healer | a662c867fe00170256ea33d27484cd8f189878445c44e24f119e4a4fc2c1693e

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a662c867fe00170256ea33d27484cd8f189878445c44e24f119e4a4fc2c1693e.exe
Size

829KB
MD5

c76e3290929937b437c6080eb56425ab
SHA1

6e654b823529203b5fb7df56bafda2c0a4d68521
SHA256

a662c867fe00170256ea33d27484cd8f189878445c44e24f119e4a4fc2c1693e
SHA512

ba369d7a60cc891a546225ea9f139af1a1f08666596716405a06b592466e35347ee074f47de3aae765ecdb90bf439d02db5b11d318579b4d19d6e572c51cb648
SSDEEP

24576:xy99bEq0QczUtk6ygTyjNngO9/AZ/FW2KpX:kDh0QsIyhgWAA

Score

10^/10

healer redline jang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00060000000232be-33.dat	healer
behavioral1/files/0x00060000000232be-34.dat	healer
behavioral1/memory/232-35-0x0000000000380000-0x000000000038A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6982254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6982254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6982254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6982254.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6982254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6982254.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3864	v3352113.exe
2296	v7484034.exe
2772	v1874615.exe
1500	v8642757.exe
232	a6982254.exe
644	b5906468.exe
4728	c2142177.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6982254.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3352113.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7484034.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1874615.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8642757.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a662c867fe00170256ea33d27484cd8f189878445c44e24f119e4a4fc2c1693e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
232	a6982254.exe
232	a6982254.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	232	a6982254.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 3864	4520	a662c867fe00170256ea33d27484cd8f189878445c44e24f119e4a4fc2c1693e.exe	84
PID 4520 wrote to memory of 3864	4520	a662c867fe00170256ea33d27484cd8f189878445c44e24f119e4a4fc2c1693e.exe	84
PID 4520 wrote to memory of 3864	4520	a662c867fe00170256ea33d27484cd8f189878445c44e24f119e4a4fc2c1693e.exe	84
PID 3864 wrote to memory of 2296	3864	v3352113.exe	85
PID 3864 wrote to memory of 2296	3864	v3352113.exe	85
PID 3864 wrote to memory of 2296	3864	v3352113.exe	85
PID 2296 wrote to memory of 2772	2296	v7484034.exe	86
PID 2296 wrote to memory of 2772	2296	v7484034.exe	86
PID 2296 wrote to memory of 2772	2296	v7484034.exe	86
PID 2772 wrote to memory of 1500	2772	v1874615.exe	88
PID 2772 wrote to memory of 1500	2772	v1874615.exe	88
PID 2772 wrote to memory of 1500	2772	v1874615.exe	88
PID 1500 wrote to memory of 232	1500	v8642757.exe	89
PID 1500 wrote to memory of 232	1500	v8642757.exe	89
PID 1500 wrote to memory of 644	1500	v8642757.exe	90
PID 1500 wrote to memory of 644	1500	v8642757.exe	90
PID 1500 wrote to memory of 644	1500	v8642757.exe	90
PID 2772 wrote to memory of 4728	2772	v1874615.exe	91
PID 2772 wrote to memory of 4728	2772	v1874615.exe	91
PID 2772 wrote to memory of 4728	2772	v1874615.exe	91

C:\Users\Admin\AppData\Local\Temp\a662c867fe00170256ea33d27484cd8f189878445c44e24f119e4a4fc2c1693e.exe
"C:\Users\Admin\AppData\Local\Temp\a662c867fe00170256ea33d27484cd8f189878445c44e24f119e4a4fc2c1693e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3352113.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3352113.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3864
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7484034.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7484034.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1874615.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1874615.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8642757.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8642757.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6982254.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6982254.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5906468.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5906468.exe
        6⤵
        Executes dropped EXE
        
        PID:644
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2142177.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2142177.exe
        5⤵
        Executes dropped EXE
        
        PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3352113.exe

Filesize
724KB

MD5
f71778fafb807601d4c5b56c1e95ad03

SHA1
47fe1219077321ebc6441065630bbf9322dc0fa0

SHA256
0a82c1cf3f4ed1820b89d3a2bff3f2ab4d2688d7948f9aa7fddfb483ba28dc61

SHA512
33bb4c60a594ed1128cc1166a080226ce40bcd5a1e8ee8853ae2e9ad36fe351eb90a67cf5ea826018731fc0a6e4aeab818d1c8095b33aee021bf4a73e578af3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3352113.exe

Filesize
724KB

MD5
f71778fafb807601d4c5b56c1e95ad03

SHA1
47fe1219077321ebc6441065630bbf9322dc0fa0

SHA256
0a82c1cf3f4ed1820b89d3a2bff3f2ab4d2688d7948f9aa7fddfb483ba28dc61

SHA512
33bb4c60a594ed1128cc1166a080226ce40bcd5a1e8ee8853ae2e9ad36fe351eb90a67cf5ea826018731fc0a6e4aeab818d1c8095b33aee021bf4a73e578af3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7484034.exe

Filesize
497KB

MD5
05f70e8e881d562affb20c687f2866db

SHA1
809454580822c66641e8b09ffd125bdff19267ee

SHA256
fe0bdcc0c68d70efa57456cbbe93651a5933ad41151a1eab87e940579e7f8e51

SHA512
24b41557c0f994f9133607cffb24e4a0c98cca644fb6145067c9ca207b47b7eb19cc6734281cae2afdc9278015f9c39f77529702f73c2b438d2485953672997d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7484034.exe

Filesize
497KB

MD5
05f70e8e881d562affb20c687f2866db

SHA1
809454580822c66641e8b09ffd125bdff19267ee

SHA256
fe0bdcc0c68d70efa57456cbbe93651a5933ad41151a1eab87e940579e7f8e51

SHA512
24b41557c0f994f9133607cffb24e4a0c98cca644fb6145067c9ca207b47b7eb19cc6734281cae2afdc9278015f9c39f77529702f73c2b438d2485953672997d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1874615.exe

Filesize
373KB

MD5
8d54588d6d8f4f540b4779aa59ecf106

SHA1
330484fed7241184b81a2f5aaadba8c90d154032

SHA256
81a66758357a9552e955b30f5e7539078b3a261c432b8906e9454c20598a639d

SHA512
921e42d6489fda2b5293e6f5d0c3eded4addf439727d3aa66451077c61f19735d5596a19b8eb9535799a6a800fa4be88407fbdc5df40a328f0742676ecd425aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1874615.exe

Filesize
373KB

MD5
8d54588d6d8f4f540b4779aa59ecf106

SHA1
330484fed7241184b81a2f5aaadba8c90d154032

SHA256
81a66758357a9552e955b30f5e7539078b3a261c432b8906e9454c20598a639d

SHA512
921e42d6489fda2b5293e6f5d0c3eded4addf439727d3aa66451077c61f19735d5596a19b8eb9535799a6a800fa4be88407fbdc5df40a328f0742676ecd425aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2142177.exe

Filesize
174KB

MD5
3ed1b4b3fb7b2edb13128c50cb2d5110

SHA1
998e871ff6871362c6e37c6c3f207a2ba37309bc

SHA256
b261c09c287183ae7cda1808d4a8c35ad80f9c08645248e8fff6065cadb335bc

SHA512
d0f91cc5005bf99db53ef2b6d29a8ab2d2b14fc61d9dc1d1e3ce2ecad5189ccd2a8bbcca7a99dbbeba9340ea2dcd99ca8ee6475f4d82c5ded032c1efbb9d1579

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2142177.exe

Filesize
174KB

MD5
3ed1b4b3fb7b2edb13128c50cb2d5110

SHA1
998e871ff6871362c6e37c6c3f207a2ba37309bc

SHA256
b261c09c287183ae7cda1808d4a8c35ad80f9c08645248e8fff6065cadb335bc

SHA512
d0f91cc5005bf99db53ef2b6d29a8ab2d2b14fc61d9dc1d1e3ce2ecad5189ccd2a8bbcca7a99dbbeba9340ea2dcd99ca8ee6475f4d82c5ded032c1efbb9d1579

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8642757.exe

Filesize
217KB

MD5
3cc8174edeec51eba76050235a3b0e22

SHA1
3afabd48689b120046f74660de16396f0846c8af

SHA256
4d2a2fd6973bbb27430fa66ea0beb44805ea18e34ce3a511c4676f10874b5a3e

SHA512
c05382951d1b3a2c0fe4959547a175c54df50b0a99c0b2d7a716743f4a6a6dab41339bc767f7227c9e709cf10bf42cc41bcee06fd84e75a7af1f9cee52b80a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8642757.exe

Filesize
217KB

MD5
3cc8174edeec51eba76050235a3b0e22

SHA1
3afabd48689b120046f74660de16396f0846c8af

SHA256
4d2a2fd6973bbb27430fa66ea0beb44805ea18e34ce3a511c4676f10874b5a3e

SHA512
c05382951d1b3a2c0fe4959547a175c54df50b0a99c0b2d7a716743f4a6a6dab41339bc767f7227c9e709cf10bf42cc41bcee06fd84e75a7af1f9cee52b80a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6982254.exe

Filesize
19KB

MD5
4f2fcd205021b01a04bacda8b14b5763

SHA1
8ce2a71aa9e021dcfe9990929e2374deb86a3440

SHA256
0a00eec06836a9b005e4003f4d9f9a6302740ce5f113dc4808197fefc79c0965

SHA512
f44e255e41c247f4adfb64ec1039d60f09b5f4330b3a18af86b79c2dc7edeac851f350613369e5bef8fdb0e3ea134aa418038df244187eeb55bd3a9ca2137d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6982254.exe

Filesize
19KB

MD5
4f2fcd205021b01a04bacda8b14b5763

SHA1
8ce2a71aa9e021dcfe9990929e2374deb86a3440

SHA256
0a00eec06836a9b005e4003f4d9f9a6302740ce5f113dc4808197fefc79c0965

SHA512
f44e255e41c247f4adfb64ec1039d60f09b5f4330b3a18af86b79c2dc7edeac851f350613369e5bef8fdb0e3ea134aa418038df244187eeb55bd3a9ca2137d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5906468.exe

Filesize
140KB

MD5
995c5fd3cac4c6c24c59ba7815615bf9

SHA1
a53db4bb5fa80dd14a01bda9b67f4b77c71a1e68

SHA256
d417703d8c8fd0d920ac5652acc1e3d847adc6812b4767aa4163e77d7dad96ce

SHA512
b1308d6bb724c274203c69b740e08b801db13fb2fa4d92ba9a9ab5f7988241641180ca1eeebf545e9ae9f61d92e8b3102089f494fdbf126bbe5961eaf79eb903

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5906468.exe

Filesize
140KB

MD5
995c5fd3cac4c6c24c59ba7815615bf9

SHA1
a53db4bb5fa80dd14a01bda9b67f4b77c71a1e68

SHA256
d417703d8c8fd0d920ac5652acc1e3d847adc6812b4767aa4163e77d7dad96ce

SHA512
b1308d6bb724c274203c69b740e08b801db13fb2fa4d92ba9a9ab5f7988241641180ca1eeebf545e9ae9f61d92e8b3102089f494fdbf126bbe5961eaf79eb903

Download Submit
memory/232-38-0x00007FFAEE460000-0x00007FFAEEF21000-memory.dmp

Filesize
10.8MB

Download
memory/232-36-0x00007FFAEE460000-0x00007FFAEEF21000-memory.dmp

Filesize
10.8MB

Download
memory/232-35-0x0000000000380000-0x000000000038A000-memory.dmp

Filesize
40KB

Download
memory/4728-45-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4728-46-0x0000000000B30000-0x0000000000B60000-memory.dmp

Filesize
192KB

Download
memory/4728-47-0x000000000AEB0000-0x000000000B4C8000-memory.dmp

Filesize
6.1MB

Download
memory/4728-48-0x000000000A9A0000-0x000000000AAAA000-memory.dmp

Filesize
1.0MB

Download
memory/4728-50-0x000000000A8E0000-0x000000000A8F2000-memory.dmp

Filesize
72KB

Download
memory/4728-49-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4728-51-0x000000000A940000-0x000000000A97C000-memory.dmp

Filesize
240KB

Download
memory/4728-52-0x0000000074BA0000-0x0000000075350000-memory.dmp

Filesize
7.7MB

Download
memory/4728-53-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download