healer | f760709128505dad3c485825b3e72646cbf0702336e3f16e7cd609e1c88a8581

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2023 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f760709128505dad3c485825b3e72646cbf0702336e3f16e7cd609e1c88a8581_JC.exe
Size

829KB
MD5

b24eb3d6f4b192da47e778b693b9d8d6
SHA1

821401e6683f2038e2786cce49c423ea52c43e6b
SHA256

f760709128505dad3c485825b3e72646cbf0702336e3f16e7cd609e1c88a8581
SHA512

7f440bc0b46f3911c9237a40e8997dd282538f6822f19e04daeb51d81433710d603897fdb8e57fe6bf3c4791b737f8bae702d039d15022bf666712ba50db2755
SSDEEP

12288:IMrfy90wII/ZiX9pREwKEALkOO4ekPSllmzLTvfcd0dGXU5z67Eq8bCci18Ro0BU:HyqI/+9HEPED4eSzLTsdJ4jqLp8buSU

Score

10^/10

healer redline jang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000002327d-33.dat	healer
behavioral2/files/0x000700000002327d-34.dat	healer
behavioral2/memory/216-35-0x0000000000E20000-0x0000000000E2A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5722072.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5722072.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5722072.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5722072.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5722072.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5722072.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2192	v1697426.exe
1560	v9300151.exe
3420	v3507894.exe
5084	v0937333.exe
216	a5722072.exe
2492	b0086352.exe
3064	c0543259.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5722072.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9300151.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3507894.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v0937333.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f760709128505dad3c485825b3e72646cbf0702336e3f16e7cd609e1c88a8581_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1697426.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
216	a5722072.exe
216	a5722072.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	216	a5722072.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 2192	4432	f760709128505dad3c485825b3e72646cbf0702336e3f16e7cd609e1c88a8581_JC.exe	83
PID 4432 wrote to memory of 2192	4432	f760709128505dad3c485825b3e72646cbf0702336e3f16e7cd609e1c88a8581_JC.exe	83
PID 4432 wrote to memory of 2192	4432	f760709128505dad3c485825b3e72646cbf0702336e3f16e7cd609e1c88a8581_JC.exe	83
PID 2192 wrote to memory of 1560	2192	v1697426.exe	84
PID 2192 wrote to memory of 1560	2192	v1697426.exe	84
PID 2192 wrote to memory of 1560	2192	v1697426.exe	84
PID 1560 wrote to memory of 3420	1560	v9300151.exe	85
PID 1560 wrote to memory of 3420	1560	v9300151.exe	85
PID 1560 wrote to memory of 3420	1560	v9300151.exe	85
PID 3420 wrote to memory of 5084	3420	v3507894.exe	86
PID 3420 wrote to memory of 5084	3420	v3507894.exe	86
PID 3420 wrote to memory of 5084	3420	v3507894.exe	86
PID 5084 wrote to memory of 216	5084	v0937333.exe	87
PID 5084 wrote to memory of 216	5084	v0937333.exe	87
PID 5084 wrote to memory of 2492	5084	v0937333.exe	90
PID 5084 wrote to memory of 2492	5084	v0937333.exe	90
PID 5084 wrote to memory of 2492	5084	v0937333.exe	90
PID 3420 wrote to memory of 3064	3420	v3507894.exe	91
PID 3420 wrote to memory of 3064	3420	v3507894.exe	91
PID 3420 wrote to memory of 3064	3420	v3507894.exe	91

C:\Users\Admin\AppData\Local\Temp\f760709128505dad3c485825b3e72646cbf0702336e3f16e7cd609e1c88a8581_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f760709128505dad3c485825b3e72646cbf0702336e3f16e7cd609e1c88a8581_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1697426.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1697426.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9300151.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9300151.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3507894.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3507894.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0937333.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0937333.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5084
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5722072.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5722072.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0086352.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0086352.exe
        6⤵
        Executes dropped EXE
        
        PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0543259.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0543259.exe
        5⤵
        Executes dropped EXE
        
        PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1697426.exe

Filesize
723KB

MD5
259d99a52439d61aa285210836e9174f

SHA1
aedef2020df3a1e4898e32cf4bc86de42ca8aa1a

SHA256
c2f13d10b080f27a7e1c5fa10804705f885d370b8beca0afe3e30b5de18e44d0

SHA512
cb81fbcf34944c5a3ab67084d419ad8eb0bcb4ab63334b84a15d079d2015e22fcf0714958ba2f0bc409e36a65ff805959605b1e49a00be6fa8f94a3df6a264c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1697426.exe

Filesize
723KB

MD5
259d99a52439d61aa285210836e9174f

SHA1
aedef2020df3a1e4898e32cf4bc86de42ca8aa1a

SHA256
c2f13d10b080f27a7e1c5fa10804705f885d370b8beca0afe3e30b5de18e44d0

SHA512
cb81fbcf34944c5a3ab67084d419ad8eb0bcb4ab63334b84a15d079d2015e22fcf0714958ba2f0bc409e36a65ff805959605b1e49a00be6fa8f94a3df6a264c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9300151.exe

Filesize
497KB

MD5
e764f37b5a039c0aad9839d6b55a0d28

SHA1
402f4c4b83e8ac9a727fbf942566e6ea426e86b0

SHA256
b81d6594db82f59a08464229230398ffbc1d4be691f33eb42798c6d3bf50d46a

SHA512
32f09253a18d44502d0773c38e2ee2526edf7bc627b9cc7422d0fb24fd3c71fc2032b37864262e00a2ed9bff52421f6d6c06161480234cff2e3778c80d0fa074

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9300151.exe

Filesize
497KB

MD5
e764f37b5a039c0aad9839d6b55a0d28

SHA1
402f4c4b83e8ac9a727fbf942566e6ea426e86b0

SHA256
b81d6594db82f59a08464229230398ffbc1d4be691f33eb42798c6d3bf50d46a

SHA512
32f09253a18d44502d0773c38e2ee2526edf7bc627b9cc7422d0fb24fd3c71fc2032b37864262e00a2ed9bff52421f6d6c06161480234cff2e3778c80d0fa074

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3507894.exe

Filesize
373KB

MD5
becd1299ebd093e0607265ded764c5ee

SHA1
ce105f88742e58d460944c30b5cdf3abde7c2398

SHA256
5b339b51e7e142d454c4f41e097ecc3d18954c0f43cc173e37a768eacb90e228

SHA512
13504e7cf69f3367ba310c761bbc7b8aad6d84b9d340429c0a0436169a8a17ef737fe8a0f37399c16a74825b84e73dbf159ab1fca9b9cbd1634260afb511ac51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3507894.exe

Filesize
373KB

MD5
becd1299ebd093e0607265ded764c5ee

SHA1
ce105f88742e58d460944c30b5cdf3abde7c2398

SHA256
5b339b51e7e142d454c4f41e097ecc3d18954c0f43cc173e37a768eacb90e228

SHA512
13504e7cf69f3367ba310c761bbc7b8aad6d84b9d340429c0a0436169a8a17ef737fe8a0f37399c16a74825b84e73dbf159ab1fca9b9cbd1634260afb511ac51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0543259.exe

Filesize
174KB

MD5
8a1214ce4c33a197cc2220ec309cce03

SHA1
f45623d7018379c1d8dd330d365ea60899310011

SHA256
704b83b01ea884e2addae7150ee6dd3631e0f69d1af725adf36895d5ef07eb7a

SHA512
6341ac428b91402bfdcf5ae0fe6027adbbe284df0157f573a7cd92dd927230a56727afbe201d1a9dc8aba15b2f9578de18e31840c41f461c20841b8a7868e3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0543259.exe

Filesize
174KB

MD5
8a1214ce4c33a197cc2220ec309cce03

SHA1
f45623d7018379c1d8dd330d365ea60899310011

SHA256
704b83b01ea884e2addae7150ee6dd3631e0f69d1af725adf36895d5ef07eb7a

SHA512
6341ac428b91402bfdcf5ae0fe6027adbbe284df0157f573a7cd92dd927230a56727afbe201d1a9dc8aba15b2f9578de18e31840c41f461c20841b8a7868e3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0937333.exe

Filesize
217KB

MD5
2bc52f7cb8cbb5da7994f659597b22fa

SHA1
4aa5ba36409432e8105e07e2fba7f7884fe4ca5c

SHA256
be30b9c81059ef0f054a08203f20a25e6d76693d2e0c35650f134fbd3b2f1e85

SHA512
5295e4a1ff31016f2985c7bec17aa0b7ce0c927510a12c6a75319d00b1a2a737e6ff236665e06f40474547892e4d2c7c2a0ff3f85cd0bb0c1eedd92d6a07cb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0937333.exe

Filesize
217KB

MD5
2bc52f7cb8cbb5da7994f659597b22fa

SHA1
4aa5ba36409432e8105e07e2fba7f7884fe4ca5c

SHA256
be30b9c81059ef0f054a08203f20a25e6d76693d2e0c35650f134fbd3b2f1e85

SHA512
5295e4a1ff31016f2985c7bec17aa0b7ce0c927510a12c6a75319d00b1a2a737e6ff236665e06f40474547892e4d2c7c2a0ff3f85cd0bb0c1eedd92d6a07cb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5722072.exe

Filesize
18KB

MD5
7322becca14ea4315255a89d7be9cedb

SHA1
abbdf02731839c42d849cc3a50db5c16c47d4839

SHA256
229534871203b89e25d7a739e103e599190d340a160b18d8e65934f0315fdd06

SHA512
8e00b3f023e23dce845b52534c0d332f0f5c1648fe13254af133cdb11b9ec5444d3c81ad3d029123f7bc673743555dc698688f30bda29dbcd70707030f14db2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5722072.exe

Filesize
18KB

MD5
7322becca14ea4315255a89d7be9cedb

SHA1
abbdf02731839c42d849cc3a50db5c16c47d4839

SHA256
229534871203b89e25d7a739e103e599190d340a160b18d8e65934f0315fdd06

SHA512
8e00b3f023e23dce845b52534c0d332f0f5c1648fe13254af133cdb11b9ec5444d3c81ad3d029123f7bc673743555dc698688f30bda29dbcd70707030f14db2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0086352.exe

Filesize
140KB

MD5
a247e59a998942f30bafcbf068348d11

SHA1
68899e7a61959509aec0b937609913d60e22961c

SHA256
fa01d62aa5f00dad475376401126bc25e6f3f31ac6e45fce951a04f72f38ed77

SHA512
6dced6fc68d646dcd57ae8ec46d13d9bd03c30776d249d2bb2a298ffca0d7045f19e5b919e524632609b5ab9eb3ecf3a5cdf4c26a02ff7805ee2bf141bf87cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0086352.exe

Filesize
140KB

MD5
a247e59a998942f30bafcbf068348d11

SHA1
68899e7a61959509aec0b937609913d60e22961c

SHA256
fa01d62aa5f00dad475376401126bc25e6f3f31ac6e45fce951a04f72f38ed77

SHA512
6dced6fc68d646dcd57ae8ec46d13d9bd03c30776d249d2bb2a298ffca0d7045f19e5b919e524632609b5ab9eb3ecf3a5cdf4c26a02ff7805ee2bf141bf87cc8

Download Submit
memory/216-38-0x00007FFE55B50000-0x00007FFE56611000-memory.dmp

Filesize
10.8MB

Download
memory/216-36-0x00007FFE55B50000-0x00007FFE56611000-memory.dmp

Filesize
10.8MB

Download
memory/216-35-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/3064-46-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/3064-45-0x0000000000040000-0x0000000000070000-memory.dmp

Filesize
192KB

Download
memory/3064-47-0x0000000005040000-0x0000000005658000-memory.dmp

Filesize
6.1MB

Download
memory/3064-48-0x0000000004B30000-0x0000000004C3A000-memory.dmp

Filesize
1.0MB

Download
memory/3064-50-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download
memory/3064-49-0x00000000048C0000-0x00000000048D2000-memory.dmp

Filesize
72KB

Download
memory/3064-51-0x0000000004A60000-0x0000000004A9C000-memory.dmp

Filesize
240KB

Download
memory/3064-52-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/3064-53-0x0000000004910000-0x0000000004920000-memory.dmp

Filesize
64KB

Download