healer | a3c95a918044e82a763b1c12153b69b730f2de3216e767678d9f075c73411b45

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3c95a918044e82a763b1c12153b69b730f2de3216e767678d9f075c73411b45.exe
Size

828KB
MD5

a4c0d6172f5d6306ef5626341b85bdb2
SHA1

8e990e390c3ff96c45ba8d83ebddad65e8a50cf0
SHA256

a3c95a918044e82a763b1c12153b69b730f2de3216e767678d9f075c73411b45
SHA512

bea21a9d1f262d3cdf2cc72e676da669cabe5e83f9dd3b09fb6a2748cf854d7f28e510d33f03e4d4b1d837e0b752589bc833c3823ea8fbdc8ffa405af9a72151
SSDEEP

12288:cMrzy90mRSX3Ltszff5W+J/Ca130VrtCAJlaqmw3rwR4NSJ5aqE29oljX9sJdgEa:nyQrtqxWKutCZqn3r44Sq2Y+JdgEa

Score

10^/10

healer redline jang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231fe-33.dat	healer
behavioral1/files/0x00070000000231fe-34.dat	healer
behavioral1/memory/3596-35-0x0000000000390000-0x000000000039A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5514163.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5514163.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5514163.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5514163.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5514163.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5514163.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
236	v5068375.exe
3880	v5316566.exe
3304	v1362006.exe
3712	v5374738.exe
3596	a5514163.exe
860	b7937297.exe
3540	c4412755.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5514163.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1362006.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5374738.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a3c95a918044e82a763b1c12153b69b730f2de3216e767678d9f075c73411b45.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5068375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5316566.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3596	a5514163.exe
3596	a5514163.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	a5514163.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4088 wrote to memory of 236	4088	a3c95a918044e82a763b1c12153b69b730f2de3216e767678d9f075c73411b45.exe	81
PID 4088 wrote to memory of 236	4088	a3c95a918044e82a763b1c12153b69b730f2de3216e767678d9f075c73411b45.exe	81
PID 4088 wrote to memory of 236	4088	a3c95a918044e82a763b1c12153b69b730f2de3216e767678d9f075c73411b45.exe	81
PID 236 wrote to memory of 3880	236	v5068375.exe	82
PID 236 wrote to memory of 3880	236	v5068375.exe	82
PID 236 wrote to memory of 3880	236	v5068375.exe	82
PID 3880 wrote to memory of 3304	3880	v5316566.exe	83
PID 3880 wrote to memory of 3304	3880	v5316566.exe	83
PID 3880 wrote to memory of 3304	3880	v5316566.exe	83
PID 3304 wrote to memory of 3712	3304	v1362006.exe	84
PID 3304 wrote to memory of 3712	3304	v1362006.exe	84
PID 3304 wrote to memory of 3712	3304	v1362006.exe	84
PID 3712 wrote to memory of 3596	3712	v5374738.exe	85
PID 3712 wrote to memory of 3596	3712	v5374738.exe	85
PID 3712 wrote to memory of 860	3712	v5374738.exe	89
PID 3712 wrote to memory of 860	3712	v5374738.exe	89
PID 3712 wrote to memory of 860	3712	v5374738.exe	89
PID 3304 wrote to memory of 3540	3304	v1362006.exe	90
PID 3304 wrote to memory of 3540	3304	v1362006.exe	90
PID 3304 wrote to memory of 3540	3304	v1362006.exe	90

C:\Users\Admin\AppData\Local\Temp\a3c95a918044e82a763b1c12153b69b730f2de3216e767678d9f075c73411b45.exe
"C:\Users\Admin\AppData\Local\Temp\a3c95a918044e82a763b1c12153b69b730f2de3216e767678d9f075c73411b45.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4088
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5068375.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5068375.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:236
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5316566.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5316566.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3880
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1362006.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1362006.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3304
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5374738.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5374738.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3712
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5514163.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5514163.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7937297.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7937297.exe
        6⤵
        Executes dropped EXE
        
        PID:860
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4412755.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4412755.exe
        5⤵
        Executes dropped EXE
        
        PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5068375.exe

Filesize
723KB

MD5
0ffd31754c8618022c6825f08981783c

SHA1
42a0df9a376cf60a8a7156cf70aa5e086c66b452

SHA256
c94e556f3a616332afc3298ec7039f12d0e17d9e02212a8f215e913b8275ef70

SHA512
89ab54e72be4ce1364ab042b9a289d3b561e2190077a6a57dafad4030ee659f7ff2da1e1ad1734c877ddc1d30882433b3a8da4a4fa1cf23fdd50cbb56fb37794

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5068375.exe

Filesize
723KB

MD5
0ffd31754c8618022c6825f08981783c

SHA1
42a0df9a376cf60a8a7156cf70aa5e086c66b452

SHA256
c94e556f3a616332afc3298ec7039f12d0e17d9e02212a8f215e913b8275ef70

SHA512
89ab54e72be4ce1364ab042b9a289d3b561e2190077a6a57dafad4030ee659f7ff2da1e1ad1734c877ddc1d30882433b3a8da4a4fa1cf23fdd50cbb56fb37794

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5316566.exe

Filesize
497KB

MD5
efeab99618ea73e42c7e940eeb04432d

SHA1
192a5200a1e07063db426e799b462ab7eb00b07a

SHA256
eb8f1298623fd204d8d159052cf255ba391a68cccf0e267efdafaf9f4a01c061

SHA512
902dcc1079f5479f8db070531587688ba473ac54a68053c544f882f6aa64816427f10ebc4e91717e4060adcc820f2dabd3fb290166e6b1d1379142109d81decd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5316566.exe

Filesize
497KB

MD5
efeab99618ea73e42c7e940eeb04432d

SHA1
192a5200a1e07063db426e799b462ab7eb00b07a

SHA256
eb8f1298623fd204d8d159052cf255ba391a68cccf0e267efdafaf9f4a01c061

SHA512
902dcc1079f5479f8db070531587688ba473ac54a68053c544f882f6aa64816427f10ebc4e91717e4060adcc820f2dabd3fb290166e6b1d1379142109d81decd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1362006.exe

Filesize
372KB

MD5
b45627fc6aabe5088e664c30c276f77c

SHA1
0ee82a92cf856413a33fbd4a138f0891334e8662

SHA256
1555066e67440998baff806780cc06740333c475a80219b641a962b357e2a13d

SHA512
35ea48e15cee4ca991b31f8624ab3b2a2629999c19fdaed963b7e93f5636c77f9ad4c737c7c08afbc236d7034685a9f4c2a9a50f42b8d6d0e4ac7c345a8bfdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1362006.exe

Filesize
372KB

MD5
b45627fc6aabe5088e664c30c276f77c

SHA1
0ee82a92cf856413a33fbd4a138f0891334e8662

SHA256
1555066e67440998baff806780cc06740333c475a80219b641a962b357e2a13d

SHA512
35ea48e15cee4ca991b31f8624ab3b2a2629999c19fdaed963b7e93f5636c77f9ad4c737c7c08afbc236d7034685a9f4c2a9a50f42b8d6d0e4ac7c345a8bfdeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4412755.exe

Filesize
174KB

MD5
9e9d240803fccbe6380bef90ce264950

SHA1
fc02d428fd3aed60c8baa50a4fae91aadedf636f

SHA256
de6f223df1f0d7c47166dc8250916ec363f4d8daac4ebaed839dcf3df115cfb3

SHA512
d561008f733278deed1f8fb6deec355872f669b43fa3e99ca7b5446e42ed44325787f7f22f98963ebe3f7ac12c3f1e48f2d5d6b167df9a66ccd1a9786a862eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4412755.exe

Filesize
174KB

MD5
9e9d240803fccbe6380bef90ce264950

SHA1
fc02d428fd3aed60c8baa50a4fae91aadedf636f

SHA256
de6f223df1f0d7c47166dc8250916ec363f4d8daac4ebaed839dcf3df115cfb3

SHA512
d561008f733278deed1f8fb6deec355872f669b43fa3e99ca7b5446e42ed44325787f7f22f98963ebe3f7ac12c3f1e48f2d5d6b167df9a66ccd1a9786a862eae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5374738.exe

Filesize
217KB

MD5
11c936b5a4bdcf7ad62112870ae7837a

SHA1
fe7438f994b3e576c0c5ae7876bb0d18afd7da00

SHA256
d58fca5b2e0427766561df3d0c8ef1437f2a8c34a71d49eb6fe661d17040ce00

SHA512
db45b85bd4b9fd31501e330a438c7044d8ef40fa2e03fb2fdd34b5c0d8b89d90e3fda46a4149c129044354e8491f79a0a5c66433ca8bb6e3fd38614e16f0539e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5374738.exe

Filesize
217KB

MD5
11c936b5a4bdcf7ad62112870ae7837a

SHA1
fe7438f994b3e576c0c5ae7876bb0d18afd7da00

SHA256
d58fca5b2e0427766561df3d0c8ef1437f2a8c34a71d49eb6fe661d17040ce00

SHA512
db45b85bd4b9fd31501e330a438c7044d8ef40fa2e03fb2fdd34b5c0d8b89d90e3fda46a4149c129044354e8491f79a0a5c66433ca8bb6e3fd38614e16f0539e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5514163.exe

Filesize
19KB

MD5
c350f7a45183968610907eb92766ebec

SHA1
58badf58741ffe2a9b63df9a8a4f27a469141232

SHA256
226c6c6947b6569bf8082c8a20980005db4868258593f32a31b2a97a2081a287

SHA512
ff193ed843db44a5f4be2ed5a265b59800925fe242ad3318b477ac91263e937e8b3e69b1a31187f075d272b004f2859db05487cca1ac892fc0e926f4b25da7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5514163.exe

Filesize
19KB

MD5
c350f7a45183968610907eb92766ebec

SHA1
58badf58741ffe2a9b63df9a8a4f27a469141232

SHA256
226c6c6947b6569bf8082c8a20980005db4868258593f32a31b2a97a2081a287

SHA512
ff193ed843db44a5f4be2ed5a265b59800925fe242ad3318b477ac91263e937e8b3e69b1a31187f075d272b004f2859db05487cca1ac892fc0e926f4b25da7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7937297.exe

Filesize
140KB

MD5
df5eb72a1ca5461a9b20ad2b059fbc6b

SHA1
71eb25dd68d2d2a9c0b6b8d17c80fac25dd3be88

SHA256
9b0186db34dfe3ccbd4b3c426a9f305ab04afa7331c446370f144b741d48fd52

SHA512
744f87fe7b7500258f7383e4fc67bfff845d05a1e89f52068dcf32efc784418af265d64a42db18a1ce31add9b7f72115c5158f4a6e0d9672c889b2710e70eadf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7937297.exe

Filesize
140KB

MD5
df5eb72a1ca5461a9b20ad2b059fbc6b

SHA1
71eb25dd68d2d2a9c0b6b8d17c80fac25dd3be88

SHA256
9b0186db34dfe3ccbd4b3c426a9f305ab04afa7331c446370f144b741d48fd52

SHA512
744f87fe7b7500258f7383e4fc67bfff845d05a1e89f52068dcf32efc784418af265d64a42db18a1ce31add9b7f72115c5158f4a6e0d9672c889b2710e70eadf

Download Submit
memory/3540-46-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/3540-45-0x0000000000D00000-0x0000000000D30000-memory.dmp

Filesize
192KB

Download
memory/3540-47-0x000000000B150000-0x000000000B768000-memory.dmp

Filesize
6.1MB

Download
memory/3540-48-0x000000000ACB0000-0x000000000ADBA000-memory.dmp

Filesize
1.0MB

Download
memory/3540-49-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/3540-50-0x000000000ABF0000-0x000000000AC02000-memory.dmp

Filesize
72KB

Download
memory/3540-51-0x000000000AC50000-0x000000000AC8C000-memory.dmp

Filesize
240KB

Download
memory/3540-52-0x0000000074070000-0x0000000074820000-memory.dmp

Filesize
7.7MB

Download
memory/3540-53-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/3596-38-0x00007FFA65C90000-0x00007FFA66751000-memory.dmp

Filesize
10.8MB

Download
memory/3596-36-0x00007FFA65C90000-0x00007FFA66751000-memory.dmp

Filesize
10.8MB

Download
memory/3596-35-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download