healer | 410473d46372282290eb20df2aa96408d4d1aa7308041684d717cb72c49a8e7e

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

410473d46372282290eb20df2aa96408d4d1aa7308041684d717cb72c49a8e7e.exe
Size

826KB
MD5

49a34057cfdc6923302ce73755809785
SHA1

88e14ed3dc956002c8b00dba7ed3e3eb7aa84a61
SHA256

410473d46372282290eb20df2aa96408d4d1aa7308041684d717cb72c49a8e7e
SHA512

3a5f62ea352f4b97915fc95eebedb5785d6401e41a33709a91d30a385cf61bc34061aa2d373d00e04cd9a8d4d00d9511f6a0627a00fed12cbef3d62a647c9469
SSDEEP

12288:7Mrhy90Ieu4nC6QQKZN/QyCoDiZvPsh0AHzLlfEE35EpUWJFA99lQwxUasxlCEWR:CyndzoyCoGhPmfTpsE3Wp/A99lmAE8J

Score

10^/10

healer redline jang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000900000002329f-33.dat	healer
behavioral1/files/0x000900000002329f-34.dat	healer
behavioral1/memory/1648-35-0x0000000000FB0000-0x0000000000FBA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5925094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5925094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5925094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5925094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5925094.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5925094.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
848	v6225680.exe
4288	v9325019.exe
1496	v9333683.exe
1456	v5720784.exe
1648	a5925094.exe
1840	b2376143.exe
2248	c7422071.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5925094.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	410473d46372282290eb20df2aa96408d4d1aa7308041684d717cb72c49a8e7e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6225680.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9325019.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9333683.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5720784.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1648	a5925094.exe
1648	a5925094.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1648	a5925094.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 848	1348	410473d46372282290eb20df2aa96408d4d1aa7308041684d717cb72c49a8e7e.exe	85
PID 1348 wrote to memory of 848	1348	410473d46372282290eb20df2aa96408d4d1aa7308041684d717cb72c49a8e7e.exe	85
PID 1348 wrote to memory of 848	1348	410473d46372282290eb20df2aa96408d4d1aa7308041684d717cb72c49a8e7e.exe	85
PID 848 wrote to memory of 4288	848	v6225680.exe	86
PID 848 wrote to memory of 4288	848	v6225680.exe	86
PID 848 wrote to memory of 4288	848	v6225680.exe	86
PID 4288 wrote to memory of 1496	4288	v9325019.exe	87
PID 4288 wrote to memory of 1496	4288	v9325019.exe	87
PID 4288 wrote to memory of 1496	4288	v9325019.exe	87
PID 1496 wrote to memory of 1456	1496	v9333683.exe	89
PID 1496 wrote to memory of 1456	1496	v9333683.exe	89
PID 1496 wrote to memory of 1456	1496	v9333683.exe	89
PID 1456 wrote to memory of 1648	1456	v5720784.exe	88
PID 1456 wrote to memory of 1648	1456	v5720784.exe	88
PID 1456 wrote to memory of 1840	1456	v5720784.exe	90
PID 1456 wrote to memory of 1840	1456	v5720784.exe	90
PID 1456 wrote to memory of 1840	1456	v5720784.exe	90
PID 1496 wrote to memory of 2248	1496	v9333683.exe	91
PID 1496 wrote to memory of 2248	1496	v9333683.exe	91
PID 1496 wrote to memory of 2248	1496	v9333683.exe	91

C:\Users\Admin\AppData\Local\Temp\410473d46372282290eb20df2aa96408d4d1aa7308041684d717cb72c49a8e7e.exe
"C:\Users\Admin\AppData\Local\Temp\410473d46372282290eb20df2aa96408d4d1aa7308041684d717cb72c49a8e7e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225680.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225680.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9325019.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9325019.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4288
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9333683.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9333683.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5720784.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5720784.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2376143.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2376143.exe
        6⤵
        Executes dropped EXE
        
        PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7422071.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7422071.exe
        5⤵
        Executes dropped EXE
        
        PID:2248

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5925094.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5925094.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225680.exe

Filesize
722KB

MD5
e74a3497708267d5e960268129aefddc

SHA1
256f6fe9c2165e50eb2b4ea04712d1509ccb6e4c

SHA256
2bfb904dbaca6365660636dc7d2ba7ea8febe1ac4db5ef6f94a016d9c2e31f12

SHA512
d251b27ea3da570b3ac2528ba5628b59a36133b8b1088dc79134e00f40a721965460b0a14ce192f146ef93abb54e91de1897f7a75d9c8f502b29786667efbca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6225680.exe

Filesize
722KB

MD5
e74a3497708267d5e960268129aefddc

SHA1
256f6fe9c2165e50eb2b4ea04712d1509ccb6e4c

SHA256
2bfb904dbaca6365660636dc7d2ba7ea8febe1ac4db5ef6f94a016d9c2e31f12

SHA512
d251b27ea3da570b3ac2528ba5628b59a36133b8b1088dc79134e00f40a721965460b0a14ce192f146ef93abb54e91de1897f7a75d9c8f502b29786667efbca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9325019.exe

Filesize
496KB

MD5
821982c794cc4ac8f3ae89ec177fdb21

SHA1
eb81f8054ca2424a9f682b23fd9dd24c482d2b0e

SHA256
facc413981ecc2efecf3dce4000b423f27c545f0549c5c054e244dfb8005f8c5

SHA512
f1eb9999e4ac9ee55c656b6cb63eccf4531cf931175c597a542aea26f68161d5eef9b8c971613a5082f8a6c11f9352da86b24aa9a9d81eaa03cbce887067683a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9325019.exe

Filesize
496KB

MD5
821982c794cc4ac8f3ae89ec177fdb21

SHA1
eb81f8054ca2424a9f682b23fd9dd24c482d2b0e

SHA256
facc413981ecc2efecf3dce4000b423f27c545f0549c5c054e244dfb8005f8c5

SHA512
f1eb9999e4ac9ee55c656b6cb63eccf4531cf931175c597a542aea26f68161d5eef9b8c971613a5082f8a6c11f9352da86b24aa9a9d81eaa03cbce887067683a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9333683.exe

Filesize
372KB

MD5
9173058b3282f0392bc3a17b4590a220

SHA1
c5458508cf28d8568b1be7b98c6b319654ce44a6

SHA256
64bccbfa13b34d0ee0206b600960e79755cfd3f9a4bab47f2008c0a90bdade74

SHA512
8b8bfdd4c9a1382c49a4de641f691fbda41b41e6b11371755b67bb6f74db79188d68b6710f3d600c3ce0d09acb1ecce1f055d2033c89f19e018b0e42fe78495e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9333683.exe

Filesize
372KB

MD5
9173058b3282f0392bc3a17b4590a220

SHA1
c5458508cf28d8568b1be7b98c6b319654ce44a6

SHA256
64bccbfa13b34d0ee0206b600960e79755cfd3f9a4bab47f2008c0a90bdade74

SHA512
8b8bfdd4c9a1382c49a4de641f691fbda41b41e6b11371755b67bb6f74db79188d68b6710f3d600c3ce0d09acb1ecce1f055d2033c89f19e018b0e42fe78495e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7422071.exe

Filesize
174KB

MD5
a2f6dbf4d6dd2e0611c27bdd1e5fe535

SHA1
b23573205c1541ff21477cef9f511aac977874b9

SHA256
3eef7c2c38c385d1d375f49e7410aaa3ffd95c5721bfee9f796b6fca5951f7d8

SHA512
230546614835c38bf005d3ad940e46b09b8d912a62506fde40909462940d1949c73083124b18d7eb48abce00d685b9775c177395c5febaf391221f2d49046a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7422071.exe

Filesize
174KB

MD5
a2f6dbf4d6dd2e0611c27bdd1e5fe535

SHA1
b23573205c1541ff21477cef9f511aac977874b9

SHA256
3eef7c2c38c385d1d375f49e7410aaa3ffd95c5721bfee9f796b6fca5951f7d8

SHA512
230546614835c38bf005d3ad940e46b09b8d912a62506fde40909462940d1949c73083124b18d7eb48abce00d685b9775c177395c5febaf391221f2d49046a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5720784.exe

Filesize
217KB

MD5
1c7972b0c87b469f3c94097a25d9fd5c

SHA1
9936c28d7b16864b47f918a2b333602b9468c3d5

SHA256
81dbae6ba7acd3835529e84242cb2c2567ad264bb7bf34c06f9825b472fe1360

SHA512
6ec73627fb7f743487ed5caf66e380fdb9b39977808ab9ef537505689f3153305099535185a5050622414585cff5223f89807a1e7a6c672aeb4b95b4a415688e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5720784.exe

Filesize
217KB

MD5
1c7972b0c87b469f3c94097a25d9fd5c

SHA1
9936c28d7b16864b47f918a2b333602b9468c3d5

SHA256
81dbae6ba7acd3835529e84242cb2c2567ad264bb7bf34c06f9825b472fe1360

SHA512
6ec73627fb7f743487ed5caf66e380fdb9b39977808ab9ef537505689f3153305099535185a5050622414585cff5223f89807a1e7a6c672aeb4b95b4a415688e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5925094.exe

Filesize
19KB

MD5
1823129b3a6ebf6f62c4f759ba9e0f28

SHA1
e7a61b04aea03d5190326647c42551a4c4ef5358

SHA256
6ff02ed81d286052a3ea1221cca5816ba91c13553b56791023b3835e8acb83be

SHA512
a97f90c9982ce9e00877e3f9ad3b3f5beba35102505f06567d354f6fd853d80c1336e8ffbeb1f0f0af51dfecf863bba086a9ada9197d36790281af9aaa062c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5925094.exe

Filesize
19KB

MD5
1823129b3a6ebf6f62c4f759ba9e0f28

SHA1
e7a61b04aea03d5190326647c42551a4c4ef5358

SHA256
6ff02ed81d286052a3ea1221cca5816ba91c13553b56791023b3835e8acb83be

SHA512
a97f90c9982ce9e00877e3f9ad3b3f5beba35102505f06567d354f6fd853d80c1336e8ffbeb1f0f0af51dfecf863bba086a9ada9197d36790281af9aaa062c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2376143.exe

Filesize
140KB

MD5
c427b499b32f243558ca07066adf6db7

SHA1
0bc6b01c3e0509893e612ab86a4729dd7f734cc0

SHA256
5edcf27d01892965ff54063f6ba75ec6392ec5b1c56c666104a029083d3e38ac

SHA512
44e2f25eb225fc1786847b1f1b68df163ca3dfb1c24c10be0550facb471a38f968ff2c922562efbff642b351691708a6debe1e3e112b90820959741d4c4f5f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2376143.exe

Filesize
140KB

MD5
c427b499b32f243558ca07066adf6db7

SHA1
0bc6b01c3e0509893e612ab86a4729dd7f734cc0

SHA256
5edcf27d01892965ff54063f6ba75ec6392ec5b1c56c666104a029083d3e38ac

SHA512
44e2f25eb225fc1786847b1f1b68df163ca3dfb1c24c10be0550facb471a38f968ff2c922562efbff642b351691708a6debe1e3e112b90820959741d4c4f5f64

Download Submit
memory/1648-38-0x00007FFA5AA20000-0x00007FFA5B4E1000-memory.dmp

Filesize
10.8MB

Download
memory/1648-36-0x00007FFA5AA20000-0x00007FFA5B4E1000-memory.dmp

Filesize
10.8MB

Download
memory/1648-35-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

Filesize
40KB

Download
memory/2248-45-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/2248-46-0x0000000000650000-0x0000000000680000-memory.dmp

Filesize
192KB

Download
memory/2248-47-0x00000000055F0000-0x0000000005C08000-memory.dmp

Filesize
6.1MB

Download
memory/2248-48-0x00000000050E0000-0x00000000051EA000-memory.dmp

Filesize
1.0MB

Download
memory/2248-50-0x0000000004FF0000-0x0000000005002000-memory.dmp

Filesize
72KB

Download
memory/2248-49-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download
memory/2248-51-0x0000000005050000-0x000000000508C000-memory.dmp

Filesize
240KB

Download
memory/2248-52-0x0000000074750000-0x0000000074F00000-memory.dmp

Filesize
7.7MB

Download
memory/2248-53-0x0000000004EC0000-0x0000000004ED0000-memory.dmp

Filesize
64KB

Download