healer | 21931e9b46dc5a9929cf82f9f851203882eac493f7dc33429e1c40cb1b75305b

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21931e9b46dc5a9929cf82f9f851203882eac493f7dc33429e1c40cb1b75305b.exe
Size

829KB
MD5

57db2ae32f4f19b342c42f145da41fe9
SHA1

827e839cdbda5d4ad5ddf125616853cd3c84d516
SHA256

21931e9b46dc5a9929cf82f9f851203882eac493f7dc33429e1c40cb1b75305b
SHA512

b2bde8152a54c4dd5fb337fc8653d4ddda16beb5fc74688c81d16c3c14009a493d5159265c106e5249e8d8061b6e8947b0977f9fd0e71db257d54dd52d18e3c3
SSDEEP

12288:cMr7y90mXuvntJ0i4oRtKqeTLwMGJ0+msG2PUqRe1g6vEYWdJwRuz1d:fy3XuPLOoqVIM3sGEUUHdJSc1d

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231c9-33.dat	healer
behavioral1/files/0x00070000000231c9-34.dat	healer
behavioral1/memory/1864-35-0x00000000008C0000-0x00000000008CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5254244.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5254244.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5254244.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5254244.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5254244.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5254244.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4588	v4833606.exe
2444	v2582951.exe
2288	v7382766.exe
1952	v6036034.exe
1864	a5254244.exe
3608	b4342216.exe
2280	c4093293.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5254244.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	21931e9b46dc5a9929cf82f9f851203882eac493f7dc33429e1c40cb1b75305b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4833606.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2582951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7382766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6036034.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1864	a5254244.exe
1864	a5254244.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1864	a5254244.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4588	4116	21931e9b46dc5a9929cf82f9f851203882eac493f7dc33429e1c40cb1b75305b.exe	85
PID 4116 wrote to memory of 4588	4116	21931e9b46dc5a9929cf82f9f851203882eac493f7dc33429e1c40cb1b75305b.exe	85
PID 4116 wrote to memory of 4588	4116	21931e9b46dc5a9929cf82f9f851203882eac493f7dc33429e1c40cb1b75305b.exe	85
PID 4588 wrote to memory of 2444	4588	v4833606.exe	86
PID 4588 wrote to memory of 2444	4588	v4833606.exe	86
PID 4588 wrote to memory of 2444	4588	v4833606.exe	86
PID 2444 wrote to memory of 2288	2444	v2582951.exe	87
PID 2444 wrote to memory of 2288	2444	v2582951.exe	87
PID 2444 wrote to memory of 2288	2444	v2582951.exe	87
PID 2288 wrote to memory of 1952	2288	v7382766.exe	88
PID 2288 wrote to memory of 1952	2288	v7382766.exe	88
PID 2288 wrote to memory of 1952	2288	v7382766.exe	88
PID 1952 wrote to memory of 1864	1952	v6036034.exe	89
PID 1952 wrote to memory of 1864	1952	v6036034.exe	89
PID 1952 wrote to memory of 3608	1952	v6036034.exe	92
PID 1952 wrote to memory of 3608	1952	v6036034.exe	92
PID 1952 wrote to memory of 3608	1952	v6036034.exe	92
PID 2288 wrote to memory of 2280	2288	v7382766.exe	93
PID 2288 wrote to memory of 2280	2288	v7382766.exe	93
PID 2288 wrote to memory of 2280	2288	v7382766.exe	93

C:\Users\Admin\AppData\Local\Temp\21931e9b46dc5a9929cf82f9f851203882eac493f7dc33429e1c40cb1b75305b.exe
"C:\Users\Admin\AppData\Local\Temp\21931e9b46dc5a9929cf82f9f851203882eac493f7dc33429e1c40cb1b75305b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4833606.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4833606.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4588
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2582951.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2582951.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7382766.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7382766.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6036034.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6036034.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5254244.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5254244.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4342216.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4342216.exe
        6⤵
        Executes dropped EXE
        
        PID:3608
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4093293.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4093293.exe
        5⤵
        Executes dropped EXE
        
        PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4833606.exe

Filesize
724KB

MD5
22e8ab08bc50562d18f64d6c24bb875f

SHA1
51386c3f7e123d4742021d6354b036aa55cbde76

SHA256
10208cd5f3a69e0d5c910e634b438de644d829779e9c63f9b0e9f11ec17eeb82

SHA512
6ff6659aae6682d9773b3abb2da71c10c954474e33a0a5a5c49c1ec71dbbdcb08ccbe1f9f43a82e18edc8a1924f0a757455f6e41acf6f9de1fba29b4025633dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4833606.exe

Filesize
724KB

MD5
22e8ab08bc50562d18f64d6c24bb875f

SHA1
51386c3f7e123d4742021d6354b036aa55cbde76

SHA256
10208cd5f3a69e0d5c910e634b438de644d829779e9c63f9b0e9f11ec17eeb82

SHA512
6ff6659aae6682d9773b3abb2da71c10c954474e33a0a5a5c49c1ec71dbbdcb08ccbe1f9f43a82e18edc8a1924f0a757455f6e41acf6f9de1fba29b4025633dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2582951.exe

Filesize
498KB

MD5
016a63c63202f7020be0ad4081595959

SHA1
a8b67a8146b09d53e8057cde682307685fe272b1

SHA256
b54415954200c2d9e936e31171bad33bb9ed003f61539b3b43f2f522470b1892

SHA512
728e4572e7d89c8617ed5c535f31cded81ec290b4a820fa5baa7fbae76a60f9c52a9621758cf2377e0c9625aee0916df6df38ecae276195f1554127b3629905a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2582951.exe

Filesize
498KB

MD5
016a63c63202f7020be0ad4081595959

SHA1
a8b67a8146b09d53e8057cde682307685fe272b1

SHA256
b54415954200c2d9e936e31171bad33bb9ed003f61539b3b43f2f522470b1892

SHA512
728e4572e7d89c8617ed5c535f31cded81ec290b4a820fa5baa7fbae76a60f9c52a9621758cf2377e0c9625aee0916df6df38ecae276195f1554127b3629905a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7382766.exe

Filesize
373KB

MD5
6e09c61086ae44b81c50a8ff0d50a1a9

SHA1
9a7e4ff8792d069db4334650c3c3d817778cddf7

SHA256
994d870153808d19a3e0a0d4bf14e3a9b20ffd5ba2cd01e7e8ebab67e7265411

SHA512
b91889e6d4c941a7553113159f6e8eabd141ee6cca6ed80f897da89a501654916a1bec3296af2bf19f57bece2280520bd0f0aee0dc2bc4007dbcd9d0e5ea002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7382766.exe

Filesize
373KB

MD5
6e09c61086ae44b81c50a8ff0d50a1a9

SHA1
9a7e4ff8792d069db4334650c3c3d817778cddf7

SHA256
994d870153808d19a3e0a0d4bf14e3a9b20ffd5ba2cd01e7e8ebab67e7265411

SHA512
b91889e6d4c941a7553113159f6e8eabd141ee6cca6ed80f897da89a501654916a1bec3296af2bf19f57bece2280520bd0f0aee0dc2bc4007dbcd9d0e5ea002a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4093293.exe

Filesize
174KB

MD5
171cc29c7e9697111a479193ad9c8aa5

SHA1
0def0ce1998c66f3608a5a79a12dfdc4638a9070

SHA256
6ac23504b1b44d01c616b6c9cfc2f2bcd07bd548e7b64ce28cafa2796c858cb1

SHA512
6ed7f27c01135fd253e66077e2c1f14d5990b5ccfbd6d5c8e7d032155785f43e37656d049c4bcc601c270c750bd0449ed30598e40c7b69b9cb277d50ed39a888

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4093293.exe

Filesize
174KB

MD5
171cc29c7e9697111a479193ad9c8aa5

SHA1
0def0ce1998c66f3608a5a79a12dfdc4638a9070

SHA256
6ac23504b1b44d01c616b6c9cfc2f2bcd07bd548e7b64ce28cafa2796c858cb1

SHA512
6ed7f27c01135fd253e66077e2c1f14d5990b5ccfbd6d5c8e7d032155785f43e37656d049c4bcc601c270c750bd0449ed30598e40c7b69b9cb277d50ed39a888

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6036034.exe

Filesize
217KB

MD5
a7dc897d762ce6484d09ef0ad4fe3874

SHA1
6684a9972ee4c41e698f278cb742c09bdabaf556

SHA256
b5aee5e2a9f5c5f75723c69f15d416c4ef880eac2051d01a4e68b69d75d4f85d

SHA512
5da840547d467749f388f0f524237ab0d9bd0295c79fbda8737c0c48acc97273be4dcb0db45b7fd13624815fa25d2ff585d0869ae854ed2b4ee7ba9264ba6e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6036034.exe

Filesize
217KB

MD5
a7dc897d762ce6484d09ef0ad4fe3874

SHA1
6684a9972ee4c41e698f278cb742c09bdabaf556

SHA256
b5aee5e2a9f5c5f75723c69f15d416c4ef880eac2051d01a4e68b69d75d4f85d

SHA512
5da840547d467749f388f0f524237ab0d9bd0295c79fbda8737c0c48acc97273be4dcb0db45b7fd13624815fa25d2ff585d0869ae854ed2b4ee7ba9264ba6e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5254244.exe

Filesize
19KB

MD5
3d907d021895edb1aa22be405d30edff

SHA1
f85cddba2492a00e81929ffc363248322ec549ce

SHA256
154a8091568ec9f5201901a80e890d98f261fb946a041c4c141d6d884f50e63d

SHA512
3112ff0644a5f0060ceae352bce9290c0106f1b5e94b8848455b0b40118efab4d045ca427f96b8a5a61018c0a322364c34831c267839306867d186c2484f7073

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5254244.exe

Filesize
19KB

MD5
3d907d021895edb1aa22be405d30edff

SHA1
f85cddba2492a00e81929ffc363248322ec549ce

SHA256
154a8091568ec9f5201901a80e890d98f261fb946a041c4c141d6d884f50e63d

SHA512
3112ff0644a5f0060ceae352bce9290c0106f1b5e94b8848455b0b40118efab4d045ca427f96b8a5a61018c0a322364c34831c267839306867d186c2484f7073

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4342216.exe

Filesize
140KB

MD5
65e36908828c5ea536950521dd3823bc

SHA1
973a27b687bef12bc263049c4f6a975460077978

SHA256
3438d028a73ac879a0cc5f10db085a71b746f2b7619ccd0d4c01b399cd996822

SHA512
8a685a8b4460de9f7cdd6492952f0882a785469c4e2e18b1ba195a268f7e965687b8d8822b410a6c77318c29eb98568423d7cfd8bf6dae488ee11836222b6ed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4342216.exe

Filesize
140KB

MD5
65e36908828c5ea536950521dd3823bc

SHA1
973a27b687bef12bc263049c4f6a975460077978

SHA256
3438d028a73ac879a0cc5f10db085a71b746f2b7619ccd0d4c01b399cd996822

SHA512
8a685a8b4460de9f7cdd6492952f0882a785469c4e2e18b1ba195a268f7e965687b8d8822b410a6c77318c29eb98568423d7cfd8bf6dae488ee11836222b6ed6

Download Submit
memory/1864-38-0x00007FFAF7CA0000-0x00007FFAF8761000-memory.dmp

Filesize
10.8MB

Download
memory/1864-36-0x00007FFAF7CA0000-0x00007FFAF8761000-memory.dmp

Filesize
10.8MB

Download
memory/1864-35-0x00000000008C0000-0x00000000008CA000-memory.dmp

Filesize
40KB

Download
memory/2280-46-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/2280-45-0x0000000000860000-0x0000000000890000-memory.dmp

Filesize
192KB

Download
memory/2280-47-0x000000000ACC0000-0x000000000B2D8000-memory.dmp

Filesize
6.1MB

Download
memory/2280-48-0x000000000A810000-0x000000000A91A000-memory.dmp

Filesize
1.0MB

Download
memory/2280-49-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download
memory/2280-50-0x000000000A750000-0x000000000A762000-memory.dmp

Filesize
72KB

Download
memory/2280-51-0x000000000A7B0000-0x000000000A7EC000-memory.dmp

Filesize
240KB

Download
memory/2280-52-0x0000000073C70000-0x0000000074420000-memory.dmp

Filesize
7.7MB

Download
memory/2280-53-0x0000000005190000-0x00000000051A0000-memory.dmp

Filesize
64KB

Download