healer | cc8cd993612f9af800c17abe559e4b5dd4d1d9c0cbd2ddee4b2127106f9ae926

Analysis

max time kernel
147s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_cc8cd993612f9af800c17abe559e4b5dd4d1d9c0cbd2ddee4b2127106f9ae926.exe
Size

829KB
MD5

deaa813c64fee1b74af55f9094c8d63f
SHA1

0b134926f163a0cd103589138779c1f5904e54ef
SHA256

cc8cd993612f9af800c17abe559e4b5dd4d1d9c0cbd2ddee4b2127106f9ae926
SHA512

b2e81fd546e3caaae49c6eda225ca2883791c7b83c17c58f4c3855e2dd45c563a4adaf2e1a5ca60dc3a7cb74d67501c07967ba42d055d2c3391d64912b1938c9
SSDEEP

24576:Byjc+affwnBVHz8XrW34Wl9Tu/mOta0ntQk0:0wRwnBVHghWlUfta0F

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023170-33.dat	healer
behavioral2/files/0x0007000000023170-34.dat	healer
behavioral2/memory/4160-35-0x00000000009D0000-0x00000000009DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2910160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2910160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2910160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2910160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2910160.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2910160.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1332	v1265465.exe
2936	v8176061.exe
3768	v0926194.exe
4704	v5364847.exe
4160	a2910160.exe
3064	b9960639.exe
3788	c2418439.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2910160.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0926194.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5364847.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JC_cc8cd993612f9af800c17abe559e4b5dd4d1d9c0cbd2ddee4b2127106f9ae926.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1265465.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8176061.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4160	a2910160.exe
4160	a2910160.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	a2910160.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 1332	4324	JC_cc8cd993612f9af800c17abe559e4b5dd4d1d9c0cbd2ddee4b2127106f9ae926.exe	82
PID 4324 wrote to memory of 1332	4324	JC_cc8cd993612f9af800c17abe559e4b5dd4d1d9c0cbd2ddee4b2127106f9ae926.exe	82
PID 4324 wrote to memory of 1332	4324	JC_cc8cd993612f9af800c17abe559e4b5dd4d1d9c0cbd2ddee4b2127106f9ae926.exe	82
PID 1332 wrote to memory of 2936	1332	v1265465.exe	83
PID 1332 wrote to memory of 2936	1332	v1265465.exe	83
PID 1332 wrote to memory of 2936	1332	v1265465.exe	83
PID 2936 wrote to memory of 3768	2936	v8176061.exe	85
PID 2936 wrote to memory of 3768	2936	v8176061.exe	85
PID 2936 wrote to memory of 3768	2936	v8176061.exe	85
PID 3768 wrote to memory of 4704	3768	v0926194.exe	86
PID 3768 wrote to memory of 4704	3768	v0926194.exe	86
PID 3768 wrote to memory of 4704	3768	v0926194.exe	86
PID 4704 wrote to memory of 4160	4704	v5364847.exe	87
PID 4704 wrote to memory of 4160	4704	v5364847.exe	87
PID 4704 wrote to memory of 3064	4704	v5364847.exe	88
PID 4704 wrote to memory of 3064	4704	v5364847.exe	88
PID 4704 wrote to memory of 3064	4704	v5364847.exe	88
PID 3768 wrote to memory of 3788	3768	v0926194.exe	89
PID 3768 wrote to memory of 3788	3768	v0926194.exe	89
PID 3768 wrote to memory of 3788	3768	v0926194.exe	89

C:\Users\Admin\AppData\Local\Temp\JC_cc8cd993612f9af800c17abe559e4b5dd4d1d9c0cbd2ddee4b2127106f9ae926.exe
"C:\Users\Admin\AppData\Local\Temp\JC_cc8cd993612f9af800c17abe559e4b5dd4d1d9c0cbd2ddee4b2127106f9ae926.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1265465.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1265465.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8176061.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8176061.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0926194.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0926194.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3768
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5364847.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5364847.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4704
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2910160.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2910160.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9960639.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9960639.exe
        6⤵
        Executes dropped EXE
        
        PID:3064
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2418439.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2418439.exe
        5⤵
        Executes dropped EXE
        
        PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1265465.exe

Filesize
723KB

MD5
1e7fd2d83fc0fb09c451dfd4c38ff6fe

SHA1
fe98b06a59bc37f6086088468251f53b8ece06da

SHA256
e14d15d17d29e5b96fed3a66f6266e649a84cff6d2b70d56563f066dd19165b1

SHA512
ca3d16466d933979dafa29fb3eaf5cb551a079d9388ff6a080ab57ea7eebc9f6f3c21773869a5253fa3061d95be0b345e7b94ab992212015005e8783e12a0fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1265465.exe

Filesize
723KB

MD5
1e7fd2d83fc0fb09c451dfd4c38ff6fe

SHA1
fe98b06a59bc37f6086088468251f53b8ece06da

SHA256
e14d15d17d29e5b96fed3a66f6266e649a84cff6d2b70d56563f066dd19165b1

SHA512
ca3d16466d933979dafa29fb3eaf5cb551a079d9388ff6a080ab57ea7eebc9f6f3c21773869a5253fa3061d95be0b345e7b94ab992212015005e8783e12a0fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8176061.exe

Filesize
497KB

MD5
5a454b2d058401e0b2e97a2fcb1471b9

SHA1
6baa78f150fca3179c59397ce8e6df5cc0ca0972

SHA256
a3f008395f4e105f784261705e5b1d8a78e013a06c48e7a43101a9f9de0aea7c

SHA512
d2920ab85e79649ed12b12d337d3f1c2b6973a6cebc36fde8df2dc7eddca16b9848572ac37a0a069bf72ca36c5c3f503a049409830ef13734e24889242ead753

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8176061.exe

Filesize
497KB

MD5
5a454b2d058401e0b2e97a2fcb1471b9

SHA1
6baa78f150fca3179c59397ce8e6df5cc0ca0972

SHA256
a3f008395f4e105f784261705e5b1d8a78e013a06c48e7a43101a9f9de0aea7c

SHA512
d2920ab85e79649ed12b12d337d3f1c2b6973a6cebc36fde8df2dc7eddca16b9848572ac37a0a069bf72ca36c5c3f503a049409830ef13734e24889242ead753

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0926194.exe

Filesize
373KB

MD5
414c76b9f1091f8190a62dba1430a924

SHA1
60713778a0644b09dc0e3df62869d196120d8349

SHA256
7fda20ed74b54b48d97f2489643fcf558e6e8d05dbbdbce0d5fed8e4a96396b5

SHA512
25ec925318c8816b051e40333c57bc20bf85f4d0aec6e0bc24b14e2ff424f0aa7994f53e591ccc5080add57dd8e012bd86a77fd09171c9b3ea4a7f94d2d864b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0926194.exe

Filesize
373KB

MD5
414c76b9f1091f8190a62dba1430a924

SHA1
60713778a0644b09dc0e3df62869d196120d8349

SHA256
7fda20ed74b54b48d97f2489643fcf558e6e8d05dbbdbce0d5fed8e4a96396b5

SHA512
25ec925318c8816b051e40333c57bc20bf85f4d0aec6e0bc24b14e2ff424f0aa7994f53e591ccc5080add57dd8e012bd86a77fd09171c9b3ea4a7f94d2d864b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2418439.exe

Filesize
174KB

MD5
5533028b46b34dd165d50556f0102c36

SHA1
f67da64536311a3d4c3459a66011773dda6acf12

SHA256
d3ce68aa1afc0d50a4860333b979e2239f68bf5b773a8c01ead97255ef7e90cc

SHA512
2cd8e25e8156569b75fa99c1f248203b100a788598286501de78979bb4c096df75057051c60a486e200740b80a3f710ce942ecfc13f19961d7785528009d14ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2418439.exe

Filesize
174KB

MD5
5533028b46b34dd165d50556f0102c36

SHA1
f67da64536311a3d4c3459a66011773dda6acf12

SHA256
d3ce68aa1afc0d50a4860333b979e2239f68bf5b773a8c01ead97255ef7e90cc

SHA512
2cd8e25e8156569b75fa99c1f248203b100a788598286501de78979bb4c096df75057051c60a486e200740b80a3f710ce942ecfc13f19961d7785528009d14ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5364847.exe

Filesize
217KB

MD5
5819392846b8c12905ab55b6b4075c03

SHA1
78056f04cd96fe1705008cb0fc16417a54c44950

SHA256
bdcf5d0bc03d4e4a3d515a9da84a74f449a0019fe523deaf13e42934e211ffe7

SHA512
7ffd515fe0259106cfff4374b6b0aab8d9c3d5f96fa8e212c62f2ba6b698667882a072cf604376b902fdc633ee9899b0bf4fb0ab9031d01bb1e59fce1f0dc01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5364847.exe

Filesize
217KB

MD5
5819392846b8c12905ab55b6b4075c03

SHA1
78056f04cd96fe1705008cb0fc16417a54c44950

SHA256
bdcf5d0bc03d4e4a3d515a9da84a74f449a0019fe523deaf13e42934e211ffe7

SHA512
7ffd515fe0259106cfff4374b6b0aab8d9c3d5f96fa8e212c62f2ba6b698667882a072cf604376b902fdc633ee9899b0bf4fb0ab9031d01bb1e59fce1f0dc01b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2910160.exe

Filesize
20KB

MD5
c2064d9128b9623552172710b817a450

SHA1
db68f7b438b9fd76326bf41a6f4c6e0fe1dea894

SHA256
e2191d2e40db4f44e8268f8133eb29993e1154487635a81574f6a808a7b2f352

SHA512
f7354423c381a7032c8b551ab54842707ec02a0768ff7d38fcd6ac4af8cc1d780ed068089651503e82103b27d21496b99ea6d4d5ec0bfc3d6726a7abc4657fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2910160.exe

Filesize
20KB

MD5
c2064d9128b9623552172710b817a450

SHA1
db68f7b438b9fd76326bf41a6f4c6e0fe1dea894

SHA256
e2191d2e40db4f44e8268f8133eb29993e1154487635a81574f6a808a7b2f352

SHA512
f7354423c381a7032c8b551ab54842707ec02a0768ff7d38fcd6ac4af8cc1d780ed068089651503e82103b27d21496b99ea6d4d5ec0bfc3d6726a7abc4657fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9960639.exe

Filesize
140KB

MD5
c183ac69e3d33164adb4242799381843

SHA1
7c37250d67691281e1be0eaee223a5d581bef4df

SHA256
813e77c6e659e5a524381fc8685884666de243eb47f34b78152428ce9febea8a

SHA512
45751dfb93f3ce575718ac24e1ecef6f67c5c9bcba6545e3ef1b1f211687873481f1ab3ac04953fd2e3c5f7c27c48b4685ebc0a753fe951e1a13ed2c702560b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9960639.exe

Filesize
140KB

MD5
c183ac69e3d33164adb4242799381843

SHA1
7c37250d67691281e1be0eaee223a5d581bef4df

SHA256
813e77c6e659e5a524381fc8685884666de243eb47f34b78152428ce9febea8a

SHA512
45751dfb93f3ce575718ac24e1ecef6f67c5c9bcba6545e3ef1b1f211687873481f1ab3ac04953fd2e3c5f7c27c48b4685ebc0a753fe951e1a13ed2c702560b0

Download Submit
memory/3788-46-0x0000000074370000-0x0000000074B20000-memory.dmp

Filesize
7.7MB

Download
memory/3788-45-0x0000000000080000-0x00000000000B0000-memory.dmp

Filesize
192KB

Download
memory/3788-47-0x000000000A430000-0x000000000AA48000-memory.dmp

Filesize
6.1MB

Download
memory/3788-48-0x0000000009F20000-0x000000000A02A000-memory.dmp

Filesize
1.0MB

Download
memory/3788-49-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/3788-50-0x0000000009E30000-0x0000000009E42000-memory.dmp

Filesize
72KB

Download
memory/3788-51-0x0000000009E90000-0x0000000009ECC000-memory.dmp

Filesize
240KB

Download
memory/3788-52-0x0000000074370000-0x0000000074B20000-memory.dmp

Filesize
7.7MB

Download
memory/3788-53-0x0000000004A80000-0x0000000004A90000-memory.dmp

Filesize
64KB

Download
memory/4160-38-0x00007FFF29210000-0x00007FFF29CD1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-36-0x00007FFF29210000-0x00007FFF29CD1000-memory.dmp

Filesize
10.8MB

Download
memory/4160-35-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download