healer | 3468337caef24b6242c390c8b4d078afc8d36c7903e3387a5dee4cbc776b442d

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
28/08/2023, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3468337caef24b6242c390c8b4d078afc8d36c7903e3387a5dee4cbc776b442d.exe
Size

818KB
MD5

afb62f0e85c51165b28312a9e00e0efb
SHA1

7bf32ad943066412c0d7a59dd11c5bc9883541f4
SHA256

3468337caef24b6242c390c8b4d078afc8d36c7903e3387a5dee4cbc776b442d
SHA512

616ceb3ff73bbff3171db83dc12b0989b57bfd6dbc8af0c768908368564123589f56aca849dd6a1db0d0aa865b3b59dda3a3e9e5a8b7f4a4e9dedbee2cd3d18b
SSDEEP

12288:7Mrvy90JUsg3Ouxp+7U6Mef8ZaTgqV0MwCgNBhRGTdqy3GgQdJaSEekQZW7Mi2:IyMUsg3Xpq8gV4NxGTspX0/oZni2

Score

10^/10

healer redline stas dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

stas

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af98-33.dat	healer
behavioral1/files/0x000700000001af98-34.dat	healer
behavioral1/memory/2764-35-0x0000000000E10000-0x0000000000E1A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9012263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9012263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9012263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9012263.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9012263.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2056	v1759604.exe
3932	v1356161.exe
3800	v0376747.exe
2788	v6922168.exe
2764	a9012263.exe
4836	b1420641.exe
3172	c1616681.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9012263.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3468337caef24b6242c390c8b4d078afc8d36c7903e3387a5dee4cbc776b442d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1759604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1356161.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0376747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6922168.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	a9012263.exe
2764	a9012263.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	a9012263.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 2056	4152	3468337caef24b6242c390c8b4d078afc8d36c7903e3387a5dee4cbc776b442d.exe	69
PID 4152 wrote to memory of 2056	4152	3468337caef24b6242c390c8b4d078afc8d36c7903e3387a5dee4cbc776b442d.exe	69
PID 4152 wrote to memory of 2056	4152	3468337caef24b6242c390c8b4d078afc8d36c7903e3387a5dee4cbc776b442d.exe	69
PID 2056 wrote to memory of 3932	2056	v1759604.exe	70
PID 2056 wrote to memory of 3932	2056	v1759604.exe	70
PID 2056 wrote to memory of 3932	2056	v1759604.exe	70
PID 3932 wrote to memory of 3800	3932	v1356161.exe	71
PID 3932 wrote to memory of 3800	3932	v1356161.exe	71
PID 3932 wrote to memory of 3800	3932	v1356161.exe	71
PID 3800 wrote to memory of 2788	3800	v0376747.exe	72
PID 3800 wrote to memory of 2788	3800	v0376747.exe	72
PID 3800 wrote to memory of 2788	3800	v0376747.exe	72
PID 2788 wrote to memory of 2764	2788	v6922168.exe	73
PID 2788 wrote to memory of 2764	2788	v6922168.exe	73
PID 2788 wrote to memory of 4836	2788	v6922168.exe	74
PID 2788 wrote to memory of 4836	2788	v6922168.exe	74
PID 2788 wrote to memory of 4836	2788	v6922168.exe	74
PID 3800 wrote to memory of 3172	3800	v0376747.exe	75
PID 3800 wrote to memory of 3172	3800	v0376747.exe	75
PID 3800 wrote to memory of 3172	3800	v0376747.exe	75

C:\Users\Admin\AppData\Local\Temp\3468337caef24b6242c390c8b4d078afc8d36c7903e3387a5dee4cbc776b442d.exe
"C:\Users\Admin\AppData\Local\Temp\3468337caef24b6242c390c8b4d078afc8d36c7903e3387a5dee4cbc776b442d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1759604.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1759604.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1356161.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1356161.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0376747.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0376747.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3800
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6922168.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6922168.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9012263.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9012263.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1420641.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1420641.exe
        6⤵
        Executes dropped EXE
        
        PID:4836
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1616681.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1616681.exe
        5⤵
        Executes dropped EXE
        
        PID:3172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1759604.exe

Filesize
713KB

MD5
31224a91076d64f5074724ba49a4162d

SHA1
5d052946e12488c255120061823fc4f9614264fe

SHA256
b0cf04635d01f0f0471f52e65ab4880224742faa0f16dc3ef3f638233ae0130f

SHA512
20ae6a5d0e5574b62afddc869f63ef61c297baa53085235ec651e458a4d69ae0573ea0c88e0777ee6ae1b84c956d60de40aee87c3643eb4847869b2ee3cfb658

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1759604.exe

Filesize
713KB

MD5
31224a91076d64f5074724ba49a4162d

SHA1
5d052946e12488c255120061823fc4f9614264fe

SHA256
b0cf04635d01f0f0471f52e65ab4880224742faa0f16dc3ef3f638233ae0130f

SHA512
20ae6a5d0e5574b62afddc869f63ef61c297baa53085235ec651e458a4d69ae0573ea0c88e0777ee6ae1b84c956d60de40aee87c3643eb4847869b2ee3cfb658

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1356161.exe

Filesize
497KB

MD5
d983bdcb4d96fe583cc85e851c574f00

SHA1
9aecee2ac3a15e08b921c36541a8f31ba46f30a0

SHA256
ed1624cc1213cb7f77055492acbaeb1471ccdaa247c95dbee0ce045b939f75cc

SHA512
48e3a074992a09a3671495305c8083e65fe9214f8854d488dd50033bfc0413140474b41fc1bd0d5c8b4a20d71c69270815341bb10ee187e0de84a31a82c8caaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1356161.exe

Filesize
497KB

MD5
d983bdcb4d96fe583cc85e851c574f00

SHA1
9aecee2ac3a15e08b921c36541a8f31ba46f30a0

SHA256
ed1624cc1213cb7f77055492acbaeb1471ccdaa247c95dbee0ce045b939f75cc

SHA512
48e3a074992a09a3671495305c8083e65fe9214f8854d488dd50033bfc0413140474b41fc1bd0d5c8b4a20d71c69270815341bb10ee187e0de84a31a82c8caaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0376747.exe

Filesize
373KB

MD5
97b09b161f88bca0352f0cc46866453a

SHA1
b87eb166102eca447438fe8b03341a0d423e3398

SHA256
c8974bbf8735e2e89932464da143fb09fed23d5231d966ad2044368b1a78d432

SHA512
737f6dac2098f47e8fcdbf5bc4414be955914ef81676745e696fa5b188403abaff3dd2d52417416a6a653731e31d43eeb8557f153a210d579d9aec71bbc26f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0376747.exe

Filesize
373KB

MD5
97b09b161f88bca0352f0cc46866453a

SHA1
b87eb166102eca447438fe8b03341a0d423e3398

SHA256
c8974bbf8735e2e89932464da143fb09fed23d5231d966ad2044368b1a78d432

SHA512
737f6dac2098f47e8fcdbf5bc4414be955914ef81676745e696fa5b188403abaff3dd2d52417416a6a653731e31d43eeb8557f153a210d579d9aec71bbc26f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1616681.exe

Filesize
174KB

MD5
a780b6de4a818494be3523cc2d3c7164

SHA1
b731f83a3fe1b20b5899b1eaebd71c7868d59fa2

SHA256
cb3429328e442a28ba1c16927d0e71ed7d59238f3a9f836624201cd973a23e37

SHA512
0177dbca103a171237e02d0ed70528b5c46ae187646f1fed9be132838ff0ca3e94e4a24e7d8f8930456a2dca137cf44caba9c3e162955b957cd5d4670c2223e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1616681.exe

Filesize
174KB

MD5
a780b6de4a818494be3523cc2d3c7164

SHA1
b731f83a3fe1b20b5899b1eaebd71c7868d59fa2

SHA256
cb3429328e442a28ba1c16927d0e71ed7d59238f3a9f836624201cd973a23e37

SHA512
0177dbca103a171237e02d0ed70528b5c46ae187646f1fed9be132838ff0ca3e94e4a24e7d8f8930456a2dca137cf44caba9c3e162955b957cd5d4670c2223e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6922168.exe

Filesize
217KB

MD5
e1438c7ad6c4dad9fefb7c6f73cd486e

SHA1
bee42221d2d09afd5c8f6b4c355d73597385c3b1

SHA256
6b04203d63fe6ea0aea55741cdb9caf05bfe977b5e61a6506985001139c633c9

SHA512
1b40638285726e6c028f8da0421895cca071d6450150b8a75f932be30ef0d8d9b22c41479a390422dff655342ecf722fe5cac9d949d1ad4518631252a0dd78d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6922168.exe

Filesize
217KB

MD5
e1438c7ad6c4dad9fefb7c6f73cd486e

SHA1
bee42221d2d09afd5c8f6b4c355d73597385c3b1

SHA256
6b04203d63fe6ea0aea55741cdb9caf05bfe977b5e61a6506985001139c633c9

SHA512
1b40638285726e6c028f8da0421895cca071d6450150b8a75f932be30ef0d8d9b22c41479a390422dff655342ecf722fe5cac9d949d1ad4518631252a0dd78d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9012263.exe

Filesize
16KB

MD5
83c0ee95d47fa3d081c777c9dbcf2eae

SHA1
9618430d8a3efc66f8ce8314c5b89a140b66514f

SHA256
89d998e262c5579e11e0860efaf658e59e014f0c07cb869cd4c90ea3fe649792

SHA512
4bd943f01f8b4652a0738b195da54c7990c4508238b0b8b717137d4533caac3daa2cd81869ec6bae31ccd2388106c69c83d919fb00266bd8233ec6ded4f7e5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9012263.exe

Filesize
16KB

MD5
83c0ee95d47fa3d081c777c9dbcf2eae

SHA1
9618430d8a3efc66f8ce8314c5b89a140b66514f

SHA256
89d998e262c5579e11e0860efaf658e59e014f0c07cb869cd4c90ea3fe649792

SHA512
4bd943f01f8b4652a0738b195da54c7990c4508238b0b8b717137d4533caac3daa2cd81869ec6bae31ccd2388106c69c83d919fb00266bd8233ec6ded4f7e5a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1420641.exe

Filesize
141KB

MD5
0395b7fe1360e5a94e973a943c9cb43a

SHA1
30898d7e8c853df04bd1f37a693e51bde089e3f0

SHA256
9d555dddec6f13d393f4fcc416b7714f3dcc905d93f885679bb579ac9af7ea98

SHA512
dadc3f6220fbeef678c93c56e18da8d1136c856301e394e4114a6c7f3e8e088b21112c60fa8fc45b159563acb44ef333335b961b63a62a6b5c4133ced9dc2d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1420641.exe

Filesize
141KB

MD5
0395b7fe1360e5a94e973a943c9cb43a

SHA1
30898d7e8c853df04bd1f37a693e51bde089e3f0

SHA256
9d555dddec6f13d393f4fcc416b7714f3dcc905d93f885679bb579ac9af7ea98

SHA512
dadc3f6220fbeef678c93c56e18da8d1136c856301e394e4114a6c7f3e8e088b21112c60fa8fc45b159563acb44ef333335b961b63a62a6b5c4133ced9dc2d35

Download Submit
memory/2764-38-0x00007FF8FDC80000-0x00007FF8FE66C000-memory.dmp

Filesize
9.9MB

Download
memory/2764-36-0x00007FF8FDC80000-0x00007FF8FE66C000-memory.dmp

Filesize
9.9MB

Download
memory/2764-35-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/3172-45-0x00000000007A0000-0x00000000007D0000-memory.dmp

Filesize
192KB

Download
memory/3172-46-0x0000000073330000-0x0000000073A1E000-memory.dmp

Filesize
6.9MB

Download
memory/3172-47-0x0000000005060000-0x0000000005066000-memory.dmp

Filesize
24KB

Download
memory/3172-48-0x000000000ABB0000-0x000000000B1B6000-memory.dmp

Filesize
6.0MB

Download
memory/3172-49-0x000000000A6F0000-0x000000000A7FA000-memory.dmp

Filesize
1.0MB

Download
memory/3172-50-0x000000000A620000-0x000000000A632000-memory.dmp

Filesize
72KB

Download
memory/3172-51-0x000000000A680000-0x000000000A6BE000-memory.dmp

Filesize
248KB

Download
memory/3172-52-0x000000000A800000-0x000000000A84B000-memory.dmp

Filesize
300KB

Download
memory/3172-53-0x0000000073330000-0x0000000073A1E000-memory.dmp

Filesize
6.9MB

Download