healer | d262b08c1fe1cc7489726d06c9b7b8a53ef8ce2d31d71d529df258f68f5bf199

Analysis

max time kernel
145s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
02/09/2023, 02:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d262b08c1fe1cc7489726d06c9b7b8a53ef8ce2d31d71d529df258f68f5bf199.exe
Size

829KB
MD5

921c0feb0e0ccde61669ff0e47ceb183
SHA1

a66cc3f66f8972384303dc1b6986713590525ee7
SHA256

d262b08c1fe1cc7489726d06c9b7b8a53ef8ce2d31d71d529df258f68f5bf199
SHA512

77f81acdb72dd009e2404f24d08686d0842bc9f8b40a6b2646859e2d0bf5ca75bde30cc082fce5140a4b4adbd19a801bbd27c7a01080997a78e95cd342870263
SSDEEP

24576:PyMZSkoBOkZtEuzfmrP5KEbm/CgibxHr6yX:aVko6h5KEbm6gib56y

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af9b-33.dat	healer
behavioral1/files/0x000700000001af9b-34.dat	healer
behavioral1/memory/5004-35-0x0000000000EE0000-0x0000000000EEA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0315859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0315859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0315859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0315859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0315859.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4968	v5731514.exe
4568	v9789597.exe
1048	v6175597.exe
212	v8737474.exe
5004	a0315859.exe
2100	b5001713.exe
4588	c0855522.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0315859.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d262b08c1fe1cc7489726d06c9b7b8a53ef8ce2d31d71d529df258f68f5bf199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5731514.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9789597.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6175597.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8737474.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5004	a0315859.exe
5004	a0315859.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	a0315859.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2608 wrote to memory of 4968	2608	d262b08c1fe1cc7489726d06c9b7b8a53ef8ce2d31d71d529df258f68f5bf199.exe	70
PID 2608 wrote to memory of 4968	2608	d262b08c1fe1cc7489726d06c9b7b8a53ef8ce2d31d71d529df258f68f5bf199.exe	70
PID 2608 wrote to memory of 4968	2608	d262b08c1fe1cc7489726d06c9b7b8a53ef8ce2d31d71d529df258f68f5bf199.exe	70
PID 4968 wrote to memory of 4568	4968	v5731514.exe	71
PID 4968 wrote to memory of 4568	4968	v5731514.exe	71
PID 4968 wrote to memory of 4568	4968	v5731514.exe	71
PID 4568 wrote to memory of 1048	4568	v9789597.exe	72
PID 4568 wrote to memory of 1048	4568	v9789597.exe	72
PID 4568 wrote to memory of 1048	4568	v9789597.exe	72
PID 1048 wrote to memory of 212	1048	v6175597.exe	73
PID 1048 wrote to memory of 212	1048	v6175597.exe	73
PID 1048 wrote to memory of 212	1048	v6175597.exe	73
PID 212 wrote to memory of 5004	212	v8737474.exe	74
PID 212 wrote to memory of 5004	212	v8737474.exe	74
PID 212 wrote to memory of 2100	212	v8737474.exe	75
PID 212 wrote to memory of 2100	212	v8737474.exe	75
PID 212 wrote to memory of 2100	212	v8737474.exe	75
PID 1048 wrote to memory of 4588	1048	v6175597.exe	76
PID 1048 wrote to memory of 4588	1048	v6175597.exe	76
PID 1048 wrote to memory of 4588	1048	v6175597.exe	76

C:\Users\Admin\AppData\Local\Temp\d262b08c1fe1cc7489726d06c9b7b8a53ef8ce2d31d71d529df258f68f5bf199.exe
"C:\Users\Admin\AppData\Local\Temp\d262b08c1fe1cc7489726d06c9b7b8a53ef8ce2d31d71d529df258f68f5bf199.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2608
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5731514.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5731514.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9789597.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9789597.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6175597.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6175597.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8737474.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8737474.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:212
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0315859.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0315859.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5001713.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5001713.exe
        6⤵
        Executes dropped EXE
        
        PID:2100
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0855522.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0855522.exe
        5⤵
        Executes dropped EXE
        
        PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5731514.exe

Filesize
723KB

MD5
ce2c5c4f3cedb42ea7a07109d6beaafa

SHA1
d9b2d913ba113608d4c4152262d2bea2f5df5edc

SHA256
62206c4426825d01785875c60eea837d1d4332b7d51ceb8a5777d23d9520bba8

SHA512
10ef29b699aac9856974729396c95d22a3c2c06f3596ad0e213d5acc12ea91b3afcb860a3d4002846eca420f444d9ad3b2dd97d05af9d0755d97448759bcc1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5731514.exe

Filesize
723KB

MD5
ce2c5c4f3cedb42ea7a07109d6beaafa

SHA1
d9b2d913ba113608d4c4152262d2bea2f5df5edc

SHA256
62206c4426825d01785875c60eea837d1d4332b7d51ceb8a5777d23d9520bba8

SHA512
10ef29b699aac9856974729396c95d22a3c2c06f3596ad0e213d5acc12ea91b3afcb860a3d4002846eca420f444d9ad3b2dd97d05af9d0755d97448759bcc1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9789597.exe

Filesize
497KB

MD5
355d7d079fef0b8bfb0b645394515bed

SHA1
8b82b214fe7ee0096c65f5e0b295a30a1301692f

SHA256
d3219602fd29f6487a7f18ca5493cd50e00814f8d5db5d2357e049067c5c6718

SHA512
f2f8575a8e9577593fe32e2c872d07b1c6002215102a3068b2a5fe642be46bd822822856a151d19b1bae71e96d5763a28e05b330985c3550f827f210991f831d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9789597.exe

Filesize
497KB

MD5
355d7d079fef0b8bfb0b645394515bed

SHA1
8b82b214fe7ee0096c65f5e0b295a30a1301692f

SHA256
d3219602fd29f6487a7f18ca5493cd50e00814f8d5db5d2357e049067c5c6718

SHA512
f2f8575a8e9577593fe32e2c872d07b1c6002215102a3068b2a5fe642be46bd822822856a151d19b1bae71e96d5763a28e05b330985c3550f827f210991f831d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6175597.exe

Filesize
373KB

MD5
13821043d2c233f099b71b585e9b5c98

SHA1
4acdd841b68aaea94712f4c65ba6b1fc49e36781

SHA256
0cac1bd1ac52e0c83b153ba6a58bae391e2428c10f3f8b9a1d94f074d4e1061f

SHA512
80c2438d910ad62b7898eaa37c3e733fb42c08bead3f1ceb3cb1b844e9ca9d3e91aef389ff508a0ac969a2cb9a98e240b350c6164912a6864858bb6680fbda18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6175597.exe

Filesize
373KB

MD5
13821043d2c233f099b71b585e9b5c98

SHA1
4acdd841b68aaea94712f4c65ba6b1fc49e36781

SHA256
0cac1bd1ac52e0c83b153ba6a58bae391e2428c10f3f8b9a1d94f074d4e1061f

SHA512
80c2438d910ad62b7898eaa37c3e733fb42c08bead3f1ceb3cb1b844e9ca9d3e91aef389ff508a0ac969a2cb9a98e240b350c6164912a6864858bb6680fbda18

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0855522.exe

Filesize
174KB

MD5
788f0e04263edb13e0635be5e47d09df

SHA1
327560b63d73d4fe7fe7c64362b8c90743071a41

SHA256
fa67891524d20908df1a4d4190b8711eed377e603e10205883975ece0b3d93ea

SHA512
217a126dfbff9a9a9d4a3120657b6321b372658468c8f305232290222e58af28ddaa484f999caad64158a4e3a89897b602e0b43cbb88a3766a8f8cea614a7fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0855522.exe

Filesize
174KB

MD5
788f0e04263edb13e0635be5e47d09df

SHA1
327560b63d73d4fe7fe7c64362b8c90743071a41

SHA256
fa67891524d20908df1a4d4190b8711eed377e603e10205883975ece0b3d93ea

SHA512
217a126dfbff9a9a9d4a3120657b6321b372658468c8f305232290222e58af28ddaa484f999caad64158a4e3a89897b602e0b43cbb88a3766a8f8cea614a7fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8737474.exe

Filesize
217KB

MD5
7b8b652839d1594273fc580a7047bf98

SHA1
dc3e86a943b647af9136133b769be3d7aeeb5d13

SHA256
16877d92e86d2387da09912e800f93678c839b3c4c2bd290f1e8fb6b2a912628

SHA512
ce3488a4c5f341786d722c3799cbeb0c319edb6322ac0bd92bbb23c423440d511e61293ffea4a444e5235418943cbe69350850789e825fe8224af4cc065f25ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8737474.exe

Filesize
217KB

MD5
7b8b652839d1594273fc580a7047bf98

SHA1
dc3e86a943b647af9136133b769be3d7aeeb5d13

SHA256
16877d92e86d2387da09912e800f93678c839b3c4c2bd290f1e8fb6b2a912628

SHA512
ce3488a4c5f341786d722c3799cbeb0c319edb6322ac0bd92bbb23c423440d511e61293ffea4a444e5235418943cbe69350850789e825fe8224af4cc065f25ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0315859.exe

Filesize
19KB

MD5
570fd13a708501a17414061b7c4cfd1c

SHA1
e295ce97bda2d4f8e1a77f7a107d075252d5a286

SHA256
bf9203b924cbe7ffcb321d520c8d6f943f6e4ec6a90fa21c15630d71b37d361d

SHA512
b772e4f6a2eba40a11a9ed104a2959578413821a2aebf9ce5df09769bf9ac587209e3a19a7795aeec602e7e1c619c4cf7e6b67811203762a2ee2e91de5be9119

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0315859.exe

Filesize
19KB

MD5
570fd13a708501a17414061b7c4cfd1c

SHA1
e295ce97bda2d4f8e1a77f7a107d075252d5a286

SHA256
bf9203b924cbe7ffcb321d520c8d6f943f6e4ec6a90fa21c15630d71b37d361d

SHA512
b772e4f6a2eba40a11a9ed104a2959578413821a2aebf9ce5df09769bf9ac587209e3a19a7795aeec602e7e1c619c4cf7e6b67811203762a2ee2e91de5be9119

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5001713.exe

Filesize
140KB

MD5
4947a55b5b4c14f0620c599a2689174b

SHA1
702748e7b904146d372fe5023ef480c9a09135e3

SHA256
14a6624d8bca334995d4ce93f2c7241aefa3354c0e1bf277c1864a4e21299609

SHA512
a0e514f84cbfa06af2f3f2410267c20f42bc2544474b90b8ed4a2768aa1b31a9a44bd924fd81057ebb943a0bd6e563f19962c32504c84dc5558ed5e8a8e1f217

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5001713.exe

Filesize
140KB

MD5
4947a55b5b4c14f0620c599a2689174b

SHA1
702748e7b904146d372fe5023ef480c9a09135e3

SHA256
14a6624d8bca334995d4ce93f2c7241aefa3354c0e1bf277c1864a4e21299609

SHA512
a0e514f84cbfa06af2f3f2410267c20f42bc2544474b90b8ed4a2768aa1b31a9a44bd924fd81057ebb943a0bd6e563f19962c32504c84dc5558ed5e8a8e1f217

Download Submit
memory/4588-45-0x0000000000EE0000-0x0000000000F10000-memory.dmp

Filesize
192KB

Download
memory/4588-46-0x0000000072EF0000-0x00000000735DE000-memory.dmp

Filesize
6.9MB

Download
memory/4588-47-0x00000000056A0000-0x00000000056A6000-memory.dmp

Filesize
24KB

Download
memory/4588-48-0x000000000B1B0000-0x000000000B7B6000-memory.dmp

Filesize
6.0MB

Download
memory/4588-49-0x000000000ACF0000-0x000000000ADFA000-memory.dmp

Filesize
1.0MB

Download
memory/4588-50-0x000000000AC20000-0x000000000AC32000-memory.dmp

Filesize
72KB

Download
memory/4588-51-0x000000000AC80000-0x000000000ACBE000-memory.dmp

Filesize
248KB

Download
memory/4588-52-0x000000000AE00000-0x000000000AE4B000-memory.dmp

Filesize
300KB

Download
memory/4588-53-0x0000000072EF0000-0x00000000735DE000-memory.dmp

Filesize
6.9MB

Download
memory/5004-38-0x00007FFCF8640000-0x00007FFCF902C000-memory.dmp

Filesize
9.9MB

Download
memory/5004-36-0x00007FFCF8640000-0x00007FFCF902C000-memory.dmp

Filesize
9.9MB

Download
memory/5004-35-0x0000000000EE0000-0x0000000000EEA000-memory.dmp

Filesize
40KB

Download