healer | c32942e638646854d0d3a9373b3e592be13459c8533dc6662c65f2f2555f50e5

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2023 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c32942e638646854d0d3a9373b3e592be13459c8533dc6662c65f2f2555f50e5_JC.exe
Size

828KB
MD5

91deae4211c478675cc3d5de23bba12a
SHA1

dba18ace0166a8a6b6edb2849fc8527149753710
SHA256

c32942e638646854d0d3a9373b3e592be13459c8533dc6662c65f2f2555f50e5
SHA512

72de786be187fda522896a4afa96b7505d27727976e88a04224d0cf35dbf30f840c13e420c824d94cf1508705be5cb925458109fc77e78489a7e5855ed3668fa
SSDEEP

12288:KMrOy90VympjymDi3R5uluUMmaAPawHADdwwE4NWTKbTa4ZM5DJgI00:syDI+mDi5ul7MZiAdBEPTIal9vZ

Score

10^/10

healer redline jang dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

jang

77.91.124.82:19071

Attributes

auth_value
662102010afcbe9e22b13116b1c1a088

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x000700000002324f-33.dat	healer
behavioral2/files/0x000700000002324f-34.dat	healer
behavioral2/memory/4736-35-0x0000000000880000-0x000000000088A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a4801457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4801457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4801457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4801457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4801457.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4801457.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1412	v7795964.exe
4768	v3186335.exe
4052	v6219541.exe
4448	v1806195.exe
4736	a4801457.exe
3740	b3868682.exe
1876	c9950690.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4801457.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c32942e638646854d0d3a9373b3e592be13459c8533dc6662c65f2f2555f50e5_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7795964.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3186335.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6219541.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1806195.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4736	a4801457.exe
4736	a4801457.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4736	a4801457.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 1412	2448	c32942e638646854d0d3a9373b3e592be13459c8533dc6662c65f2f2555f50e5_JC.exe	85
PID 2448 wrote to memory of 1412	2448	c32942e638646854d0d3a9373b3e592be13459c8533dc6662c65f2f2555f50e5_JC.exe	85
PID 2448 wrote to memory of 1412	2448	c32942e638646854d0d3a9373b3e592be13459c8533dc6662c65f2f2555f50e5_JC.exe	85
PID 1412 wrote to memory of 4768	1412	v7795964.exe	86
PID 1412 wrote to memory of 4768	1412	v7795964.exe	86
PID 1412 wrote to memory of 4768	1412	v7795964.exe	86
PID 4768 wrote to memory of 4052	4768	v3186335.exe	87
PID 4768 wrote to memory of 4052	4768	v3186335.exe	87
PID 4768 wrote to memory of 4052	4768	v3186335.exe	87
PID 4052 wrote to memory of 4448	4052	v6219541.exe	88
PID 4052 wrote to memory of 4448	4052	v6219541.exe	88
PID 4052 wrote to memory of 4448	4052	v6219541.exe	88
PID 4448 wrote to memory of 4736	4448	v1806195.exe	89
PID 4448 wrote to memory of 4736	4448	v1806195.exe	89
PID 4448 wrote to memory of 3740	4448	v1806195.exe	92
PID 4448 wrote to memory of 3740	4448	v1806195.exe	92
PID 4448 wrote to memory of 3740	4448	v1806195.exe	92
PID 4052 wrote to memory of 1876	4052	v6219541.exe	93
PID 4052 wrote to memory of 1876	4052	v6219541.exe	93
PID 4052 wrote to memory of 1876	4052	v6219541.exe	93

C:\Users\Admin\AppData\Local\Temp\c32942e638646854d0d3a9373b3e592be13459c8533dc6662c65f2f2555f50e5_JC.exe
"C:\Users\Admin\AppData\Local\Temp\c32942e638646854d0d3a9373b3e592be13459c8533dc6662c65f2f2555f50e5_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7795964.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7795964.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3186335.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3186335.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6219541.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6219541.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4052
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1806195.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1806195.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4448
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4801457.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4801457.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3868682.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3868682.exe
        6⤵
        Executes dropped EXE
        
        PID:3740
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9950690.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9950690.exe
        5⤵
        Executes dropped EXE
        
        PID:1876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7795964.exe

Filesize
723KB

MD5
65e97755576c402ab2867c3e6a000537

SHA1
1e2e51a52797f8e813d137339ad0b3e161d0164c

SHA256
842d93ab44f49297270ab7e48df78f470ebbe2e5c83bdd531aa43b10187133b1

SHA512
9a1a86132b06d9762f86097ca42ab2921a96e27be8cd6e8a86e4c707192baff65fb867eb36b71c1ab563f1e92ac85251cbb3d93a8ed4b793150d1d557b5cb110

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7795964.exe

Filesize
723KB

MD5
65e97755576c402ab2867c3e6a000537

SHA1
1e2e51a52797f8e813d137339ad0b3e161d0164c

SHA256
842d93ab44f49297270ab7e48df78f470ebbe2e5c83bdd531aa43b10187133b1

SHA512
9a1a86132b06d9762f86097ca42ab2921a96e27be8cd6e8a86e4c707192baff65fb867eb36b71c1ab563f1e92ac85251cbb3d93a8ed4b793150d1d557b5cb110

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3186335.exe

Filesize
497KB

MD5
2b3de9801c0f2ea691bc69928e1ac448

SHA1
2fa2c9b6909a80464404eac79498220f7cd064c5

SHA256
dcf33d2ac71aaf2072212384127d41c765172de7d58ec4e93fb1e46a42c6eedc

SHA512
7bc04cdc45d4b37ff00acd226a0e99e0b1c12327e56731bf590bb41749ee9c71af2a6f92100850cc6c6b4a7dca1f7bc869ee4eef7ba2025e820cdb1de2071347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3186335.exe

Filesize
497KB

MD5
2b3de9801c0f2ea691bc69928e1ac448

SHA1
2fa2c9b6909a80464404eac79498220f7cd064c5

SHA256
dcf33d2ac71aaf2072212384127d41c765172de7d58ec4e93fb1e46a42c6eedc

SHA512
7bc04cdc45d4b37ff00acd226a0e99e0b1c12327e56731bf590bb41749ee9c71af2a6f92100850cc6c6b4a7dca1f7bc869ee4eef7ba2025e820cdb1de2071347

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6219541.exe

Filesize
372KB

MD5
75720efc209e530f03ceb487103d57c5

SHA1
a7ef63d8c032ae8c37dd842724fec62656d7df2c

SHA256
389eb9793f1fdbc6459041eb98901edb688e813c7d188695ae38f6c9efdaa1a8

SHA512
d3e19580c4d92b162827bd543ca214ee984903e771700a11b663fe01fc6192535bc0cfbe34462707a3a36cfbe46745daeb6f5f6bd0da38cb67f22345e4279cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6219541.exe

Filesize
372KB

MD5
75720efc209e530f03ceb487103d57c5

SHA1
a7ef63d8c032ae8c37dd842724fec62656d7df2c

SHA256
389eb9793f1fdbc6459041eb98901edb688e813c7d188695ae38f6c9efdaa1a8

SHA512
d3e19580c4d92b162827bd543ca214ee984903e771700a11b663fe01fc6192535bc0cfbe34462707a3a36cfbe46745daeb6f5f6bd0da38cb67f22345e4279cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9950690.exe

Filesize
174KB

MD5
66b6b3f685f54a6292d5c1b72829083c

SHA1
342b6b6426feee0ccf487f3a56431de018d36ed5

SHA256
b3fea3d669d954b1ca24a79b945ac970dc89e9adde39342ed580adcda4ad0313

SHA512
a4edb1f5bddbdaba6f4173222a44497515552f35e64a79e5b48e9e4769ab4f3504944c27c98da563d55c8bda40840b0714de631ff24a61e1de4b1efc9788534b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9950690.exe

Filesize
174KB

MD5
66b6b3f685f54a6292d5c1b72829083c

SHA1
342b6b6426feee0ccf487f3a56431de018d36ed5

SHA256
b3fea3d669d954b1ca24a79b945ac970dc89e9adde39342ed580adcda4ad0313

SHA512
a4edb1f5bddbdaba6f4173222a44497515552f35e64a79e5b48e9e4769ab4f3504944c27c98da563d55c8bda40840b0714de631ff24a61e1de4b1efc9788534b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1806195.exe

Filesize
217KB

MD5
076a9b3108904155f7a97f51ded2717b

SHA1
f2c18ff691065ea1ec315d2513ce4f7ad171822e

SHA256
00814cf7cc86ad91726b2653d6d161fcfdb1c0f0a5b1b2687f35dccde0909efd

SHA512
b19d02884b5f7c3ffe6bb2323ff5c0770ce9d95f5f6432b0ceac72971b88cbc2e7e572b729f7ffd6d7a1731efeb909f269c89d729145975816974dcf45dcf9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1806195.exe

Filesize
217KB

MD5
076a9b3108904155f7a97f51ded2717b

SHA1
f2c18ff691065ea1ec315d2513ce4f7ad171822e

SHA256
00814cf7cc86ad91726b2653d6d161fcfdb1c0f0a5b1b2687f35dccde0909efd

SHA512
b19d02884b5f7c3ffe6bb2323ff5c0770ce9d95f5f6432b0ceac72971b88cbc2e7e572b729f7ffd6d7a1731efeb909f269c89d729145975816974dcf45dcf9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4801457.exe

Filesize
19KB

MD5
755c2c97e071aeedc69bd5735f013ab5

SHA1
4bbc7dfd154958f8f8ebcdf2c38ea1d8024484a4

SHA256
b671364d3b8e2ae8e213fcf4aad7053249ecbcada353da0002b3fdc722a24a35

SHA512
0d0a0aa0e17f1e670f9fa3e8c8d9c29fa1f7ea657a98fa27da4b89e279363e2dbec428f9be9111e67790e63c8cec0a7f2ca02142b078a6de2f422fd9473d29b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4801457.exe

Filesize
19KB

MD5
755c2c97e071aeedc69bd5735f013ab5

SHA1
4bbc7dfd154958f8f8ebcdf2c38ea1d8024484a4

SHA256
b671364d3b8e2ae8e213fcf4aad7053249ecbcada353da0002b3fdc722a24a35

SHA512
0d0a0aa0e17f1e670f9fa3e8c8d9c29fa1f7ea657a98fa27da4b89e279363e2dbec428f9be9111e67790e63c8cec0a7f2ca02142b078a6de2f422fd9473d29b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3868682.exe

Filesize
140KB

MD5
6a27ff51330a0b29410b5aaf5a521080

SHA1
ef215de9a4ac9047c4067102c2059ebe791ec413

SHA256
9fb75bf15e20b0b439291784512fddef719339b05c0c414742475c342df906a8

SHA512
87f37efc4f816b79330100204f0f82c4eec81fd3de62c4c867ffc6032fbe6102ef5125e888a33172e4afffe1048940a3150f7f703233fdcadfca7523830a2488

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3868682.exe

Filesize
140KB

MD5
6a27ff51330a0b29410b5aaf5a521080

SHA1
ef215de9a4ac9047c4067102c2059ebe791ec413

SHA256
9fb75bf15e20b0b439291784512fddef719339b05c0c414742475c342df906a8

SHA512
87f37efc4f816b79330100204f0f82c4eec81fd3de62c4c867ffc6032fbe6102ef5125e888a33172e4afffe1048940a3150f7f703233fdcadfca7523830a2488

Download Submit
memory/1876-46-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/1876-45-0x0000000000460000-0x0000000000490000-memory.dmp

Filesize
192KB

Download
memory/1876-47-0x0000000005580000-0x0000000005B98000-memory.dmp

Filesize
6.1MB

Download
memory/1876-48-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download
memory/1876-50-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/1876-49-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/1876-51-0x0000000004FA0000-0x0000000004FDC000-memory.dmp

Filesize
240KB

Download
memory/1876-52-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/1876-53-0x0000000004F50000-0x0000000004F60000-memory.dmp

Filesize
64KB

Download
memory/4736-38-0x00007FFE51830000-0x00007FFE522F1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-36-0x00007FFE51830000-0x00007FFE522F1000-memory.dmp

Filesize
10.8MB

Download
memory/4736-35-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download