healer | c02e4d980362e5e0510721c418f4c6e19978bdcf04b23b27a11f1577392af959

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 00:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c02e4d980362e5e0510721c418f4c6e19978bdcf04b23b27a11f1577392af959.exe
Size

830KB
MD5

9323ad6268a8e86a53622a65f8d17c73
SHA1

1fa295ac42da8b69aaf0f26f478d66b148e0eb25
SHA256

c02e4d980362e5e0510721c418f4c6e19978bdcf04b23b27a11f1577392af959
SHA512

73958045691e937ae9a256bfef89998493a0f9b80cd0c59e848be84428585278b976133bbc6f8aee753127ca562b93c6fc8d15339b7ddeef515728611b7b32e4
SSDEEP

12288:IMr+y90ezBxoD4Es4kQUnmMI7q9SR+HddYBTkIqK2mJWX8/S77oRk+XKn7Jy:Wy3xoDkRo7jR+sOcvW8/S7EhXM7w

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000231d5-33.dat	healer
behavioral1/files/0x00080000000231d5-34.dat	healer
behavioral1/memory/3728-35-0x00000000000E0000-0x00000000000EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0542295.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0542295.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0542295.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0542295.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0542295.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0542295.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2976	v2006509.exe
4468	v0129446.exe
3696	v2092401.exe
3888	v2396258.exe
3728	a0542295.exe
1752	b0557382.exe
2492	c9284779.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0542295.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c02e4d980362e5e0510721c418f4c6e19978bdcf04b23b27a11f1577392af959.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2006509.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0129446.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2092401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2396258.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3728	a0542295.exe
3728	a0542295.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3728	a0542295.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 2976	3512	c02e4d980362e5e0510721c418f4c6e19978bdcf04b23b27a11f1577392af959.exe	84
PID 3512 wrote to memory of 2976	3512	c02e4d980362e5e0510721c418f4c6e19978bdcf04b23b27a11f1577392af959.exe	84
PID 3512 wrote to memory of 2976	3512	c02e4d980362e5e0510721c418f4c6e19978bdcf04b23b27a11f1577392af959.exe	84
PID 2976 wrote to memory of 4468	2976	v2006509.exe	86
PID 2976 wrote to memory of 4468	2976	v2006509.exe	86
PID 2976 wrote to memory of 4468	2976	v2006509.exe	86
PID 4468 wrote to memory of 3696	4468	v0129446.exe	87
PID 4468 wrote to memory of 3696	4468	v0129446.exe	87
PID 4468 wrote to memory of 3696	4468	v0129446.exe	87
PID 3696 wrote to memory of 3888	3696	v2092401.exe	88
PID 3696 wrote to memory of 3888	3696	v2092401.exe	88
PID 3696 wrote to memory of 3888	3696	v2092401.exe	88
PID 3888 wrote to memory of 3728	3888	v2396258.exe	89
PID 3888 wrote to memory of 3728	3888	v2396258.exe	89
PID 3888 wrote to memory of 1752	3888	v2396258.exe	92
PID 3888 wrote to memory of 1752	3888	v2396258.exe	92
PID 3888 wrote to memory of 1752	3888	v2396258.exe	92
PID 3696 wrote to memory of 2492	3696	v2092401.exe	95
PID 3696 wrote to memory of 2492	3696	v2092401.exe	95
PID 3696 wrote to memory of 2492	3696	v2092401.exe	95

C:\Users\Admin\AppData\Local\Temp\c02e4d980362e5e0510721c418f4c6e19978bdcf04b23b27a11f1577392af959.exe
"C:\Users\Admin\AppData\Local\Temp\c02e4d980362e5e0510721c418f4c6e19978bdcf04b23b27a11f1577392af959.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2006509.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2006509.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0129446.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0129446.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2092401.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2092401.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2396258.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2396258.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3888
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0542295.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0542295.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0557382.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0557382.exe
        6⤵
        Executes dropped EXE
        
        PID:1752
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9284779.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9284779.exe
        5⤵
        Executes dropped EXE
        
        PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2006509.exe

Filesize
724KB

MD5
07527e417908543284c86b72fd5f01b4

SHA1
9b9d198313bf1b729bc78fd05549aa9d8eae408a

SHA256
7026f1999855c143e46b61c82af7a6a2bc0e2e5bfd984e2a032623089c1211bd

SHA512
608e46219fd08170908258dc279bf81db5602c2988af08cdaa3da3f3cd7957f1026e8298514f1a439ed1655488728bffe33889bc0489087d48ad67b0660d8dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2006509.exe

Filesize
724KB

MD5
07527e417908543284c86b72fd5f01b4

SHA1
9b9d198313bf1b729bc78fd05549aa9d8eae408a

SHA256
7026f1999855c143e46b61c82af7a6a2bc0e2e5bfd984e2a032623089c1211bd

SHA512
608e46219fd08170908258dc279bf81db5602c2988af08cdaa3da3f3cd7957f1026e8298514f1a439ed1655488728bffe33889bc0489087d48ad67b0660d8dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0129446.exe

Filesize
498KB

MD5
8ceb7ace4943c30ddfdd440304c682ae

SHA1
1b006257ed80444831befc5adbb6ec8919e5fbcd

SHA256
6f0e284e461aedfd3f5da9ed2cfe7b661c2a4a28800dfe4bff24e6c601af3b6f

SHA512
e47b86ac59fd3ff3fd1a1f9c1b33f193070e5d2f41a92fa33eed45e282e5abec9acd55fb90434fee4bacb85caf73fdfd359020a93a724fe4017e790eeb638f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0129446.exe

Filesize
498KB

MD5
8ceb7ace4943c30ddfdd440304c682ae

SHA1
1b006257ed80444831befc5adbb6ec8919e5fbcd

SHA256
6f0e284e461aedfd3f5da9ed2cfe7b661c2a4a28800dfe4bff24e6c601af3b6f

SHA512
e47b86ac59fd3ff3fd1a1f9c1b33f193070e5d2f41a92fa33eed45e282e5abec9acd55fb90434fee4bacb85caf73fdfd359020a93a724fe4017e790eeb638f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2092401.exe

Filesize
373KB

MD5
52abfaf84bdb2bf3331ab192f1ab8e25

SHA1
e49623f00513d97c228a6fb4c08282962c85126b

SHA256
f6be2e844246ccd71d8a01d021d6a0dee4ec536ee008a68f5c6041c19a42fcc3

SHA512
7351ec29128dd04aa508fcc41e74df2435c2e19673459ac48f674e4959943d132d6f72b842b60b99d78d45a2f27d5c6518d952ddad709bdf9bc78abdec5efd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2092401.exe

Filesize
373KB

MD5
52abfaf84bdb2bf3331ab192f1ab8e25

SHA1
e49623f00513d97c228a6fb4c08282962c85126b

SHA256
f6be2e844246ccd71d8a01d021d6a0dee4ec536ee008a68f5c6041c19a42fcc3

SHA512
7351ec29128dd04aa508fcc41e74df2435c2e19673459ac48f674e4959943d132d6f72b842b60b99d78d45a2f27d5c6518d952ddad709bdf9bc78abdec5efd19

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9284779.exe

Filesize
174KB

MD5
59f6986bec3238e617b2d4d661a1fb5d

SHA1
237f96ad1840fdb7890fc878bf7e44821274e89a

SHA256
0227ca5bd796f6394bfaca4eb1405acf3a41295f919d2856dc04c9b2d03b9a09

SHA512
b9f99cde0e047b118e26181f9be301a4db35a7414dc6c958038208bd8c9234c2f6b8280ed9defec994e022ac43ecc4d761137266b293c91645121c784727a5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9284779.exe

Filesize
174KB

MD5
59f6986bec3238e617b2d4d661a1fb5d

SHA1
237f96ad1840fdb7890fc878bf7e44821274e89a

SHA256
0227ca5bd796f6394bfaca4eb1405acf3a41295f919d2856dc04c9b2d03b9a09

SHA512
b9f99cde0e047b118e26181f9be301a4db35a7414dc6c958038208bd8c9234c2f6b8280ed9defec994e022ac43ecc4d761137266b293c91645121c784727a5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2396258.exe

Filesize
217KB

MD5
5577fb07644f5818a76b7ba4defd2ca3

SHA1
b6df781255d9721958b24af67bcb375090b55de0

SHA256
66969547b196475ff172b414a5732fa2cbbadc6871b5bf103f5b4108fb24f654

SHA512
73d6d4d2ae529df325f046caf0b5a08bec6bd39f2f4c68711c18d5845eaf5ec5d3d3b00eb0bad502e26aa1dbf3d2a3b4d8286b85a6057e37f30fb9ce270f06a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2396258.exe

Filesize
217KB

MD5
5577fb07644f5818a76b7ba4defd2ca3

SHA1
b6df781255d9721958b24af67bcb375090b55de0

SHA256
66969547b196475ff172b414a5732fa2cbbadc6871b5bf103f5b4108fb24f654

SHA512
73d6d4d2ae529df325f046caf0b5a08bec6bd39f2f4c68711c18d5845eaf5ec5d3d3b00eb0bad502e26aa1dbf3d2a3b4d8286b85a6057e37f30fb9ce270f06a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0542295.exe

Filesize
19KB

MD5
e6ac6a4654d417f641f04858667bb452

SHA1
be5902427c1c5edf4ba181eb1f96af6b31dcc32c

SHA256
a650e880ac0949f2d27c4c9201c97d261c50905ed1b50ca250edd46f1f173bff

SHA512
c6319423d8d5b7ea89d486162c74516a4544b692c1498245400a2eb8d2bde23032c8e7c41cfaca25153225531828c3b082fc204379fec11dd2650663a87b4e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0542295.exe

Filesize
19KB

MD5
e6ac6a4654d417f641f04858667bb452

SHA1
be5902427c1c5edf4ba181eb1f96af6b31dcc32c

SHA256
a650e880ac0949f2d27c4c9201c97d261c50905ed1b50ca250edd46f1f173bff

SHA512
c6319423d8d5b7ea89d486162c74516a4544b692c1498245400a2eb8d2bde23032c8e7c41cfaca25153225531828c3b082fc204379fec11dd2650663a87b4e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0557382.exe

Filesize
140KB

MD5
3fbde4f11c584c9d01e6f10ca4f16911

SHA1
50c46a64d5320f6cd45d8d7a996921adb02519b5

SHA256
3e2fda890afcfe21a0db2a8e05d70c70407e3cf809642b039b92266ab8972b64

SHA512
c0819beaf91aa4dc27df0910e6d1f05368bab333775677a3e0f0f5ce12ac465eaa79f5a6099af866f0603a4ce0ef4a900a3247dcda51bd277711959198f67fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0557382.exe

Filesize
140KB

MD5
3fbde4f11c584c9d01e6f10ca4f16911

SHA1
50c46a64d5320f6cd45d8d7a996921adb02519b5

SHA256
3e2fda890afcfe21a0db2a8e05d70c70407e3cf809642b039b92266ab8972b64

SHA512
c0819beaf91aa4dc27df0910e6d1f05368bab333775677a3e0f0f5ce12ac465eaa79f5a6099af866f0603a4ce0ef4a900a3247dcda51bd277711959198f67fa1

Download Submit
memory/2492-46-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/2492-45-0x00000000002E0000-0x0000000000310000-memory.dmp

Filesize
192KB

Download
memory/2492-47-0x000000000A610000-0x000000000AC28000-memory.dmp

Filesize
6.1MB

Download
memory/2492-48-0x000000000A150000-0x000000000A25A000-memory.dmp

Filesize
1.0MB

Download
memory/2492-49-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2492-50-0x000000000A090000-0x000000000A0A2000-memory.dmp

Filesize
72KB

Download
memory/2492-51-0x000000000A0F0000-0x000000000A12C000-memory.dmp

Filesize
240KB

Download
memory/2492-52-0x0000000074570000-0x0000000074D20000-memory.dmp

Filesize
7.7MB

Download
memory/2492-53-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/3728-38-0x00007FFB5F830000-0x00007FFB602F1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-36-0x00007FFB5F830000-0x00007FFB602F1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-35-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download