healer | 80aeb339921513c6df9bdf9cae6ef8ee31b435313294f7b797966040599ab4c3

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 11:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JC_80aeb339921513c6df9bdf9cae6ef8ee31b435313294f7b797966040599ab4c3.exe
Size

829KB
MD5

eda8d3fae2b34c9008a25863c69950f5
SHA1

83e700b7277929b07b5319f1002bc5e789bc21d6
SHA256

80aeb339921513c6df9bdf9cae6ef8ee31b435313294f7b797966040599ab4c3
SHA512

b1f840fb12f95e05a9d0e6d71d32ee34e0c7ddf5524beb9105fc3c2f9cf991fc96937bee3559736d56f1be541a5abac7d47eedc3eb5cee11843860314e0bb226
SSDEEP

12288:RMr9y90a2+VHlvV5pPCEaRxbNT6SleZfr6u4RsR++yxMi9MM5jCi9onN//M8HKvB:wy32G9ZqEYvYNViqy6i9MJiuN3ap

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023250-34.dat	healer
behavioral2/files/0x0007000000023250-33.dat	healer
behavioral2/memory/3604-35-0x0000000000C20000-0x0000000000C2A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9962696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9962696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9962696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9962696.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9962696.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9962696.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3792	v9558954.exe
4544	v1052935.exe
732	v1494727.exe
744	v1308060.exe
3604	a9962696.exe
768	b5073614.exe
4328	c1091389.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9962696.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JC_80aeb339921513c6df9bdf9cae6ef8ee31b435313294f7b797966040599ab4c3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9558954.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1052935.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1494727.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1308060.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3604	a9962696.exe
3604	a9962696.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	a9962696.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 3792	5024	JC_80aeb339921513c6df9bdf9cae6ef8ee31b435313294f7b797966040599ab4c3.exe	85
PID 5024 wrote to memory of 3792	5024	JC_80aeb339921513c6df9bdf9cae6ef8ee31b435313294f7b797966040599ab4c3.exe	85
PID 5024 wrote to memory of 3792	5024	JC_80aeb339921513c6df9bdf9cae6ef8ee31b435313294f7b797966040599ab4c3.exe	85
PID 3792 wrote to memory of 4544	3792	v9558954.exe	86
PID 3792 wrote to memory of 4544	3792	v9558954.exe	86
PID 3792 wrote to memory of 4544	3792	v9558954.exe	86
PID 4544 wrote to memory of 732	4544	v1052935.exe	87
PID 4544 wrote to memory of 732	4544	v1052935.exe	87
PID 4544 wrote to memory of 732	4544	v1052935.exe	87
PID 732 wrote to memory of 744	732	v1494727.exe	88
PID 732 wrote to memory of 744	732	v1494727.exe	88
PID 732 wrote to memory of 744	732	v1494727.exe	88
PID 744 wrote to memory of 3604	744	v1308060.exe	89
PID 744 wrote to memory of 3604	744	v1308060.exe	89
PID 744 wrote to memory of 768	744	v1308060.exe	92
PID 744 wrote to memory of 768	744	v1308060.exe	92
PID 744 wrote to memory of 768	744	v1308060.exe	92
PID 732 wrote to memory of 4328	732	v1494727.exe	93
PID 732 wrote to memory of 4328	732	v1494727.exe	93
PID 732 wrote to memory of 4328	732	v1494727.exe	93

C:\Users\Admin\AppData\Local\Temp\JC_80aeb339921513c6df9bdf9cae6ef8ee31b435313294f7b797966040599ab4c3.exe
"C:\Users\Admin\AppData\Local\Temp\JC_80aeb339921513c6df9bdf9cae6ef8ee31b435313294f7b797966040599ab4c3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9558954.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9558954.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1052935.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1052935.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1494727.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1494727.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:732
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1308060.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1308060.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:744
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9962696.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9962696.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5073614.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5073614.exe
        6⤵
        Executes dropped EXE
        
        PID:768
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1091389.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1091389.exe
        5⤵
        Executes dropped EXE
        
        PID:4328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9558954.exe

Filesize
723KB

MD5
746610c49253f186d3001d8ae08d6ea2

SHA1
26c4c21d923641ae880d163393fbe5ac3bc80b86

SHA256
fd4d9bcb128cae2d9098b7309d1a7b8426b5c64164a447f21634f213f755f852

SHA512
55ec6b1dbfcd3c21adde18c68a179833df01a2858391c3b7615e91ceb284963573a9d98e1ab948ac062b2fdea32ca1bcfaa1f1c4cd159320b1ae0a7c81868487

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9558954.exe

Filesize
723KB

MD5
746610c49253f186d3001d8ae08d6ea2

SHA1
26c4c21d923641ae880d163393fbe5ac3bc80b86

SHA256
fd4d9bcb128cae2d9098b7309d1a7b8426b5c64164a447f21634f213f755f852

SHA512
55ec6b1dbfcd3c21adde18c68a179833df01a2858391c3b7615e91ceb284963573a9d98e1ab948ac062b2fdea32ca1bcfaa1f1c4cd159320b1ae0a7c81868487

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1052935.exe

Filesize
498KB

MD5
5b6204b19acbf2e198eaf64a670ce3b6

SHA1
c8c4b7bb8182bdf45c2daa0b12f21c5abf3c1b53

SHA256
3060f911f8dcc564ecdc56b62b244342439be82141d5d283d704ac491a34a27b

SHA512
880ded7624d9288a0729a6b5ea2dc7a4ef634ce966dc84c46e9ac98c5579343cabb8b8e315b75e8959e6ab8f4f42a8fbb4aefc15c0c7c4b4c28911c31ad1f4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1052935.exe

Filesize
498KB

MD5
5b6204b19acbf2e198eaf64a670ce3b6

SHA1
c8c4b7bb8182bdf45c2daa0b12f21c5abf3c1b53

SHA256
3060f911f8dcc564ecdc56b62b244342439be82141d5d283d704ac491a34a27b

SHA512
880ded7624d9288a0729a6b5ea2dc7a4ef634ce966dc84c46e9ac98c5579343cabb8b8e315b75e8959e6ab8f4f42a8fbb4aefc15c0c7c4b4c28911c31ad1f4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1494727.exe

Filesize
373KB

MD5
731d70f1ced7570330d3b380bc3d3d56

SHA1
79df8e7eb9a0ea0818f5054dc00aa0859ff4aec4

SHA256
2036b36147635d8a522e1db2f2aeba3fdee188e61543954ef5613d98057c1a37

SHA512
bed5c7f89068f64846f239c19d7766b418534c2ab98535184fc28c4078603ba00b7324d46284c0db07503c63555b7e43f2119bd41ca64e8811d603bdce384156

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1494727.exe

Filesize
373KB

MD5
731d70f1ced7570330d3b380bc3d3d56

SHA1
79df8e7eb9a0ea0818f5054dc00aa0859ff4aec4

SHA256
2036b36147635d8a522e1db2f2aeba3fdee188e61543954ef5613d98057c1a37

SHA512
bed5c7f89068f64846f239c19d7766b418534c2ab98535184fc28c4078603ba00b7324d46284c0db07503c63555b7e43f2119bd41ca64e8811d603bdce384156

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1091389.exe

Filesize
174KB

MD5
435004f6f06fec49209cb676ee1bf4f7

SHA1
a5807e92b854ee64b3d0ce21c52942fcb7f25fbc

SHA256
8b1dfd69e4635f7d1a85b064d50f323efab0138a43b44a542e16e611512e5ffd

SHA512
35ed2d517ed961de54a7afc42dfd4585c4e2fb6e57def42ff373fa10e225419ce76afc79d0030fc207b756ed4518d22bea6267442e0134351cf0bd4f8009f268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c1091389.exe

Filesize
174KB

MD5
435004f6f06fec49209cb676ee1bf4f7

SHA1
a5807e92b854ee64b3d0ce21c52942fcb7f25fbc

SHA256
8b1dfd69e4635f7d1a85b064d50f323efab0138a43b44a542e16e611512e5ffd

SHA512
35ed2d517ed961de54a7afc42dfd4585c4e2fb6e57def42ff373fa10e225419ce76afc79d0030fc207b756ed4518d22bea6267442e0134351cf0bd4f8009f268

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1308060.exe

Filesize
217KB

MD5
a679bc282ee280a54b56aaa1d511a4a2

SHA1
d50272d67d55a1f797410975c62bc817e71fee4a

SHA256
7eeaae12fde5d4f9bf15a5ec94bbce2df4106b79b7804ec66b2f31a8e54e98c5

SHA512
7826cf04d6b95730209f1a434041a7ce24814f94f17b0b94677874bd4c2a92e5df07d3b961cb3fee08e649fceca9b489b6237924b899ad50f9b4aaf1810373fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1308060.exe

Filesize
217KB

MD5
a679bc282ee280a54b56aaa1d511a4a2

SHA1
d50272d67d55a1f797410975c62bc817e71fee4a

SHA256
7eeaae12fde5d4f9bf15a5ec94bbce2df4106b79b7804ec66b2f31a8e54e98c5

SHA512
7826cf04d6b95730209f1a434041a7ce24814f94f17b0b94677874bd4c2a92e5df07d3b961cb3fee08e649fceca9b489b6237924b899ad50f9b4aaf1810373fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9962696.exe

Filesize
19KB

MD5
d6ce7c6fdbfe24babb449e20f0da7ab7

SHA1
07ab3822986beb45d62dd7ac3e742c6f2ad5545b

SHA256
dbd711f7e598350db824f64a61a217d1378c5d255faa3ef06b3231c7e823cb46

SHA512
f6983c752d3688489c6d4cb8a4245381db9d68994c637de6a763df9556294b24cbb8bc9927a5b84454bd90805e28e9dc3888ba334b8fb7635e94a8a50dc75c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9962696.exe

Filesize
19KB

MD5
d6ce7c6fdbfe24babb449e20f0da7ab7

SHA1
07ab3822986beb45d62dd7ac3e742c6f2ad5545b

SHA256
dbd711f7e598350db824f64a61a217d1378c5d255faa3ef06b3231c7e823cb46

SHA512
f6983c752d3688489c6d4cb8a4245381db9d68994c637de6a763df9556294b24cbb8bc9927a5b84454bd90805e28e9dc3888ba334b8fb7635e94a8a50dc75c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5073614.exe

Filesize
140KB

MD5
aaed57265252729fe6891ba9d5254952

SHA1
daf0f1ee5f5db008d71f6178e98d8b5c3ff786ad

SHA256
d8caa4b53d51978a825c6af0f5b443503325021fc20e9b13f713780dafb7156d

SHA512
7d76d691d2c53ee972fef4187f9c6683669195d2a643f35387647821887a0c8e84ae76964be890315868aeb33228c81ac9d80704a24f0eaa01919f5cc88d7f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5073614.exe

Filesize
140KB

MD5
aaed57265252729fe6891ba9d5254952

SHA1
daf0f1ee5f5db008d71f6178e98d8b5c3ff786ad

SHA256
d8caa4b53d51978a825c6af0f5b443503325021fc20e9b13f713780dafb7156d

SHA512
7d76d691d2c53ee972fef4187f9c6683669195d2a643f35387647821887a0c8e84ae76964be890315868aeb33228c81ac9d80704a24f0eaa01919f5cc88d7f33

Download Submit
memory/3604-38-0x00007FFF0BC40000-0x00007FFF0C701000-memory.dmp

Filesize
10.8MB

Download
memory/3604-36-0x00007FFF0BC40000-0x00007FFF0C701000-memory.dmp

Filesize
10.8MB

Download
memory/3604-35-0x0000000000C20000-0x0000000000C2A000-memory.dmp

Filesize
40KB

Download
memory/4328-45-0x0000000000B30000-0x0000000000B60000-memory.dmp

Filesize
192KB

Download
memory/4328-46-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4328-47-0x000000000B030000-0x000000000B648000-memory.dmp

Filesize
6.1MB

Download
memory/4328-48-0x000000000AB20000-0x000000000AC2A000-memory.dmp

Filesize
1.0MB

Download
memory/4328-50-0x000000000AA30000-0x000000000AA42000-memory.dmp

Filesize
72KB

Download
memory/4328-49-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download
memory/4328-51-0x000000000AA90000-0x000000000AACC000-memory.dmp

Filesize
240KB

Download
memory/4328-52-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/4328-53-0x0000000005580000-0x0000000005590000-memory.dmp

Filesize
64KB

Download