healer | 1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe
Size

821KB
MD5

d1a4d86694839533a78a9a2bbac11c05
SHA1

a051ac20ad98ac14ae43e609a94107a8bb74313f
SHA256

1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805
SHA512

82eeaebe3081e5b4fffd70826957692ce29beeabb2509bfa77df343e14aebe382d3747693ceb1ec561f852c2c5bda1ac2b518ef356e5035b92bf4556f8144d8e
SSDEEP

24576:lyysJf1+Q2AbEw5Yi3uz58voZCmIpG9+rmbBw:AysN1SgEwSeu+G7b

Score

10^/10

healer redline domka dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

domka

77.91.124.82:19071

Attributes

auth_value
74e19436acac85e44d691aebcc617529

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023250-33.dat	healer
behavioral2/files/0x0008000000023250-34.dat	healer
behavioral2/memory/2724-35-0x0000000000BB0000-0x0000000000BBA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1349604.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1349604.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1349604.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1349604.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1349604.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1349604.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2548	v3173523.exe
4636	v5718877.exe
4456	v3572509.exe
4800	v8006400.exe
2724	a1349604.exe
3180	b0356693.exe
2776	c2455442.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1349604.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3173523.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5718877.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3572509.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8006400.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2724	a1349604.exe
2724	a1349604.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	a1349604.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2548	1284	JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe	84
PID 1284 wrote to memory of 2548	1284	JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe	84
PID 1284 wrote to memory of 2548	1284	JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe	84
PID 2548 wrote to memory of 4636	2548	v3173523.exe	85
PID 2548 wrote to memory of 4636	2548	v3173523.exe	85
PID 2548 wrote to memory of 4636	2548	v3173523.exe	85
PID 4636 wrote to memory of 4456	4636	v5718877.exe	86
PID 4636 wrote to memory of 4456	4636	v5718877.exe	86
PID 4636 wrote to memory of 4456	4636	v5718877.exe	86
PID 4456 wrote to memory of 4800	4456	v3572509.exe	87
PID 4456 wrote to memory of 4800	4456	v3572509.exe	87
PID 4456 wrote to memory of 4800	4456	v3572509.exe	87
PID 4800 wrote to memory of 2724	4800	v8006400.exe	89
PID 4800 wrote to memory of 2724	4800	v8006400.exe	89
PID 4800 wrote to memory of 3180	4800	v8006400.exe	92
PID 4800 wrote to memory of 3180	4800	v8006400.exe	92
PID 4800 wrote to memory of 3180	4800	v8006400.exe	92
PID 4456 wrote to memory of 2776	4456	v3572509.exe	93
PID 4456 wrote to memory of 2776	4456	v3572509.exe	93
PID 4456 wrote to memory of 2776	4456	v3572509.exe	93

C:\Users\Admin\AppData\Local\Temp\JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe
"C:\Users\Admin\AppData\Local\Temp\JC_1b1b6c41b66c60e8bb1f51ef0fbe493086413a9b48d3eda96809b94e4db2b805.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3173523.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3173523.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5718877.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5718877.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3572509.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3572509.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4456
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8006400.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8006400.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1349604.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1349604.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0356693.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0356693.exe
        6⤵
        Executes dropped EXE
        
        PID:3180
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2455442.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2455442.exe
        5⤵
        Executes dropped EXE
        
        PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3173523.exe

Filesize
716KB

MD5
6115e38d51b22efa5b8f7cde0c4c3d2f

SHA1
dfb9b496092b4936f196dee9013328bf515a9e0b

SHA256
2b55e962829b12e350522aec0de7c6af34bee4de40b27bea8db2043925ec66c4

SHA512
48691ed9b43a72fa4024ec6980435d4cb89a9395e0b41e2141f7b1318d1e0b2cc07f68c8258ecac4a9c0fcf697398d7f2d260c4a7a0fec97209d2b3a9d3975dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3173523.exe

Filesize
716KB

MD5
6115e38d51b22efa5b8f7cde0c4c3d2f

SHA1
dfb9b496092b4936f196dee9013328bf515a9e0b

SHA256
2b55e962829b12e350522aec0de7c6af34bee4de40b27bea8db2043925ec66c4

SHA512
48691ed9b43a72fa4024ec6980435d4cb89a9395e0b41e2141f7b1318d1e0b2cc07f68c8258ecac4a9c0fcf697398d7f2d260c4a7a0fec97209d2b3a9d3975dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5718877.exe

Filesize
497KB

MD5
1aaa0cf317a03097aa89c72144405a64

SHA1
80543750986161af11e06c09a1186ce2cf787de0

SHA256
af4011e92e4d7b4427085548a5a24f854fa6d59c177caac372fce3432aead396

SHA512
8a64028380db93835e3d1bb58d0b7b1fbbee9525b1356847dea142e0601d8cadbf3f7e3cda3d8f286655715b63642f4640f2276caab1c48bc9770dc2180538fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5718877.exe

Filesize
497KB

MD5
1aaa0cf317a03097aa89c72144405a64

SHA1
80543750986161af11e06c09a1186ce2cf787de0

SHA256
af4011e92e4d7b4427085548a5a24f854fa6d59c177caac372fce3432aead396

SHA512
8a64028380db93835e3d1bb58d0b7b1fbbee9525b1356847dea142e0601d8cadbf3f7e3cda3d8f286655715b63642f4640f2276caab1c48bc9770dc2180538fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3572509.exe

Filesize
372KB

MD5
7d90e491e20e813ae0d6d09ad1736534

SHA1
567371a7ba458a3b3d8b0fa4b1ad9c73450d0887

SHA256
93d2e9500329353614c0428d2e7d5af09555769e2005297e1e1c09f83b3a9658

SHA512
4dfdb0fd239ac6001ceb0890597173417bef2c35273882c6469910a8506b1d82b074ec839fdae274ef98c329346b3f0cb7c03181cd7ca4092f16ea5365364d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3572509.exe

Filesize
372KB

MD5
7d90e491e20e813ae0d6d09ad1736534

SHA1
567371a7ba458a3b3d8b0fa4b1ad9c73450d0887

SHA256
93d2e9500329353614c0428d2e7d5af09555769e2005297e1e1c09f83b3a9658

SHA512
4dfdb0fd239ac6001ceb0890597173417bef2c35273882c6469910a8506b1d82b074ec839fdae274ef98c329346b3f0cb7c03181cd7ca4092f16ea5365364d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2455442.exe

Filesize
174KB

MD5
ee38160df0e055f00b14a7fff3ac1062

SHA1
a03abb735bc389dd893a19901d9067c9b855fb4a

SHA256
9a1665fd499127757e85c601002292561626d4dc7fb9564f7aeb3cfa4e199558

SHA512
7fc6deccb21a2078389bfb75af0a5b570b076f2446613337fbdd5a159cb0d846c19be3fcdf3e0c55ff926d579cd00fb616e3b48618a9b08584004d77235ba17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2455442.exe

Filesize
174KB

MD5
ee38160df0e055f00b14a7fff3ac1062

SHA1
a03abb735bc389dd893a19901d9067c9b855fb4a

SHA256
9a1665fd499127757e85c601002292561626d4dc7fb9564f7aeb3cfa4e199558

SHA512
7fc6deccb21a2078389bfb75af0a5b570b076f2446613337fbdd5a159cb0d846c19be3fcdf3e0c55ff926d579cd00fb616e3b48618a9b08584004d77235ba17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8006400.exe

Filesize
217KB

MD5
55ec25f14434716f460537a897850a0c

SHA1
10f44f330be919edf7f89df7c58f6e69d03a21e5

SHA256
0a0ca06bbfecf9ace770fd9ed8a323309b5ee6adf696922d360ba896e7c546fb

SHA512
fd4e9024407280ef796a9c0764540d7e0c03a93dfa41e02808e8f361844f5f46033f3f40c5891fc206cad06e769a59a8c8e0c3d9f3d0cddadc6a1a19f2b73afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8006400.exe

Filesize
217KB

MD5
55ec25f14434716f460537a897850a0c

SHA1
10f44f330be919edf7f89df7c58f6e69d03a21e5

SHA256
0a0ca06bbfecf9ace770fd9ed8a323309b5ee6adf696922d360ba896e7c546fb

SHA512
fd4e9024407280ef796a9c0764540d7e0c03a93dfa41e02808e8f361844f5f46033f3f40c5891fc206cad06e769a59a8c8e0c3d9f3d0cddadc6a1a19f2b73afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1349604.exe

Filesize
19KB

MD5
d0f9c5fe093f19164d711fd9762b438f

SHA1
a2591dd96703899afaa9dd5cf7d3d69f3c81add7

SHA256
40bf99c7345d1335267301f014b0b88ceb07662e14f2fe5dca352314d21dd9b8

SHA512
75f67125582fcd033f6f9b4e946b21282e7c6656ec6823b8ff3f273b0f15a9a648341b40c28288e0e0f4b21b6dea73bd66a1de392d20aa5683ed2828ebb146ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1349604.exe

Filesize
19KB

MD5
d0f9c5fe093f19164d711fd9762b438f

SHA1
a2591dd96703899afaa9dd5cf7d3d69f3c81add7

SHA256
40bf99c7345d1335267301f014b0b88ceb07662e14f2fe5dca352314d21dd9b8

SHA512
75f67125582fcd033f6f9b4e946b21282e7c6656ec6823b8ff3f273b0f15a9a648341b40c28288e0e0f4b21b6dea73bd66a1de392d20aa5683ed2828ebb146ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0356693.exe

Filesize
140KB

MD5
ffbc15d96c69b3ad1ec9624f5a459fb7

SHA1
dc9489325a09d0f1f9ad37f07f7d16bc7e423366

SHA256
d614ec7127d1ec92e4cdbbbe1ff66a1ef835970d9dc5012af4b8b71b79085108

SHA512
f7e4f10923d2b49507f596da1a10fea10f3386619663a8a7037b45ab2694f20af2aa4fbdee45c8a75e9bb32b882a288fc269114dc37ae4ad007bcef7bc219cc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0356693.exe

Filesize
140KB

MD5
ffbc15d96c69b3ad1ec9624f5a459fb7

SHA1
dc9489325a09d0f1f9ad37f07f7d16bc7e423366

SHA256
d614ec7127d1ec92e4cdbbbe1ff66a1ef835970d9dc5012af4b8b71b79085108

SHA512
f7e4f10923d2b49507f596da1a10fea10f3386619663a8a7037b45ab2694f20af2aa4fbdee45c8a75e9bb32b882a288fc269114dc37ae4ad007bcef7bc219cc5

Download Submit
memory/2724-38-0x00007FFCE9940000-0x00007FFCEA401000-memory.dmp

Filesize
10.8MB

Download
memory/2724-36-0x00007FFCE9940000-0x00007FFCEA401000-memory.dmp

Filesize
10.8MB

Download
memory/2724-35-0x0000000000BB0000-0x0000000000BBA000-memory.dmp

Filesize
40KB

Download
memory/2776-45-0x0000000000C40000-0x0000000000C70000-memory.dmp

Filesize
192KB

Download
memory/2776-46-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2776-47-0x000000000AF40000-0x000000000B558000-memory.dmp

Filesize
6.1MB

Download
memory/2776-48-0x000000000AAB0000-0x000000000ABBA000-memory.dmp

Filesize
1.0MB

Download
memory/2776-50-0x000000000A9F0000-0x000000000AA02000-memory.dmp

Filesize
72KB

Download
memory/2776-49-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download
memory/2776-51-0x000000000AA50000-0x000000000AA8C000-memory.dmp

Filesize
240KB

Download
memory/2776-52-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/2776-53-0x0000000005490000-0x00000000054A0000-memory.dmp

Filesize
64KB

Download