healer | 2088bba64dc8a7b349e9eaf50a3a4a35daf9560734085f199085aa571e66286a

Analysis

max time kernel
141s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2023 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2088bba64dc8a7b349e9eaf50a3a4a35daf9560734085f199085aa571e66286a.exe
Size

931KB
MD5

a98c827016087a553ca6f231adee01f7
SHA1

f846f064421fe4a81933f925a101732cb2dda663
SHA256

2088bba64dc8a7b349e9eaf50a3a4a35daf9560734085f199085aa571e66286a
SHA512

7ba0e0b7b87bfa5551a1370d75473642e6804989f5960a143294cb9c159e69b83078eda265593c8be6d053d750cd7c22f2f0e9a3971e50cf22c71fed929cb8ab
SSDEEP

24576:EyxjOhh0K5bTxo0zLalyxk/BpjHAEjmfc:TxjOhhLxTxzLpxk/ffjmf

Score

10^/10

healer redline stas dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

stas

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000002300c-33.dat	healer
behavioral1/files/0x000800000002300c-34.dat	healer
behavioral1/memory/2932-35-0x0000000000F00000-0x0000000000F0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q6442626.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q6442626.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q6442626.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q6442626.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q6442626.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q6442626.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2420	z1499064.exe
3476	z7174463.exe
4376	z3645619.exe
4544	z2219333.exe
2932	q6442626.exe
1684	r9997911.exe
3796	s5893445.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q6442626.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2219333.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2088bba64dc8a7b349e9eaf50a3a4a35daf9560734085f199085aa571e66286a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1499064.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7174463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3645619.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2932	q6442626.exe
2932	q6442626.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	q6442626.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 2420	4828	2088bba64dc8a7b349e9eaf50a3a4a35daf9560734085f199085aa571e66286a.exe	86
PID 4828 wrote to memory of 2420	4828	2088bba64dc8a7b349e9eaf50a3a4a35daf9560734085f199085aa571e66286a.exe	86
PID 4828 wrote to memory of 2420	4828	2088bba64dc8a7b349e9eaf50a3a4a35daf9560734085f199085aa571e66286a.exe	86
PID 2420 wrote to memory of 3476	2420	z1499064.exe	87
PID 2420 wrote to memory of 3476	2420	z1499064.exe	87
PID 2420 wrote to memory of 3476	2420	z1499064.exe	87
PID 3476 wrote to memory of 4376	3476	z7174463.exe	88
PID 3476 wrote to memory of 4376	3476	z7174463.exe	88
PID 3476 wrote to memory of 4376	3476	z7174463.exe	88
PID 4376 wrote to memory of 4544	4376	z3645619.exe	90
PID 4376 wrote to memory of 4544	4376	z3645619.exe	90
PID 4376 wrote to memory of 4544	4376	z3645619.exe	90
PID 4544 wrote to memory of 2932	4544	z2219333.exe	91
PID 4544 wrote to memory of 2932	4544	z2219333.exe	91
PID 4544 wrote to memory of 1684	4544	z2219333.exe	92
PID 4544 wrote to memory of 1684	4544	z2219333.exe	92
PID 4544 wrote to memory of 1684	4544	z2219333.exe	92
PID 4376 wrote to memory of 3796	4376	z3645619.exe	93
PID 4376 wrote to memory of 3796	4376	z3645619.exe	93
PID 4376 wrote to memory of 3796	4376	z3645619.exe	93

C:\Users\Admin\AppData\Local\Temp\2088bba64dc8a7b349e9eaf50a3a4a35daf9560734085f199085aa571e66286a.exe
"C:\Users\Admin\AppData\Local\Temp\2088bba64dc8a7b349e9eaf50a3a4a35daf9560734085f199085aa571e66286a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1499064.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1499064.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7174463.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7174463.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3645619.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3645619.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2219333.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2219333.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4544
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6442626.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6442626.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9997911.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9997911.exe
        6⤵
        Executes dropped EXE
        
        PID:1684
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5893445.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5893445.exe
        5⤵
        Executes dropped EXE
        
        PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1499064.exe

Filesize
825KB

MD5
e8d4fb2cd67e3e587c90a4995f09062c

SHA1
ff3b7a71d207446190fbfb981251e67b121e67b5

SHA256
fb6c9d2bd3688e617503f391424ae7eb5d1732512162db465827297b98c87d33

SHA512
3d04d31f716a436b32ab2dd4cd1987d5992230f91cee6a5cd0da3df0f8dccc3e8f4b104da457b7cd7fb519deff83e993ca592ad4671502198308ee2b1df251b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1499064.exe

Filesize
825KB

MD5
e8d4fb2cd67e3e587c90a4995f09062c

SHA1
ff3b7a71d207446190fbfb981251e67b121e67b5

SHA256
fb6c9d2bd3688e617503f391424ae7eb5d1732512162db465827297b98c87d33

SHA512
3d04d31f716a436b32ab2dd4cd1987d5992230f91cee6a5cd0da3df0f8dccc3e8f4b104da457b7cd7fb519deff83e993ca592ad4671502198308ee2b1df251b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7174463.exe

Filesize
599KB

MD5
eec714757b89b844f70711ec8b1236c7

SHA1
aa58126b79543301ab980bc5a92ecc106312b3ee

SHA256
a14c376ef1e540467aaf28dcdbe3a06205048760eeda57ac0906617d8c23b5f7

SHA512
7ae6e2a79c0662d005421039ccbcb6f78df18d1502cd74b2aa654a9cfe43232458a55e39fdd6fc6e0070667e525577377537753b7d5122b3020a6847659dfdb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7174463.exe

Filesize
599KB

MD5
eec714757b89b844f70711ec8b1236c7

SHA1
aa58126b79543301ab980bc5a92ecc106312b3ee

SHA256
a14c376ef1e540467aaf28dcdbe3a06205048760eeda57ac0906617d8c23b5f7

SHA512
7ae6e2a79c0662d005421039ccbcb6f78df18d1502cd74b2aa654a9cfe43232458a55e39fdd6fc6e0070667e525577377537753b7d5122b3020a6847659dfdb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3645619.exe

Filesize
373KB

MD5
cdf5c5965af98d470cb58061d85e7415

SHA1
528346adb02090fa47aeaa46384bdc5393560647

SHA256
853de95966e2a97ff9d96f655d036dc81426669f94b34293a97056ddcfb23c32

SHA512
f4551b1ac5ad32ba78d7533b4502bbc81c7d398790c6df5624da58c901d18cdcc3db81a7b615bae05143edc2edaf8938678f702a6317920343d94dfae3ff89d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3645619.exe

Filesize
373KB

MD5
cdf5c5965af98d470cb58061d85e7415

SHA1
528346adb02090fa47aeaa46384bdc5393560647

SHA256
853de95966e2a97ff9d96f655d036dc81426669f94b34293a97056ddcfb23c32

SHA512
f4551b1ac5ad32ba78d7533b4502bbc81c7d398790c6df5624da58c901d18cdcc3db81a7b615bae05143edc2edaf8938678f702a6317920343d94dfae3ff89d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5893445.exe

Filesize
175KB

MD5
270d2387cdfb8668c34725914a1ce8a7

SHA1
c691c3025b825410babf30fde41cf91b7adb4997

SHA256
d1a35bfa666afb91702b1c03492cc9816872e1b645283035eabb079ffa0f295e

SHA512
30582ce0b3a5eeedce5e517851ebf1c4df120ac4cced572c09d9d2967fbc7825027e01b052ca495b4639456ad21a141c0aca79b93c73c4bf64baee308d067923

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5893445.exe

Filesize
175KB

MD5
270d2387cdfb8668c34725914a1ce8a7

SHA1
c691c3025b825410babf30fde41cf91b7adb4997

SHA256
d1a35bfa666afb91702b1c03492cc9816872e1b645283035eabb079ffa0f295e

SHA512
30582ce0b3a5eeedce5e517851ebf1c4df120ac4cced572c09d9d2967fbc7825027e01b052ca495b4639456ad21a141c0aca79b93c73c4bf64baee308d067923

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2219333.exe

Filesize
217KB

MD5
22312aee7b619881c39fb8db760a96eb

SHA1
b81a4e2a2af0a3b1bb78d43df1aab43e55c51740

SHA256
63f141604fda1d3064427902c8daac26e42dfe84202fb5139a34a74c93d47252

SHA512
5b1b2eddc38992628f6f9bedae8ce0528523003dd555e03aa63146792caeb1bc191ddbe9d2f07a1f4f8f05d2dcb0eff9729aaa4e45a59b9e5d5b3f79dc8fdf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2219333.exe

Filesize
217KB

MD5
22312aee7b619881c39fb8db760a96eb

SHA1
b81a4e2a2af0a3b1bb78d43df1aab43e55c51740

SHA256
63f141604fda1d3064427902c8daac26e42dfe84202fb5139a34a74c93d47252

SHA512
5b1b2eddc38992628f6f9bedae8ce0528523003dd555e03aa63146792caeb1bc191ddbe9d2f07a1f4f8f05d2dcb0eff9729aaa4e45a59b9e5d5b3f79dc8fdf06

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6442626.exe

Filesize
16KB

MD5
9155713455b76f8b9739af1145d7689c

SHA1
7a3b55c5b611f738a4c8723f954be302369dd824

SHA256
5e945455fac3ca26417a868a774a375841a6501d80dd39f4ba9e9e44b4ad3182

SHA512
f9a40c8e0da5e087ece7d1201be2f5f85be0bc6fff72ab1bfb6eca44a9e4077b934650b3e7d86da75b75d1f6b17118a093ad175030c8ec3c6e12be3107dfbfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6442626.exe

Filesize
16KB

MD5
9155713455b76f8b9739af1145d7689c

SHA1
7a3b55c5b611f738a4c8723f954be302369dd824

SHA256
5e945455fac3ca26417a868a774a375841a6501d80dd39f4ba9e9e44b4ad3182

SHA512
f9a40c8e0da5e087ece7d1201be2f5f85be0bc6fff72ab1bfb6eca44a9e4077b934650b3e7d86da75b75d1f6b17118a093ad175030c8ec3c6e12be3107dfbfde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9997911.exe

Filesize
140KB

MD5
4487894843ab5484491056383795aea9

SHA1
8ecd3e32c3c08ed5fb0c65bb7bc2e0d149412acb

SHA256
aeb7a10dde603863228a7ffd24123a6f5a3ffa5c884f0360a84bfc889f987b2c

SHA512
454bad8a21777e603e3ac0b46d83edd8817551dfb89f445ef0b88a4340ef2bad3cd8704b0dbafd9f826ec37453edeb738bd4b133f77a28e6af339a3281285da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9997911.exe

Filesize
140KB

MD5
4487894843ab5484491056383795aea9

SHA1
8ecd3e32c3c08ed5fb0c65bb7bc2e0d149412acb

SHA256
aeb7a10dde603863228a7ffd24123a6f5a3ffa5c884f0360a84bfc889f987b2c

SHA512
454bad8a21777e603e3ac0b46d83edd8817551dfb89f445ef0b88a4340ef2bad3cd8704b0dbafd9f826ec37453edeb738bd4b133f77a28e6af339a3281285da5

Download Submit
memory/2932-37-0x00007FFA6FD80000-0x00007FFA70841000-memory.dmp

Filesize
10.8MB

Download
memory/2932-39-0x00007FFA6FD80000-0x00007FFA70841000-memory.dmp

Filesize
10.8MB

Download
memory/2932-36-0x00007FFA6FD80000-0x00007FFA70841000-memory.dmp

Filesize
10.8MB

Download
memory/2932-35-0x0000000000F00000-0x0000000000F0A000-memory.dmp

Filesize
40KB

Download
memory/3796-46-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3796-47-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/3796-48-0x000000000A910000-0x000000000AF28000-memory.dmp

Filesize
6.1MB

Download
memory/3796-49-0x000000000A480000-0x000000000A58A000-memory.dmp

Filesize
1.0MB

Download
memory/3796-50-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/3796-51-0x000000000A3C0000-0x000000000A3D2000-memory.dmp

Filesize
72KB

Download
memory/3796-52-0x000000000A420000-0x000000000A45C000-memory.dmp

Filesize
240KB

Download
memory/3796-53-0x0000000074710000-0x0000000074EC0000-memory.dmp

Filesize
7.7MB

Download
memory/3796-54-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download