healer | b84e90b211bc6a989dfd13d9e38737d0154d712b49a9b073e4c3e051b32d3f94

Analysis

max time kernel
145s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
01/09/2023, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b84e90b211bc6a989dfd13d9e38737d0154d712b49a9b073e4c3e051b32d3f94.exe
Size

829KB
MD5

4c52b28159410778b707dad8dd4ef3ed
SHA1

5e0910d7d13605203b99e9e36492352c9499d8d2
SHA256

b84e90b211bc6a989dfd13d9e38737d0154d712b49a9b073e4c3e051b32d3f94
SHA512

2f46f7e96cde99d4b7d686ca5b98400ff101cd6a210929336d6e8b8644537f3f04e0eccf77c0ac33528cee8113eeb96999927ac67538487a200bdc49005df2c6
SSDEEP

12288:tMrLy90AHy6088MVuefap5+5hdJfg2mrXLMLrV2OElKfYmTSQRhrQw6T9C0Q:OyZHt8Bp4bfg2mDLy/R6c0Q

Score

10^/10

healer redline domka dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

domka

77.91.124.82:19071

Attributes

auth_value
74e19436acac85e44d691aebcc617529

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af70-32.dat	healer
behavioral1/files/0x000700000001af70-34.dat	healer
behavioral1/memory/308-35-0x0000000000110000-0x000000000011A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2679165.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2679165.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2679165.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2679165.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2679165.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3764	v7906575.exe
4820	v6086934.exe
3756	v1628857.exe
1564	v7832893.exe
308	a2679165.exe
4048	b2845254.exe
1412	c4397469.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2679165.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b84e90b211bc6a989dfd13d9e38737d0154d712b49a9b073e4c3e051b32d3f94.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7906575.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6086934.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1628857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7832893.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
308	a2679165.exe
308	a2679165.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	308	a2679165.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 3764	2212	b84e90b211bc6a989dfd13d9e38737d0154d712b49a9b073e4c3e051b32d3f94.exe	70
PID 2212 wrote to memory of 3764	2212	b84e90b211bc6a989dfd13d9e38737d0154d712b49a9b073e4c3e051b32d3f94.exe	70
PID 2212 wrote to memory of 3764	2212	b84e90b211bc6a989dfd13d9e38737d0154d712b49a9b073e4c3e051b32d3f94.exe	70
PID 3764 wrote to memory of 4820	3764	v7906575.exe	71
PID 3764 wrote to memory of 4820	3764	v7906575.exe	71
PID 3764 wrote to memory of 4820	3764	v7906575.exe	71
PID 4820 wrote to memory of 3756	4820	v6086934.exe	72
PID 4820 wrote to memory of 3756	4820	v6086934.exe	72
PID 4820 wrote to memory of 3756	4820	v6086934.exe	72
PID 3756 wrote to memory of 1564	3756	v1628857.exe	73
PID 3756 wrote to memory of 1564	3756	v1628857.exe	73
PID 3756 wrote to memory of 1564	3756	v1628857.exe	73
PID 1564 wrote to memory of 308	1564	v7832893.exe	74
PID 1564 wrote to memory of 308	1564	v7832893.exe	74
PID 1564 wrote to memory of 4048	1564	v7832893.exe	75
PID 1564 wrote to memory of 4048	1564	v7832893.exe	75
PID 1564 wrote to memory of 4048	1564	v7832893.exe	75
PID 3756 wrote to memory of 1412	3756	v1628857.exe	76
PID 3756 wrote to memory of 1412	3756	v1628857.exe	76
PID 3756 wrote to memory of 1412	3756	v1628857.exe	76

C:\Users\Admin\AppData\Local\Temp\b84e90b211bc6a989dfd13d9e38737d0154d712b49a9b073e4c3e051b32d3f94.exe
"C:\Users\Admin\AppData\Local\Temp\b84e90b211bc6a989dfd13d9e38737d0154d712b49a9b073e4c3e051b32d3f94.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7906575.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7906575.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6086934.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6086934.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1628857.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1628857.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7832893.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7832893.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1564
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2679165.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2679165.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2845254.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2845254.exe
        6⤵
        Executes dropped EXE
        
        PID:4048
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4397469.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4397469.exe
        5⤵
        Executes dropped EXE
        
        PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7906575.exe

Filesize
724KB

MD5
6f65f7f08154c0c5067cc110bd6c3884

SHA1
02f001377647220c81b657b952c1bea2c0e36141

SHA256
e0a0a4d5796c67367c2938ae048bf101a3db7c6a0907576cbef78183db9a8b86

SHA512
563f4eac94d3aa83efb48aa1c4c0b4c40a5cbd360145227616455825ced77f2c037a7e505ca3ec3fbb359943827e5990f6f533819f7d1804b8b711a429b8ce3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7906575.exe

Filesize
724KB

MD5
6f65f7f08154c0c5067cc110bd6c3884

SHA1
02f001377647220c81b657b952c1bea2c0e36141

SHA256
e0a0a4d5796c67367c2938ae048bf101a3db7c6a0907576cbef78183db9a8b86

SHA512
563f4eac94d3aa83efb48aa1c4c0b4c40a5cbd360145227616455825ced77f2c037a7e505ca3ec3fbb359943827e5990f6f533819f7d1804b8b711a429b8ce3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6086934.exe

Filesize
498KB

MD5
4a715cc6bf9c98818940aa761706eeba

SHA1
90683dc7282ce1e4fd5eec844eff512ea049bcb4

SHA256
3b2f65d6ffa9a9646c27f943973a763bf6f7bd2c72e809532e3ce55bdaa482a9

SHA512
b4753a8a84d070e67685dc832f661f8e010b774a9f0c2ec68a514ac53fb1e14b362d54946f77b63ff4d8de7719328dc308d000f95ea35440e68d5768b1cfd080

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6086934.exe

Filesize
498KB

MD5
4a715cc6bf9c98818940aa761706eeba

SHA1
90683dc7282ce1e4fd5eec844eff512ea049bcb4

SHA256
3b2f65d6ffa9a9646c27f943973a763bf6f7bd2c72e809532e3ce55bdaa482a9

SHA512
b4753a8a84d070e67685dc832f661f8e010b774a9f0c2ec68a514ac53fb1e14b362d54946f77b63ff4d8de7719328dc308d000f95ea35440e68d5768b1cfd080

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1628857.exe

Filesize
373KB

MD5
be57b75addadce47899962ebc349e07f

SHA1
4284116f479260b9adba77c5f32fa99e741ac05f

SHA256
5c452a634053d6a0927d9fb84012482647fde12fde46cc0f42e51f1a4d9763d6

SHA512
e049d6329ac79a32380bb19894cdf12b6a2ce1c3a79aeca8ac48837d04e891463d9ca0b029cf1dd4df782c91b400f42bd291f4b5ca309a02dce7b3c62f9ca173

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1628857.exe

Filesize
373KB

MD5
be57b75addadce47899962ebc349e07f

SHA1
4284116f479260b9adba77c5f32fa99e741ac05f

SHA256
5c452a634053d6a0927d9fb84012482647fde12fde46cc0f42e51f1a4d9763d6

SHA512
e049d6329ac79a32380bb19894cdf12b6a2ce1c3a79aeca8ac48837d04e891463d9ca0b029cf1dd4df782c91b400f42bd291f4b5ca309a02dce7b3c62f9ca173

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4397469.exe

Filesize
174KB

MD5
3f0289cb1712c5b3e4d2e53f316d93f4

SHA1
db62fb9c819aa63a9babb1d17c38d7362caeab74

SHA256
6707cc7e62d11611696355402c9b066cbe9b0eca9b36c7ed2fd8bab27d78bd1f

SHA512
29fd78a2bbfe7581c06b2365ada7dab14668da1aa3660d9fe7cb2c4f166faa1ec520264c3923d1baf47fdd714e8ea30e99485013732d5120781682e620bef598

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4397469.exe

Filesize
174KB

MD5
3f0289cb1712c5b3e4d2e53f316d93f4

SHA1
db62fb9c819aa63a9babb1d17c38d7362caeab74

SHA256
6707cc7e62d11611696355402c9b066cbe9b0eca9b36c7ed2fd8bab27d78bd1f

SHA512
29fd78a2bbfe7581c06b2365ada7dab14668da1aa3660d9fe7cb2c4f166faa1ec520264c3923d1baf47fdd714e8ea30e99485013732d5120781682e620bef598

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7832893.exe

Filesize
217KB

MD5
2b068b7260bb9b1e11d4df646b035457

SHA1
850212f20ab9a0a7db935004e2e097a4fcb555fe

SHA256
ff5efad75a378e9b65de8274ad1b475b17911cad6e5a5faf4c4cec42193ec527

SHA512
e30ef5dbbbd0df9e03d1d4c33db3b13698ffa77a4e06933289d7af0e92d6c5d1f2edcf3e6352bbf3ab586092a9ab06b06d545bdb657513703ae2a7ee48dec039

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7832893.exe

Filesize
217KB

MD5
2b068b7260bb9b1e11d4df646b035457

SHA1
850212f20ab9a0a7db935004e2e097a4fcb555fe

SHA256
ff5efad75a378e9b65de8274ad1b475b17911cad6e5a5faf4c4cec42193ec527

SHA512
e30ef5dbbbd0df9e03d1d4c33db3b13698ffa77a4e06933289d7af0e92d6c5d1f2edcf3e6352bbf3ab586092a9ab06b06d545bdb657513703ae2a7ee48dec039

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2679165.exe

Filesize
19KB

MD5
a669ebb6e73912b71ceb1a79e5ad0b61

SHA1
decc34ee5c29207e54476a8b1208abcde2ce993d

SHA256
fe72d23dbc5c0ec5a97a73f03187f59725a8340c477663a8d4c10b8997237a6b

SHA512
1572e6c32a0865a7c39c186cafd30ed89e1e38de45af0535a54396227e1cd2c7339d92a5448266508dfdb42b71f2b5637dfdce6b0eb00e5a8e4552e90bc74407

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2679165.exe

Filesize
19KB

MD5
a669ebb6e73912b71ceb1a79e5ad0b61

SHA1
decc34ee5c29207e54476a8b1208abcde2ce993d

SHA256
fe72d23dbc5c0ec5a97a73f03187f59725a8340c477663a8d4c10b8997237a6b

SHA512
1572e6c32a0865a7c39c186cafd30ed89e1e38de45af0535a54396227e1cd2c7339d92a5448266508dfdb42b71f2b5637dfdce6b0eb00e5a8e4552e90bc74407

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2845254.exe

Filesize
140KB

MD5
2fccf1ee4331a51d048a6a5d52fa21bb

SHA1
17733a372077e5221664172ee90b451d84ea066b

SHA256
4d4bc5622ca6bf2ee9b0a305026408e268a778bf8115c2db663a5f72ba538c73

SHA512
644dc40ce542cef253844cfccf5aaa1f295a2dbb09856d72f45595394e6af103fb766e80e80ff1d747e31817f8c78653357ff15a8e11eef2969dc804d837ddad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2845254.exe

Filesize
140KB

MD5
2fccf1ee4331a51d048a6a5d52fa21bb

SHA1
17733a372077e5221664172ee90b451d84ea066b

SHA256
4d4bc5622ca6bf2ee9b0a305026408e268a778bf8115c2db663a5f72ba538c73

SHA512
644dc40ce542cef253844cfccf5aaa1f295a2dbb09856d72f45595394e6af103fb766e80e80ff1d747e31817f8c78653357ff15a8e11eef2969dc804d837ddad

Download Submit
memory/308-38-0x00007FFDFF860000-0x00007FFE0024C000-memory.dmp

Filesize
9.9MB

Download
memory/308-36-0x00007FFDFF860000-0x00007FFE0024C000-memory.dmp

Filesize
9.9MB

Download
memory/308-35-0x0000000000110000-0x000000000011A000-memory.dmp

Filesize
40KB

Download
memory/1412-45-0x0000000000350000-0x0000000000380000-memory.dmp

Filesize
192KB

Download
memory/1412-46-0x00000000738E0000-0x0000000073FCE000-memory.dmp

Filesize
6.9MB

Download
memory/1412-47-0x0000000002490000-0x0000000002496000-memory.dmp

Filesize
24KB

Download
memory/1412-48-0x000000000A630000-0x000000000AC36000-memory.dmp

Filesize
6.0MB

Download
memory/1412-49-0x000000000A160000-0x000000000A26A000-memory.dmp

Filesize
1.0MB

Download
memory/1412-50-0x000000000A090000-0x000000000A0A2000-memory.dmp

Filesize
72KB

Download
memory/1412-51-0x000000000A0F0000-0x000000000A12E000-memory.dmp

Filesize
248KB

Download
memory/1412-52-0x000000000A270000-0x000000000A2BB000-memory.dmp

Filesize
300KB

Download
memory/1412-53-0x00000000738E0000-0x0000000073FCE000-memory.dmp

Filesize
6.9MB

Download