healer | cbe57d96651031a839b04e7e6b78845505a8111a77a33e6dead25e83c4154a5d

Analysis

max time kernel
145s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
01/09/2023, 16:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cbe57d96651031a839b04e7e6b78845505a8111a77a33e6dead25e83c4154a5d.exe
Size

827KB
MD5

c279a22b1e241547107ab22df7371e8e
SHA1

283f6237458319a442d540bdcaa4a8eb56c90561
SHA256

cbe57d96651031a839b04e7e6b78845505a8111a77a33e6dead25e83c4154a5d
SHA512

5727af76d9ea28c6111cbf3521f6704a2c5c15d088b54aec9a3a44a9fc477687bd53614b3c27ff32e8b48646e863404481947c97d10a69d8055d41c045054f56
SSDEEP

12288:mMrpy901uHkyeli9PAX9Ub9QH0qCj1i6FeA/nVsIz51yDJSFxStdj2K/3OPxfL:ny7lPxGH03nn1yDJSFkndOPd

Score

10^/10

healer redline domka dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

domka

77.91.124.82:19071

Attributes

auth_value
74e19436acac85e44d691aebcc617529

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afaf-33.dat	healer
behavioral1/files/0x000700000001afaf-34.dat	healer
behavioral1/memory/3820-35-0x0000000000B80000-0x0000000000B8A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5910182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5910182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5910182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5910182.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5910182.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3612	v1487443.exe
380	v1216865.exe
4424	v0921893.exe
4240	v0978460.exe
3820	a5910182.exe
4528	b6348407.exe
5064	c0651711.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5910182.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v0978460.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	cbe57d96651031a839b04e7e6b78845505a8111a77a33e6dead25e83c4154a5d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1487443.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1216865.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0921893.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3820	a5910182.exe
3820	a5910182.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3820	a5910182.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 3612	3752	cbe57d96651031a839b04e7e6b78845505a8111a77a33e6dead25e83c4154a5d.exe	70
PID 3752 wrote to memory of 3612	3752	cbe57d96651031a839b04e7e6b78845505a8111a77a33e6dead25e83c4154a5d.exe	70
PID 3752 wrote to memory of 3612	3752	cbe57d96651031a839b04e7e6b78845505a8111a77a33e6dead25e83c4154a5d.exe	70
PID 3612 wrote to memory of 380	3612	v1487443.exe	71
PID 3612 wrote to memory of 380	3612	v1487443.exe	71
PID 3612 wrote to memory of 380	3612	v1487443.exe	71
PID 380 wrote to memory of 4424	380	v1216865.exe	72
PID 380 wrote to memory of 4424	380	v1216865.exe	72
PID 380 wrote to memory of 4424	380	v1216865.exe	72
PID 4424 wrote to memory of 4240	4424	v0921893.exe	73
PID 4424 wrote to memory of 4240	4424	v0921893.exe	73
PID 4424 wrote to memory of 4240	4424	v0921893.exe	73
PID 4240 wrote to memory of 3820	4240	v0978460.exe	74
PID 4240 wrote to memory of 3820	4240	v0978460.exe	74
PID 4240 wrote to memory of 4528	4240	v0978460.exe	75
PID 4240 wrote to memory of 4528	4240	v0978460.exe	75
PID 4240 wrote to memory of 4528	4240	v0978460.exe	75
PID 4424 wrote to memory of 5064	4424	v0921893.exe	76
PID 4424 wrote to memory of 5064	4424	v0921893.exe	76
PID 4424 wrote to memory of 5064	4424	v0921893.exe	76

C:\Users\Admin\AppData\Local\Temp\cbe57d96651031a839b04e7e6b78845505a8111a77a33e6dead25e83c4154a5d.exe
"C:\Users\Admin\AppData\Local\Temp\cbe57d96651031a839b04e7e6b78845505a8111a77a33e6dead25e83c4154a5d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3752
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1487443.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1487443.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1216865.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1216865.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0921893.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0921893.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0978460.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0978460.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4240
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5910182.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5910182.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6348407.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6348407.exe
        6⤵
        Executes dropped EXE
        
        PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0651711.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0651711.exe
        5⤵
        Executes dropped EXE
        
        PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1487443.exe

Filesize
722KB

MD5
910dd461eee0a175afc9e68745cc881b

SHA1
bae9253c7c10a82b79da9b9d425e3ab8f9f098d5

SHA256
4d6baca9e093b5ac610fcbd73632482717e0eef187097ddd6eb37fb4451c9b99

SHA512
0f5f643a40ce3a9b5148bd8d1530d7ba369e8a2aa36aa3c56abd98841032710c3cc8df23ea9ca041e6e0068e2b421d55ae9e37713494afc639f5678c34355d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1487443.exe

Filesize
722KB

MD5
910dd461eee0a175afc9e68745cc881b

SHA1
bae9253c7c10a82b79da9b9d425e3ab8f9f098d5

SHA256
4d6baca9e093b5ac610fcbd73632482717e0eef187097ddd6eb37fb4451c9b99

SHA512
0f5f643a40ce3a9b5148bd8d1530d7ba369e8a2aa36aa3c56abd98841032710c3cc8df23ea9ca041e6e0068e2b421d55ae9e37713494afc639f5678c34355d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1216865.exe

Filesize
497KB

MD5
0a45a4a85dd677901c3afb9c19e0600f

SHA1
fdd2c98c3d4d8fcfcdbe1801186f736042961065

SHA256
86f3ef72092442b6d949fe5291ac4ffc22e6fef0eee77d9e55f0292ea251b9c8

SHA512
977c263a621cd853e95237351ecee1b1b536c580e09b65429bf9398460c31098f187d58cb028d67bd0e6731243d5bd11ff07278b8715a49a341010a77fb8e33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1216865.exe

Filesize
497KB

MD5
0a45a4a85dd677901c3afb9c19e0600f

SHA1
fdd2c98c3d4d8fcfcdbe1801186f736042961065

SHA256
86f3ef72092442b6d949fe5291ac4ffc22e6fef0eee77d9e55f0292ea251b9c8

SHA512
977c263a621cd853e95237351ecee1b1b536c580e09b65429bf9398460c31098f187d58cb028d67bd0e6731243d5bd11ff07278b8715a49a341010a77fb8e33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0921893.exe

Filesize
372KB

MD5
86202baf09b211f327a8c6a5686a97ae

SHA1
9f55275e1d5efe7d61d6c219b0e02244647ca6bd

SHA256
142b1812c39e95ea9fd0cd6210fb83dd22152aeef10855cbc33c80438b870559

SHA512
57e16e7b058dece7d498cac77b41bf156346b55c4da237dc8a072a217d590559e06a8f9b154bbb38f9fd9a6292afd437984d17b41d375088882cb6155b3d172a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0921893.exe

Filesize
372KB

MD5
86202baf09b211f327a8c6a5686a97ae

SHA1
9f55275e1d5efe7d61d6c219b0e02244647ca6bd

SHA256
142b1812c39e95ea9fd0cd6210fb83dd22152aeef10855cbc33c80438b870559

SHA512
57e16e7b058dece7d498cac77b41bf156346b55c4da237dc8a072a217d590559e06a8f9b154bbb38f9fd9a6292afd437984d17b41d375088882cb6155b3d172a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0651711.exe

Filesize
174KB

MD5
55d75618000ecea1be9a81c555965bf7

SHA1
cd534e9c485f4025b381c01007305e973df0f18a

SHA256
8834a1fba0cc30b79c7067f6c01f44b9eece8416de0ef56e0a905968b3c44594

SHA512
7d66639c8c226c9f00e80425539c8b745b1c3ba3e55b1471c8d48c752cb3fa066ca3991407a7c7609bfb7c8c0e242a3145ad98611f6d3941c8db629fb4f55e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0651711.exe

Filesize
174KB

MD5
55d75618000ecea1be9a81c555965bf7

SHA1
cd534e9c485f4025b381c01007305e973df0f18a

SHA256
8834a1fba0cc30b79c7067f6c01f44b9eece8416de0ef56e0a905968b3c44594

SHA512
7d66639c8c226c9f00e80425539c8b745b1c3ba3e55b1471c8d48c752cb3fa066ca3991407a7c7609bfb7c8c0e242a3145ad98611f6d3941c8db629fb4f55e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0978460.exe

Filesize
217KB

MD5
01d102a68107086cd62aeb889ab6ff2e

SHA1
43162771cb6961bd2ec4f1ad762c4fb9f11d748e

SHA256
d6372f92ff7492e3ef47f66018e8bed84156d02508b18fd0a1c18e93a8b9a1f5

SHA512
09202cf88f1aa9b198f5c947f3c12de5f8a0946e0d8be39e901c24a7d1b80fd19a5a4f2579d25fc81c2c17a72ae6943e649291bd0475385e41b6485eaf3f0ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0978460.exe

Filesize
217KB

MD5
01d102a68107086cd62aeb889ab6ff2e

SHA1
43162771cb6961bd2ec4f1ad762c4fb9f11d748e

SHA256
d6372f92ff7492e3ef47f66018e8bed84156d02508b18fd0a1c18e93a8b9a1f5

SHA512
09202cf88f1aa9b198f5c947f3c12de5f8a0946e0d8be39e901c24a7d1b80fd19a5a4f2579d25fc81c2c17a72ae6943e649291bd0475385e41b6485eaf3f0ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5910182.exe

Filesize
19KB

MD5
6bdc0e07b180ddf5a240abf449ed8e82

SHA1
4b7d8ace19b2edb682eac9e4fd06b4168371e93d

SHA256
ca739debb805b1219c810224faeee941870a86761979a7d9aa444110e19f9367

SHA512
445b661ae0dc7fa19fe0ebf490506298b48402d333b65ceb6820bb5b55451652b554c1bb0ae77711e2d703a67a9bacb1954a16d06138f74a132f85a36641d49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5910182.exe

Filesize
19KB

MD5
6bdc0e07b180ddf5a240abf449ed8e82

SHA1
4b7d8ace19b2edb682eac9e4fd06b4168371e93d

SHA256
ca739debb805b1219c810224faeee941870a86761979a7d9aa444110e19f9367

SHA512
445b661ae0dc7fa19fe0ebf490506298b48402d333b65ceb6820bb5b55451652b554c1bb0ae77711e2d703a67a9bacb1954a16d06138f74a132f85a36641d49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6348407.exe

Filesize
140KB

MD5
9d88ca9a1227d609d7351103d275f00f

SHA1
7cf9fbee48392a162cffd2d60ce3ec2658771ffa

SHA256
415fae632c7bce9dccd596cb081d430202e8a00ec268df0121990885066edd8b

SHA512
694041196477e1dac686323197949538d27bbbe4b42cd61315ad84902fbd5357f3a55be6b5b0285cc7948303d49187c5809aba357faa5504a5292e198ea85387

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6348407.exe

Filesize
140KB

MD5
9d88ca9a1227d609d7351103d275f00f

SHA1
7cf9fbee48392a162cffd2d60ce3ec2658771ffa

SHA256
415fae632c7bce9dccd596cb081d430202e8a00ec268df0121990885066edd8b

SHA512
694041196477e1dac686323197949538d27bbbe4b42cd61315ad84902fbd5357f3a55be6b5b0285cc7948303d49187c5809aba357faa5504a5292e198ea85387

Download Submit
memory/3820-38-0x00007FF83F230000-0x00007FF83FC1C000-memory.dmp

Filesize
9.9MB

Download
memory/3820-36-0x00007FF83F230000-0x00007FF83FC1C000-memory.dmp

Filesize
9.9MB

Download
memory/3820-35-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/5064-46-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download
memory/5064-45-0x0000000000230000-0x0000000000260000-memory.dmp

Filesize
192KB

Download
memory/5064-47-0x0000000002410000-0x0000000002416000-memory.dmp

Filesize
24KB

Download
memory/5064-48-0x000000000A540000-0x000000000AB46000-memory.dmp

Filesize
6.0MB

Download
memory/5064-49-0x000000000A040000-0x000000000A14A000-memory.dmp

Filesize
1.0MB

Download
memory/5064-50-0x0000000009F70000-0x0000000009F82000-memory.dmp

Filesize
72KB

Download
memory/5064-51-0x0000000009FD0000-0x000000000A00E000-memory.dmp

Filesize
248KB

Download
memory/5064-52-0x000000000A150000-0x000000000A19B000-memory.dmp

Filesize
300KB

Download
memory/5064-53-0x0000000073050000-0x000000007373E000-memory.dmp

Filesize
6.9MB

Download