healer | e8e6b982c21cb268c7e15a207ae7a6ca1825b947465621c2d19ca2840617a412

Analysis

max time kernel
155s
max time network
164s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
01/09/2023, 19:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e8e6b982c21cb268c7e15a207ae7a6ca1825b947465621c2d19ca2840617a412.exe
Size

930KB
MD5

0d4d837bf78e1f5c294e425c467e5595
SHA1

a66f5a0eaa2be26c190844071f5abb4d01645a0c
SHA256

e8e6b982c21cb268c7e15a207ae7a6ca1825b947465621c2d19ca2840617a412
SHA512

651b6263f823f2fd94c88ab9b736d0a76c21ef9176e202ba747b24588cb30d9c914e1830725143b27149bcf87e3563ab37061f2dce58144eae2eaa8c31fa196b
SSDEEP

24576:wyD41wM7ODfmhpNM4a18E+9iBagpLq/CBH1b1l+T:3AlODfmBVcp+GB1A

Score

10^/10

healer redline domka dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

domka

77.91.124.82:19071

Attributes

auth_value
74e19436acac85e44d691aebcc617529

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afea-33.dat	healer
behavioral1/files/0x000700000001afea-34.dat	healer
behavioral1/memory/3284-35-0x0000000000FB0000-0x0000000000FBA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q8859337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q8859337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q8859337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q8859337.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q8859337.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4456	z0576928.exe
4988	z9214007.exe
2592	z3315527.exe
3692	z6458524.exe
3284	q8859337.exe
4876	r3463119.exe
1896	s1685491.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q8859337.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e8e6b982c21cb268c7e15a207ae7a6ca1825b947465621c2d19ca2840617a412.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0576928.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9214007.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z3315527.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z6458524.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3284	q8859337.exe
3284	q8859337.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3284	q8859337.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 396 wrote to memory of 4456	396	e8e6b982c21cb268c7e15a207ae7a6ca1825b947465621c2d19ca2840617a412.exe	69
PID 396 wrote to memory of 4456	396	e8e6b982c21cb268c7e15a207ae7a6ca1825b947465621c2d19ca2840617a412.exe	69
PID 396 wrote to memory of 4456	396	e8e6b982c21cb268c7e15a207ae7a6ca1825b947465621c2d19ca2840617a412.exe	69
PID 4456 wrote to memory of 4988	4456	z0576928.exe	70
PID 4456 wrote to memory of 4988	4456	z0576928.exe	70
PID 4456 wrote to memory of 4988	4456	z0576928.exe	70
PID 4988 wrote to memory of 2592	4988	z9214007.exe	71
PID 4988 wrote to memory of 2592	4988	z9214007.exe	71
PID 4988 wrote to memory of 2592	4988	z9214007.exe	71
PID 2592 wrote to memory of 3692	2592	z3315527.exe	72
PID 2592 wrote to memory of 3692	2592	z3315527.exe	72
PID 2592 wrote to memory of 3692	2592	z3315527.exe	72
PID 3692 wrote to memory of 3284	3692	z6458524.exe	73
PID 3692 wrote to memory of 3284	3692	z6458524.exe	73
PID 3692 wrote to memory of 4876	3692	z6458524.exe	74
PID 3692 wrote to memory of 4876	3692	z6458524.exe	74
PID 3692 wrote to memory of 4876	3692	z6458524.exe	74
PID 2592 wrote to memory of 1896	2592	z3315527.exe	75
PID 2592 wrote to memory of 1896	2592	z3315527.exe	75
PID 2592 wrote to memory of 1896	2592	z3315527.exe	75

C:\Users\Admin\AppData\Local\Temp\e8e6b982c21cb268c7e15a207ae7a6ca1825b947465621c2d19ca2840617a412.exe
"C:\Users\Admin\AppData\Local\Temp\e8e6b982c21cb268c7e15a207ae7a6ca1825b947465621c2d19ca2840617a412.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0576928.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0576928.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9214007.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9214007.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3315527.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3315527.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6458524.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6458524.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3692
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8859337.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8859337.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3463119.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3463119.exe
        6⤵
        Executes dropped EXE
        
        PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1685491.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1685491.exe
        5⤵
        Executes dropped EXE
        
        PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0576928.exe

Filesize
824KB

MD5
238ec74c058551ea24ccf515998f4b0d

SHA1
afebf0821279383582e183f7b94e41e9696520fd

SHA256
8ac9188eeb4d38a880ea78f66113fd59cea9788ba12b4b0b2e91ceed860aca13

SHA512
2ed69e9c6a14f47ea00207940349a6aa588cebc79d52f41a3e1a9db89eaf5bcdfe714250fd09c2beeb8c0de1bac6f1cf5b1611d707c2497d43ed23fde6994049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0576928.exe

Filesize
824KB

MD5
238ec74c058551ea24ccf515998f4b0d

SHA1
afebf0821279383582e183f7b94e41e9696520fd

SHA256
8ac9188eeb4d38a880ea78f66113fd59cea9788ba12b4b0b2e91ceed860aca13

SHA512
2ed69e9c6a14f47ea00207940349a6aa588cebc79d52f41a3e1a9db89eaf5bcdfe714250fd09c2beeb8c0de1bac6f1cf5b1611d707c2497d43ed23fde6994049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9214007.exe

Filesize
599KB

MD5
720fe4547630c85601eff73c2ffb1108

SHA1
55d32ff6c740c665fd1895c1cf792ab75c81b5e8

SHA256
34d8fd1fa375b6b85c19a45e474f1187099e53187e23d4eca689b6731f186cd6

SHA512
a9b91fd1c9dee7bb710023e6688545255594c033574898f635da93f14964375a237fd6824bf98f5a51368e1a2a0dc64d8a03223d0cfe6e323d8285de3283a1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9214007.exe

Filesize
599KB

MD5
720fe4547630c85601eff73c2ffb1108

SHA1
55d32ff6c740c665fd1895c1cf792ab75c81b5e8

SHA256
34d8fd1fa375b6b85c19a45e474f1187099e53187e23d4eca689b6731f186cd6

SHA512
a9b91fd1c9dee7bb710023e6688545255594c033574898f635da93f14964375a237fd6824bf98f5a51368e1a2a0dc64d8a03223d0cfe6e323d8285de3283a1f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3315527.exe

Filesize
373KB

MD5
49ee56e7adea9bb78aaccb70fcbfccf6

SHA1
d094c04363b8b0dcf9ae6d0b695e407b0a496780

SHA256
b65d2a0446a567efb124fd6e6cad3a3494b3f7a84156fc0cf700f2316d7dc0b5

SHA512
5939d53ededf2b57de14d73d392a2d5da57628ae2de778df4b3a46b0bc0943d9a04c89a4fd8a0df4f26824a56eb783863fc3d44593bc782b47a7858ef2c7961c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z3315527.exe

Filesize
373KB

MD5
49ee56e7adea9bb78aaccb70fcbfccf6

SHA1
d094c04363b8b0dcf9ae6d0b695e407b0a496780

SHA256
b65d2a0446a567efb124fd6e6cad3a3494b3f7a84156fc0cf700f2316d7dc0b5

SHA512
5939d53ededf2b57de14d73d392a2d5da57628ae2de778df4b3a46b0bc0943d9a04c89a4fd8a0df4f26824a56eb783863fc3d44593bc782b47a7858ef2c7961c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1685491.exe

Filesize
174KB

MD5
9fadad2f7f0f39b1c9f0f5bb93ddf7b6

SHA1
ba80c33c855e3f73ec71dd35afb905eab4aee6e6

SHA256
7969d274f97e0de72255930a58edf308b856e30efd969ca359e0a96efe18de10

SHA512
053c966914220db1c33766c9612c9d57d418c47c5cc71c1813ed3e88958c2d8b5f0a9533bd95bbd75631f6e4174d1eda8976479de1bda4d58e5ebd64b9c82837

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1685491.exe

Filesize
174KB

MD5
9fadad2f7f0f39b1c9f0f5bb93ddf7b6

SHA1
ba80c33c855e3f73ec71dd35afb905eab4aee6e6

SHA256
7969d274f97e0de72255930a58edf308b856e30efd969ca359e0a96efe18de10

SHA512
053c966914220db1c33766c9612c9d57d418c47c5cc71c1813ed3e88958c2d8b5f0a9533bd95bbd75631f6e4174d1eda8976479de1bda4d58e5ebd64b9c82837

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6458524.exe

Filesize
217KB

MD5
116c505fb0766202afd99aea36125268

SHA1
ce0653badd795178d7abdc1b744189a4fa188adf

SHA256
348331d4b436ad036bf11fde5d77c2bebe49e8fb90250c0d8e915c1d2c2a465c

SHA512
09b6a66f986f8b299ac604d85954dc84b97edcc48f0f7755f3022c844ae2567e0c87e6cb5a1a04339c950db529922ad00f76e4cb5c8b0b47c9b5902a226670ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6458524.exe

Filesize
217KB

MD5
116c505fb0766202afd99aea36125268

SHA1
ce0653badd795178d7abdc1b744189a4fa188adf

SHA256
348331d4b436ad036bf11fde5d77c2bebe49e8fb90250c0d8e915c1d2c2a465c

SHA512
09b6a66f986f8b299ac604d85954dc84b97edcc48f0f7755f3022c844ae2567e0c87e6cb5a1a04339c950db529922ad00f76e4cb5c8b0b47c9b5902a226670ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8859337.exe

Filesize
19KB

MD5
88c44c0b1ca607871e6008284a6b94fb

SHA1
c02c141c75c05ecdf9f4c0b2741c249cca1f4607

SHA256
0f8fe731eab85133de5a6b60329235aca4c32edbc6dedbf301588b59ce3d4820

SHA512
848fc54544708ff54482671e546d7c96963f117f7f1cb637f4a3435b59c5a14574abc18ad4d19e93470a085aabb7236d3dfc14b0b967abc445682dd8be9d0639

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8859337.exe

Filesize
19KB

MD5
88c44c0b1ca607871e6008284a6b94fb

SHA1
c02c141c75c05ecdf9f4c0b2741c249cca1f4607

SHA256
0f8fe731eab85133de5a6b60329235aca4c32edbc6dedbf301588b59ce3d4820

SHA512
848fc54544708ff54482671e546d7c96963f117f7f1cb637f4a3435b59c5a14574abc18ad4d19e93470a085aabb7236d3dfc14b0b967abc445682dd8be9d0639

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3463119.exe

Filesize
140KB

MD5
40ac7ef0e18b8d48f522c1c72956a1af

SHA1
f8121e23456c73e96c238ea9b4e5baaa6679056b

SHA256
2a0816a9f336265076d6843b950facdc67d5e3f1a15cfd6e208c8358ba22b4c4

SHA512
d47b3ca1435674917018d2856854d9c2b6e49e4257bf303a762a3b2bc5e47aa22942bf82eb8409af0c0fa03b28307a647a4d442b6d51813ccacd31e5e3a146e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3463119.exe

Filesize
140KB

MD5
40ac7ef0e18b8d48f522c1c72956a1af

SHA1
f8121e23456c73e96c238ea9b4e5baaa6679056b

SHA256
2a0816a9f336265076d6843b950facdc67d5e3f1a15cfd6e208c8358ba22b4c4

SHA512
d47b3ca1435674917018d2856854d9c2b6e49e4257bf303a762a3b2bc5e47aa22942bf82eb8409af0c0fa03b28307a647a4d442b6d51813ccacd31e5e3a146e0

Download Submit
memory/1896-46-0x0000000073830000-0x0000000073F1E000-memory.dmp

Filesize
6.9MB

Download
memory/1896-45-0x0000000000FB0000-0x0000000000FE0000-memory.dmp

Filesize
192KB

Download
memory/1896-47-0x0000000003130000-0x0000000003136000-memory.dmp

Filesize
24KB

Download
memory/1896-48-0x000000000B270000-0x000000000B876000-memory.dmp

Filesize
6.0MB

Download
memory/1896-49-0x000000000ADC0000-0x000000000AECA000-memory.dmp

Filesize
1.0MB

Download
memory/1896-50-0x000000000ACF0000-0x000000000AD02000-memory.dmp

Filesize
72KB

Download
memory/1896-51-0x000000000AD50000-0x000000000AD8E000-memory.dmp

Filesize
248KB

Download
memory/1896-52-0x000000000AED0000-0x000000000AF1B000-memory.dmp

Filesize
300KB

Download
memory/1896-53-0x0000000073830000-0x0000000073F1E000-memory.dmp

Filesize
6.9MB

Download
memory/3284-38-0x00007FF9001D0000-0x00007FF900BBC000-memory.dmp

Filesize
9.9MB

Download
memory/3284-36-0x00007FF9001D0000-0x00007FF900BBC000-memory.dmp

Filesize
9.9MB

Download
memory/3284-35-0x0000000000FB0000-0x0000000000FBA000-memory.dmp

Filesize
40KB

Download