healer | 810a7e532ab14b6700e403944d44f6b508cfa4e79e1557a3f4a7f162cd012a43

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
02/09/2023, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

810a7e532ab14b6700e403944d44f6b508cfa4e79e1557a3f4a7f162cd012a43.exe
Size

829KB
MD5

72c0080c4764ffdd4506cac2888e33f2
SHA1

d19f296748713f2f86ce6393ed2f4e4412710df2
SHA256

810a7e532ab14b6700e403944d44f6b508cfa4e79e1557a3f4a7f162cd012a43
SHA512

4cfe6f90c856e8d2aed351a537f9338b7fc7844b18fe90e67957c057ee3cf1ce463497a4f1d71babf79d8ac62f5b43ba8e014378b33f206c8acdadbd8679a635
SSDEEP

24576:Vy8Nzt13YSQlfzjsFGKTeLFmWjj46Jw4HhjfhN26u:wazt5YSQVzj6GKeFdZJwW46

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b004-33.dat	healer
behavioral1/files/0x000700000001b004-34.dat	healer
behavioral1/memory/4440-35-0x0000000000540000-0x000000000054A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2242216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2242216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2242216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2242216.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2242216.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4280	v0460002.exe
4596	v7656202.exe
4660	v8493275.exe
5068	v8295295.exe
4440	a2242216.exe
2112	b8617732.exe
2260	c7688972.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2242216.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	810a7e532ab14b6700e403944d44f6b508cfa4e79e1557a3f4a7f162cd012a43.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0460002.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7656202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8493275.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8295295.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4440	a2242216.exe
4440	a2242216.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	a2242216.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 4280	2544	810a7e532ab14b6700e403944d44f6b508cfa4e79e1557a3f4a7f162cd012a43.exe	70
PID 2544 wrote to memory of 4280	2544	810a7e532ab14b6700e403944d44f6b508cfa4e79e1557a3f4a7f162cd012a43.exe	70
PID 2544 wrote to memory of 4280	2544	810a7e532ab14b6700e403944d44f6b508cfa4e79e1557a3f4a7f162cd012a43.exe	70
PID 4280 wrote to memory of 4596	4280	v0460002.exe	71
PID 4280 wrote to memory of 4596	4280	v0460002.exe	71
PID 4280 wrote to memory of 4596	4280	v0460002.exe	71
PID 4596 wrote to memory of 4660	4596	v7656202.exe	72
PID 4596 wrote to memory of 4660	4596	v7656202.exe	72
PID 4596 wrote to memory of 4660	4596	v7656202.exe	72
PID 4660 wrote to memory of 5068	4660	v8493275.exe	73
PID 4660 wrote to memory of 5068	4660	v8493275.exe	73
PID 4660 wrote to memory of 5068	4660	v8493275.exe	73
PID 5068 wrote to memory of 4440	5068	v8295295.exe	74
PID 5068 wrote to memory of 4440	5068	v8295295.exe	74
PID 5068 wrote to memory of 2112	5068	v8295295.exe	75
PID 5068 wrote to memory of 2112	5068	v8295295.exe	75
PID 5068 wrote to memory of 2112	5068	v8295295.exe	75
PID 4660 wrote to memory of 2260	4660	v8493275.exe	76
PID 4660 wrote to memory of 2260	4660	v8493275.exe	76
PID 4660 wrote to memory of 2260	4660	v8493275.exe	76

C:\Users\Admin\AppData\Local\Temp\810a7e532ab14b6700e403944d44f6b508cfa4e79e1557a3f4a7f162cd012a43.exe
"C:\Users\Admin\AppData\Local\Temp\810a7e532ab14b6700e403944d44f6b508cfa4e79e1557a3f4a7f162cd012a43.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0460002.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0460002.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7656202.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7656202.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8493275.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8493275.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8295295.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8295295.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5068
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2242216.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2242216.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8617732.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8617732.exe
        6⤵
        Executes dropped EXE
        
        PID:2112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7688972.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7688972.exe
        5⤵
        Executes dropped EXE
        
        PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0460002.exe

Filesize
724KB

MD5
b9f71ab5848ed148ed9c89176174ae9b

SHA1
c8cff58578e6f39383e12b01971b3b1cac54336a

SHA256
4963bc651a270a54737b1b0dbbad6b224206577e4d98f5abe7e9218854a1a505

SHA512
1f3cd0a8e5fe1014aa8f1f6e3174f685bb8e3da037919db1eb21b5bff0422e0f47cf5a1824af8261948761f495b8fb9328fd58a56bea6abd0021533d8e48fb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0460002.exe

Filesize
724KB

MD5
b9f71ab5848ed148ed9c89176174ae9b

SHA1
c8cff58578e6f39383e12b01971b3b1cac54336a

SHA256
4963bc651a270a54737b1b0dbbad6b224206577e4d98f5abe7e9218854a1a505

SHA512
1f3cd0a8e5fe1014aa8f1f6e3174f685bb8e3da037919db1eb21b5bff0422e0f47cf5a1824af8261948761f495b8fb9328fd58a56bea6abd0021533d8e48fb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7656202.exe

Filesize
498KB

MD5
f3091e3b2d327906c229da8ef81a8516

SHA1
911b93130eda5a8968a2222c2de126b85a014b85

SHA256
79afe280a1b5e34c226d8e15d2f0ea049fd20814ff805a3f36dce13f915860ff

SHA512
c90117919e33f873ec7e64c916a1ea431080db2b726d9bca24a695f86087d04ef94f5df854a4853add7f2c426423d8f2fc19da5859f8c0130b3c86e71acfe16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7656202.exe

Filesize
498KB

MD5
f3091e3b2d327906c229da8ef81a8516

SHA1
911b93130eda5a8968a2222c2de126b85a014b85

SHA256
79afe280a1b5e34c226d8e15d2f0ea049fd20814ff805a3f36dce13f915860ff

SHA512
c90117919e33f873ec7e64c916a1ea431080db2b726d9bca24a695f86087d04ef94f5df854a4853add7f2c426423d8f2fc19da5859f8c0130b3c86e71acfe16e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8493275.exe

Filesize
373KB

MD5
9e6e17bb297468553772fe7d14566d60

SHA1
69ff7b52c1e9f3409e8a622bd522b437d3856c95

SHA256
c4e29fb195516c00b90f86fc118942aa7dca39045d1b8de45bf5e30ad748e204

SHA512
5be7d49f7e017bc633137d4447db65b10b12d7d50126a53804e7783cb08d38476d7eace1a0ed60c114bd5d3991a77d0c3cc167136239d87f7ab758857f1c28a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8493275.exe

Filesize
373KB

MD5
9e6e17bb297468553772fe7d14566d60

SHA1
69ff7b52c1e9f3409e8a622bd522b437d3856c95

SHA256
c4e29fb195516c00b90f86fc118942aa7dca39045d1b8de45bf5e30ad748e204

SHA512
5be7d49f7e017bc633137d4447db65b10b12d7d50126a53804e7783cb08d38476d7eace1a0ed60c114bd5d3991a77d0c3cc167136239d87f7ab758857f1c28a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7688972.exe

Filesize
174KB

MD5
d6be287c9f0c3d27143d5436fa3f3fa0

SHA1
e0aa861978a537acf38e5b80f724a4c192e1b07d

SHA256
36e9dc63eed833793bd02b77224aec9ab32e81d59fb89103e472b6c5d2306ef5

SHA512
c06de409a9c5a880c796bbbd8f6c008620dbb2014df66838f5f984fa5485aae782aa7aca669ad1c1509a04c9ad0854e20dfe87b1174c14e9c82087487efd7df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7688972.exe

Filesize
174KB

MD5
d6be287c9f0c3d27143d5436fa3f3fa0

SHA1
e0aa861978a537acf38e5b80f724a4c192e1b07d

SHA256
36e9dc63eed833793bd02b77224aec9ab32e81d59fb89103e472b6c5d2306ef5

SHA512
c06de409a9c5a880c796bbbd8f6c008620dbb2014df66838f5f984fa5485aae782aa7aca669ad1c1509a04c9ad0854e20dfe87b1174c14e9c82087487efd7df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8295295.exe

Filesize
217KB

MD5
c14b7d4538dfef39d8c8e39660b0909a

SHA1
4f5b8ebeef172d15cd240c19ca3e09419cbd79dc

SHA256
f2a3a5d0e8566db07aacbc99baa0ec17dc7073918a4df55469d504892d6ad2b3

SHA512
d96036e56291e46408716054ff9e3f99c4fbbc9bb0e8b491ec0ba3e4853cb4f6ab6b73831d5b95c383d1494c4bf282a490e319c71ad244ff75da59373b5cff14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8295295.exe

Filesize
217KB

MD5
c14b7d4538dfef39d8c8e39660b0909a

SHA1
4f5b8ebeef172d15cd240c19ca3e09419cbd79dc

SHA256
f2a3a5d0e8566db07aacbc99baa0ec17dc7073918a4df55469d504892d6ad2b3

SHA512
d96036e56291e46408716054ff9e3f99c4fbbc9bb0e8b491ec0ba3e4853cb4f6ab6b73831d5b95c383d1494c4bf282a490e319c71ad244ff75da59373b5cff14

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2242216.exe

Filesize
19KB

MD5
0d82b6ddc80f94e7887338f0b36ca5db

SHA1
ced31348318299fe0efa5969e979aa3e505894a7

SHA256
f526313640ffb46caca9ca7ab5bf18fd3d2eeb053b3d39f85e31d3c7bf71a44a

SHA512
b475e740481e6360fb070b1030962712d1479ba3192b172a8d193bfa21c188e912e4e033e7012ffb35ccaa6944c180080134dca0ac0695b144a0a29d360ca522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2242216.exe

Filesize
19KB

MD5
0d82b6ddc80f94e7887338f0b36ca5db

SHA1
ced31348318299fe0efa5969e979aa3e505894a7

SHA256
f526313640ffb46caca9ca7ab5bf18fd3d2eeb053b3d39f85e31d3c7bf71a44a

SHA512
b475e740481e6360fb070b1030962712d1479ba3192b172a8d193bfa21c188e912e4e033e7012ffb35ccaa6944c180080134dca0ac0695b144a0a29d360ca522

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8617732.exe

Filesize
140KB

MD5
27e684ee11f742765b2d60ebd61003a8

SHA1
49ad3ec639d419d2eae50c4893b342fa7e71717b

SHA256
887bd15444e3b8b0c63be40196db7ec05c357978056e4994e2fe2917bc5b28c0

SHA512
1df12c1de0a94155ac44f9f13a0617cd1c7ecd5ca99855e07b07d01977e54b32eafeceed3c653fd1f35524cadc5aafe3a1557e9216e6c555b81eb818a86d03a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8617732.exe

Filesize
140KB

MD5
27e684ee11f742765b2d60ebd61003a8

SHA1
49ad3ec639d419d2eae50c4893b342fa7e71717b

SHA256
887bd15444e3b8b0c63be40196db7ec05c357978056e4994e2fe2917bc5b28c0

SHA512
1df12c1de0a94155ac44f9f13a0617cd1c7ecd5ca99855e07b07d01977e54b32eafeceed3c653fd1f35524cadc5aafe3a1557e9216e6c555b81eb818a86d03a2

Download Submit
memory/2260-46-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/2260-45-0x0000000000490000-0x00000000004C0000-memory.dmp

Filesize
192KB

Download
memory/2260-47-0x00000000026B0000-0x00000000026B6000-memory.dmp

Filesize
24KB

Download
memory/2260-48-0x000000000A8B0000-0x000000000AEB6000-memory.dmp

Filesize
6.0MB

Download
memory/2260-49-0x000000000A3E0000-0x000000000A4EA000-memory.dmp

Filesize
1.0MB

Download
memory/2260-50-0x000000000A310000-0x000000000A322000-memory.dmp

Filesize
72KB

Download
memory/2260-51-0x000000000A370000-0x000000000A3AE000-memory.dmp

Filesize
248KB

Download
memory/2260-52-0x000000000A4F0000-0x000000000A53B000-memory.dmp

Filesize
300KB

Download
memory/2260-53-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/4440-38-0x00007FF9727B0000-0x00007FF97319C000-memory.dmp

Filesize
9.9MB

Download
memory/4440-36-0x00007FF9727B0000-0x00007FF97319C000-memory.dmp

Filesize
9.9MB

Download
memory/4440-35-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download