healer | a9a1ce32e9ea314a5b78ab6f119cde9331b7b77e13b205ef50050eb298c5ac94

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_a9a1ce32e9ea314a5b78ab6f119cde9331b7b77e13b205ef50050eb298c5ac94.exe
Size

829KB
MD5

66fd8603446bca9eac3c199c2cb75540
SHA1

e6ab59135af3a8cbcdad32357085d132d0d40339
SHA256

a9a1ce32e9ea314a5b78ab6f119cde9331b7b77e13b205ef50050eb298c5ac94
SHA512

9d97aada3d05d01c2ecdb2ad2e2828f674d74de26c1edfe9a1c7961b2a3619566c8e92213ae7cac4ce7a51f0ed192074d320fc0a619e88d8096240a299330a23
SSDEEP

12288:uMrdy90Lq2eBlXwW/f53iLY8gygcSrMRRy5NO4n4mVH2fa8c4XHnyl8tdi2l/87:7ycG9w6f1T8g3MLy5NPpvQ1tdi2lO

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231c9-33.dat	healer
behavioral2/files/0x00080000000231c9-34.dat	healer
behavioral2/memory/3932-35-0x0000000000D50000-0x0000000000D5A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9536726.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9536726.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9536726.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9536726.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9536726.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9536726.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
760	v4900640.exe
4136	v1567689.exe
4492	v7024962.exe
4676	v8732552.exe
3932	a9536726.exe
5016	b1655094.exe
232	c4959001.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9536726.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4900640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1567689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7024962.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8732552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JC_a9a1ce32e9ea314a5b78ab6f119cde9331b7b77e13b205ef50050eb298c5ac94.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3932	a9536726.exe
3932	a9536726.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3932	a9536726.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 908 wrote to memory of 760	908	JC_a9a1ce32e9ea314a5b78ab6f119cde9331b7b77e13b205ef50050eb298c5ac94.exe	85
PID 908 wrote to memory of 760	908	JC_a9a1ce32e9ea314a5b78ab6f119cde9331b7b77e13b205ef50050eb298c5ac94.exe	85
PID 908 wrote to memory of 760	908	JC_a9a1ce32e9ea314a5b78ab6f119cde9331b7b77e13b205ef50050eb298c5ac94.exe	85
PID 760 wrote to memory of 4136	760	v4900640.exe	86
PID 760 wrote to memory of 4136	760	v4900640.exe	86
PID 760 wrote to memory of 4136	760	v4900640.exe	86
PID 4136 wrote to memory of 4492	4136	v1567689.exe	87
PID 4136 wrote to memory of 4492	4136	v1567689.exe	87
PID 4136 wrote to memory of 4492	4136	v1567689.exe	87
PID 4492 wrote to memory of 4676	4492	v7024962.exe	88
PID 4492 wrote to memory of 4676	4492	v7024962.exe	88
PID 4492 wrote to memory of 4676	4492	v7024962.exe	88
PID 4676 wrote to memory of 3932	4676	v8732552.exe	89
PID 4676 wrote to memory of 3932	4676	v8732552.exe	89
PID 4676 wrote to memory of 5016	4676	v8732552.exe	90
PID 4676 wrote to memory of 5016	4676	v8732552.exe	90
PID 4676 wrote to memory of 5016	4676	v8732552.exe	90
PID 4492 wrote to memory of 232	4492	v7024962.exe	91
PID 4492 wrote to memory of 232	4492	v7024962.exe	91
PID 4492 wrote to memory of 232	4492	v7024962.exe	91

C:\Users\Admin\AppData\Local\Temp\JC_a9a1ce32e9ea314a5b78ab6f119cde9331b7b77e13b205ef50050eb298c5ac94.exe
"C:\Users\Admin\AppData\Local\Temp\JC_a9a1ce32e9ea314a5b78ab6f119cde9331b7b77e13b205ef50050eb298c5ac94.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:908
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4900640.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4900640.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1567689.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1567689.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7024962.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7024962.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8732552.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8732552.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9536726.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9536726.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1655094.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1655094.exe
        6⤵
        Executes dropped EXE
        
        PID:5016
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4959001.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4959001.exe
        5⤵
        Executes dropped EXE
        
        PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4900640.exe

Filesize
724KB

MD5
95ee580491b88f3b93a2264b3a842e12

SHA1
95f1df3253a782c9cef6d2c808a0865dc643b7f7

SHA256
caa2ff8476983f8cea1b9a0838552c9fa6c23fd0c8492a8bec54dc9abbdae07a

SHA512
0a63dde14cda7e6fab8abd135cee96fdd4c3a35c3fb3de9f92100c91f91b41d047d52977610f306d34771e2e1cfd9c7b210f0688232368c72d1379a629a50904

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4900640.exe

Filesize
724KB

MD5
95ee580491b88f3b93a2264b3a842e12

SHA1
95f1df3253a782c9cef6d2c808a0865dc643b7f7

SHA256
caa2ff8476983f8cea1b9a0838552c9fa6c23fd0c8492a8bec54dc9abbdae07a

SHA512
0a63dde14cda7e6fab8abd135cee96fdd4c3a35c3fb3de9f92100c91f91b41d047d52977610f306d34771e2e1cfd9c7b210f0688232368c72d1379a629a50904

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1567689.exe

Filesize
498KB

MD5
2fc39bb15070ac52e31af1d59687d523

SHA1
4d6ec26005554d79ce34492d70df52e799090bc3

SHA256
33334a956c81992b59a01e051a16e93339382c7f04978d1cb3e833b83f214e1b

SHA512
e717b76414583c82b94a18a921526b0c655ff607b3407d97e2510b5bd898c2681d7aeace1a31b6948f006b68270364005be66bc5da841ab3967fed9072b27c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1567689.exe

Filesize
498KB

MD5
2fc39bb15070ac52e31af1d59687d523

SHA1
4d6ec26005554d79ce34492d70df52e799090bc3

SHA256
33334a956c81992b59a01e051a16e93339382c7f04978d1cb3e833b83f214e1b

SHA512
e717b76414583c82b94a18a921526b0c655ff607b3407d97e2510b5bd898c2681d7aeace1a31b6948f006b68270364005be66bc5da841ab3967fed9072b27c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7024962.exe

Filesize
373KB

MD5
54ba2df68673d589033a18b4d1865c6a

SHA1
abf75e5426007f51ea4a4f04d56fa4073c8dfa17

SHA256
ccae280a2dc9d7d6c036808aae1e4db687ffff8edca0a8ee2a7da178487b3c55

SHA512
3d3998d31dd1de926ac1a3b46ffc02baf8cb9ae3cc37f6dba7a38d1636753b86bb29ba38377290bba07609356fc72bb475edb41f38309d56094fff4acd471993

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7024962.exe

Filesize
373KB

MD5
54ba2df68673d589033a18b4d1865c6a

SHA1
abf75e5426007f51ea4a4f04d56fa4073c8dfa17

SHA256
ccae280a2dc9d7d6c036808aae1e4db687ffff8edca0a8ee2a7da178487b3c55

SHA512
3d3998d31dd1de926ac1a3b46ffc02baf8cb9ae3cc37f6dba7a38d1636753b86bb29ba38377290bba07609356fc72bb475edb41f38309d56094fff4acd471993

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4959001.exe

Filesize
174KB

MD5
8032377a85a0272db65eb914c0f9429a

SHA1
7666ca27983944d6082b86b5da98983a39edd8f8

SHA256
6cf7ce6e96b8c9664126c2795230ede9bdda2ca1c2059523cf8049cc9baa291c

SHA512
1175f45e95d0eecc95423a6349803635c36b640158d688eba0bd04ca21b02d28c49d27fc98f4c645151abd057a0f43b8a39d89cc54a61df0da98c845b654b1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4959001.exe

Filesize
174KB

MD5
8032377a85a0272db65eb914c0f9429a

SHA1
7666ca27983944d6082b86b5da98983a39edd8f8

SHA256
6cf7ce6e96b8c9664126c2795230ede9bdda2ca1c2059523cf8049cc9baa291c

SHA512
1175f45e95d0eecc95423a6349803635c36b640158d688eba0bd04ca21b02d28c49d27fc98f4c645151abd057a0f43b8a39d89cc54a61df0da98c845b654b1d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8732552.exe

Filesize
217KB

MD5
d1d2ee1ee17d5136b79e7231e0e9efdc

SHA1
bd716378f72993f6e3852f098dddfe44aae8aedb

SHA256
d74afa8303df1bcdb034ccce9dacdd2cb819c8e24f454003601249a22155ee05

SHA512
63ef13a1eb5c22d35d6e89a19ba35f0b5e119d11025d140e674ab5d5a5b5787e334ba60fcc1484d7497059626eed5eb8cf4008b33b03004f81e45dc45b542599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8732552.exe

Filesize
217KB

MD5
d1d2ee1ee17d5136b79e7231e0e9efdc

SHA1
bd716378f72993f6e3852f098dddfe44aae8aedb

SHA256
d74afa8303df1bcdb034ccce9dacdd2cb819c8e24f454003601249a22155ee05

SHA512
63ef13a1eb5c22d35d6e89a19ba35f0b5e119d11025d140e674ab5d5a5b5787e334ba60fcc1484d7497059626eed5eb8cf4008b33b03004f81e45dc45b542599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9536726.exe

Filesize
19KB

MD5
34abdebf802bc8e18b04062fd342061f

SHA1
899d66d14eece6fc2ec590473779c59c1cbb86e4

SHA256
6cd3dfd54d7af5fe031ccb76ae9d2e88bfa48ac30a28645cd9bca9f432a6219e

SHA512
8438ee562e55f6b9ab6af75f55f20d53285067f14e7246c3df57e82cfda4259e2b30cc7b8bc080c5beff917a335fa8c924ed8f34c11d528a54d5437e91fa37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9536726.exe

Filesize
19KB

MD5
34abdebf802bc8e18b04062fd342061f

SHA1
899d66d14eece6fc2ec590473779c59c1cbb86e4

SHA256
6cd3dfd54d7af5fe031ccb76ae9d2e88bfa48ac30a28645cd9bca9f432a6219e

SHA512
8438ee562e55f6b9ab6af75f55f20d53285067f14e7246c3df57e82cfda4259e2b30cc7b8bc080c5beff917a335fa8c924ed8f34c11d528a54d5437e91fa37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1655094.exe

Filesize
140KB

MD5
3019cdfc20c05fa7db42fea0b5709607

SHA1
b11b297de0ba6055ba304814472953cd80b74dba

SHA256
3c1feaf914eb673e985be551769cfd8da6538bec30daf8ddf2723c69e6b8c8be

SHA512
066407d89c5239bab3ba79fb85593b4a8041ca8786645f15077e32ac7dd2718e13b29024f02fc34bb94cc4fa2b169c717c28b8cb120ba82c9fd38edd95947979

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1655094.exe

Filesize
140KB

MD5
3019cdfc20c05fa7db42fea0b5709607

SHA1
b11b297de0ba6055ba304814472953cd80b74dba

SHA256
3c1feaf914eb673e985be551769cfd8da6538bec30daf8ddf2723c69e6b8c8be

SHA512
066407d89c5239bab3ba79fb85593b4a8041ca8786645f15077e32ac7dd2718e13b29024f02fc34bb94cc4fa2b169c717c28b8cb120ba82c9fd38edd95947979

Download Submit
memory/232-46-0x0000000073E70000-0x0000000074620000-memory.dmp

Filesize
7.7MB

Download
memory/232-45-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download
memory/232-47-0x000000000AE50000-0x000000000B468000-memory.dmp

Filesize
6.1MB

Download
memory/232-48-0x000000000A970000-0x000000000AA7A000-memory.dmp

Filesize
1.0MB

Download
memory/232-50-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/232-49-0x000000000A8B0000-0x000000000A8C2000-memory.dmp

Filesize
72KB

Download
memory/232-51-0x000000000A910000-0x000000000A94C000-memory.dmp

Filesize
240KB

Download
memory/232-52-0x0000000073E70000-0x0000000074620000-memory.dmp

Filesize
7.7MB

Download
memory/232-53-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3932-38-0x00007FFF12B90000-0x00007FFF13651000-memory.dmp

Filesize
10.8MB

Download
memory/3932-36-0x00007FFF12B90000-0x00007FFF13651000-memory.dmp

Filesize
10.8MB

Download
memory/3932-35-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download