healer | 33526bc3a19fe44ee8aa475ceeb7508098ebaa599015949a398d3c49770e6d13

Analysis

max time kernel
146s
max time network
157s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
02/09/2023, 06:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

33526bc3a19fe44ee8aa475ceeb7508098ebaa599015949a398d3c49770e6d13.exe
Size

931KB
MD5

3c917159cc4b0705c635f85404b0969c
SHA1

ba13f1e5e8067455f5159a8161500e23d629a70f
SHA256

33526bc3a19fe44ee8aa475ceeb7508098ebaa599015949a398d3c49770e6d13
SHA512

18c29bf0b0567fb7d5652e8b7322a19aeefe09e53237ebb04fc80c3b195174de7834942079cd46aa934628b099b81072de946a9cac772ab28308cc7e1bc3a252
SSDEEP

12288:AMrTy900aOeF3aCbEqOPTsm6peUI1NoDU61LRc1BCv/IrX6tSn9eDXp0zv8zkQ8n:Dy2k6EPPNlohJgCvgLAs9ed3APn//

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af56-32.dat	healer
behavioral1/files/0x000700000001af56-34.dat	healer
behavioral1/memory/1264-35-0x00000000000D0000-0x00000000000DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q8239118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q8239118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q8239118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q8239118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q8239118.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2364	z0687811.exe
4576	z4014363.exe
4136	z5598233.exe
3760	z0511745.exe
1264	q8239118.exe
4020	r7303689.exe
4996	s5484632.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q8239118.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0687811.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4014363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5598233.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0511745.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	33526bc3a19fe44ee8aa475ceeb7508098ebaa599015949a398d3c49770e6d13.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1264	q8239118.exe
1264	q8239118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1264	q8239118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 2364	3852	33526bc3a19fe44ee8aa475ceeb7508098ebaa599015949a398d3c49770e6d13.exe	69
PID 3852 wrote to memory of 2364	3852	33526bc3a19fe44ee8aa475ceeb7508098ebaa599015949a398d3c49770e6d13.exe	69
PID 3852 wrote to memory of 2364	3852	33526bc3a19fe44ee8aa475ceeb7508098ebaa599015949a398d3c49770e6d13.exe	69
PID 2364 wrote to memory of 4576	2364	z0687811.exe	70
PID 2364 wrote to memory of 4576	2364	z0687811.exe	70
PID 2364 wrote to memory of 4576	2364	z0687811.exe	70
PID 4576 wrote to memory of 4136	4576	z4014363.exe	71
PID 4576 wrote to memory of 4136	4576	z4014363.exe	71
PID 4576 wrote to memory of 4136	4576	z4014363.exe	71
PID 4136 wrote to memory of 3760	4136	z5598233.exe	72
PID 4136 wrote to memory of 3760	4136	z5598233.exe	72
PID 4136 wrote to memory of 3760	4136	z5598233.exe	72
PID 3760 wrote to memory of 1264	3760	z0511745.exe	73
PID 3760 wrote to memory of 1264	3760	z0511745.exe	73
PID 3760 wrote to memory of 4020	3760	z0511745.exe	74
PID 3760 wrote to memory of 4020	3760	z0511745.exe	74
PID 3760 wrote to memory of 4020	3760	z0511745.exe	74
PID 4136 wrote to memory of 4996	4136	z5598233.exe	75
PID 4136 wrote to memory of 4996	4136	z5598233.exe	75
PID 4136 wrote to memory of 4996	4136	z5598233.exe	75

C:\Users\Admin\AppData\Local\Temp\33526bc3a19fe44ee8aa475ceeb7508098ebaa599015949a398d3c49770e6d13.exe
"C:\Users\Admin\AppData\Local\Temp\33526bc3a19fe44ee8aa475ceeb7508098ebaa599015949a398d3c49770e6d13.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0687811.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0687811.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4014363.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4014363.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5598233.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5598233.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0511745.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0511745.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8239118.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8239118.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7303689.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7303689.exe
        6⤵
        Executes dropped EXE
        
        PID:4020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5484632.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5484632.exe
        5⤵
        Executes dropped EXE
        
        PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0687811.exe

Filesize
826KB

MD5
ddd79d3c72ddece07306aa6e6f3e8f4e

SHA1
0656b475c43efed4dcfd471d05acd889c2d25c13

SHA256
3e21fd9cd3582c3635aa579173983ba80801d6cf14f50846628db2f4bc008084

SHA512
b6dc5a6154e487ef9e4cdfe98ea675821df46f221b6c11c1386bde768878937dd6b258447c20d616b50cd45023222f343e32e67b9d68613cb730331506a1262c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0687811.exe

Filesize
826KB

MD5
ddd79d3c72ddece07306aa6e6f3e8f4e

SHA1
0656b475c43efed4dcfd471d05acd889c2d25c13

SHA256
3e21fd9cd3582c3635aa579173983ba80801d6cf14f50846628db2f4bc008084

SHA512
b6dc5a6154e487ef9e4cdfe98ea675821df46f221b6c11c1386bde768878937dd6b258447c20d616b50cd45023222f343e32e67b9d68613cb730331506a1262c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4014363.exe

Filesize
600KB

MD5
7f867dc0eb0e1c2d8d4c8a244b9f5c66

SHA1
0eb0d6a79b733498bee94129f0c9404d6530d661

SHA256
cb0278ac1894a3895c15e6763fcc5ebd326f6ae0a1ee34635f23a49406e19f1a

SHA512
416d5ca02ab840e4c198d0a28ea1b79c848929efcfae6c4020918f396df1d957d0ab93f7a01b876fc0e6606aeaff00faabc2359ebf5769e8e78ffa821cc6385b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4014363.exe

Filesize
600KB

MD5
7f867dc0eb0e1c2d8d4c8a244b9f5c66

SHA1
0eb0d6a79b733498bee94129f0c9404d6530d661

SHA256
cb0278ac1894a3895c15e6763fcc5ebd326f6ae0a1ee34635f23a49406e19f1a

SHA512
416d5ca02ab840e4c198d0a28ea1b79c848929efcfae6c4020918f396df1d957d0ab93f7a01b876fc0e6606aeaff00faabc2359ebf5769e8e78ffa821cc6385b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5598233.exe

Filesize
374KB

MD5
375b9d1cbd531777721294fe55f78cb3

SHA1
f877726da741a216c1eb832d71bd9ea18ef05419

SHA256
627cccd19e79f7678aa41a45dfd9ad2d902e7ea5b12daf8503a7f947de0b7d55

SHA512
071c0756542f772a020a46788811a6999197153c4be18f415cea9fa0940f606ee878f1c5657a2039b9cb0e1f5da9b7b114ffe81eab658ab6b89ae5e68bad9c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5598233.exe

Filesize
374KB

MD5
375b9d1cbd531777721294fe55f78cb3

SHA1
f877726da741a216c1eb832d71bd9ea18ef05419

SHA256
627cccd19e79f7678aa41a45dfd9ad2d902e7ea5b12daf8503a7f947de0b7d55

SHA512
071c0756542f772a020a46788811a6999197153c4be18f415cea9fa0940f606ee878f1c5657a2039b9cb0e1f5da9b7b114ffe81eab658ab6b89ae5e68bad9c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5484632.exe

Filesize
174KB

MD5
09919b2cdb1be63abc3354df092fcd9e

SHA1
18a49366f4cddc8699a63ab638d1b183f1fea334

SHA256
760e1bffde54a4c7a3b2447aeba3aa4d46f7ece9111ae3114029e4b3c4ada023

SHA512
9c973f6572b972bd6ce9560b3b1cb80a55315bc67abce60bee523ef833e72d403d5a2a11449b7fa55b38d2c168c8a4def2f97e33100f352df370458f09af290e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s5484632.exe

Filesize
174KB

MD5
09919b2cdb1be63abc3354df092fcd9e

SHA1
18a49366f4cddc8699a63ab638d1b183f1fea334

SHA256
760e1bffde54a4c7a3b2447aeba3aa4d46f7ece9111ae3114029e4b3c4ada023

SHA512
9c973f6572b972bd6ce9560b3b1cb80a55315bc67abce60bee523ef833e72d403d5a2a11449b7fa55b38d2c168c8a4def2f97e33100f352df370458f09af290e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0511745.exe

Filesize
217KB

MD5
f67152ee0670837533816278074f41e1

SHA1
2c5d9b99002213f954a215b6c8b134a02f162cb7

SHA256
ca25b0b04e23f0b8d4ae893f978d411b26c6f4935e9356ee3cb8587553e72f67

SHA512
1824db07a790a5cd3eb6c52454dc2bdceba865574d8541ed5890922eb02fb692fef704a700aac08f723c004339f5c2f6f443519cd63771c6f699effd7e0387c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0511745.exe

Filesize
217KB

MD5
f67152ee0670837533816278074f41e1

SHA1
2c5d9b99002213f954a215b6c8b134a02f162cb7

SHA256
ca25b0b04e23f0b8d4ae893f978d411b26c6f4935e9356ee3cb8587553e72f67

SHA512
1824db07a790a5cd3eb6c52454dc2bdceba865574d8541ed5890922eb02fb692fef704a700aac08f723c004339f5c2f6f443519cd63771c6f699effd7e0387c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8239118.exe

Filesize
19KB

MD5
06525c322fa0753bd4811883c22fe53f

SHA1
c1a0519d79705d026b9c1fe89f96682aa2d77769

SHA256
5ae9273717a3b4ea3bc1583abf2f19e8de1eb5076b891b00d75900643f6c6fa9

SHA512
78b21b3262e8e66d45d367d82066bfaadd413a07036cf4708ce7a903fd1d16293b5de40980c71271fd94f6d869da976f38d1960a7b3f87930606e66e5d46d2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8239118.exe

Filesize
19KB

MD5
06525c322fa0753bd4811883c22fe53f

SHA1
c1a0519d79705d026b9c1fe89f96682aa2d77769

SHA256
5ae9273717a3b4ea3bc1583abf2f19e8de1eb5076b891b00d75900643f6c6fa9

SHA512
78b21b3262e8e66d45d367d82066bfaadd413a07036cf4708ce7a903fd1d16293b5de40980c71271fd94f6d869da976f38d1960a7b3f87930606e66e5d46d2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7303689.exe

Filesize
140KB

MD5
481417a1ecfaece2d6512156a199274f

SHA1
e790d3a55a1340555638e8038191a26169cee84d

SHA256
bc6e66bf4bb52784b132cb0289b5cf925cacba93fb25b49093d33ee886e8aab1

SHA512
3dcad0ad6e92e402be14aeb1304d9ba02c46089eedb5132166000651b864bc32f7dd915f85c13d9bff4fa8aaec7d0160a32b5a5ca920f259c930a50faa9716fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7303689.exe

Filesize
140KB

MD5
481417a1ecfaece2d6512156a199274f

SHA1
e790d3a55a1340555638e8038191a26169cee84d

SHA256
bc6e66bf4bb52784b132cb0289b5cf925cacba93fb25b49093d33ee886e8aab1

SHA512
3dcad0ad6e92e402be14aeb1304d9ba02c46089eedb5132166000651b864bc32f7dd915f85c13d9bff4fa8aaec7d0160a32b5a5ca920f259c930a50faa9716fb

Download Submit
memory/1264-38-0x00007FFB40850000-0x00007FFB4123C000-memory.dmp

Filesize
9.9MB

Download
memory/1264-36-0x00007FFB40850000-0x00007FFB4123C000-memory.dmp

Filesize
9.9MB

Download
memory/1264-35-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/4996-45-0x0000000000020000-0x0000000000050000-memory.dmp

Filesize
192KB

Download
memory/4996-46-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download
memory/4996-47-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/4996-48-0x000000000A450000-0x000000000AA56000-memory.dmp

Filesize
6.0MB

Download
memory/4996-49-0x0000000009F70000-0x000000000A07A000-memory.dmp

Filesize
1.0MB

Download
memory/4996-50-0x0000000009EA0000-0x0000000009EB2000-memory.dmp

Filesize
72KB

Download
memory/4996-51-0x0000000009F00000-0x0000000009F3E000-memory.dmp

Filesize
248KB

Download
memory/4996-52-0x000000000A080000-0x000000000A0CB000-memory.dmp

Filesize
300KB

Download
memory/4996-53-0x0000000073740000-0x0000000073E2E000-memory.dmp

Filesize
6.9MB

Download