healer | 73b22f502e13421b0e4c73bd912e0428b9f5784164584d749895a639b2b8cc01

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73b22f502e13421b0e4c73bd912e0428b9f5784164584d749895a639b2b8cc01.exe
Size

829KB
MD5

f20519ef1d14b83bc9b09a97f1486ea1
SHA1

bcd50b06605bae10eec353894bf4e9536b73b508
SHA256

73b22f502e13421b0e4c73bd912e0428b9f5784164584d749895a639b2b8cc01
SHA512

19f5feaf6e328e6475dfef5caa3998f5f61e622c609da58e399724c2069bb40c458ba9e0cd66533c557f4e1cfb75efe90f88e65e1c92be0ec29c0eb3b92cdef2
SSDEEP

12288:UMrNy90iDTO0tPj1vSG7jIgKYdUL6HNdx9kEV9pW2TpHkFhcW9JbEZZlWUcDg:hyndjNSFVYdUmtdx6SpW6HIX9aZZl1

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023280-33.dat	healer
behavioral1/files/0x0009000000023280-34.dat	healer
behavioral1/memory/3188-35-0x00000000001B0000-0x00000000001BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2303374.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2303374.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2303374.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2303374.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2303374.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2303374.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
392	v1588285.exe
3452	v9672177.exe
4624	v5759741.exe
1528	v1082270.exe
3188	a2303374.exe
4996	b9808321.exe
2684	c2084317.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2303374.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	73b22f502e13421b0e4c73bd912e0428b9f5784164584d749895a639b2b8cc01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1588285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9672177.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5759741.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1082270.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3188	a2303374.exe
3188	a2303374.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3188	a2303374.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 392	1124	73b22f502e13421b0e4c73bd912e0428b9f5784164584d749895a639b2b8cc01.exe	86
PID 1124 wrote to memory of 392	1124	73b22f502e13421b0e4c73bd912e0428b9f5784164584d749895a639b2b8cc01.exe	86
PID 1124 wrote to memory of 392	1124	73b22f502e13421b0e4c73bd912e0428b9f5784164584d749895a639b2b8cc01.exe	86
PID 392 wrote to memory of 3452	392	v1588285.exe	87
PID 392 wrote to memory of 3452	392	v1588285.exe	87
PID 392 wrote to memory of 3452	392	v1588285.exe	87
PID 3452 wrote to memory of 4624	3452	v9672177.exe	89
PID 3452 wrote to memory of 4624	3452	v9672177.exe	89
PID 3452 wrote to memory of 4624	3452	v9672177.exe	89
PID 4624 wrote to memory of 1528	4624	v5759741.exe	90
PID 4624 wrote to memory of 1528	4624	v5759741.exe	90
PID 4624 wrote to memory of 1528	4624	v5759741.exe	90
PID 1528 wrote to memory of 3188	1528	v1082270.exe	91
PID 1528 wrote to memory of 3188	1528	v1082270.exe	91
PID 1528 wrote to memory of 4996	1528	v1082270.exe	92
PID 1528 wrote to memory of 4996	1528	v1082270.exe	92
PID 1528 wrote to memory of 4996	1528	v1082270.exe	92
PID 4624 wrote to memory of 2684	4624	v5759741.exe	93
PID 4624 wrote to memory of 2684	4624	v5759741.exe	93
PID 4624 wrote to memory of 2684	4624	v5759741.exe	93

C:\Users\Admin\AppData\Local\Temp\73b22f502e13421b0e4c73bd912e0428b9f5784164584d749895a639b2b8cc01.exe
"C:\Users\Admin\AppData\Local\Temp\73b22f502e13421b0e4c73bd912e0428b9f5784164584d749895a639b2b8cc01.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1588285.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1588285.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9672177.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9672177.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5759741.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5759741.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1082270.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1082270.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2303374.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2303374.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9808321.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9808321.exe
        6⤵
        Executes dropped EXE
        
        PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2084317.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2084317.exe
        5⤵
        Executes dropped EXE
        
        PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1588285.exe

Filesize
724KB

MD5
0a41cf5e3a54b6c6e19e58919fef3b56

SHA1
057dd5bff4518477da6a2e20dc575530d2b73d36

SHA256
941a11059e517facc865c4f62af9f15cc337b615d6de0e14914dfae2c36631f7

SHA512
ac941979be447184186c9bfad19aae0a5a18edcf4233276090f49f407cafe994a3eca713ea779f4d6433a81af5525a99d17d92096d5d82bc4ff3dee52d3a4d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1588285.exe

Filesize
724KB

MD5
0a41cf5e3a54b6c6e19e58919fef3b56

SHA1
057dd5bff4518477da6a2e20dc575530d2b73d36

SHA256
941a11059e517facc865c4f62af9f15cc337b615d6de0e14914dfae2c36631f7

SHA512
ac941979be447184186c9bfad19aae0a5a18edcf4233276090f49f407cafe994a3eca713ea779f4d6433a81af5525a99d17d92096d5d82bc4ff3dee52d3a4d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9672177.exe

Filesize
498KB

MD5
35a0a32412f0bc91917a531e517311d5

SHA1
f728f59b1b95d2a911130153b5ccc64b20c4e3d9

SHA256
1f9551658ae13ca0b5fc8b1038c103e297fb19cb8bccfc540a51845ca8288fcc

SHA512
63cabf5ca2c14144db7936a99c9d1210ab042b302320e90574282e9fd4259457b2a725dbd506f1c5b09a9b56e77c249876f227939f7f299c7287ed18cd1dcf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9672177.exe

Filesize
498KB

MD5
35a0a32412f0bc91917a531e517311d5

SHA1
f728f59b1b95d2a911130153b5ccc64b20c4e3d9

SHA256
1f9551658ae13ca0b5fc8b1038c103e297fb19cb8bccfc540a51845ca8288fcc

SHA512
63cabf5ca2c14144db7936a99c9d1210ab042b302320e90574282e9fd4259457b2a725dbd506f1c5b09a9b56e77c249876f227939f7f299c7287ed18cd1dcf01

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5759741.exe

Filesize
373KB

MD5
c7a7148c516893b3e69a79640ebad604

SHA1
2c86771b782956d880bedfa4242ffa799517e50c

SHA256
d0c4b05c89b81bf8b6bb592f0572899557f71ed175dfa0b2482fb223d5d4950c

SHA512
e236e8bc815505a7a84fba1b2770b58834a77eef8fea089f2163e3eb77c8ba1b77d3a8275a5a28395de394d4c45770f6a92ba68774a8a050265a58d0036b3989

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5759741.exe

Filesize
373KB

MD5
c7a7148c516893b3e69a79640ebad604

SHA1
2c86771b782956d880bedfa4242ffa799517e50c

SHA256
d0c4b05c89b81bf8b6bb592f0572899557f71ed175dfa0b2482fb223d5d4950c

SHA512
e236e8bc815505a7a84fba1b2770b58834a77eef8fea089f2163e3eb77c8ba1b77d3a8275a5a28395de394d4c45770f6a92ba68774a8a050265a58d0036b3989

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2084317.exe

Filesize
174KB

MD5
454d79e90acf7ed530e6e32faad26870

SHA1
5e402f2d2bed86011ab0342c1e53d9235bff02cf

SHA256
7e383148c49d8e0f18d964db7fa9c5a1db3b712b635b28a9b2cad75278ec7870

SHA512
42a906bc1aa30da6ae16e05cd4c66a14ef407ee84e4235db12208c0e2d9cf7303d019b7d704f77bd811969e0a80605518de6e6f1de6305e541f694296d932e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2084317.exe

Filesize
174KB

MD5
454d79e90acf7ed530e6e32faad26870

SHA1
5e402f2d2bed86011ab0342c1e53d9235bff02cf

SHA256
7e383148c49d8e0f18d964db7fa9c5a1db3b712b635b28a9b2cad75278ec7870

SHA512
42a906bc1aa30da6ae16e05cd4c66a14ef407ee84e4235db12208c0e2d9cf7303d019b7d704f77bd811969e0a80605518de6e6f1de6305e541f694296d932e51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1082270.exe

Filesize
217KB

MD5
42d6ed648bb37bda5bf1b54c355dbd5a

SHA1
d3e5ed36cd34d96e1bee83d10ac3c22f4c55607f

SHA256
2ca2693de6c440b0d12638f5761e2e169880e43fa90b37be5141bfeda05a378c

SHA512
85cf98be0b8d9de3f83b66c25faabd28ca5b0310e2799a006e6b9ab9b27f49865c5be50d470ed9759c90151e19cd3b7634fa111008606f3da1dd44721ed3d43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1082270.exe

Filesize
217KB

MD5
42d6ed648bb37bda5bf1b54c355dbd5a

SHA1
d3e5ed36cd34d96e1bee83d10ac3c22f4c55607f

SHA256
2ca2693de6c440b0d12638f5761e2e169880e43fa90b37be5141bfeda05a378c

SHA512
85cf98be0b8d9de3f83b66c25faabd28ca5b0310e2799a006e6b9ab9b27f49865c5be50d470ed9759c90151e19cd3b7634fa111008606f3da1dd44721ed3d43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2303374.exe

Filesize
19KB

MD5
8381497f5ba9fae6ec5388cb66b061d4

SHA1
c5db1d26afd609c5629973d912000d5981b02e04

SHA256
90d4f5f0e55a435ba536afc611cac5ee3acbfc4c48c61c6c548076201371c6a2

SHA512
1a43ab770c8d6bcd6683e210d3693f107d90f2e92458e946786cd303e94354e18dd8ccf1d406b94d3391cfa3d2126af31f5b73336d10455b49b49f63525943cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2303374.exe

Filesize
19KB

MD5
8381497f5ba9fae6ec5388cb66b061d4

SHA1
c5db1d26afd609c5629973d912000d5981b02e04

SHA256
90d4f5f0e55a435ba536afc611cac5ee3acbfc4c48c61c6c548076201371c6a2

SHA512
1a43ab770c8d6bcd6683e210d3693f107d90f2e92458e946786cd303e94354e18dd8ccf1d406b94d3391cfa3d2126af31f5b73336d10455b49b49f63525943cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9808321.exe

Filesize
140KB

MD5
7a5a3a5cbd7c7083dfff6fccf2bba072

SHA1
e3d44f00ca5fe5cdcbbab451f64534afc47cc915

SHA256
a7a60536d59a8e4ef27d7adf994dc434f521fe7a39af54716c590f53c9e4cb46

SHA512
d661a4f83a5847a11b9aa4b997a7efadd0543de2ae33b967465db43b8132ac027fec06cfe7ddfa1a182b7b4bd5647cd6b9f2efde915ae1861b1ef18be3c5bc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9808321.exe

Filesize
140KB

MD5
7a5a3a5cbd7c7083dfff6fccf2bba072

SHA1
e3d44f00ca5fe5cdcbbab451f64534afc47cc915

SHA256
a7a60536d59a8e4ef27d7adf994dc434f521fe7a39af54716c590f53c9e4cb46

SHA512
d661a4f83a5847a11b9aa4b997a7efadd0543de2ae33b967465db43b8132ac027fec06cfe7ddfa1a182b7b4bd5647cd6b9f2efde915ae1861b1ef18be3c5bc2e

Download Submit
memory/2684-46-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/2684-47-0x0000000000600000-0x0000000000630000-memory.dmp

Filesize
192KB

Download
memory/2684-48-0x0000000005720000-0x0000000005D38000-memory.dmp

Filesize
6.1MB

Download
memory/2684-49-0x0000000005210000-0x000000000531A000-memory.dmp

Filesize
1.0MB

Download
memory/2684-51-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/2684-50-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/2684-52-0x0000000005140000-0x000000000517C000-memory.dmp

Filesize
240KB

Download
memory/2684-53-0x0000000074270000-0x0000000074A20000-memory.dmp

Filesize
7.7MB

Download
memory/2684-54-0x0000000004EF0000-0x0000000004F00000-memory.dmp

Filesize
64KB

Download
memory/3188-39-0x00007FF9B21D0000-0x00007FF9B2C91000-memory.dmp

Filesize
10.8MB

Download
memory/3188-37-0x00007FF9B21D0000-0x00007FF9B2C91000-memory.dmp

Filesize
10.8MB

Download
memory/3188-36-0x00007FF9B21D0000-0x00007FF9B2C91000-memory.dmp

Filesize
10.8MB

Download
memory/3188-35-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download