healer | 3a4566bfb4bd01d45e557e2fd57c882f23104b285345f544a3f86fb65eebd6e8

Analysis

max time kernel
139s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a4566bfb4bd01d45e557e2fd57c882f23104b285345f544a3f86fb65eebd6e8.exe
Size

828KB
MD5

20b854fb97a6826a9357b527e87bccf3
SHA1

8882a025adf9f08b522dca4579f4dd695324c0ab
SHA256

3a4566bfb4bd01d45e557e2fd57c882f23104b285345f544a3f86fb65eebd6e8
SHA512

c3e8e3feea92d53195523d2955066a4bcbfb2f39904f5e1e466c6fdc12506180019ff51b1a8ec007450b45a0ad731412fa261eecd58c70afc81979b9462ff048
SSDEEP

24576:KyumXjnQeLTfAEbStgwYhgxo/wPaGRNbSze+JLwP:Ru8jQeLLAR62xNaGRNb

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000232ac-34.dat	healer
behavioral1/files/0x00070000000232ac-35.dat	healer
behavioral1/memory/3068-40-0x0000000000130000-0x000000000013A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0632739.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0632739.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0632739.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0632739.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0632739.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0632739.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
680	v0414750.exe
5072	v1242281.exe
4224	v2912844.exe
1976	v7613723.exe
3068	a0632739.exe
3092	b9007586.exe
3520	c1751059.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0632739.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v7613723.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a4566bfb4bd01d45e557e2fd57c882f23104b285345f544a3f86fb65eebd6e8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0414750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1242281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2912844.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{0D39A205-E409-41F5-9E74-1561159E356B}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3068	a0632739.exe
3068	a0632739.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	a0632739.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 680	5112	3a4566bfb4bd01d45e557e2fd57c882f23104b285345f544a3f86fb65eebd6e8.exe	85
PID 5112 wrote to memory of 680	5112	3a4566bfb4bd01d45e557e2fd57c882f23104b285345f544a3f86fb65eebd6e8.exe	85
PID 5112 wrote to memory of 680	5112	3a4566bfb4bd01d45e557e2fd57c882f23104b285345f544a3f86fb65eebd6e8.exe	85
PID 680 wrote to memory of 5072	680	v0414750.exe	87
PID 680 wrote to memory of 5072	680	v0414750.exe	87
PID 680 wrote to memory of 5072	680	v0414750.exe	87
PID 5072 wrote to memory of 4224	5072	v1242281.exe	88
PID 5072 wrote to memory of 4224	5072	v1242281.exe	88
PID 5072 wrote to memory of 4224	5072	v1242281.exe	88
PID 4224 wrote to memory of 1976	4224	v2912844.exe	89
PID 4224 wrote to memory of 1976	4224	v2912844.exe	89
PID 4224 wrote to memory of 1976	4224	v2912844.exe	89
PID 1976 wrote to memory of 3068	1976	v7613723.exe	90
PID 1976 wrote to memory of 3068	1976	v7613723.exe	90
PID 1976 wrote to memory of 3092	1976	v7613723.exe	92
PID 1976 wrote to memory of 3092	1976	v7613723.exe	92
PID 1976 wrote to memory of 3092	1976	v7613723.exe	92
PID 4224 wrote to memory of 3520	4224	v2912844.exe	93
PID 4224 wrote to memory of 3520	4224	v2912844.exe	93
PID 4224 wrote to memory of 3520	4224	v2912844.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3088

C:\Users\Admin\AppData\Local\Temp\3a4566bfb4bd01d45e557e2fd57c882f23104b285345f544a3f86fb65eebd6e8.exe
"C:\Users\Admin\AppData\Local\Temp\3a4566bfb4bd01d45e557e2fd57c882f23104b285345f544a3f86fb65eebd6e8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0414750.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0414750.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1242281.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1242281.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2912844.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2912844.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7613723.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7613723.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1976
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0632739.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0632739.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9007586.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9007586.exe
        6⤵
        Executes dropped EXE
        
        PID:3092
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1751059.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1751059.exe
        5⤵
        Executes dropped EXE
        
        PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0414750.exe

Filesize
722KB

MD5
0c517954df297062d9b473a7cbfe6c7d

SHA1
a2319e398b00352d229c69ceb91426143210971c

SHA256
aef1339610b8130d726455c646542b6eaf12966204078ffc7a29ac70d1623d24

SHA512
157489cbf21adeabd9027cc51dcd1c63aa0c7f64a121713e728965db693f189662d57bfffda1a4aa175e449aa348cc296ff0368ab331c1a317f55ff9e50783e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0414750.exe

Filesize
722KB

MD5
0c517954df297062d9b473a7cbfe6c7d

SHA1
a2319e398b00352d229c69ceb91426143210971c

SHA256
aef1339610b8130d726455c646542b6eaf12966204078ffc7a29ac70d1623d24

SHA512
157489cbf21adeabd9027cc51dcd1c63aa0c7f64a121713e728965db693f189662d57bfffda1a4aa175e449aa348cc296ff0368ab331c1a317f55ff9e50783e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1242281.exe

Filesize
497KB

MD5
0b6722d1a65d87a74afee771ad8c63cf

SHA1
fbeebef7c4eae389b909bd732084ae4242d7f1e7

SHA256
52866c92cb95a55f6ace176e61879443d5da7809629b465138dba9d92b7066bc

SHA512
4db2351b5a71485154d9718e4c458823c4b3b96a1b9fa8ff4fb8770d9e500bce9fa7458b6baa30c7f86668c8701fdaa7e2077b92fd40f94c2843bf164310aa5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1242281.exe

Filesize
497KB

MD5
0b6722d1a65d87a74afee771ad8c63cf

SHA1
fbeebef7c4eae389b909bd732084ae4242d7f1e7

SHA256
52866c92cb95a55f6ace176e61879443d5da7809629b465138dba9d92b7066bc

SHA512
4db2351b5a71485154d9718e4c458823c4b3b96a1b9fa8ff4fb8770d9e500bce9fa7458b6baa30c7f86668c8701fdaa7e2077b92fd40f94c2843bf164310aa5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2912844.exe

Filesize
372KB

MD5
be7eea4ab12ffc9a62180902a6aad86e

SHA1
cd1fa95fcba8702a7cf960be391a58d75cf7e336

SHA256
b32ccf7c68d6891035d8303a656d4c82b3b96f03d84059e5cfa76634c03981a5

SHA512
d794be1fd97416f1ee1c244d56dfcd464ee754983dded9de2ed470feb9e3c9d590d5efbf54cb5ecbf3ea0a7e521e2fd93a221935940f70829a30acec348eca71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2912844.exe

Filesize
372KB

MD5
be7eea4ab12ffc9a62180902a6aad86e

SHA1
cd1fa95fcba8702a7cf960be391a58d75cf7e336

SHA256
b32ccf7c68d6891035d8303a656d4c82b3b96f03d84059e5cfa76634c03981a5

SHA512
d794be1fd97416f1ee1c244d56dfcd464ee754983dded9de2ed470feb9e3c9d590d5efbf54cb5ecbf3ea0a7e521e2fd93a221935940f70829a30acec348eca71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1751059.exe

Filesize
174KB

MD5
ae228f2bafbc9cbbb8ea66646ff24742

SHA1
f009ea30422dd9f666461130d12f55bcbb617332

SHA256
988fbd178c70d6bfcfa09a62f1b334e7357e57f84e697c2a8fd7dd44ead0da8b

SHA512
c72cf517ff0a7f87e5597ffac98c661dcab3db7ce161a7f57cfa0063436f7a88eeda7a628fd4fef6e45fb0e2b36a2509bce8caf9c766922a799e0b111783e28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1751059.exe

Filesize
174KB

MD5
ae228f2bafbc9cbbb8ea66646ff24742

SHA1
f009ea30422dd9f666461130d12f55bcbb617332

SHA256
988fbd178c70d6bfcfa09a62f1b334e7357e57f84e697c2a8fd7dd44ead0da8b

SHA512
c72cf517ff0a7f87e5597ffac98c661dcab3db7ce161a7f57cfa0063436f7a88eeda7a628fd4fef6e45fb0e2b36a2509bce8caf9c766922a799e0b111783e28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7613723.exe

Filesize
217KB

MD5
498ff5dd4e5753739c6c7655c59cf0bc

SHA1
26782433a7aca7894685f37a3d2b2b62171807e0

SHA256
35d5473b94e015715c0f05d01c40a70987c0a9fcec8a3b69dc0a1201f0410c01

SHA512
f459204c2b61087855e93b488f5af860706106ba226408706320173820a975d1aac7b290909d21470bd9ac2d37dc8b797485476a396b0a1c646a931098a8edf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7613723.exe

Filesize
217KB

MD5
498ff5dd4e5753739c6c7655c59cf0bc

SHA1
26782433a7aca7894685f37a3d2b2b62171807e0

SHA256
35d5473b94e015715c0f05d01c40a70987c0a9fcec8a3b69dc0a1201f0410c01

SHA512
f459204c2b61087855e93b488f5af860706106ba226408706320173820a975d1aac7b290909d21470bd9ac2d37dc8b797485476a396b0a1c646a931098a8edf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0632739.exe

Filesize
20KB

MD5
88aaa6517be585a9423c92ba4ab5b9b8

SHA1
1fcca46957fe0028ec5039e21fc92171ffab108f

SHA256
c6e6b7236c606e1c358e597cf77d01a1f5daadf0eab1326a8b08fd112074fdd8

SHA512
eab6d00b8ffbe07aa9baf0be3e35022bcf555f33734152e62058e8f7688fa156ca4671e8667cc6416c3c1e12cc62bc9f710831e9a3b586ccccdeef7d4ec5a9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0632739.exe

Filesize
20KB

MD5
88aaa6517be585a9423c92ba4ab5b9b8

SHA1
1fcca46957fe0028ec5039e21fc92171ffab108f

SHA256
c6e6b7236c606e1c358e597cf77d01a1f5daadf0eab1326a8b08fd112074fdd8

SHA512
eab6d00b8ffbe07aa9baf0be3e35022bcf555f33734152e62058e8f7688fa156ca4671e8667cc6416c3c1e12cc62bc9f710831e9a3b586ccccdeef7d4ec5a9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9007586.exe

Filesize
140KB

MD5
4235e5b242718a9e2b2fc08082fc891c

SHA1
770afba7e6215e5147bfe51908199faa6dae6799

SHA256
ad1188bd2b6903e4905883fa75ce747ab8e2b7dcc787a6590e6be986a3c4adb2

SHA512
baa9d2357f7f66e8ca409cf7fe0323596fe64cdc931b6876b804246381a5db4d60d6ebff7ce982782f37322909da1501210c7e826a49b127f0044a3b8a3170f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9007586.exe

Filesize
140KB

MD5
4235e5b242718a9e2b2fc08082fc891c

SHA1
770afba7e6215e5147bfe51908199faa6dae6799

SHA256
ad1188bd2b6903e4905883fa75ce747ab8e2b7dcc787a6590e6be986a3c4adb2

SHA512
baa9d2357f7f66e8ca409cf7fe0323596fe64cdc931b6876b804246381a5db4d60d6ebff7ce982782f37322909da1501210c7e826a49b127f0044a3b8a3170f0

Download Submit
memory/3068-45-0x00007FF999600000-0x00007FF99A0C1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-43-0x00007FF999600000-0x00007FF99A0C1000-memory.dmp

Filesize
10.8MB

Download
memory/3068-40-0x0000000000130000-0x000000000013A000-memory.dmp

Filesize
40KB

Download
memory/3520-52-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/3520-53-0x0000000000EC0000-0x0000000000EF0000-memory.dmp

Filesize
192KB

Download
memory/3520-54-0x000000000B200000-0x000000000B818000-memory.dmp

Filesize
6.1MB

Download
memory/3520-55-0x000000000AD30000-0x000000000AE3A000-memory.dmp

Filesize
1.0MB

Download
memory/3520-56-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download
memory/3520-57-0x000000000AC70000-0x000000000AC82000-memory.dmp

Filesize
72KB

Download
memory/3520-58-0x000000000ACD0000-0x000000000AD0C000-memory.dmp

Filesize
240KB

Download
memory/3520-59-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/3520-60-0x0000000005850000-0x0000000005860000-memory.dmp

Filesize
64KB

Download