healer | 227ddce63c26bea0579d66b7217899f422b2a9a185316ef40ece8b737984e8e9

Analysis

max time kernel
147s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2023 07:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

227ddce63c26bea0579d66b7217899f422b2a9a185316ef40ece8b737984e8e9.exe
Size

827KB
MD5

f370523fe7a107180d54b5ac8b34e8f7
SHA1

cb4bdcfa51faa8a9b9c8465df3280fd3206f7990
SHA256

227ddce63c26bea0579d66b7217899f422b2a9a185316ef40ece8b737984e8e9
SHA512

2666e6d9ab95740b6c8f5f9f8e32759096ece98582fe9a4404214583ab22f4f5a87513f286b7ff81a5f8dad88bbbb6b805b8211f71ad3843c88cb7d9061e44fd
SSDEEP

24576:LyWJsKTtJ0Tq4N3ZBBJtTFREsef175NSsBi:+WJsjuYJBzhxef13Ss

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023233-33.dat	healer
behavioral1/files/0x0007000000023233-34.dat	healer
behavioral1/memory/4912-35-0x0000000000DF0000-0x0000000000DFA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2836238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2836238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2836238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2836238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2836238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2836238.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2536	v5700625.exe
3464	v3357705.exe
4936	v6954355.exe
4712	v7322059.exe
4912	a2836238.exe
2088	b3823907.exe
2480	c1774567.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2836238.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	227ddce63c26bea0579d66b7217899f422b2a9a185316ef40ece8b737984e8e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5700625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3357705.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6954355.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7322059.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4912	a2836238.exe
4912	a2836238.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	a2836238.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2536	1884	227ddce63c26bea0579d66b7217899f422b2a9a185316ef40ece8b737984e8e9.exe	86
PID 1884 wrote to memory of 2536	1884	227ddce63c26bea0579d66b7217899f422b2a9a185316ef40ece8b737984e8e9.exe	86
PID 1884 wrote to memory of 2536	1884	227ddce63c26bea0579d66b7217899f422b2a9a185316ef40ece8b737984e8e9.exe	86
PID 2536 wrote to memory of 3464	2536	v5700625.exe	87
PID 2536 wrote to memory of 3464	2536	v5700625.exe	87
PID 2536 wrote to memory of 3464	2536	v5700625.exe	87
PID 3464 wrote to memory of 4936	3464	v3357705.exe	88
PID 3464 wrote to memory of 4936	3464	v3357705.exe	88
PID 3464 wrote to memory of 4936	3464	v3357705.exe	88
PID 4936 wrote to memory of 4712	4936	v6954355.exe	89
PID 4936 wrote to memory of 4712	4936	v6954355.exe	89
PID 4936 wrote to memory of 4712	4936	v6954355.exe	89
PID 4712 wrote to memory of 4912	4712	v7322059.exe	90
PID 4712 wrote to memory of 4912	4712	v7322059.exe	90
PID 4712 wrote to memory of 2088	4712	v7322059.exe	93
PID 4712 wrote to memory of 2088	4712	v7322059.exe	93
PID 4712 wrote to memory of 2088	4712	v7322059.exe	93
PID 4936 wrote to memory of 2480	4936	v6954355.exe	94
PID 4936 wrote to memory of 2480	4936	v6954355.exe	94
PID 4936 wrote to memory of 2480	4936	v6954355.exe	94

C:\Users\Admin\AppData\Local\Temp\227ddce63c26bea0579d66b7217899f422b2a9a185316ef40ece8b737984e8e9.exe
"C:\Users\Admin\AppData\Local\Temp\227ddce63c26bea0579d66b7217899f422b2a9a185316ef40ece8b737984e8e9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5700625.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5700625.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3357705.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3357705.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6954355.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6954355.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4936
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7322059.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7322059.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2836238.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2836238.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4912
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3823907.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3823907.exe
        6⤵
        Executes dropped EXE
        
        PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1774567.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1774567.exe
        5⤵
        Executes dropped EXE
        
        PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5700625.exe

Filesize
721KB

MD5
28e91849af9f9ed905338499197a0c42

SHA1
714d2c2e49b27bc7576dd46b7352b7284f860e3a

SHA256
141b50c21db586cd8b409fd98e66f86d36a424246dc5b25a7ca86859a1cb81c1

SHA512
c7f56e36beb1b7393466e5146f12f0258ebd78dc981db7a57c0cc691c9e8a7692a0c1201674b0e0fafe543eb7ae8db1e22515f09aa6157e96ff59ce3ad0a730c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5700625.exe

Filesize
721KB

MD5
28e91849af9f9ed905338499197a0c42

SHA1
714d2c2e49b27bc7576dd46b7352b7284f860e3a

SHA256
141b50c21db586cd8b409fd98e66f86d36a424246dc5b25a7ca86859a1cb81c1

SHA512
c7f56e36beb1b7393466e5146f12f0258ebd78dc981db7a57c0cc691c9e8a7692a0c1201674b0e0fafe543eb7ae8db1e22515f09aa6157e96ff59ce3ad0a730c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3357705.exe

Filesize
497KB

MD5
73071e9d3b5da88022dc419ee7c6c74b

SHA1
aff5d413e7c87ddd39b5852c256cd91ed9a87c20

SHA256
6690572b32edc8e33662716bbfa9bbeb46d1b354398beae95bd89ac3965e2edd

SHA512
c4b00c30b9df7e317db18955ff1ba0edd69d1e27e8347395b3dd19e43452f7972418688133004c5467ae782f31f6acb55777dd5a6e14b0dccd4b0170ea911062

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3357705.exe

Filesize
497KB

MD5
73071e9d3b5da88022dc419ee7c6c74b

SHA1
aff5d413e7c87ddd39b5852c256cd91ed9a87c20

SHA256
6690572b32edc8e33662716bbfa9bbeb46d1b354398beae95bd89ac3965e2edd

SHA512
c4b00c30b9df7e317db18955ff1ba0edd69d1e27e8347395b3dd19e43452f7972418688133004c5467ae782f31f6acb55777dd5a6e14b0dccd4b0170ea911062

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6954355.exe

Filesize
373KB

MD5
cd1a4499c7b1cc2bb46b37bdebeb4a9c

SHA1
47051854f8536b65e0a390adbdbc2a68a6d6b2ef

SHA256
df37c6306269d522c7908d28a78b3d48e321529ac57335dbe38c9dccdafabf4f

SHA512
5a3d03f61924bb59d86b02a3756637da58a2e9dd2e3e843b5d43cce7af87414ceee73786ca5ecc307b9240fe64d3ecc99d72ba549e30da3248c12e9964f33f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6954355.exe

Filesize
373KB

MD5
cd1a4499c7b1cc2bb46b37bdebeb4a9c

SHA1
47051854f8536b65e0a390adbdbc2a68a6d6b2ef

SHA256
df37c6306269d522c7908d28a78b3d48e321529ac57335dbe38c9dccdafabf4f

SHA512
5a3d03f61924bb59d86b02a3756637da58a2e9dd2e3e843b5d43cce7af87414ceee73786ca5ecc307b9240fe64d3ecc99d72ba549e30da3248c12e9964f33f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1774567.exe

Filesize
174KB

MD5
8954efeab65c11155df9608489727c7e

SHA1
e4f5edafe1c156f8f8f384c3ca7bac1593f1cb04

SHA256
04f6c621d38ebd00fb173eec6b3034a94032a918e352be4b5495b4131b425e9c

SHA512
bcc81668f095ab3eacd7f48edf845e79e925d0aca0b58b3353956dad7be456de98d60e915278de4ab73dd13dc07f3c8dc3c7618b36f02881e4ab6fca3a0f4b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1774567.exe

Filesize
174KB

MD5
8954efeab65c11155df9608489727c7e

SHA1
e4f5edafe1c156f8f8f384c3ca7bac1593f1cb04

SHA256
04f6c621d38ebd00fb173eec6b3034a94032a918e352be4b5495b4131b425e9c

SHA512
bcc81668f095ab3eacd7f48edf845e79e925d0aca0b58b3353956dad7be456de98d60e915278de4ab73dd13dc07f3c8dc3c7618b36f02881e4ab6fca3a0f4b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7322059.exe

Filesize
217KB

MD5
c6892207ba783495e8f6277235e98da7

SHA1
e1ab08809e45d1130c981d0cc09c37b085ac9ffb

SHA256
23f980b57030a7c94d92a15fe0157386e5618d33a82f061ce2cfae094a94f273

SHA512
2effc6f5846376f36f961f5197814079d4ae7854efad7b9b4fc8a3f411fbd4ff557389bd081fbf10c483ee0f4beb5772a3b3a9b0d5da7f30eab84a7cddd3e74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7322059.exe

Filesize
217KB

MD5
c6892207ba783495e8f6277235e98da7

SHA1
e1ab08809e45d1130c981d0cc09c37b085ac9ffb

SHA256
23f980b57030a7c94d92a15fe0157386e5618d33a82f061ce2cfae094a94f273

SHA512
2effc6f5846376f36f961f5197814079d4ae7854efad7b9b4fc8a3f411fbd4ff557389bd081fbf10c483ee0f4beb5772a3b3a9b0d5da7f30eab84a7cddd3e74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2836238.exe

Filesize
19KB

MD5
19f11edd972cde35d558b4df50a1c5d8

SHA1
b174275b7e78309304978acc0f3df5ebfea21c95

SHA256
c640f713394e9b2642e3a1b1b7d0d6233b8471a9d0047b9d0192eb64fae00a15

SHA512
15499cf2b64ed8b18ee530baaa21484be407a25e40b8aa4ac9798cccf9d2ed9e98e517e590c9cc45611d05e75d1ac618dd28cb65036ab35004be6a88e4d19b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2836238.exe

Filesize
19KB

MD5
19f11edd972cde35d558b4df50a1c5d8

SHA1
b174275b7e78309304978acc0f3df5ebfea21c95

SHA256
c640f713394e9b2642e3a1b1b7d0d6233b8471a9d0047b9d0192eb64fae00a15

SHA512
15499cf2b64ed8b18ee530baaa21484be407a25e40b8aa4ac9798cccf9d2ed9e98e517e590c9cc45611d05e75d1ac618dd28cb65036ab35004be6a88e4d19b88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3823907.exe

Filesize
140KB

MD5
ecd29d41290750d7bcc70437a13ce5ff

SHA1
7ca7176e3d949badf3e0056c88aadd66290e488f

SHA256
a417be0a0600fecb9a18ea217b53084f49124dba3df7d0a8eb79b70a4e991e22

SHA512
399e879bf0292df951f9d7e42577f6704bf1521d3a691b02185120f049d0af5e45979755115042155dc96eb4d2f0870c220f323a36f815aca6ae1ab4ba20cb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3823907.exe

Filesize
140KB

MD5
ecd29d41290750d7bcc70437a13ce5ff

SHA1
7ca7176e3d949badf3e0056c88aadd66290e488f

SHA256
a417be0a0600fecb9a18ea217b53084f49124dba3df7d0a8eb79b70a4e991e22

SHA512
399e879bf0292df951f9d7e42577f6704bf1521d3a691b02185120f049d0af5e45979755115042155dc96eb4d2f0870c220f323a36f815aca6ae1ab4ba20cb24

Download Submit
memory/2480-46-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2480-45-0x0000000000430000-0x0000000000460000-memory.dmp

Filesize
192KB

Download
memory/2480-47-0x000000000A880000-0x000000000AE98000-memory.dmp

Filesize
6.1MB

Download
memory/2480-48-0x000000000A3E0000-0x000000000A4EA000-memory.dmp

Filesize
1.0MB

Download
memory/2480-49-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/2480-50-0x000000000A320000-0x000000000A332000-memory.dmp

Filesize
72KB

Download
memory/2480-51-0x000000000A380000-0x000000000A3BC000-memory.dmp

Filesize
240KB

Download
memory/2480-52-0x0000000074A00000-0x00000000751B0000-memory.dmp

Filesize
7.7MB

Download
memory/2480-53-0x0000000004E90000-0x0000000004EA0000-memory.dmp

Filesize
64KB

Download
memory/4912-38-0x00007FFA61800000-0x00007FFA622C1000-memory.dmp

Filesize
10.8MB

Download
memory/4912-36-0x00007FFA61800000-0x00007FFA622C1000-memory.dmp

Filesize
10.8MB

Download
memory/4912-35-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

Filesize
40KB

Download