healer | 2af40a3b4910b714915c754ec4932ea56de54c62196097e4e0938babefe8e199

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2023 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_2af40a3b4910b714915c754ec4932ea56de54c62196097e4e0938babefe8e199.exe
Size

829KB
MD5

0716527a972e074edbc0d866a98100aa
SHA1

f5df6609c87446d245aeb807a6e9740dbc48022b
SHA256

2af40a3b4910b714915c754ec4932ea56de54c62196097e4e0938babefe8e199
SHA512

db192ab2c66bc943801cf222a66aab87ca462d493852a596a6551e7277a6098c5fd21f4b5f8224b290d4f43a295a17af07a3acb4dd163fef6c424cf6c86bf4dc
SSDEEP

12288:tMrZy903vIMu3M/NB2rwNQnnMhnkHT/g7aYqFlTldyAN2Q0EWzSMBs1Q2HEz:QyIIZ3M/NBowingnkHT/gJKvMtrGMx

Score

10^/10

healer redline jang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023241-33.dat	healer
behavioral2/files/0x0007000000023241-34.dat	healer
behavioral2/memory/4456-35-0x0000000000520000-0x000000000052A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4106910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4106910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4106910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4106910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4106910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4106910.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
844	v7375466.exe
1272	v9247784.exe
2896	v5663578.exe
2728	v5149467.exe
4456	a4106910.exe
5104	b1675370.exe
1208	c5629138.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4106910.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5149467.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JC_2af40a3b4910b714915c754ec4932ea56de54c62196097e4e0938babefe8e199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7375466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9247784.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5663578.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4456	a4106910.exe
4456	a4106910.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4456	a4106910.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 844	2720	JC_2af40a3b4910b714915c754ec4932ea56de54c62196097e4e0938babefe8e199.exe	83
PID 2720 wrote to memory of 844	2720	JC_2af40a3b4910b714915c754ec4932ea56de54c62196097e4e0938babefe8e199.exe	83
PID 2720 wrote to memory of 844	2720	JC_2af40a3b4910b714915c754ec4932ea56de54c62196097e4e0938babefe8e199.exe	83
PID 844 wrote to memory of 1272	844	v7375466.exe	85
PID 844 wrote to memory of 1272	844	v7375466.exe	85
PID 844 wrote to memory of 1272	844	v7375466.exe	85
PID 1272 wrote to memory of 2896	1272	v9247784.exe	86
PID 1272 wrote to memory of 2896	1272	v9247784.exe	86
PID 1272 wrote to memory of 2896	1272	v9247784.exe	86
PID 2896 wrote to memory of 2728	2896	v5663578.exe	87
PID 2896 wrote to memory of 2728	2896	v5663578.exe	87
PID 2896 wrote to memory of 2728	2896	v5663578.exe	87
PID 2728 wrote to memory of 4456	2728	v5149467.exe	88
PID 2728 wrote to memory of 4456	2728	v5149467.exe	88
PID 2728 wrote to memory of 5104	2728	v5149467.exe	91
PID 2728 wrote to memory of 5104	2728	v5149467.exe	91
PID 2728 wrote to memory of 5104	2728	v5149467.exe	91
PID 2896 wrote to memory of 1208	2896	v5663578.exe	92
PID 2896 wrote to memory of 1208	2896	v5663578.exe	92
PID 2896 wrote to memory of 1208	2896	v5663578.exe	92

C:\Users\Admin\AppData\Local\Temp\JC_2af40a3b4910b714915c754ec4932ea56de54c62196097e4e0938babefe8e199.exe
"C:\Users\Admin\AppData\Local\Temp\JC_2af40a3b4910b714915c754ec4932ea56de54c62196097e4e0938babefe8e199.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7375466.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7375466.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9247784.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9247784.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5663578.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5663578.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5149467.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5149467.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2728
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4106910.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4106910.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1675370.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1675370.exe
        6⤵
        Executes dropped EXE
        
        PID:5104
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5629138.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5629138.exe
        5⤵
        Executes dropped EXE
        
        PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7375466.exe

Filesize
723KB

MD5
9b2d21d2d545402f523b0a85f45b8b45

SHA1
29b2052f660b61c9aa14249693d3fc899a5df04f

SHA256
d0e267ce3bbe21cb6705b19a08784853e29ee43bcaf0db6691d059a9e6b46495

SHA512
41a4823ac7e0d9a3babbbe85ef1352d5d7e1f30244aa1c7497ec8e7b897999d35f543dccce40caacd55ac0fc9998d2e39a1aace45567cd64b79f655c5f14adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7375466.exe

Filesize
723KB

MD5
9b2d21d2d545402f523b0a85f45b8b45

SHA1
29b2052f660b61c9aa14249693d3fc899a5df04f

SHA256
d0e267ce3bbe21cb6705b19a08784853e29ee43bcaf0db6691d059a9e6b46495

SHA512
41a4823ac7e0d9a3babbbe85ef1352d5d7e1f30244aa1c7497ec8e7b897999d35f543dccce40caacd55ac0fc9998d2e39a1aace45567cd64b79f655c5f14adc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9247784.exe

Filesize
497KB

MD5
b7df63815c17d7fced5f8f355b537178

SHA1
98bf8f79352004f4cb52b9d47c425cd37d7386ec

SHA256
6154746cdf730b9314e18d2518d20a07cbae34bddaed743a64882ecb43827913

SHA512
8563eaec8cd17c39e5873d682cf5fd20a8783a2b39a5c6e2a7e72721f45c091a41033fe0216036e6af048318c5a0aaf1e25703dde7e610f11056016b40fd7590

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9247784.exe

Filesize
497KB

MD5
b7df63815c17d7fced5f8f355b537178

SHA1
98bf8f79352004f4cb52b9d47c425cd37d7386ec

SHA256
6154746cdf730b9314e18d2518d20a07cbae34bddaed743a64882ecb43827913

SHA512
8563eaec8cd17c39e5873d682cf5fd20a8783a2b39a5c6e2a7e72721f45c091a41033fe0216036e6af048318c5a0aaf1e25703dde7e610f11056016b40fd7590

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5663578.exe

Filesize
373KB

MD5
a50159eddee7cc5d1f3c4b853fa33125

SHA1
17f793fde86734966f250838c56ccf71e3a5b7d5

SHA256
4aad119947a4a5864f9ec3879ff4d5d5f773a51193768cfe196c681bb41d4272

SHA512
a34a67b6897fb95bc16df1fefeba27bf01c7fb71aca362f7dd95da0faf95359ac0b4043e6086c0d1f68456c7544bffbf9c7b1d01b2e97e351b055e0926e015f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5663578.exe

Filesize
373KB

MD5
a50159eddee7cc5d1f3c4b853fa33125

SHA1
17f793fde86734966f250838c56ccf71e3a5b7d5

SHA256
4aad119947a4a5864f9ec3879ff4d5d5f773a51193768cfe196c681bb41d4272

SHA512
a34a67b6897fb95bc16df1fefeba27bf01c7fb71aca362f7dd95da0faf95359ac0b4043e6086c0d1f68456c7544bffbf9c7b1d01b2e97e351b055e0926e015f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5629138.exe

Filesize
174KB

MD5
3cdb080efe1ab2180e230502be1826f9

SHA1
73d2435dc57d0ef5952a67015bb1c3d2d93953f0

SHA256
e0b1d51b59ac8dd34474fa7840f6887d50399710795f0d187dae51ad070d6b25

SHA512
5e7f06d62be3c8ffe1c8b811046ea6d533d39d12df12b15d2a01e5ca6f0b4c1cd6e8b35fea91711f5aafc0be872fed50d9f3636de5bfafbe0a95edf763ab23c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5629138.exe

Filesize
174KB

MD5
3cdb080efe1ab2180e230502be1826f9

SHA1
73d2435dc57d0ef5952a67015bb1c3d2d93953f0

SHA256
e0b1d51b59ac8dd34474fa7840f6887d50399710795f0d187dae51ad070d6b25

SHA512
5e7f06d62be3c8ffe1c8b811046ea6d533d39d12df12b15d2a01e5ca6f0b4c1cd6e8b35fea91711f5aafc0be872fed50d9f3636de5bfafbe0a95edf763ab23c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5149467.exe

Filesize
217KB

MD5
cd19edea68d9e9fb7b53fcc5bec4dade

SHA1
bb50635d27e0c0e3ad99a3a9157bbb584444df39

SHA256
186a3b33aaedcbf335ff1a9ebc97644caaad963ea76039a24f2212680a30ab6a

SHA512
ae38831dec083bbde301918f2176344bf7583f2cae3f9f6e7fd5a6377d1bf120aae84c75e43989b2a87e80d6e9fbf98b8eb36707fadd5e8b7af9f2a2866bc306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5149467.exe

Filesize
217KB

MD5
cd19edea68d9e9fb7b53fcc5bec4dade

SHA1
bb50635d27e0c0e3ad99a3a9157bbb584444df39

SHA256
186a3b33aaedcbf335ff1a9ebc97644caaad963ea76039a24f2212680a30ab6a

SHA512
ae38831dec083bbde301918f2176344bf7583f2cae3f9f6e7fd5a6377d1bf120aae84c75e43989b2a87e80d6e9fbf98b8eb36707fadd5e8b7af9f2a2866bc306

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4106910.exe

Filesize
19KB

MD5
d3a22fd74fb7ec2ec66da0200ee00aa1

SHA1
52b644daac107e00e804eaa4754492a92f370a3c

SHA256
e63cff2a160f918a88e9b519b62fd797f84a3b055f726d2cbe666a138071ca29

SHA512
7ac3d27ab853ac49803a4e53d96af962d902d501706244148a56d1f882cb14fc6e5ce1acbc8b2c35221f883a5f600fd6a72d7ac879b0d55453c531f3b80744ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4106910.exe

Filesize
19KB

MD5
d3a22fd74fb7ec2ec66da0200ee00aa1

SHA1
52b644daac107e00e804eaa4754492a92f370a3c

SHA256
e63cff2a160f918a88e9b519b62fd797f84a3b055f726d2cbe666a138071ca29

SHA512
7ac3d27ab853ac49803a4e53d96af962d902d501706244148a56d1f882cb14fc6e5ce1acbc8b2c35221f883a5f600fd6a72d7ac879b0d55453c531f3b80744ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1675370.exe

Filesize
140KB

MD5
c01675c372963449025ad80a28934162

SHA1
acbf23da8072e2235bea9291ed4da54cdf8934d9

SHA256
d91f5eb43882a5a0daec4572c38fae11283ce3e7ea41542e94771c2bcd877592

SHA512
236dd245a93b00c316a4a0812f83eaee6b79fe7de70e0ea07c317fe3547663f7d04697d6bf7199004b3810bc6f117ec70469bbb43c1cb0545bbbe39137e6bfaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1675370.exe

Filesize
140KB

MD5
c01675c372963449025ad80a28934162

SHA1
acbf23da8072e2235bea9291ed4da54cdf8934d9

SHA256
d91f5eb43882a5a0daec4572c38fae11283ce3e7ea41542e94771c2bcd877592

SHA512
236dd245a93b00c316a4a0812f83eaee6b79fe7de70e0ea07c317fe3547663f7d04697d6bf7199004b3810bc6f117ec70469bbb43c1cb0545bbbe39137e6bfaf

Download Submit
memory/1208-46-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/1208-45-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download
memory/1208-47-0x000000000A9F0000-0x000000000B008000-memory.dmp

Filesize
6.1MB

Download
memory/1208-48-0x000000000A4E0000-0x000000000A5EA000-memory.dmp

Filesize
1.0MB

Download
memory/1208-49-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/1208-50-0x000000000A420000-0x000000000A432000-memory.dmp

Filesize
72KB

Download
memory/1208-51-0x000000000A480000-0x000000000A4BC000-memory.dmp

Filesize
240KB

Download
memory/1208-52-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/1208-53-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/4456-38-0x00007FF98AF90000-0x00007FF98BA51000-memory.dmp

Filesize
10.8MB

Download
memory/4456-36-0x00007FF98AF90000-0x00007FF98BA51000-memory.dmp

Filesize
10.8MB

Download
memory/4456-35-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download