healer | 41a7859d9b1994a0d3b960e28682f10d848738d1daf9a7eddc0060660b0f679c

Analysis

max time kernel
145s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
01/09/2023, 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41a7859d9b1994a0d3b960e28682f10d848738d1daf9a7eddc0060660b0f679c.exe
Size

929KB
MD5

d9ac40ce04249f9324e90c52cc3883e4
SHA1

45bb638184fb72d9947225188d35d439d895372d
SHA256

41a7859d9b1994a0d3b960e28682f10d848738d1daf9a7eddc0060660b0f679c
SHA512

861e17d2e75b83e2721dc6339f23ff0966ce2868bc22c1119115e6b82f70d1ae4f1a918efa520e8262143ed3db8ba4bd1b5e3c619cd46cd850c203492154618c
SSDEEP

24576:kyCNMMKmtyAYVKzDADsylVgnMGjQG08Ju9zuh:zzMKmgAYVKg4wxPGzg9zu

Score

10^/10

healer redline jang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af66-33.dat	healer
behavioral1/files/0x000700000001af66-34.dat	healer
behavioral1/memory/4188-35-0x0000000000620000-0x000000000062A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q6380276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q6380276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q6380276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q6380276.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q6380276.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4272	z7736892.exe
4304	z8043927.exe
1096	z5038095.exe
1492	z1507760.exe
4188	q6380276.exe
3644	r2757673.exe
2320	s4359168.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q6380276.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	41a7859d9b1994a0d3b960e28682f10d848738d1daf9a7eddc0060660b0f679c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7736892.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8043927.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5038095.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z1507760.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4188	q6380276.exe
4188	q6380276.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4188	q6380276.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4220 wrote to memory of 4272	4220	41a7859d9b1994a0d3b960e28682f10d848738d1daf9a7eddc0060660b0f679c.exe	69
PID 4220 wrote to memory of 4272	4220	41a7859d9b1994a0d3b960e28682f10d848738d1daf9a7eddc0060660b0f679c.exe	69
PID 4220 wrote to memory of 4272	4220	41a7859d9b1994a0d3b960e28682f10d848738d1daf9a7eddc0060660b0f679c.exe	69
PID 4272 wrote to memory of 4304	4272	z7736892.exe	70
PID 4272 wrote to memory of 4304	4272	z7736892.exe	70
PID 4272 wrote to memory of 4304	4272	z7736892.exe	70
PID 4304 wrote to memory of 1096	4304	z8043927.exe	71
PID 4304 wrote to memory of 1096	4304	z8043927.exe	71
PID 4304 wrote to memory of 1096	4304	z8043927.exe	71
PID 1096 wrote to memory of 1492	1096	z5038095.exe	72
PID 1096 wrote to memory of 1492	1096	z5038095.exe	72
PID 1096 wrote to memory of 1492	1096	z5038095.exe	72
PID 1492 wrote to memory of 4188	1492	z1507760.exe	73
PID 1492 wrote to memory of 4188	1492	z1507760.exe	73
PID 1492 wrote to memory of 3644	1492	z1507760.exe	74
PID 1492 wrote to memory of 3644	1492	z1507760.exe	74
PID 1492 wrote to memory of 3644	1492	z1507760.exe	74
PID 1096 wrote to memory of 2320	1096	z5038095.exe	75
PID 1096 wrote to memory of 2320	1096	z5038095.exe	75
PID 1096 wrote to memory of 2320	1096	z5038095.exe	75

C:\Users\Admin\AppData\Local\Temp\41a7859d9b1994a0d3b960e28682f10d848738d1daf9a7eddc0060660b0f679c.exe
"C:\Users\Admin\AppData\Local\Temp\41a7859d9b1994a0d3b960e28682f10d848738d1daf9a7eddc0060660b0f679c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7736892.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7736892.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8043927.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8043927.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5038095.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5038095.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1096
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1507760.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1507760.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6380276.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6380276.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2757673.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2757673.exe
        6⤵
        Executes dropped EXE
        
        PID:3644
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4359168.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4359168.exe
        5⤵
        Executes dropped EXE
        
        PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7736892.exe

Filesize
823KB

MD5
76826c800c6694c68b4caebffc3865e3

SHA1
09d43dcbf2312d9252b3353c8fafcdc7497071c1

SHA256
77784d997da6fea514a7468d4b1cadcd742178c49a4d1311334cd50372cad38a

SHA512
c18431d204c9f68d6a6c223e9fe5fed70e2645af86862f1766f16d1af77ee1730d198aff2ecc591d4a64691da40c4688185714694feeb2929e6e77da7fb3cad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7736892.exe

Filesize
823KB

MD5
76826c800c6694c68b4caebffc3865e3

SHA1
09d43dcbf2312d9252b3353c8fafcdc7497071c1

SHA256
77784d997da6fea514a7468d4b1cadcd742178c49a4d1311334cd50372cad38a

SHA512
c18431d204c9f68d6a6c223e9fe5fed70e2645af86862f1766f16d1af77ee1730d198aff2ecc591d4a64691da40c4688185714694feeb2929e6e77da7fb3cad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8043927.exe

Filesize
598KB

MD5
3d07374fe59af648d5364731de3fcb90

SHA1
ec64b60fdbe172096997c3c18f6e9240baf4adcc

SHA256
cd0b9e335efaee397f0f7e36737bd803510b764bafae9b61918380b6767285a6

SHA512
f7d8792ac522653e2943a235f86560bfd8bc1ff5282703f63bf1b67c7863c0918b5fcd421fffec0db85a1b3209e43748bd0b940fa7e9dbca1e01c1f20f092e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8043927.exe

Filesize
598KB

MD5
3d07374fe59af648d5364731de3fcb90

SHA1
ec64b60fdbe172096997c3c18f6e9240baf4adcc

SHA256
cd0b9e335efaee397f0f7e36737bd803510b764bafae9b61918380b6767285a6

SHA512
f7d8792ac522653e2943a235f86560bfd8bc1ff5282703f63bf1b67c7863c0918b5fcd421fffec0db85a1b3209e43748bd0b940fa7e9dbca1e01c1f20f092e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5038095.exe

Filesize
372KB

MD5
c08630ab459bc40b41421285e74a4bc2

SHA1
3a9f4367adfd256b5129806fb8bfacc7fbd097c1

SHA256
8aecb5fd74044eab133301e95bde31380a9935c97ad5df7ae2cf7f81e45c3f20

SHA512
4b891a98984a38782f61aa57b0298009ebcebabd1bf89b7a2a91b517f724d66fc721985e15f91e236dd5661e13bf745798eb083afcee448a71d626207dfbd2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5038095.exe

Filesize
372KB

MD5
c08630ab459bc40b41421285e74a4bc2

SHA1
3a9f4367adfd256b5129806fb8bfacc7fbd097c1

SHA256
8aecb5fd74044eab133301e95bde31380a9935c97ad5df7ae2cf7f81e45c3f20

SHA512
4b891a98984a38782f61aa57b0298009ebcebabd1bf89b7a2a91b517f724d66fc721985e15f91e236dd5661e13bf745798eb083afcee448a71d626207dfbd2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4359168.exe

Filesize
174KB

MD5
e7ba7f8456e9e7726a720c25e8ea2ccc

SHA1
44ece50406e503646471cb3b719e0caba097e0c2

SHA256
11ea1595b74d8538ca5d2d666e1c387df4341c2ee2a9271d07bfd8edf6a98fcf

SHA512
b332115430b9fb45d0375c6c7cb92075e365022c24eb5b32e2c2d7bc741decc98fe5d75003b9933326901f0aed106c42eb64ed1af766ed45d6b9c602701dbfec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s4359168.exe

Filesize
174KB

MD5
e7ba7f8456e9e7726a720c25e8ea2ccc

SHA1
44ece50406e503646471cb3b719e0caba097e0c2

SHA256
11ea1595b74d8538ca5d2d666e1c387df4341c2ee2a9271d07bfd8edf6a98fcf

SHA512
b332115430b9fb45d0375c6c7cb92075e365022c24eb5b32e2c2d7bc741decc98fe5d75003b9933326901f0aed106c42eb64ed1af766ed45d6b9c602701dbfec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1507760.exe

Filesize
217KB

MD5
0dc23db733a8d1d7abbea9f567c73a98

SHA1
d2d402fbcc9ba783c34f676d26ae11f946a27433

SHA256
61e9ec45eccf485a3a5406ba6cf02a8e1f2bd0ab6a40595a909c8d9fefd50664

SHA512
e4feae79fee569954c9736d2db30320053af0d5f3a895f9a5bc5da39efc87adf5dd358f50a5035d6722b2a7193820ef5f7d27e700213b4d54e7b6ba359c8eeba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1507760.exe

Filesize
217KB

MD5
0dc23db733a8d1d7abbea9f567c73a98

SHA1
d2d402fbcc9ba783c34f676d26ae11f946a27433

SHA256
61e9ec45eccf485a3a5406ba6cf02a8e1f2bd0ab6a40595a909c8d9fefd50664

SHA512
e4feae79fee569954c9736d2db30320053af0d5f3a895f9a5bc5da39efc87adf5dd358f50a5035d6722b2a7193820ef5f7d27e700213b4d54e7b6ba359c8eeba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6380276.exe

Filesize
19KB

MD5
732a47eb3f9b1d63e35ac32e72723fd5

SHA1
46b194742ab66e9d34fe4895b937adeeed9e0a35

SHA256
4e8642248dc714b9c4c10293cb1b2f23bb2d07fd5ed41a79cf2668011c7c8356

SHA512
5d2fff4c040ddbac3d20c787475e1f3f7f8c2a2a0acb0b099205f59e49ee23095af114b6dc60e74ee80e380619bb77bf5752db3ac192dcd461f9c54e4a1ce51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q6380276.exe

Filesize
19KB

MD5
732a47eb3f9b1d63e35ac32e72723fd5

SHA1
46b194742ab66e9d34fe4895b937adeeed9e0a35

SHA256
4e8642248dc714b9c4c10293cb1b2f23bb2d07fd5ed41a79cf2668011c7c8356

SHA512
5d2fff4c040ddbac3d20c787475e1f3f7f8c2a2a0acb0b099205f59e49ee23095af114b6dc60e74ee80e380619bb77bf5752db3ac192dcd461f9c54e4a1ce51b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2757673.exe

Filesize
141KB

MD5
e73aad7d5feaf74752e455e1ae2c7f3b

SHA1
89222ffc7aff68ae1ce24a06fe22b0c9415a556b

SHA256
1cac45082a9ab00aa89c994246306105ab6f45cdc2145b4897cd8da21a8f7461

SHA512
2e61c014cad2ac41ddd24e450702f58bc53c307c8fe882548e912b7ff9c566a926f5985d0bd0f6d3d9ddd2351d3363b14338b52e3a5d3fe17e72aef50c0dd782

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2757673.exe

Filesize
141KB

MD5
e73aad7d5feaf74752e455e1ae2c7f3b

SHA1
89222ffc7aff68ae1ce24a06fe22b0c9415a556b

SHA256
1cac45082a9ab00aa89c994246306105ab6f45cdc2145b4897cd8da21a8f7461

SHA512
2e61c014cad2ac41ddd24e450702f58bc53c307c8fe882548e912b7ff9c566a926f5985d0bd0f6d3d9ddd2351d3363b14338b52e3a5d3fe17e72aef50c0dd782

Download Submit
memory/2320-45-0x0000000000260000-0x0000000000290000-memory.dmp

Filesize
192KB

Download
memory/2320-46-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/2320-47-0x0000000000C40000-0x0000000000C46000-memory.dmp

Filesize
24KB

Download
memory/2320-48-0x000000000A5D0000-0x000000000ABD6000-memory.dmp

Filesize
6.0MB

Download
memory/2320-49-0x000000000A0D0000-0x000000000A1DA000-memory.dmp

Filesize
1.0MB

Download
memory/2320-50-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/2320-51-0x000000000A000000-0x000000000A03E000-memory.dmp

Filesize
248KB

Download
memory/2320-52-0x000000000A050000-0x000000000A09B000-memory.dmp

Filesize
300KB

Download
memory/2320-53-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/4188-38-0x00007FF925B10000-0x00007FF9264FC000-memory.dmp

Filesize
9.9MB

Download
memory/4188-36-0x00007FF925B10000-0x00007FF9264FC000-memory.dmp

Filesize
9.9MB

Download
memory/4188-35-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download