healer | dbe1fdc4d73b168e1814221465c051775dd1dc488c0f155561903e2dca3ec8fa

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_dbe1fdc4d73b168e1814221465c051775dd1dc488c0f155561903e2dca3ec8fa.exe
Size

827KB
MD5

0cb06c38c15ac2c52958c5ada1f2b3d3
SHA1

d217817f3ae9e095e4dc9ebce456f7e9ce6b3cec
SHA256

dbe1fdc4d73b168e1814221465c051775dd1dc488c0f155561903e2dca3ec8fa
SHA512

ba1e30bb145326d4993d8e9c0280616b89c6c32843c2924e6d8f9b1b07174ec87ed1e1da49f78fd67126ae6970e153165000ecfde16e675addeb335dcbee4f8a
SSDEEP

24576:GyW6l1rIZ+Mmr0w4PLgMOB99z8GCQbOz2USH0b:V/rIy8LLOBzAQblUS

Score

10^/10

healer redline bobik dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

bobik

77.91.124.82:19071

Attributes

auth_value
d639522ae3c9dda998264d691a19eb33

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023165-33.dat	healer
behavioral2/files/0x0007000000023165-34.dat	healer
behavioral2/memory/4804-35-0x0000000000920000-0x000000000092A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6652322.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6652322.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6652322.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a6652322.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6652322.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6652322.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4344	v8284293.exe
2356	v9652083.exe
3592	v5117640.exe
3644	v2332398.exe
4804	a6652322.exe
1036	b4617955.exe
2884	c8738248.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6652322.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5117640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2332398.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JC_dbe1fdc4d73b168e1814221465c051775dd1dc488c0f155561903e2dca3ec8fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8284293.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9652083.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4804	a6652322.exe
4804	a6652322.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4804	a6652322.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 4344	3064	JC_dbe1fdc4d73b168e1814221465c051775dd1dc488c0f155561903e2dca3ec8fa.exe	81
PID 3064 wrote to memory of 4344	3064	JC_dbe1fdc4d73b168e1814221465c051775dd1dc488c0f155561903e2dca3ec8fa.exe	81
PID 3064 wrote to memory of 4344	3064	JC_dbe1fdc4d73b168e1814221465c051775dd1dc488c0f155561903e2dca3ec8fa.exe	81
PID 4344 wrote to memory of 2356	4344	v8284293.exe	83
PID 4344 wrote to memory of 2356	4344	v8284293.exe	83
PID 4344 wrote to memory of 2356	4344	v8284293.exe	83
PID 2356 wrote to memory of 3592	2356	v9652083.exe	84
PID 2356 wrote to memory of 3592	2356	v9652083.exe	84
PID 2356 wrote to memory of 3592	2356	v9652083.exe	84
PID 3592 wrote to memory of 3644	3592	v5117640.exe	85
PID 3592 wrote to memory of 3644	3592	v5117640.exe	85
PID 3592 wrote to memory of 3644	3592	v5117640.exe	85
PID 3644 wrote to memory of 4804	3644	v2332398.exe	86
PID 3644 wrote to memory of 4804	3644	v2332398.exe	86
PID 3644 wrote to memory of 1036	3644	v2332398.exe	87
PID 3644 wrote to memory of 1036	3644	v2332398.exe	87
PID 3644 wrote to memory of 1036	3644	v2332398.exe	87
PID 3592 wrote to memory of 2884	3592	v5117640.exe	88
PID 3592 wrote to memory of 2884	3592	v5117640.exe	88
PID 3592 wrote to memory of 2884	3592	v5117640.exe	88

C:\Users\Admin\AppData\Local\Temp\JC_dbe1fdc4d73b168e1814221465c051775dd1dc488c0f155561903e2dca3ec8fa.exe
"C:\Users\Admin\AppData\Local\Temp\JC_dbe1fdc4d73b168e1814221465c051775dd1dc488c0f155561903e2dca3ec8fa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8284293.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8284293.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4344
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9652083.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9652083.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5117640.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5117640.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2332398.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2332398.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3644
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6652322.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6652322.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4617955.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4617955.exe
        6⤵
        Executes dropped EXE
        
        PID:1036
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8738248.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8738248.exe
        5⤵
        Executes dropped EXE
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8284293.exe

Filesize
723KB

MD5
42cc54b5759956bfe77b51e990135699

SHA1
196ed7772fc344599288b08ff9c012e4f5815d90

SHA256
3b1a62729b9a1e049a1499b5c2ec681c8d21020bf75f3a7775fde55af4fad086

SHA512
42bfd27aa3e3065e3acda32a0262a043ffb84ee1b95e5106e567763062c602adc1536fdb26994e1ae25e8df54a1a19b6876e177943f9592b12c12572c6d32bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8284293.exe

Filesize
723KB

MD5
42cc54b5759956bfe77b51e990135699

SHA1
196ed7772fc344599288b08ff9c012e4f5815d90

SHA256
3b1a62729b9a1e049a1499b5c2ec681c8d21020bf75f3a7775fde55af4fad086

SHA512
42bfd27aa3e3065e3acda32a0262a043ffb84ee1b95e5106e567763062c602adc1536fdb26994e1ae25e8df54a1a19b6876e177943f9592b12c12572c6d32bae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9652083.exe

Filesize
497KB

MD5
a6901d427247d0955f4b46e39a148726

SHA1
cb98d295938a05fb6602c0b0af8d0882364ec47b

SHA256
db3bead184679fc5ca7741f73856edbabde32fbe8617b3c0cb5808c609f929fe

SHA512
cca82d221e456b0f2f5ce5a2b03b489c6f1325a722b08436dd3ead289a62ff31348ecb7075969619bf27249f6e6b5c78f4f01afc24185f79504a2ae127638634

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9652083.exe

Filesize
497KB

MD5
a6901d427247d0955f4b46e39a148726

SHA1
cb98d295938a05fb6602c0b0af8d0882364ec47b

SHA256
db3bead184679fc5ca7741f73856edbabde32fbe8617b3c0cb5808c609f929fe

SHA512
cca82d221e456b0f2f5ce5a2b03b489c6f1325a722b08436dd3ead289a62ff31348ecb7075969619bf27249f6e6b5c78f4f01afc24185f79504a2ae127638634

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5117640.exe

Filesize
372KB

MD5
1f699e846d91b990e96944abd219e9de

SHA1
88e5490bd68f0c791669dc9f84732fe64c42ecb2

SHA256
084eecddd4f663ada4c16d58fcf021b60c1218b17c093d73a17b228c73292697

SHA512
bf6c94e7c00026e30eaeb9638d77dbfa3c4f1f93eef67196f685f1920a88e2d95f642ed99f9642239ee1aa955ecf2cff4f95844cfce8d75822482ea7bbb4c9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5117640.exe

Filesize
372KB

MD5
1f699e846d91b990e96944abd219e9de

SHA1
88e5490bd68f0c791669dc9f84732fe64c42ecb2

SHA256
084eecddd4f663ada4c16d58fcf021b60c1218b17c093d73a17b228c73292697

SHA512
bf6c94e7c00026e30eaeb9638d77dbfa3c4f1f93eef67196f685f1920a88e2d95f642ed99f9642239ee1aa955ecf2cff4f95844cfce8d75822482ea7bbb4c9f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8738248.exe

Filesize
174KB

MD5
c35ff2c0cf0e7aa5c5092313c653fedd

SHA1
739c86879a9acc7bd0a20281528a489280cd3a67

SHA256
589b3b52b09f35c83f07d95d60e289a090f81acfd91faf1966e08fdd66909e2b

SHA512
6f70a46231c70f71401f617ce4c93f9e858dc6290b8f27bddfbc078d9f4791100449977834a10cdf6ff59979eeea15d211b99741eac5298a44f45b4c1c047d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c8738248.exe

Filesize
174KB

MD5
c35ff2c0cf0e7aa5c5092313c653fedd

SHA1
739c86879a9acc7bd0a20281528a489280cd3a67

SHA256
589b3b52b09f35c83f07d95d60e289a090f81acfd91faf1966e08fdd66909e2b

SHA512
6f70a46231c70f71401f617ce4c93f9e858dc6290b8f27bddfbc078d9f4791100449977834a10cdf6ff59979eeea15d211b99741eac5298a44f45b4c1c047d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2332398.exe

Filesize
217KB

MD5
d00db2883b2d6a1ef95b50d76ee4cd7b

SHA1
bb314992169e0a45bed1ebc8658bb0212bd73019

SHA256
482f9d6bd798649c3db1cb2e2b3134ea9560dfdfd73b0ac2b2512c8a47e6a3de

SHA512
2b1a224d9ac7f22bdf322c0c36d2de66f5bcafccfba6d4059c4f56be09b858c43bd6961e607a7c6bbd045c0e6e203b0b54bcd0423be044d18b7d3bd39bdd70da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2332398.exe

Filesize
217KB

MD5
d00db2883b2d6a1ef95b50d76ee4cd7b

SHA1
bb314992169e0a45bed1ebc8658bb0212bd73019

SHA256
482f9d6bd798649c3db1cb2e2b3134ea9560dfdfd73b0ac2b2512c8a47e6a3de

SHA512
2b1a224d9ac7f22bdf322c0c36d2de66f5bcafccfba6d4059c4f56be09b858c43bd6961e607a7c6bbd045c0e6e203b0b54bcd0423be044d18b7d3bd39bdd70da

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6652322.exe

Filesize
20KB

MD5
eb0f5f8b3b4382d608567004c95fa346

SHA1
6f50fcd56e3ce237f8101aae95e7643977345a4c

SHA256
c5b27d7d3eb4ae0fda34d044583f4687a9fd3656de0c6627ba07240f66f70e3e

SHA512
c17e75d46f9d266d31a41ca605f23a5af37ee5e0515ac1e38cb221e9c4b42223112961d2e77c0b4ca6f29e2f8cfc6306ef8f31116b03ac080d2883191f03ed80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6652322.exe

Filesize
20KB

MD5
eb0f5f8b3b4382d608567004c95fa346

SHA1
6f50fcd56e3ce237f8101aae95e7643977345a4c

SHA256
c5b27d7d3eb4ae0fda34d044583f4687a9fd3656de0c6627ba07240f66f70e3e

SHA512
c17e75d46f9d266d31a41ca605f23a5af37ee5e0515ac1e38cb221e9c4b42223112961d2e77c0b4ca6f29e2f8cfc6306ef8f31116b03ac080d2883191f03ed80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4617955.exe

Filesize
140KB

MD5
a75f4caadd489a32d445dc94af871082

SHA1
e08b6db91dcc31c691e4bd1b7c72c833b34c58f2

SHA256
04421eb1a84520d65bdd3b7f694706e94852abc7f6f38c0bd46b01c5e65c0ea9

SHA512
dd982193fe3a3ecfa5cdfb78ab68de4aa0bd442222a181392e65b6e782ae114a607d75731ecb955511d0096449c3d838f0af769fe5c880e5207970091fd97894

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4617955.exe

Filesize
140KB

MD5
a75f4caadd489a32d445dc94af871082

SHA1
e08b6db91dcc31c691e4bd1b7c72c833b34c58f2

SHA256
04421eb1a84520d65bdd3b7f694706e94852abc7f6f38c0bd46b01c5e65c0ea9

SHA512
dd982193fe3a3ecfa5cdfb78ab68de4aa0bd442222a181392e65b6e782ae114a607d75731ecb955511d0096449c3d838f0af769fe5c880e5207970091fd97894

Download Submit
memory/2884-46-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download
memory/2884-45-0x0000000000BD0000-0x0000000000C00000-memory.dmp

Filesize
192KB

Download
memory/2884-47-0x0000000005CE0000-0x00000000062F8000-memory.dmp

Filesize
6.1MB

Download
memory/2884-48-0x00000000057D0000-0x00000000058DA000-memory.dmp

Filesize
1.0MB

Download
memory/2884-49-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/2884-50-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/2884-51-0x0000000005700000-0x000000000573C000-memory.dmp

Filesize
240KB

Download
memory/2884-52-0x0000000074300000-0x0000000074AB0000-memory.dmp

Filesize
7.7MB

Download
memory/2884-53-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/4804-38-0x00007FF9B3250000-0x00007FF9B3D11000-memory.dmp

Filesize
10.8MB

Download
memory/4804-36-0x00007FF9B3250000-0x00007FF9B3D11000-memory.dmp

Filesize
10.8MB

Download
memory/4804-35-0x0000000000920000-0x000000000092A000-memory.dmp

Filesize
40KB

Download