healer | b50c453d7d8938e018801c0db09cd812e47f3fd767fdcc49a53d8ef977ce9574

Analysis

max time kernel
137s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230824-en
resource tags

arch:x64arch:x86image:win10v2004-20230824-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2023 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b50c453d7d8938e018801c0db09cd812e47f3fd767fdcc49a53d8ef977ce9574.exe
Size

929KB
MD5

cc9fb2fb50a7d5215940b77050b1d06c
SHA1

9a3074786fac91cdcc963898d0cadd39f02f020d
SHA256

b50c453d7d8938e018801c0db09cd812e47f3fd767fdcc49a53d8ef977ce9574
SHA512

f1cfd017cf4a9bd57e916cafbad3023c432f35c245e082ae026a602ee8f21aeccac67e344ffd426430b29af1b377cfe3e97fbc220d82e3990875bc15de109081
SSDEEP

12288:4MrCy90FvWjXmJwze2bP7caM5g63suFkz1ky0s+JLS2FybytC/4bpz1JPiPd34Dy:KyAvWjPS0caEkJkvs+pOLkdLPw3fD

Score

10^/10

healer redline jang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023021-33.dat	healer
behavioral1/files/0x0008000000023021-34.dat	healer
behavioral1/memory/1664-35-0x0000000000DA0000-0x0000000000DAA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q6759287.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q6759287.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q6759287.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q6759287.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q6759287.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q6759287.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1992	z1092809.exe
4328	z4234808.exe
4948	z4401955.exe
1200	z6814966.exe
1664	q6759287.exe
3880	r1095316.exe
4848	s4716952.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q6759287.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b50c453d7d8938e018801c0db09cd812e47f3fd767fdcc49a53d8ef977ce9574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1092809.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4234808.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z4401955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z6814966.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1664	q6759287.exe
1664	q6759287.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1664	q6759287.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 1992	2892	b50c453d7d8938e018801c0db09cd812e47f3fd767fdcc49a53d8ef977ce9574.exe	86
PID 2892 wrote to memory of 1992	2892	b50c453d7d8938e018801c0db09cd812e47f3fd767fdcc49a53d8ef977ce9574.exe	86
PID 2892 wrote to memory of 1992	2892	b50c453d7d8938e018801c0db09cd812e47f3fd767fdcc49a53d8ef977ce9574.exe	86
PID 1992 wrote to memory of 4328	1992	z1092809.exe	88
PID 1992 wrote to memory of 4328	1992	z1092809.exe	88
PID 1992 wrote to memory of 4328	1992	z1092809.exe	88
PID 4328 wrote to memory of 4948	4328	z4234808.exe	89
PID 4328 wrote to memory of 4948	4328	z4234808.exe	89
PID 4328 wrote to memory of 4948	4328	z4234808.exe	89
PID 4948 wrote to memory of 1200	4948	z4401955.exe	90
PID 4948 wrote to memory of 1200	4948	z4401955.exe	90
PID 4948 wrote to memory of 1200	4948	z4401955.exe	90
PID 1200 wrote to memory of 1664	1200	z6814966.exe	91
PID 1200 wrote to memory of 1664	1200	z6814966.exe	91
PID 1200 wrote to memory of 3880	1200	z6814966.exe	92
PID 1200 wrote to memory of 3880	1200	z6814966.exe	92
PID 1200 wrote to memory of 3880	1200	z6814966.exe	92
PID 4948 wrote to memory of 4848	4948	z4401955.exe	93
PID 4948 wrote to memory of 4848	4948	z4401955.exe	93
PID 4948 wrote to memory of 4848	4948	z4401955.exe	93

C:\Users\Admin\AppData\Local\Temp\b50c453d7d8938e018801c0db09cd812e47f3fd767fdcc49a53d8ef977ce9574.exe
"C:\Users\Admin\AppData\Local\Temp\b50c453d7d8938e018801c0db09cd812e47f3fd767fdcc49a53d8ef977ce9574.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1092809.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1092809.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4234808.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4234808.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4401955.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4401955.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6814966.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6814966.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6759287.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6759287.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1095316.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1095316.exe
        6⤵
        Executes dropped EXE
        
        PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4716952.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4716952.exe
        5⤵
        Executes dropped EXE
        
        PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1092809.exe

Filesize
824KB

MD5
95f7c98e4868f8af853e5761e4197fdf

SHA1
79d182e727047db6c98c7d99a83581f456da1d8e

SHA256
8a0b48cc84fb2fd39e8ef22f8270c8bbc131a1efe988cc176eea36abca602018

SHA512
ecc5fd0fdaea95073c5d7363a638ce9173d2401b2fe8dd7ebb3f70ae89d279fdb181f026f9ad9aa06424654b8b4a8c54870488a5b613f94612e28e4a293ec9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1092809.exe

Filesize
824KB

MD5
95f7c98e4868f8af853e5761e4197fdf

SHA1
79d182e727047db6c98c7d99a83581f456da1d8e

SHA256
8a0b48cc84fb2fd39e8ef22f8270c8bbc131a1efe988cc176eea36abca602018

SHA512
ecc5fd0fdaea95073c5d7363a638ce9173d2401b2fe8dd7ebb3f70ae89d279fdb181f026f9ad9aa06424654b8b4a8c54870488a5b613f94612e28e4a293ec9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4234808.exe

Filesize
598KB

MD5
21329d9e5294a55621dd887391454155

SHA1
918c931225c1cd270dc2a4f4744c58ae0a40fcb7

SHA256
96f67e8ae2ef457e31b60e272b4424efe26e84fd1011c00bf55f2eff47ed331e

SHA512
7cbf43fbb82916782b3adbbebed35f395d03c758b3b6504aa020177ef493ec328572133792380953e36d453ba25e97087e3a8beaaea11cec5e16f58a975e622c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4234808.exe

Filesize
598KB

MD5
21329d9e5294a55621dd887391454155

SHA1
918c931225c1cd270dc2a4f4744c58ae0a40fcb7

SHA256
96f67e8ae2ef457e31b60e272b4424efe26e84fd1011c00bf55f2eff47ed331e

SHA512
7cbf43fbb82916782b3adbbebed35f395d03c758b3b6504aa020177ef493ec328572133792380953e36d453ba25e97087e3a8beaaea11cec5e16f58a975e622c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4401955.exe

Filesize
373KB

MD5
86338c550248340f9921ae99efe9e599

SHA1
ac92e4e85d5a541b58c242ccd7cfba7935cb3aef

SHA256
337586a44a5dbcb62ce85d2c25325465a517364b5d8ee41024265084e184f12d

SHA512
ea62228f5e10101d7d89cd2e082aebb443bc27746d4722cf0fb4a3f5a85f6a2067770112514ba11c15a6f6760de05ba8fae328907d152f208eebffe404243a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z4401955.exe

Filesize
373KB

MD5
86338c550248340f9921ae99efe9e599

SHA1
ac92e4e85d5a541b58c242ccd7cfba7935cb3aef

SHA256
337586a44a5dbcb62ce85d2c25325465a517364b5d8ee41024265084e184f12d

SHA512
ea62228f5e10101d7d89cd2e082aebb443bc27746d4722cf0fb4a3f5a85f6a2067770112514ba11c15a6f6760de05ba8fae328907d152f208eebffe404243a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4716952.exe

Filesize
174KB

MD5
0416a3ae9c4e0d6ffc913f19211e6eb3

SHA1
c9d53959a0627906ee89e4eeaefbbc86995fce77

SHA256
f70616b8d217fa49bf89e9d4aa50698cd608b9b9b6aa4420483a796905be6b04

SHA512
e3b9fa2576a1f208fc8908dece80621f6c111cb69d63448d98dfe210b7cedd410ef5cd4aa5e8ad9eb5cd17022123f6db4d745559604cc794fab01048112f7819

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4716952.exe

Filesize
174KB

MD5
0416a3ae9c4e0d6ffc913f19211e6eb3

SHA1
c9d53959a0627906ee89e4eeaefbbc86995fce77

SHA256
f70616b8d217fa49bf89e9d4aa50698cd608b9b9b6aa4420483a796905be6b04

SHA512
e3b9fa2576a1f208fc8908dece80621f6c111cb69d63448d98dfe210b7cedd410ef5cd4aa5e8ad9eb5cd17022123f6db4d745559604cc794fab01048112f7819

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6814966.exe

Filesize
217KB

MD5
e2cda0f4d7d19009b19995f01f06f78d

SHA1
150ff51064348a65f4d2ee262a97d0814a6183d1

SHA256
21512480a05f1405fa58bc7853b568d7404bac716b7c5f3d7097c9a0bfea1e2f

SHA512
6b303f9b964ca9296ed2c6ea96c5b4f4e35091292a971ac2320a594481a4af3687509c6c28fde73c058d673113a6c17d3d82807388a2fbcb4c46d391432ea50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6814966.exe

Filesize
217KB

MD5
e2cda0f4d7d19009b19995f01f06f78d

SHA1
150ff51064348a65f4d2ee262a97d0814a6183d1

SHA256
21512480a05f1405fa58bc7853b568d7404bac716b7c5f3d7097c9a0bfea1e2f

SHA512
6b303f9b964ca9296ed2c6ea96c5b4f4e35091292a971ac2320a594481a4af3687509c6c28fde73c058d673113a6c17d3d82807388a2fbcb4c46d391432ea50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6759287.exe

Filesize
18KB

MD5
dca56abd77ce3bcc2df4b23a1c591e40

SHA1
4a52725fee8a492d0ed94a4fa614a8c2cb20c3e3

SHA256
f52753410223a25e85b8e0df0696644141601d7e1dc059de7b4cf7c65d87fc3e

SHA512
71560d1f593a0fc0ca36a3d47eace4be1e4b41607d3ce94b174246a914aa9a95755732ce72639c4766f15a2aec0ec3a48d45f5a9c8b6e17be0f31fd811350000

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6759287.exe

Filesize
18KB

MD5
dca56abd77ce3bcc2df4b23a1c591e40

SHA1
4a52725fee8a492d0ed94a4fa614a8c2cb20c3e3

SHA256
f52753410223a25e85b8e0df0696644141601d7e1dc059de7b4cf7c65d87fc3e

SHA512
71560d1f593a0fc0ca36a3d47eace4be1e4b41607d3ce94b174246a914aa9a95755732ce72639c4766f15a2aec0ec3a48d45f5a9c8b6e17be0f31fd811350000

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1095316.exe

Filesize
140KB

MD5
a052f7b14b0c888d62188bb9e1a5befa

SHA1
47a6f45e44e3b7c0a0552f28c9da26da7679e8eb

SHA256
73ef58d9914cc20d42888c0e96d3e88041a4c9637cd75e4fd29eb625dbcb519b

SHA512
c6148b5ae1e28473e4caedca0625f215adf9b4bca0e79e4bb19224eb5add7787c7320d9b4558cf1ccfbd4b545de9b4648b865cceb248198c819fdcbc9cb3aae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1095316.exe

Filesize
140KB

MD5
a052f7b14b0c888d62188bb9e1a5befa

SHA1
47a6f45e44e3b7c0a0552f28c9da26da7679e8eb

SHA256
73ef58d9914cc20d42888c0e96d3e88041a4c9637cd75e4fd29eb625dbcb519b

SHA512
c6148b5ae1e28473e4caedca0625f215adf9b4bca0e79e4bb19224eb5add7787c7320d9b4558cf1ccfbd4b545de9b4648b865cceb248198c819fdcbc9cb3aae0

Download Submit
memory/1664-38-0x00007FFD95BC0000-0x00007FFD96681000-memory.dmp

Filesize
10.8MB

Download
memory/1664-36-0x00007FFD95BC0000-0x00007FFD96681000-memory.dmp

Filesize
10.8MB

Download
memory/1664-35-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download
memory/4848-45-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4848-46-0x0000000000EB0000-0x0000000000EE0000-memory.dmp

Filesize
192KB

Download
memory/4848-47-0x000000000B1C0000-0x000000000B7D8000-memory.dmp

Filesize
6.1MB

Download
memory/4848-48-0x000000000AD10000-0x000000000AE1A000-memory.dmp

Filesize
1.0MB

Download
memory/4848-49-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download
memory/4848-50-0x000000000AC50000-0x000000000AC62000-memory.dmp

Filesize
72KB

Download
memory/4848-51-0x000000000ACB0000-0x000000000ACEC000-memory.dmp

Filesize
240KB

Download
memory/4848-52-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4848-53-0x0000000005710000-0x0000000005720000-memory.dmp

Filesize
64KB

Download