeca81f5520c4e0ef843093f

SHA256
f90f8a469088df2b720e283bf8156131f731e2f8db13d18a2d89c8cd03c7ba34

SHA512
e43fa3a265dcdba8c15a6f8e3459a8be4ff2be23188bc2d182d5409032d23e666a71bef19d8dacd56e732449f31e2c4da839a88ea3a750deb8032370ac5fe6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9911182.exe

Filesize
16KB

MD5
8971c60174b719a25c0b92c8a47e59f8

SHA1
42b2ecfcd2cacb57aeca81f5520c4e0ef843093f

SHA256
f90f8a469088df2b720e283bf8156131f731e2f8db13d18a2d89c8cd03c7ba34

SHA512
e43fa3a265dcdba8c15a6f8e3459a8be4ff2be23188bc2d182d5409032d23e666a71bef19d8dacd56e732449f31e2c4da839a88ea3a750deb8032370ac5fe6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1779535.exe

Filesize
141KB

MD5
fa45e130582c49b172c556cf7639e451

SHA1
174ad9b3ea41b6a2edda25e043419785ce21a9b8

SHA256
1d6b538032c0d3f2bf99f72d6dab68dbc794223529373faf24362c66c7e84aa0

SHA512
c39a36498f50a5e7e0231a873bb71ce6e4a6ea8c8e283caa0dc07ad438f3dfeb971f13336f8f516ccaac1283fa79480524f7da9b83e1a5d28bef9434144e8879

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1779535.exe

Filesize
141KB

MD5
fa45e130582c49b172c556cf7639e451

SHA1
174ad9b3ea41b6a2edda25e043419785ce21a9b8

SHA256
1d6b538032c0d3f2bf99f72d6dab68dbc794223529373faf24362c66c7e84aa0

SHA512
c39a36498f50a5e7e0231a873bb71ce6e4a6ea8c8e283caa0dc07ad438f3dfeb971f13336f8f516ccaac1283fa79480524f7da9b83e1a5d28bef9434144e8879

Download Submit
memory/2980-38-0x00007FFB53E40000-0x00007FFB54901000-memory.dmp

Filesize
10.8MB

Download
memory/2980-36-0x00007FFB53E40000-0x00007FFB54901000-memory.dmp

Filesize
10.8MB

Download
memory/2980-35-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/3840-45-0x0000000000540000-0x0000000000570000-memory.dmp

Filesize
192KB

Download
memory/3840-46-0x0000000074040000-0x00000000747F0000-memory.dmp

Filesize
7.7MB

Download
memory/3840-47-0x00000000054D0000-0x0000000005AE8000-memory.dmp

Filesize
6.1MB

Download
memory/3840-48-0x0000000004FC0000-0x00000000050CA000-memory.dmp

Filesize
1.0MB

Download
memory/3840-50-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download
memory/3840-49-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/3840-51-0x0000000004F30000-0x0000000004F6C000-memory.dmp

Filesize
240KB

Download
memory/3840-52-0x0000000074040000-0x00000000747F0000-memory.dmp

Filesize
7.7MB

Download
memory/3840-53-0x0000000002890000-0x00000000028A0000-memory.dmp

Filesize
64KB

Download