healer | 08a8f0fc2a50de55a3f7f1c18d61671063fd6901857325417dbc09256b9fef2a

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08a8f0fc2a50de55a3f7f1c18d61671063fd6901857325417dbc09256b9fef2a.exe
Size

828KB
MD5

9ac03c3dfd33dd14d00f642ea76bd9fb
SHA1

17a1c544ad383e32d3220a7159a0ac7bd0965e6d
SHA256

08a8f0fc2a50de55a3f7f1c18d61671063fd6901857325417dbc09256b9fef2a
SHA512

42b499574fa33c6fd32a66dcce2d981c0964fcda36dcec3d1d7865da9870c2f986d2b1d35be4701fba1fcd659feea216faaf5aaa9b72ae152e9141f69aeb7760
SSDEEP

24576:ApyTy5XCPGZsGVntaxtNm3yAeloQef9aS:AcTwXoGZPVnIwiAelO

Score

10^/10

healer redline domka dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

domka

77.91.124.82:19071

Attributes

auth_value
74e19436acac85e44d691aebcc617529

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023165-34.dat	healer
behavioral1/files/0x0007000000023165-33.dat	healer
behavioral1/memory/4620-35-0x0000000000590000-0x000000000059A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8152021.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8152021.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8152021.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8152021.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8152021.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8152021.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3472	v0132572.exe
1600	v3936779.exe
4928	v0164219.exe
4880	v7138857.exe
4620	a8152021.exe
4668	b8169670.exe
3908	c5366957.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8152021.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0132572.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3936779.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0164219.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7138857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	08a8f0fc2a50de55a3f7f1c18d61671063fd6901857325417dbc09256b9fef2a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4620	a8152021.exe
4620	a8152021.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	a8152021.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3856 wrote to memory of 3472	3856	08a8f0fc2a50de55a3f7f1c18d61671063fd6901857325417dbc09256b9fef2a.exe	80
PID 3856 wrote to memory of 3472	3856	08a8f0fc2a50de55a3f7f1c18d61671063fd6901857325417dbc09256b9fef2a.exe	80
PID 3856 wrote to memory of 3472	3856	08a8f0fc2a50de55a3f7f1c18d61671063fd6901857325417dbc09256b9fef2a.exe	80
PID 3472 wrote to memory of 1600	3472	v0132572.exe	81
PID 3472 wrote to memory of 1600	3472	v0132572.exe	81
PID 3472 wrote to memory of 1600	3472	v0132572.exe	81
PID 1600 wrote to memory of 4928	1600	v3936779.exe	82
PID 1600 wrote to memory of 4928	1600	v3936779.exe	82
PID 1600 wrote to memory of 4928	1600	v3936779.exe	82
PID 4928 wrote to memory of 4880	4928	v0164219.exe	83
PID 4928 wrote to memory of 4880	4928	v0164219.exe	83
PID 4928 wrote to memory of 4880	4928	v0164219.exe	83
PID 4880 wrote to memory of 4620	4880	v7138857.exe	84
PID 4880 wrote to memory of 4620	4880	v7138857.exe	84
PID 4880 wrote to memory of 4668	4880	v7138857.exe	86
PID 4880 wrote to memory of 4668	4880	v7138857.exe	86
PID 4880 wrote to memory of 4668	4880	v7138857.exe	86
PID 4928 wrote to memory of 3908	4928	v0164219.exe	87
PID 4928 wrote to memory of 3908	4928	v0164219.exe	87
PID 4928 wrote to memory of 3908	4928	v0164219.exe	87

C:\Users\Admin\AppData\Local\Temp\08a8f0fc2a50de55a3f7f1c18d61671063fd6901857325417dbc09256b9fef2a.exe
"C:\Users\Admin\AppData\Local\Temp\08a8f0fc2a50de55a3f7f1c18d61671063fd6901857325417dbc09256b9fef2a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0132572.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0132572.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3936779.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3936779.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0164219.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0164219.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4928
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7138857.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7138857.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8152021.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8152021.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4620
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8169670.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8169670.exe
        6⤵
        Executes dropped EXE
        
        PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5366957.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5366957.exe
        5⤵
        Executes dropped EXE
        
        PID:3908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0132572.exe

Filesize
724KB

MD5
2f9850307ace27b8d83889c88ba85632

SHA1
fe9dee8df1976600e5a4e78fd7b50c1ee10c0182

SHA256
16ddba3707ba029f28e3b261cc3249718060af30b538c28f488666ade2ee2787

SHA512
85c5a73ef7a9caf01722c9f737f7d021f0ef0932d79a2caae928d04c766d672953c04703cb983624f182824b224561771d79793369795ea1d81f8364d48ef75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0132572.exe

Filesize
724KB

MD5
2f9850307ace27b8d83889c88ba85632

SHA1
fe9dee8df1976600e5a4e78fd7b50c1ee10c0182

SHA256
16ddba3707ba029f28e3b261cc3249718060af30b538c28f488666ade2ee2787

SHA512
85c5a73ef7a9caf01722c9f737f7d021f0ef0932d79a2caae928d04c766d672953c04703cb983624f182824b224561771d79793369795ea1d81f8364d48ef75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3936779.exe

Filesize
497KB

MD5
594d679a7c8253c85750eff1e00d9c18

SHA1
2fb01e72ece8dffd1209d2127d952b845bfed8de

SHA256
3a7aab8802d4dad9d6615a2aa990ff1bd53b8b92ee34348ab98270498ff219d3

SHA512
cd4015844c83885afe775a6665e1d9027cd9129f0b70a5422d9d0dce742293e5e2965c0bac5a6c96161ab553333449a2529a258eab02cf1ab3977a8e0922a101

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3936779.exe

Filesize
497KB

MD5
594d679a7c8253c85750eff1e00d9c18

SHA1
2fb01e72ece8dffd1209d2127d952b845bfed8de

SHA256
3a7aab8802d4dad9d6615a2aa990ff1bd53b8b92ee34348ab98270498ff219d3

SHA512
cd4015844c83885afe775a6665e1d9027cd9129f0b70a5422d9d0dce742293e5e2965c0bac5a6c96161ab553333449a2529a258eab02cf1ab3977a8e0922a101

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0164219.exe

Filesize
372KB

MD5
a6d514248ac8f9aaec149fd4396eb333

SHA1
96fb31b30caf1cd57ca638be5ab86c2a9be2ad56

SHA256
cecc6906ce33cc80201c29db4d00a0a9cdf99c7a30c6cae1ad89851f2535b5e2

SHA512
a707d4c355739776a8f2f1828f973aa74fc506d1d47320a6b2c66f82baaea6184340f9c8f5f92c79b494786da010c5f6a5a041f6ec75c1cd6a2255916ebae420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0164219.exe

Filesize
372KB

MD5
a6d514248ac8f9aaec149fd4396eb333

SHA1
96fb31b30caf1cd57ca638be5ab86c2a9be2ad56

SHA256
cecc6906ce33cc80201c29db4d00a0a9cdf99c7a30c6cae1ad89851f2535b5e2

SHA512
a707d4c355739776a8f2f1828f973aa74fc506d1d47320a6b2c66f82baaea6184340f9c8f5f92c79b494786da010c5f6a5a041f6ec75c1cd6a2255916ebae420

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5366957.exe

Filesize
174KB

MD5
c7b1f1cb61aeed8a47dcc3a453aa8575

SHA1
63286a40d414b0dd7d0c1a14583bcdbc996cd18c

SHA256
95723e39a8cbc80fa672eac59ccf654549f06f8a816bc3e0bb7a0f80de090e85

SHA512
6d279c04efdc0d41046e85d2c9fd4599996914cbc82b1e9ee0f10973bb5dbc94f8e1f6ed70f4d77cf1bb0d4276db74d575b47109246f5658b93d12a25530b678

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5366957.exe

Filesize
174KB

MD5
c7b1f1cb61aeed8a47dcc3a453aa8575

SHA1
63286a40d414b0dd7d0c1a14583bcdbc996cd18c

SHA256
95723e39a8cbc80fa672eac59ccf654549f06f8a816bc3e0bb7a0f80de090e85

SHA512
6d279c04efdc0d41046e85d2c9fd4599996914cbc82b1e9ee0f10973bb5dbc94f8e1f6ed70f4d77cf1bb0d4276db74d575b47109246f5658b93d12a25530b678

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7138857.exe

Filesize
217KB

MD5
ce9cc38c59d8222e6fb89398ea43c916

SHA1
bad014533bf2adabba4da8875ac74b42c2427930

SHA256
8e02dc57234355cbe458f150adc7433e49cfaeca8d153137df508d331fc01d10

SHA512
6a740388031c320d250019e997f155856b5cec60625080677f13594a6d70ca98153f77ea55b5a9b573354f4daf5f5f409a46fba2af8933e1c44fbbda1496fd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7138857.exe

Filesize
217KB

MD5
ce9cc38c59d8222e6fb89398ea43c916

SHA1
bad014533bf2adabba4da8875ac74b42c2427930

SHA256
8e02dc57234355cbe458f150adc7433e49cfaeca8d153137df508d331fc01d10

SHA512
6a740388031c320d250019e997f155856b5cec60625080677f13594a6d70ca98153f77ea55b5a9b573354f4daf5f5f409a46fba2af8933e1c44fbbda1496fd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8152021.exe

Filesize
19KB

MD5
f06d5f7cbe1729ed1ae16404ea3df31b

SHA1
7c1ad61f3e2782ea0febeee5967806b3e118f393

SHA256
d7bcdd7a4720fc2c45e8749d7c977576dcd0853ec43838859a71d67d7c6b2d69

SHA512
9d03a5d21ecc05f389cd9e910962ccacfbb3def1a38c214510e6c2918b20df3dc32ca23488ac0147e8bc115edcc13c2cf22f8800f950227405b2ca186aee10ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8152021.exe

Filesize
19KB

MD5
f06d5f7cbe1729ed1ae16404ea3df31b

SHA1
7c1ad61f3e2782ea0febeee5967806b3e118f393

SHA256
d7bcdd7a4720fc2c45e8749d7c977576dcd0853ec43838859a71d67d7c6b2d69

SHA512
9d03a5d21ecc05f389cd9e910962ccacfbb3def1a38c214510e6c2918b20df3dc32ca23488ac0147e8bc115edcc13c2cf22f8800f950227405b2ca186aee10ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8169670.exe

Filesize
140KB

MD5
5fadbe1f22b30e9ab1deb90d99462f2d

SHA1
50c549365eb072f0d44ca0865e63b989c2e3ad28

SHA256
2013e760c99ffd6bf36b3290112e426f4e322724b211f27873ff70d69fcf6d88

SHA512
96b5fb633cbe439b236052049811566d739ed3013e74b84ddd1f49271293a112b53fbefc0843993928f792482c6b4bff62c3e13c0da3188e712a39d7b0069f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8169670.exe

Filesize
140KB

MD5
5fadbe1f22b30e9ab1deb90d99462f2d

SHA1
50c549365eb072f0d44ca0865e63b989c2e3ad28

SHA256
2013e760c99ffd6bf36b3290112e426f4e322724b211f27873ff70d69fcf6d88

SHA512
96b5fb633cbe439b236052049811566d739ed3013e74b84ddd1f49271293a112b53fbefc0843993928f792482c6b4bff62c3e13c0da3188e712a39d7b0069f7a

Download Submit
memory/3908-46-0x0000000073EB0000-0x0000000074660000-memory.dmp

Filesize
7.7MB

Download
memory/3908-45-0x0000000000030000-0x0000000000060000-memory.dmp

Filesize
192KB

Download
memory/3908-47-0x000000000A510000-0x000000000AB28000-memory.dmp

Filesize
6.1MB

Download
memory/3908-48-0x000000000A000000-0x000000000A10A000-memory.dmp

Filesize
1.0MB

Download
memory/3908-49-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/3908-50-0x0000000009F20000-0x0000000009F32000-memory.dmp

Filesize
72KB

Download
memory/3908-51-0x0000000009F80000-0x0000000009FBC000-memory.dmp

Filesize
240KB

Download
memory/3908-52-0x0000000073EB0000-0x0000000074660000-memory.dmp

Filesize
7.7MB

Download
memory/3908-53-0x0000000004A60000-0x0000000004A70000-memory.dmp

Filesize
64KB

Download
memory/4620-38-0x00007FFA50700000-0x00007FFA511C1000-memory.dmp

Filesize
10.8MB

Download
memory/4620-36-0x00007FFA50700000-0x00007FFA511C1000-memory.dmp

Filesize
10.8MB

Download
memory/4620-35-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download