healer | 2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec

Analysis

max time kernel
146s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
01/09/2023, 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe
Size

923KB
MD5

2a95892752ce9221e0e4dda530746b24
SHA1

2df82dcd76c16bc7b30d6052d89e65bc17548365
SHA256

2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec
SHA512

6d6c44f6b4dfbc90923d12fbc30ebf9b087dd7286b352f2cd16c29fa812ce2f646f7462ef88547f749c152c85cae5a6a3856580f20c1ccc6d89b839db8825563
SSDEEP

24576:OywszlydSyTFkcjPgdLPz2f6ay8NpY2z1B74Ec8aos:dkhFzP+LPD38NpY2JF4Ec8a

Score

10^/10

healer redline jang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af6a-33.dat	healer
behavioral1/files/0x000700000001af6a-34.dat	healer
behavioral1/memory/4996-35-0x00000000004E0000-0x00000000004EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q6303559.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q6303559.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q6303559.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q6303559.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q6303559.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4212	z5581746.exe
2192	z8314766.exe
3136	z0467047.exe
4864	z9505533.exe
4996	q6303559.exe
3544	r1046409.exe
4940	s7672289.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q6303559.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5581746.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8314766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z0467047.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9505533.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4996	q6303559.exe
4996	q6303559.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4996	q6303559.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4212	4604	2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe	69
PID 4604 wrote to memory of 4212	4604	2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe	69
PID 4604 wrote to memory of 4212	4604	2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe	69
PID 4212 wrote to memory of 2192	4212	z5581746.exe	70
PID 4212 wrote to memory of 2192	4212	z5581746.exe	70
PID 4212 wrote to memory of 2192	4212	z5581746.exe	70
PID 2192 wrote to memory of 3136	2192	z8314766.exe	71
PID 2192 wrote to memory of 3136	2192	z8314766.exe	71
PID 2192 wrote to memory of 3136	2192	z8314766.exe	71
PID 3136 wrote to memory of 4864	3136	z0467047.exe	72
PID 3136 wrote to memory of 4864	3136	z0467047.exe	72
PID 3136 wrote to memory of 4864	3136	z0467047.exe	72
PID 4864 wrote to memory of 4996	4864	z9505533.exe	73
PID 4864 wrote to memory of 4996	4864	z9505533.exe	73
PID 4864 wrote to memory of 3544	4864	z9505533.exe	74
PID 4864 wrote to memory of 3544	4864	z9505533.exe	74
PID 4864 wrote to memory of 3544	4864	z9505533.exe	74
PID 3136 wrote to memory of 4940	3136	z0467047.exe	75
PID 3136 wrote to memory of 4940	3136	z0467047.exe	75
PID 3136 wrote to memory of 4940	3136	z0467047.exe	75

C:\Users\Admin\AppData\Local\Temp\2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe
"C:\Users\Admin\AppData\Local\Temp\2b752caeb4c4d5d3d976a4f18bdbbe85a9d33e45248c42e9804a0e0a0be474ec.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5581746.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5581746.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8314766.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8314766.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0467047.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0467047.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9505533.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9505533.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4864
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6303559.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6303559.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1046409.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1046409.exe
        6⤵
        Executes dropped EXE
        
        PID:3544
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7672289.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7672289.exe
        5⤵
        Executes dropped EXE
        
        PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5581746.exe

Filesize
817KB

MD5
de6d6d7a1f795b69f2c820cbb332a6ed

SHA1
38a97c650d89f271682f8baa6e9919a66ddcc2dc

SHA256
ad2cea62697af7b6ef0732fc6755ba6cce9187e11aa13630f61d03a4433ab650

SHA512
c78fdbb71345cf40ac9ba5e09511756d217ad34e336bfbaf581a003b7f00061e31aa1ba860b6940058d7ca604ee88c0c8eb49a84dbf9579dce34d70c50e5b648

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5581746.exe

Filesize
817KB

MD5
de6d6d7a1f795b69f2c820cbb332a6ed

SHA1
38a97c650d89f271682f8baa6e9919a66ddcc2dc

SHA256
ad2cea62697af7b6ef0732fc6755ba6cce9187e11aa13630f61d03a4433ab650

SHA512
c78fdbb71345cf40ac9ba5e09511756d217ad34e336bfbaf581a003b7f00061e31aa1ba860b6940058d7ca604ee88c0c8eb49a84dbf9579dce34d70c50e5b648

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8314766.exe

Filesize
599KB

MD5
fef2e10d8ca70f4a385538c9701ec2de

SHA1
28bf9b9637bbc94111f054b84e557bced51ccdc6

SHA256
dfd2c4c4264ee9c82c0da0ddf459546f21bcc7cf9b4bb22b950ddf16c72ba8b4

SHA512
f68392976a429055f1ea4ef99ebf4d4c5cba8f23c99c85f5f4a11c59a3e1a735525d1e246298b392d2d91a669a5c899fd205b26dd35635760d3c5bb8abc5d050

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8314766.exe

Filesize
599KB

MD5
fef2e10d8ca70f4a385538c9701ec2de

SHA1
28bf9b9637bbc94111f054b84e557bced51ccdc6

SHA256
dfd2c4c4264ee9c82c0da0ddf459546f21bcc7cf9b4bb22b950ddf16c72ba8b4

SHA512
f68392976a429055f1ea4ef99ebf4d4c5cba8f23c99c85f5f4a11c59a3e1a735525d1e246298b392d2d91a669a5c899fd205b26dd35635760d3c5bb8abc5d050

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0467047.exe

Filesize
373KB

MD5
d232d2232b326d442841792b9fe9d132

SHA1
c71160369d1df8c450c2601edb65d148a7674f6d

SHA256
cbb534b47052ce3653596ca790a0f026c48315cd390330f32fa69f8a08a36d62

SHA512
842cc1c91c50f725feb19b1e5af549b696856b96d9bafd33370defd2411af5ff60ad590302c568f8ab59408250399892d647c5282152c2f2e2223240791929d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0467047.exe

Filesize
373KB

MD5
d232d2232b326d442841792b9fe9d132

SHA1
c71160369d1df8c450c2601edb65d148a7674f6d

SHA256
cbb534b47052ce3653596ca790a0f026c48315cd390330f32fa69f8a08a36d62

SHA512
842cc1c91c50f725feb19b1e5af549b696856b96d9bafd33370defd2411af5ff60ad590302c568f8ab59408250399892d647c5282152c2f2e2223240791929d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7672289.exe

Filesize
174KB

MD5
7bd1038f0a305ab7e49dd8406aa17085

SHA1
1d504b4fad69e41d1b85da8ec9c2dac232227e17

SHA256
d3bdb68fbcb9ba85d21301f286944291bf26db3309e39600e347217df7b809ac

SHA512
50b40ba86564070c2b79f393ef1ebe81868c5e1ed63f4c6555637eaeb2ae818b46c0a4dd0cd0c5f5a6bdd5d0fd92cca9651632c8631fb93c3f9b2594ea22e583

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7672289.exe

Filesize
174KB

MD5
7bd1038f0a305ab7e49dd8406aa17085

SHA1
1d504b4fad69e41d1b85da8ec9c2dac232227e17

SHA256
d3bdb68fbcb9ba85d21301f286944291bf26db3309e39600e347217df7b809ac

SHA512
50b40ba86564070c2b79f393ef1ebe81868c5e1ed63f4c6555637eaeb2ae818b46c0a4dd0cd0c5f5a6bdd5d0fd92cca9651632c8631fb93c3f9b2594ea22e583

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9505533.exe

Filesize
217KB

MD5
5a71520dc80ab293b29288aaa4eaeb10

SHA1
fdeaf31f8463d9bb9cf2f93a7ff86a968e510bb7

SHA256
c6724edd2418f52d100ba7737fbff3f9a063f96bcd2a6da6db03d9dfd2bd31fc

SHA512
084859160c114921fa151e80d21b45e509d8706a715708f83a61566746629202788ebb28cbe0ef2f94a9b8309502e1fa8f133d19f6e817e6fc47a74e427e4079

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9505533.exe

Filesize
217KB

MD5
5a71520dc80ab293b29288aaa4eaeb10

SHA1
fdeaf31f8463d9bb9cf2f93a7ff86a968e510bb7

SHA256
c6724edd2418f52d100ba7737fbff3f9a063f96bcd2a6da6db03d9dfd2bd31fc

SHA512
084859160c114921fa151e80d21b45e509d8706a715708f83a61566746629202788ebb28cbe0ef2f94a9b8309502e1fa8f133d19f6e817e6fc47a74e427e4079

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6303559.exe

Filesize
19KB

MD5
53d033a197de5407c3b1622b23aefbd0

SHA1
e20d4da9aec3ea3d227d06d1fb0f75ef65c003fc

SHA256
09ff91d0eb56f131d3361e9f96b1ed65f9219a1071d40606bd96650017fb9b73

SHA512
e948ecb80bd83a673b11fe6c62ecf7cd875137a79e689dfc56e861f7a7cd7a44f8f408c1dd6a145aab7cd6c55f7e9c11ab84ab92a2ad09075d6acaf3ca395ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6303559.exe

Filesize
19KB

MD5
53d033a197de5407c3b1622b23aefbd0

SHA1
e20d4da9aec3ea3d227d06d1fb0f75ef65c003fc

SHA256
09ff91d0eb56f131d3361e9f96b1ed65f9219a1071d40606bd96650017fb9b73

SHA512
e948ecb80bd83a673b11fe6c62ecf7cd875137a79e689dfc56e861f7a7cd7a44f8f408c1dd6a145aab7cd6c55f7e9c11ab84ab92a2ad09075d6acaf3ca395ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1046409.exe

Filesize
141KB

MD5
731c1aa8a9ba69980dcaba32af03c07a

SHA1
c0d4c2a2ddd1e06b9e554aabc43cb916f3fcc547

SHA256
a39b10c36a6d5a26707993bf795535c75c01a67d78c1a54b8c1c355fc388b6dd

SHA512
b6eb07e6b803efbba8b9da8abbcc33389cb3923af48c495f4034592f93367f992692d81c095d66373275e9a9b17fccdaf4622a475e3a3b6e67f9c817c710481c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1046409.exe

Filesize
141KB

MD5
731c1aa8a9ba69980dcaba32af03c07a

SHA1
c0d4c2a2ddd1e06b9e554aabc43cb916f3fcc547

SHA256
a39b10c36a6d5a26707993bf795535c75c01a67d78c1a54b8c1c355fc388b6dd

SHA512
b6eb07e6b803efbba8b9da8abbcc33389cb3923af48c495f4034592f93367f992692d81c095d66373275e9a9b17fccdaf4622a475e3a3b6e67f9c817c710481c

Download Submit
memory/4940-46-0x0000000073680000-0x0000000073D6E000-memory.dmp

Filesize
6.9MB

Download
memory/4940-45-0x00000000006D0000-0x0000000000700000-memory.dmp

Filesize
192KB

Download
memory/4940-47-0x0000000000EA0000-0x0000000000EA6000-memory.dmp

Filesize
24KB

Download
memory/4940-48-0x000000000AAB0000-0x000000000B0B6000-memory.dmp

Filesize
6.0MB

Download
memory/4940-49-0x000000000A620000-0x000000000A72A000-memory.dmp

Filesize
1.0MB

Download
memory/4940-50-0x000000000A550000-0x000000000A562000-memory.dmp

Filesize
72KB

Download
memory/4940-51-0x000000000A5B0000-0x000000000A5EE000-memory.dmp

Filesize
248KB

Download
memory/4940-52-0x000000000A730000-0x000000000A77B000-memory.dmp

Filesize
300KB

Download
memory/4940-53-0x0000000073680000-0x0000000073D6E000-memory.dmp

Filesize
6.9MB

Download
memory/4996-38-0x00007FFC1EE60000-0x00007FFC1F84C000-memory.dmp

Filesize
9.9MB

Download
memory/4996-36-0x00007FFC1EE60000-0x00007FFC1F84C000-memory.dmp

Filesize
9.9MB

Download
memory/4996-35-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download