healer | e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea

Resubmissions

12-02-2024 15:14

240212-smedwaae93 10

18-01-2024 16:04

27-11-2023 17:24

27-11-2023 17:23

07-09-2023 17:34

07-09-2023 17:29

Analysis

max time kernel
128s
max time network
143s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07-09-2023 17:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
Size

473KB
MD5

5ae1281ef3fd32f975133cd880be9ba8
SHA1

11f3e8bfb5443fe516ff6922e72ae005e1431e13
SHA256

e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea
SHA512

c7a2df58fc7b97ed642b4671ea2af9573ea9f6e8806c3251703b4d594a24a0463380eafcb7757dc4d732655c5f08d28776cf6d0e5597ea2377463c106de4e587
SSDEEP

12288:zMr0y904pAEvdXQzqmrQAQlMmHeNwwrGfI:XyxTNQzdZanQwwrGfI

Score

10^/10

healer redline mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detects Healer an antivirus disabler dropper 4 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015ce4-24.dat	healer
behavioral1/files/0x000a000000015ce4-26.dat	healer
behavioral1/files/0x000a000000015ce4-27.dat	healer
behavioral1/memory/2628-29-0x0000000000B40000-0x0000000000B4A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g5140893.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2572	x8180539.exe
2700	x8801353.exe
2628	g5140893.exe
2496	i5032787.exe

Loads dropped DLL 7 IoCs

pid	Process
2228	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
2572	x8180539.exe
2572	x8180539.exe
2700	x8801353.exe
2700	x8801353.exe
2700	x8801353.exe
2496	i5032787.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	g5140893.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8180539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8801353.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2628	g5140893.exe
2628	g5140893.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2628	g5140893.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2572	2228	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	29
PID 2228 wrote to memory of 2572	2228	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	29
PID 2228 wrote to memory of 2572	2228	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	29
PID 2228 wrote to memory of 2572	2228	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	29
PID 2228 wrote to memory of 2572	2228	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	29
PID 2228 wrote to memory of 2572	2228	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	29
PID 2228 wrote to memory of 2572	2228	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	29
PID 2572 wrote to memory of 2700	2572	x8180539.exe	30
PID 2572 wrote to memory of 2700	2572	x8180539.exe	30
PID 2572 wrote to memory of 2700	2572	x8180539.exe	30
PID 2572 wrote to memory of 2700	2572	x8180539.exe	30
PID 2572 wrote to memory of 2700	2572	x8180539.exe	30
PID 2572 wrote to memory of 2700	2572	x8180539.exe	30
PID 2572 wrote to memory of 2700	2572	x8180539.exe	30
PID 2700 wrote to memory of 2628	2700	x8801353.exe	31
PID 2700 wrote to memory of 2628	2700	x8801353.exe	31
PID 2700 wrote to memory of 2628	2700	x8801353.exe	31
PID 2700 wrote to memory of 2628	2700	x8801353.exe	31
PID 2700 wrote to memory of 2628	2700	x8801353.exe	31
PID 2700 wrote to memory of 2628	2700	x8801353.exe	31
PID 2700 wrote to memory of 2628	2700	x8801353.exe	31
PID 2700 wrote to memory of 2496	2700	x8801353.exe	34
PID 2700 wrote to memory of 2496	2700	x8801353.exe	34
PID 2700 wrote to memory of 2496	2700	x8801353.exe	34
PID 2700 wrote to memory of 2496	2700	x8801353.exe	34
PID 2700 wrote to memory of 2496	2700	x8801353.exe	34
PID 2700 wrote to memory of 2496	2700	x8801353.exe	34
PID 2700 wrote to memory of 2496	2700	x8801353.exe	34

C:\Users\Admin\AppData\Local\Temp\JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
"C:\Users\Admin\AppData\Local\Temp\JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe

Filesize
371KB

MD5
77b13a3fd07083ce83966ad88c56783f

SHA1
f233315220091a448f740a6ad71cd7b45ecaae92

SHA256
5fb312ef2771f6e0870cb919e6cb40ff56b834c69054dd7c5890544a480493b8

SHA512
e030b9de4ba08956297af6ea1bf2539641f7960e0ef327ebdda5b7e39ba2171c9b50d028c8db18723ba15e0a8614197d56170fe9e569264bcecc8177861e825e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe

Filesize
371KB

MD5
77b13a3fd07083ce83966ad88c56783f

SHA1
f233315220091a448f740a6ad71cd7b45ecaae92

SHA256
5fb312ef2771f6e0870cb919e6cb40ff56b834c69054dd7c5890544a480493b8

SHA512
e030b9de4ba08956297af6ea1bf2539641f7960e0ef327ebdda5b7e39ba2171c9b50d028c8db18723ba15e0a8614197d56170fe9e569264bcecc8177861e825e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe

Filesize
206KB

MD5
ef4b98983a112ab0cd247faf227bd5e1

SHA1
6e117ab856666570dd067008aabe5fcd9f0735ac

SHA256
6639b1af65588c7bc5d7dfab64d99a84b64192d9553169a9abdf8c88862b1620

SHA512
adce7f277d3920e08bbb390933e626b3659afb2160e9dda88868a6af0728f078756d49b91867eb8b81c2850ef2c56ff914fc09f349d9081aa1ed736e7cfdc221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe

Filesize
206KB

MD5
ef4b98983a112ab0cd247faf227bd5e1

SHA1
6e117ab856666570dd067008aabe5fcd9f0735ac

SHA256
6639b1af65588c7bc5d7dfab64d99a84b64192d9553169a9abdf8c88862b1620

SHA512
adce7f277d3920e08bbb390933e626b3659afb2160e9dda88868a6af0728f078756d49b91867eb8b81c2850ef2c56ff914fc09f349d9081aa1ed736e7cfdc221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe

Filesize
12KB

MD5
9403417cabef4a164263a6d85bfddba5

SHA1
3c1f1b1c7e911b93933d8c116a6bfd305ce03d18

SHA256
7a1985041896a40c9846c64fe801d4e503f9471ab7a3e5ebd5d42ac843c579f9

SHA512
f6c6554d43f667592586f46e56274e0934e6b632016c49c2dd11b3214fd088c392532e8bede5fa911984613b7cf79f353151e5940a3c9fa9abd28455d7c65991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe

Filesize
12KB

MD5
9403417cabef4a164263a6d85bfddba5

SHA1
3c1f1b1c7e911b93933d8c116a6bfd305ce03d18

SHA256
7a1985041896a40c9846c64fe801d4e503f9471ab7a3e5ebd5d42ac843c579f9

SHA512
f6c6554d43f667592586f46e56274e0934e6b632016c49c2dd11b3214fd088c392532e8bede5fa911984613b7cf79f353151e5940a3c9fa9abd28455d7c65991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe

Filesize
176KB

MD5
486ce910a0924bb56ac5d8d7db61e7c0

SHA1
88139cdedbe75eb1441972b4bd5b498c1eb2e38c

SHA256
8511b1f1796c6bb4f49377a78b3cc1543f9f7ad0523e91df7cf4f5e6ddcc86b9

SHA512
0b277bae0dea7ba4543f32cbc6c084b1f23f47a74d9a01a2a0f3baf4d0ea99b7a7cf7a2a4af7110e0badc39400d0feb3963db1392e2bacefbcb8e2597c98f7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe

Filesize
176KB

MD5
486ce910a0924bb56ac5d8d7db61e7c0

SHA1
88139cdedbe75eb1441972b4bd5b498c1eb2e38c

SHA256
8511b1f1796c6bb4f49377a78b3cc1543f9f7ad0523e91df7cf4f5e6ddcc86b9

SHA512
0b277bae0dea7ba4543f32cbc6c084b1f23f47a74d9a01a2a0f3baf4d0ea99b7a7cf7a2a4af7110e0badc39400d0feb3963db1392e2bacefbcb8e2597c98f7e3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe

Filesize
371KB

MD5
77b13a3fd07083ce83966ad88c56783f

SHA1
f233315220091a448f740a6ad71cd7b45ecaae92

SHA256
5fb312ef2771f6e0870cb919e6cb40ff56b834c69054dd7c5890544a480493b8

SHA512
e030b9de4ba08956297af6ea1bf2539641f7960e0ef327ebdda5b7e39ba2171c9b50d028c8db18723ba15e0a8614197d56170fe9e569264bcecc8177861e825e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe

Filesize
371KB

MD5
77b13a3fd07083ce83966ad88c56783f

SHA1
f233315220091a448f740a6ad71cd7b45ecaae92

SHA256
5fb312ef2771f6e0870cb919e6cb40ff56b834c69054dd7c5890544a480493b8

SHA512
e030b9de4ba08956297af6ea1bf2539641f7960e0ef327ebdda5b7e39ba2171c9b50d028c8db18723ba15e0a8614197d56170fe9e569264bcecc8177861e825e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe

Filesize
206KB

MD5
ef4b98983a112ab0cd247faf227bd5e1

SHA1
6e117ab856666570dd067008aabe5fcd9f0735ac

SHA256
6639b1af65588c7bc5d7dfab64d99a84b64192d9553169a9abdf8c88862b1620

SHA512
adce7f277d3920e08bbb390933e626b3659afb2160e9dda88868a6af0728f078756d49b91867eb8b81c2850ef2c56ff914fc09f349d9081aa1ed736e7cfdc221

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe

Filesize
206KB

MD5
ef4b98983a112ab0cd247faf227bd5e1

SHA1
6e117ab856666570dd067008aabe5fcd9f0735ac

SHA256
6639b1af65588c7bc5d7dfab64d99a84b64192d9553169a9abdf8c88862b1620

SHA512
adce7f277d3920e08bbb390933e626b3659afb2160e9dda88868a6af0728f078756d49b91867eb8b81c2850ef2c56ff914fc09f349d9081aa1ed736e7cfdc221

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe

Filesize
12KB

MD5
9403417cabef4a164263a6d85bfddba5

SHA1
3c1f1b1c7e911b93933d8c116a6bfd305ce03d18

SHA256
7a1985041896a40c9846c64fe801d4e503f9471ab7a3e5ebd5d42ac843c579f9

SHA512
f6c6554d43f667592586f46e56274e0934e6b632016c49c2dd11b3214fd088c392532e8bede5fa911984613b7cf79f353151e5940a3c9fa9abd28455d7c65991

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe

Filesize
176KB

MD5
486ce910a0924bb56ac5d8d7db61e7c0

SHA1
88139cdedbe75eb1441972b4bd5b498c1eb2e38c

SHA256
8511b1f1796c6bb4f49377a78b3cc1543f9f7ad0523e91df7cf4f5e6ddcc86b9

SHA512
0b277bae0dea7ba4543f32cbc6c084b1f23f47a74d9a01a2a0f3baf4d0ea99b7a7cf7a2a4af7110e0badc39400d0feb3963db1392e2bacefbcb8e2597c98f7e3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe

Filesize
176KB

MD5
486ce910a0924bb56ac5d8d7db61e7c0

SHA1
88139cdedbe75eb1441972b4bd5b498c1eb2e38c

SHA256
8511b1f1796c6bb4f49377a78b3cc1543f9f7ad0523e91df7cf4f5e6ddcc86b9

SHA512
0b277bae0dea7ba4543f32cbc6c084b1f23f47a74d9a01a2a0f3baf4d0ea99b7a7cf7a2a4af7110e0badc39400d0feb3963db1392e2bacefbcb8e2597c98f7e3

Download Submit
memory/2496-38-0x00000000012C0000-0x00000000012F0000-memory.dmp

Filesize
192KB

Download
memory/2496-39-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2628-28-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

Filesize
9.9MB

Download
memory/2628-29-0x0000000000B40000-0x0000000000B4A000-memory.dmp

Filesize
40KB

Download
memory/2628-30-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

Filesize
9.9MB

Download
memory/2628-31-0x000007FEF56F0000-0x000007FEF60DC000-memory.dmp

Filesize
9.9MB

Download