healer | 87cbd11dc21a1d8ab83fad63e1d2ea8da6970b843455e6522e6d87747a4cc01b

Analysis

max time kernel
145s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
01-09-2023 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87cbd11dc21a1d8ab83fad63e1d2ea8da6970b843455e6522e6d87747a4cc01b.exe
Size

829KB
MD5

adf392614475570a4be8309398e97bdc
SHA1

628898d1e3a12013fad112537b20bacee20e97b2
SHA256

87cbd11dc21a1d8ab83fad63e1d2ea8da6970b843455e6522e6d87747a4cc01b
SHA512

8effef99cc6b26fb6f49e5357b3451db854a4dd1ca3abba76ef8693018d002d91fb94723b0f7a383c3c4552078f6f9702120891a3853a6a881fab5cdba494e56
SSDEEP

24576:byAjxlqKdfvcBPI8XyrWOgcqBtdYV0Fzty:OAjXqKdf0hzqgcq6VC5

Score

10^/10

healer redline jang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afe9-33.dat	healer
behavioral1/files/0x000700000001afe9-34.dat	healer
behavioral1/memory/4816-35-0x0000000000600000-0x000000000060A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0832965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0832965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0832965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0832965.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0832965.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4412	v7552807.exe
4780	v5898080.exe
4792	v8800665.exe
2264	v9289437.exe
4816	a0832965.exe
4404	b5748260.exe
2876	c8220955.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0832965.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7552807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5898080.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8800665.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9289437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	87cbd11dc21a1d8ab83fad63e1d2ea8da6970b843455e6522e6d87747a4cc01b.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4816	a0832965.exe
4816	a0832965.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4816	a0832965.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 4412	4364	87cbd11dc21a1d8ab83fad63e1d2ea8da6970b843455e6522e6d87747a4cc01b.exe	70
PID 4364 wrote to memory of 4412	4364	87cbd11dc21a1d8ab83fad63e1d2ea8da6970b843455e6522e6d87747a4cc01b.exe	70
PID 4364 wrote to memory of 4412	4364	87cbd11dc21a1d8ab83fad63e1d2ea8da6970b843455e6522e6d87747a4cc01b.exe	70
PID 4412 wrote to memory of 4780	4412	v7552807.exe	71
PID 4412 wrote to memory of 4780	4412	v7552807.exe	71
PID 4412 wrote to memory of 4780	4412	v7552807.exe	71
PID 4780 wrote to memory of 4792	4780	v5898080.exe	72
PID 4780 wrote to memory of 4792	4780	v5898080.exe	72
PID 4780 wrote to memory of 4792	4780	v5898080.exe	72
PID 4792 wrote to memory of 2264	4792	v8800665.exe	73
PID 4792 wrote to memory of 2264	4792	v8800665.exe	73
PID 4792 wrote to memory of 2264	4792	v8800665.exe	73
PID 2264 wrote to memory of 4816	2264	v9289437.exe	74
PID 2264 wrote to memory of 4816	2264	v9289437.exe	74
PID 2264 wrote to memory of 4404	2264	v9289437.exe	75
PID 2264 wrote to memory of 4404	2264	v9289437.exe	75
PID 2264 wrote to memory of 4404	2264	v9289437.exe	75
PID 4792 wrote to memory of 2876	4792	v8800665.exe	76
PID 4792 wrote to memory of 2876	4792	v8800665.exe	76
PID 4792 wrote to memory of 2876	4792	v8800665.exe	76

C:\Users\Admin\AppData\Local\Temp\87cbd11dc21a1d8ab83fad63e1d2ea8da6970b843455e6522e6d87747a4cc01b.exe
"C:\Users\Admin\AppData\Local\Temp\87cbd11dc21a1d8ab83fad63e1d2ea8da6970b843455e6522e6d87747a4cc01b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7552807.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7552807.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5898080.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5898080.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8800665.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8800665.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4792
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9289437.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9289437.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2264
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0832965.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0832965.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5748260.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5748260.exe
        6⤵
        Executes dropped EXE
        
        PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8220955.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8220955.exe
        5⤵
        Executes dropped EXE
        
        PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7552807.exe

Filesize
724KB

MD5
ad87fa84814f7f51a2ffc5ba507515aa

SHA1
e414b88cd0923232f34021d43607af33170b6b50

SHA256
20ef7cef043a43d36e2ae99b40e6bce6077f308b1aaeff56d15147b79bf9bce2

SHA512
0554dc1cb90015a138350db6a621af4dada89180167fd76610cdec71add26ed947989db43fb4524fd7e3b63fc8c95799dd0c7526acfe02539bbcd8b413a98c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7552807.exe

Filesize
724KB

MD5
ad87fa84814f7f51a2ffc5ba507515aa

SHA1
e414b88cd0923232f34021d43607af33170b6b50

SHA256
20ef7cef043a43d36e2ae99b40e6bce6077f308b1aaeff56d15147b79bf9bce2

SHA512
0554dc1cb90015a138350db6a621af4dada89180167fd76610cdec71add26ed947989db43fb4524fd7e3b63fc8c95799dd0c7526acfe02539bbcd8b413a98c2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5898080.exe

Filesize
497KB

MD5
d4d771223d803cbf2eccbdd47c50d59e

SHA1
aac7c897ffde812a753bee5fdccf5a8c40c29860

SHA256
c65d5a8f496a8bc8424cadd7ed6cdb7c3c7251c5344da4b7aaa75d69dbd1ad8d

SHA512
474c08ac89637f433436fd2cb9c82a1e8e55c5b0d6de97e286c79db31de9cead5546d900e3efc022a55c70ab6c1fdabdfc597cac03e3afed9b7a439d4c9bd422

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5898080.exe

Filesize
497KB

MD5
d4d771223d803cbf2eccbdd47c50d59e

SHA1
aac7c897ffde812a753bee5fdccf5a8c40c29860

SHA256
c65d5a8f496a8bc8424cadd7ed6cdb7c3c7251c5344da4b7aaa75d69dbd1ad8d

SHA512
474c08ac89637f433436fd2cb9c82a1e8e55c5b0d6de97e286c79db31de9cead5546d900e3efc022a55c70ab6c1fdabdfc597cac03e3afed9b7a439d4c9bd422

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8800665.exe

Filesize
373KB

MD5
80dcb27588d3caa8a43804a9e09492de

SHA1
8c879dbf848c5160f9b42e80ffd69d8519d5dfc2

SHA256
0f30849817c672a97c5ebf349eb5f115ee18b2d3e75cc8725be9e28acc794bd9

SHA512
68b96fb534c3a9f8d91e62d6be2282d65be9db2e7a8eaa78c17de4387e8ea4be9528e01fe259d5c9c64db3a26fde478f5623fe1ced5641ec9c237f4590e89ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8800665.exe

Filesize
373KB

MD5
80dcb27588d3caa8a43804a9e09492de

SHA1
8c879dbf848c5160f9b42e80ffd69d8519d5dfc2

SHA256
0f30849817c672a97c5ebf349eb5f115ee18b2d3e75cc8725be9e28acc794bd9

SHA512
68b96fb534c3a9f8d91e62d6be2282d65be9db2e7a8eaa78c17de4387e8ea4be9528e01fe259d5c9c64db3a26fde478f5623fe1ced5641ec9c237f4590e89ef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8220955.exe

Filesize
174KB

MD5
2f07092486fd88223819ed93d460f5f5

SHA1
e0b9f63beb94101494b4ea4cb16d69dcb02251c2

SHA256
24b2436e57c4ffcc82e4c2366b1b1d8861c93501ef81f1f93bab641453400f82

SHA512
497efc1859779e49b4bd397cfa90f5dea36860471a349f71973bf4c705ca74bd0cbff1efb2cc1f5f0a3635ca819a75aaf27b6f56157bbfd62095e7eb53c744e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8220955.exe

Filesize
174KB

MD5
2f07092486fd88223819ed93d460f5f5

SHA1
e0b9f63beb94101494b4ea4cb16d69dcb02251c2

SHA256
24b2436e57c4ffcc82e4c2366b1b1d8861c93501ef81f1f93bab641453400f82

SHA512
497efc1859779e49b4bd397cfa90f5dea36860471a349f71973bf4c705ca74bd0cbff1efb2cc1f5f0a3635ca819a75aaf27b6f56157bbfd62095e7eb53c744e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9289437.exe

Filesize
217KB

MD5
af5e2ece543d16cc7653306d0f637596

SHA1
07f12a4f74aeb1dcec97ea7f0660ee63fea43820

SHA256
66680d2a3cb3d9b105da05ba0d3f7bca499a614707ff1779558f302286eac939

SHA512
d7c7d89c0cadfd7f711f8123b68553acb7e52654635641137e5a0ad3fe8c7897e52f1db984e0dbcf79967d75098a1725b2545a2b92b3bccfac74d139e2b02e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9289437.exe

Filesize
217KB

MD5
af5e2ece543d16cc7653306d0f637596

SHA1
07f12a4f74aeb1dcec97ea7f0660ee63fea43820

SHA256
66680d2a3cb3d9b105da05ba0d3f7bca499a614707ff1779558f302286eac939

SHA512
d7c7d89c0cadfd7f711f8123b68553acb7e52654635641137e5a0ad3fe8c7897e52f1db984e0dbcf79967d75098a1725b2545a2b92b3bccfac74d139e2b02e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0832965.exe

Filesize
19KB

MD5
cea108b4d07fb41b2e474ee12f170126

SHA1
223d3da32a5be51477421c6b55cd1d995859e4a2

SHA256
4e1c0327636d11aef7b9cc55a25410521241ece3620ec0d14ac2f901c8df9cc6

SHA512
60231cdb5a57d8ae0ee70ded345f49a3364602f59ec89c75902348147bedbe4105b4c1a0ccc28082f2b6aea22865e97ecd846a3d2442c91875f3a3401eb958ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0832965.exe

Filesize
19KB

MD5
cea108b4d07fb41b2e474ee12f170126

SHA1
223d3da32a5be51477421c6b55cd1d995859e4a2

SHA256
4e1c0327636d11aef7b9cc55a25410521241ece3620ec0d14ac2f901c8df9cc6

SHA512
60231cdb5a57d8ae0ee70ded345f49a3364602f59ec89c75902348147bedbe4105b4c1a0ccc28082f2b6aea22865e97ecd846a3d2442c91875f3a3401eb958ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5748260.exe

Filesize
141KB

MD5
148d2847f1cf482b2ad44db77fe115be

SHA1
468a0964ede764d0686054984bbf1dacb975aaa1

SHA256
65b02d6f619152b24364f29501fc7b82d918f62226a8162c4cf6ed9df5378404

SHA512
c692752edd22ae8081e54392c45189cc1a75f59d7e865a2ece308b5461055a741ef40b7dd7355a003fd40e094fd0c436fb3b584183c34a8f47b468476b606886

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5748260.exe

Filesize
141KB

MD5
148d2847f1cf482b2ad44db77fe115be

SHA1
468a0964ede764d0686054984bbf1dacb975aaa1

SHA256
65b02d6f619152b24364f29501fc7b82d918f62226a8162c4cf6ed9df5378404

SHA512
c692752edd22ae8081e54392c45189cc1a75f59d7e865a2ece308b5461055a741ef40b7dd7355a003fd40e094fd0c436fb3b584183c34a8f47b468476b606886

Download Submit
memory/2876-46-0x0000000073580000-0x0000000073C6E000-memory.dmp

Filesize
6.9MB

Download
memory/2876-45-0x0000000000D40000-0x0000000000D70000-memory.dmp

Filesize
192KB

Download
memory/2876-47-0x0000000002EC0000-0x0000000002EC6000-memory.dmp

Filesize
24KB

Download
memory/2876-48-0x000000000B110000-0x000000000B716000-memory.dmp

Filesize
6.0MB

Download
memory/2876-49-0x000000000AC90000-0x000000000AD9A000-memory.dmp

Filesize
1.0MB

Download
memory/2876-50-0x000000000ABC0000-0x000000000ABD2000-memory.dmp

Filesize
72KB

Download
memory/2876-51-0x000000000AC20000-0x000000000AC5E000-memory.dmp

Filesize
248KB

Download
memory/2876-52-0x000000000ADA0000-0x000000000ADEB000-memory.dmp

Filesize
300KB

Download
memory/2876-53-0x0000000073580000-0x0000000073C6E000-memory.dmp

Filesize
6.9MB

Download
memory/4816-38-0x00007FFF4E8D0000-0x00007FFF4F2BC000-memory.dmp

Filesize
9.9MB

Download
memory/4816-36-0x00007FFF4E8D0000-0x00007FFF4F2BC000-memory.dmp

Filesize
9.9MB

Download
memory/4816-35-0x0000000000600000-0x000000000060A000-memory.dmp

Filesize
40KB

Download