healer | 37d3d302f778e88ec7adf9002418c0c415b49c9c0b193b90617bd33dd732b24e

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2023, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_37d3d302f778e88ec7adf9002418c0c415b49c9c0b193b90617bd33dd732b24e.exe
Size

830KB
MD5

5d689a5c721a45dbf0fc61d1782affdd
SHA1

698f8a2a4ad2d00e8272359b2f8e463b59fc7427
SHA256

37d3d302f778e88ec7adf9002418c0c415b49c9c0b193b90617bd33dd732b24e
SHA512

a7290533fd7937f733782370bd76cb335d430df92e1bac466414d7793dd219bf89410ac0ac90ef0aeaa56b59cb510fb8cc8fc3918168db51b4851ad6df0563ae
SSDEEP

24576:XyukBE/CGtOggmZjln50k4M/YxB45h2JaDKx:iukBEKqOuJ5yMQxBqaaW

Score

10^/10

healer redline domka dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

domka

77.91.124.82:19071

Attributes

auth_value
74e19436acac85e44d691aebcc617529

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x000800000002320c-33.dat	healer
behavioral2/files/0x000800000002320c-34.dat	healer
behavioral2/memory/3372-35-0x00000000000B0000-0x00000000000BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9200332.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9200332.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9200332.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9200332.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9200332.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9200332.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3340	v6502060.exe
4620	v5963776.exe
60	v4172832.exe
220	v6223876.exe
3372	a9200332.exe
1992	b2617426.exe
2772	c0922111.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9200332.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JC_37d3d302f778e88ec7adf9002418c0c415b49c9c0b193b90617bd33dd732b24e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6502060.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5963776.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4172832.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6223876.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3372	a9200332.exe
3372	a9200332.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3372	a9200332.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 3340	628	JC_37d3d302f778e88ec7adf9002418c0c415b49c9c0b193b90617bd33dd732b24e.exe	84
PID 628 wrote to memory of 3340	628	JC_37d3d302f778e88ec7adf9002418c0c415b49c9c0b193b90617bd33dd732b24e.exe	84
PID 628 wrote to memory of 3340	628	JC_37d3d302f778e88ec7adf9002418c0c415b49c9c0b193b90617bd33dd732b24e.exe	84
PID 3340 wrote to memory of 4620	3340	v6502060.exe	85
PID 3340 wrote to memory of 4620	3340	v6502060.exe	85
PID 3340 wrote to memory of 4620	3340	v6502060.exe	85
PID 4620 wrote to memory of 60	4620	v5963776.exe	87
PID 4620 wrote to memory of 60	4620	v5963776.exe	87
PID 4620 wrote to memory of 60	4620	v5963776.exe	87
PID 60 wrote to memory of 220	60	v4172832.exe	88
PID 60 wrote to memory of 220	60	v4172832.exe	88
PID 60 wrote to memory of 220	60	v4172832.exe	88
PID 220 wrote to memory of 3372	220	v6223876.exe	89
PID 220 wrote to memory of 3372	220	v6223876.exe	89
PID 220 wrote to memory of 1992	220	v6223876.exe	92
PID 220 wrote to memory of 1992	220	v6223876.exe	92
PID 220 wrote to memory of 1992	220	v6223876.exe	92
PID 60 wrote to memory of 2772	60	v4172832.exe	93
PID 60 wrote to memory of 2772	60	v4172832.exe	93
PID 60 wrote to memory of 2772	60	v4172832.exe	93

C:\Users\Admin\AppData\Local\Temp\JC_37d3d302f778e88ec7adf9002418c0c415b49c9c0b193b90617bd33dd732b24e.exe
"C:\Users\Admin\AppData\Local\Temp\JC_37d3d302f778e88ec7adf9002418c0c415b49c9c0b193b90617bd33dd732b24e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6502060.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6502060.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5963776.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5963776.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4172832.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4172832.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6223876.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6223876.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9200332.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9200332.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3372
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2617426.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2617426.exe
        6⤵
        Executes dropped EXE
        
        PID:1992
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0922111.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0922111.exe
        5⤵
        Executes dropped EXE
        
        PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6502060.exe

Filesize
724KB

MD5
1c8bd9bfa3d255e9db7130feb233a2a1

SHA1
9f7717111d5370f7578c9d77d51574f00da6b26d

SHA256
f8608633d8da80b27d6153f9d4b7ff0f98b22e8dadd80187961a9ade0acfa44c

SHA512
63e560390b7f925d4bf4b9620b927b3e97450250f407e9c696abeba94f06fe5848ebd2b1309b10361c5aaa9bf3d15b653699604cab9f9741930a398d4a96c953

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6502060.exe

Filesize
724KB

MD5
1c8bd9bfa3d255e9db7130feb233a2a1

SHA1
9f7717111d5370f7578c9d77d51574f00da6b26d

SHA256
f8608633d8da80b27d6153f9d4b7ff0f98b22e8dadd80187961a9ade0acfa44c

SHA512
63e560390b7f925d4bf4b9620b927b3e97450250f407e9c696abeba94f06fe5848ebd2b1309b10361c5aaa9bf3d15b653699604cab9f9741930a398d4a96c953

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5963776.exe

Filesize
498KB

MD5
f72b21370de42b3beab8950a0dc85e27

SHA1
8dd0923d365911372de577004d33b79c5d16588a

SHA256
085eeb93b3f9d668d704063c0972c266d12b070b677e311c102236f4c6520f98

SHA512
a114926ba2a35fb05da43d1ca73dfe08d347d2528cfcb38f7bf7c7f949c16cbae77166c9b32da368890bf2b722fa10f9b4ba7ea3fa5abe113b1fdbeca2e1ee28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5963776.exe

Filesize
498KB

MD5
f72b21370de42b3beab8950a0dc85e27

SHA1
8dd0923d365911372de577004d33b79c5d16588a

SHA256
085eeb93b3f9d668d704063c0972c266d12b070b677e311c102236f4c6520f98

SHA512
a114926ba2a35fb05da43d1ca73dfe08d347d2528cfcb38f7bf7c7f949c16cbae77166c9b32da368890bf2b722fa10f9b4ba7ea3fa5abe113b1fdbeca2e1ee28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4172832.exe

Filesize
373KB

MD5
2a5e33d08c599be9eeba525fb948af75

SHA1
d96e0590df7fedd264e3c1d52fe07666548229d1

SHA256
e05189ce372418eec996440c9b026f643b94ce5e80c4dac5e1d7d80c15af2c67

SHA512
64b0afc14ff4dd3ebc708b72fc973e1d221fb36797a5f84f62d6408477122939ef550335bfc41beacb0c60d8ef7dbb6048c913c16a9f31783cd9baca5bb57839

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4172832.exe

Filesize
373KB

MD5
2a5e33d08c599be9eeba525fb948af75

SHA1
d96e0590df7fedd264e3c1d52fe07666548229d1

SHA256
e05189ce372418eec996440c9b026f643b94ce5e80c4dac5e1d7d80c15af2c67

SHA512
64b0afc14ff4dd3ebc708b72fc973e1d221fb36797a5f84f62d6408477122939ef550335bfc41beacb0c60d8ef7dbb6048c913c16a9f31783cd9baca5bb57839

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0922111.exe

Filesize
174KB

MD5
13bee6c999325c4cf877109d5323e21e

SHA1
6e9dafc21124644244f1cc9cd32f016522312bae

SHA256
cd79e27d948ee6ac953cc319fa1eb6597bdc5cbdeb2308940c96d43821fdd9f3

SHA512
d54306b939dc4c37f5d76aa32a1e2f681b6c3bebd401b760c855e123e8a1e85fa2920cbe2ed4ee60476648d72bdde7e7a80bfe93ae6e40f8135feadeeac680c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0922111.exe

Filesize
174KB

MD5
13bee6c999325c4cf877109d5323e21e

SHA1
6e9dafc21124644244f1cc9cd32f016522312bae

SHA256
cd79e27d948ee6ac953cc319fa1eb6597bdc5cbdeb2308940c96d43821fdd9f3

SHA512
d54306b939dc4c37f5d76aa32a1e2f681b6c3bebd401b760c855e123e8a1e85fa2920cbe2ed4ee60476648d72bdde7e7a80bfe93ae6e40f8135feadeeac680c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6223876.exe

Filesize
217KB

MD5
8363cf8869bf2af58cfb55f36a7be4e5

SHA1
8fe51b20bdda6f1dfa60367482721dd94e15e44d

SHA256
b54c4a42c66ecf2c1e0516901cf1730077bff74a92f0e155ebb2c5e9da3362e9

SHA512
423f0a3df3d281e77e5028466792d69f617e35f81df1d7cb59d4619075347042a3b8cc3e3c42e7bdda9714dc5c35897f4913bf168a30846781c89b1da371a07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6223876.exe

Filesize
217KB

MD5
8363cf8869bf2af58cfb55f36a7be4e5

SHA1
8fe51b20bdda6f1dfa60367482721dd94e15e44d

SHA256
b54c4a42c66ecf2c1e0516901cf1730077bff74a92f0e155ebb2c5e9da3362e9

SHA512
423f0a3df3d281e77e5028466792d69f617e35f81df1d7cb59d4619075347042a3b8cc3e3c42e7bdda9714dc5c35897f4913bf168a30846781c89b1da371a07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9200332.exe

Filesize
19KB

MD5
0f26e99f257ca53c36fb29534f8d68b1

SHA1
2505e48ee2ba0369d0ad1e42f21f51c43d84a653

SHA256
c1280c9a0a0ea7e9d5c14a2d89a5e5edcb23e7cc9c536e897f0293b1502616ed

SHA512
c816741e2284189b37c289944625ab2e599dc82da4cce97ae2506e300811324848de39ff65a8171eb5d8c05573ad12f6bedd6adb4b2797a24c33ddf2e0f2cdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9200332.exe

Filesize
19KB

MD5
0f26e99f257ca53c36fb29534f8d68b1

SHA1
2505e48ee2ba0369d0ad1e42f21f51c43d84a653

SHA256
c1280c9a0a0ea7e9d5c14a2d89a5e5edcb23e7cc9c536e897f0293b1502616ed

SHA512
c816741e2284189b37c289944625ab2e599dc82da4cce97ae2506e300811324848de39ff65a8171eb5d8c05573ad12f6bedd6adb4b2797a24c33ddf2e0f2cdde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2617426.exe

Filesize
140KB

MD5
a8a7c3d85afa8b43614cc05ede583ba4

SHA1
9793825508b9b4e376ec88c7e6ed32f0fa1cf7bb

SHA256
cf0414b6cc71356140a21cf674cf195b44c3b36da7071814b562a8b3d13de557

SHA512
8140679ac65f7723f18a9381ef980930b09fc8f0336138c2bb40638fa1a6f8d160acc4b9995abade6afbff2b574bbf0582eb87d9e010433b130a98ba063e0ddf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2617426.exe

Filesize
140KB

MD5
a8a7c3d85afa8b43614cc05ede583ba4

SHA1
9793825508b9b4e376ec88c7e6ed32f0fa1cf7bb

SHA256
cf0414b6cc71356140a21cf674cf195b44c3b36da7071814b562a8b3d13de557

SHA512
8140679ac65f7723f18a9381ef980930b09fc8f0336138c2bb40638fa1a6f8d160acc4b9995abade6afbff2b574bbf0582eb87d9e010433b130a98ba063e0ddf

Download Submit
memory/2772-46-0x0000000074040000-0x00000000747F0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-45-0x0000000000F40000-0x0000000000F70000-memory.dmp

Filesize
192KB

Download
memory/2772-47-0x000000000B370000-0x000000000B988000-memory.dmp

Filesize
6.1MB

Download
memory/2772-48-0x000000000AEF0000-0x000000000AFFA000-memory.dmp

Filesize
1.0MB

Download
memory/2772-49-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/2772-50-0x000000000AE30000-0x000000000AE42000-memory.dmp

Filesize
72KB

Download
memory/2772-51-0x000000000AE90000-0x000000000AECC000-memory.dmp

Filesize
240KB

Download
memory/2772-52-0x0000000074040000-0x00000000747F0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-53-0x0000000003420000-0x0000000003430000-memory.dmp

Filesize
64KB

Download
memory/3372-38-0x00007FFC797F0000-0x00007FFC7A2B1000-memory.dmp

Filesize
10.8MB

Download
memory/3372-36-0x00007FFC797F0000-0x00007FFC7A2B1000-memory.dmp

Filesize
10.8MB

Download
memory/3372-35-0x00000000000B0000-0x00000000000BA000-memory.dmp

Filesize
40KB

Download