healer | 70d8c9b6b1ca04dfb10ea4cb4a723d0667023cb50f25b9eb1ca9f06bdaad4a07

Analysis

max time kernel
128s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
07-01-2024 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f79c16f1de3e05ee0c368cc72bed63f.exe
Size

1.3MB
MD5

8f79c16f1de3e05ee0c368cc72bed63f
SHA1

f3698f5230e09c093044e73b655fd69e25b9c3cb
SHA256

70d8c9b6b1ca04dfb10ea4cb4a723d0667023cb50f25b9eb1ca9f06bdaad4a07
SHA512

7d9053ae99a64fa974a80e7c0652faed3882d4a603aa45c1126cb51d5752c24748aaea67de66075b00c2a71720f18618316065a119a64fa1411109e2acad0bb3
SSDEEP

24576:2yrEsfi12+2waRpCZdVyNlQYRbtXcjqlfi1JoCq:FdY2hpCZdJ6bGGfi1

Score

10^/10

healer redline maza dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maza

185.161.248.73:4164

Attributes

auth_value
474d54c1c2f5291290c53f8378acd684

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2060-47-0x00000000003E0000-0x00000000003FA000-memory.dmp	healer
behavioral1/memory/2060-48-0x0000000000B90000-0x0000000000BA8000-memory.dmp	healer
behavioral1/memory/2060-50-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-68-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-76-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-74-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-72-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-70-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-66-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-64-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-62-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-60-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-58-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-56-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-54-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-52-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer
behavioral1/memory/2060-49-0x0000000000B90000-0x0000000000BA2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a96780884.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a96780884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a96780884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a96780884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a96780884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a96780884.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1980	i30920317.exe
2836	i14658364.exe
2680	i30992395.exe
2060	a96780884.exe
2928	b98853343.exe

Loads dropped DLL 11 IoCs

pid	Process
2452	8f79c16f1de3e05ee0c368cc72bed63f.exe
1980	i30920317.exe
1980	i30920317.exe
2836	i14658364.exe
2836	i14658364.exe
2680	i30992395.exe
2680	i30992395.exe
2680	i30992395.exe
2060	a96780884.exe
2680	i30992395.exe
2928	b98853343.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	a96780884.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a96780884.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i30992395.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8f79c16f1de3e05ee0c368cc72bed63f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i30920317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i14658364.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2060	a96780884.exe
2060	a96780884.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	a96780884.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 1980	2452	8f79c16f1de3e05ee0c368cc72bed63f.exe	31
PID 2452 wrote to memory of 1980	2452	8f79c16f1de3e05ee0c368cc72bed63f.exe	31
PID 2452 wrote to memory of 1980	2452	8f79c16f1de3e05ee0c368cc72bed63f.exe	31
PID 2452 wrote to memory of 1980	2452	8f79c16f1de3e05ee0c368cc72bed63f.exe	31
PID 2452 wrote to memory of 1980	2452	8f79c16f1de3e05ee0c368cc72bed63f.exe	31
PID 2452 wrote to memory of 1980	2452	8f79c16f1de3e05ee0c368cc72bed63f.exe	31
PID 2452 wrote to memory of 1980	2452	8f79c16f1de3e05ee0c368cc72bed63f.exe	31
PID 1980 wrote to memory of 2836	1980	i30920317.exe	30
PID 1980 wrote to memory of 2836	1980	i30920317.exe	30
PID 1980 wrote to memory of 2836	1980	i30920317.exe	30
PID 1980 wrote to memory of 2836	1980	i30920317.exe	30
PID 1980 wrote to memory of 2836	1980	i30920317.exe	30
PID 1980 wrote to memory of 2836	1980	i30920317.exe	30
PID 1980 wrote to memory of 2836	1980	i30920317.exe	30
PID 2836 wrote to memory of 2680	2836	i14658364.exe	29
PID 2836 wrote to memory of 2680	2836	i14658364.exe	29
PID 2836 wrote to memory of 2680	2836	i14658364.exe	29
PID 2836 wrote to memory of 2680	2836	i14658364.exe	29
PID 2836 wrote to memory of 2680	2836	i14658364.exe	29
PID 2836 wrote to memory of 2680	2836	i14658364.exe	29
PID 2836 wrote to memory of 2680	2836	i14658364.exe	29
PID 2680 wrote to memory of 2060	2680	i30992395.exe	28
PID 2680 wrote to memory of 2060	2680	i30992395.exe	28
PID 2680 wrote to memory of 2060	2680	i30992395.exe	28
PID 2680 wrote to memory of 2060	2680	i30992395.exe	28
PID 2680 wrote to memory of 2060	2680	i30992395.exe	28
PID 2680 wrote to memory of 2060	2680	i30992395.exe	28
PID 2680 wrote to memory of 2060	2680	i30992395.exe	28
PID 2680 wrote to memory of 2928	2680	i30992395.exe	32
PID 2680 wrote to memory of 2928	2680	i30992395.exe	32
PID 2680 wrote to memory of 2928	2680	i30992395.exe	32
PID 2680 wrote to memory of 2928	2680	i30992395.exe	32
PID 2680 wrote to memory of 2928	2680	i30992395.exe	32
PID 2680 wrote to memory of 2928	2680	i30992395.exe	32
PID 2680 wrote to memory of 2928	2680	i30992395.exe	32

C:\Users\Admin\AppData\Local\Temp\8f79c16f1de3e05ee0c368cc72bed63f.exe
"C:\Users\Admin\AppData\Local\Temp\8f79c16f1de3e05ee0c368cc72bed63f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30920317.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30920317.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1980

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30992395.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30992395.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b98853343.exe
  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b98853343.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2928

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14658364.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14658364.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30920317.exe

Filesize
1.1MB

MD5
b3017125cdff09570998ce23a096de2f

SHA1
87139741426fe86f434d8459ed6062839dfe633a

SHA256
1c0234c3c003072b88a2593c79930b683a7174b38ad4e50d8a4f37aaa278335f

SHA512
d1c81de9ee8122c65e0e23fcf2fd968906cd0a3ef735671045e29ee543606b56491ad44ddbab369e9674531923b6ff4c5eebe997e41839d28e6554c8720d1873

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14658364.exe

Filesize
690KB

MD5
11915d9f4ef58e565f70a6bbdc67db99

SHA1
5b2decafa33f6f5092546c0c1a94fa9b9e3a4690

SHA256
b261d94a439f483d0e90807d4aa6b5b3f4c2fcf913426a6af533608dcea2a0b2

SHA512
74ec465cf459c02d46525d8f4c76f425375e78351fe064657572a53897278960ca2b97d511eb34e4c1797d4cb0d9f2ad65d9e6e52df7cf4a0fa66336fe5c1fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30992395.exe

Filesize
324KB

MD5
a337f06338ee8c74be010fd91a255a27

SHA1
0745573fd14c502cb8eaa63d2b89b15fae89e196

SHA256
77171c60cff03572fdda203d1ab08710f797539062012efa4fb0224e8f34dfb7

SHA512
c48df144f96bccc0f0fb99d77cdc330f0f376f742eab55ff4e72152f1ef8684db93b20b37c66ba2360b21297a50b92824737590ab0876fa9af492fe34123c535

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe

Filesize
174KB

MD5
2a05119563fa305fea905802c2d98ead

SHA1
f2c904013c7a134ca5cad625bc3fef914f099a49

SHA256
24783e4cc344c6ffe0d45efbca059e2f0a4f9ac7403ca70ee9afeb2cd5d611b4

SHA512
7ea53fb6b46fb04f7c8df484f5352575e4616f91cbf830e8b79f35af95e026edd6464f2629adf3ba350e48996452cc8c84efb6003d68f7147b54e149110e5fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b98853343.exe

Filesize
65KB

MD5
fd9589fbf085a40529d5f8c1eacd4cfd

SHA1
a543d466953c1ccd3425773a6cc2311e6c6402b9

SHA256
c75dbfa364b4c6d74a26457cd052ce919b9d0a8c6061eb0ff470a86f7963092d

SHA512
c5e4a6a49dcdf0b21d4e841441cb7e04d3bcdf8ec8c0ccea8240f4d2bcdbfa5e7ca93dbb1d96d39c6d95503117fc012e5dcdca991622131fd41bd8673d996975

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30920317.exe

Filesize
523KB

MD5
de33b0afed24798614be09f52d0f9582

SHA1
4772106cc1c70894dc6c55338a21b4ce128104fd

SHA256
7980a1d711f503a6f76ccfa428b6010dba420dde2767f35e7fe8ed69c96bd4ca

SHA512
13b4b29ba1db9c6ad56cff4df86bae1425ba414efa0130a94b0e07df91a0804a99527e86f5261dcb826ae566db9cf1e2f3b8a1807bc72ab74571f1ad40520482

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30920317.exe

Filesize
397KB

MD5
5affb79273016f220c683e8be6d5cd52

SHA1
1868a270dad021cd887d1a4d6e84aaa1cb28ddfb

SHA256
5dc9c70b7d584b0e6120cbdaaa6b5cde547b992134893daf3e0535c8bb51e5a9

SHA512
3cf473764358d11fd6e4d2b36fb04df9f7ad71d45af5881a9117a8a4080f98ccb1b03b062035c119bbf460011ae83ada7a43b3b669bdcfa979114919bb27b8b5

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\i14658364.exe

Filesize
142KB

MD5
ea6afa071cf138dfe36e8fc9e9193ded

SHA1
5ea71ae8af9edff3f0843ecb5df9a203cc5295e9

SHA256
ccd5e739a37da5de8ceb8cdb04288e016efb94a2dd44f65560cc63a8618ffe75

SHA512
4773f4db7b7e1371dc74a6e1ff842048f02d5ba2808421a8110ebd59e38dc814db7f28f0ad6859e48934f08bdab10f241ac74b843ebc3beebe6958e61723d8b0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\i30992395.exe

Filesize
404KB

MD5
d5684112dfbf7a1b97594a67920d84b7

SHA1
01e99d2f789b4b4aeffaa032e00320d1188f61ae

SHA256
f9e8ee89546b066488a52354ac63e56fd213bec5ce9837c61a09d7541443ecfa

SHA512
10a5c929376fb3754b80a83d106e55830f9f34edaea62258429afd2cf65c2a3892e133a8d3628a103349153ea3f9e278d8cc0571eaf985f56ec4f9afdeb1d694

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\a96780884.exe

Filesize
344KB

MD5
109069a75d958282e002ae6a98dea4b6

SHA1
b22f8d8d82df6914e4084ae4670f6fab92079fb6

SHA256
7170a3c968b874fd59e2ab44640788c706b5594052113a778cab81faea1ab3bb

SHA512
7631179b06e65932a38fe49003d0ed81f7b724078ab9374497e79e2047e3babb2f6b06e0b73ecf698d8a3430a7a301a51d3ecd4e29872ce5d910645323354744

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\b98853343.exe

Filesize
101KB

MD5
60dee0356a47e03a536def6b1d235274

SHA1
dd37105fc87c662673fbfcc5aec95f8e2cc6d475

SHA256
87fdea53b25c9913d666885c7db551bf65eb1d8b022bc02db438e989e25445e8

SHA512
6852df85a68c41605ef92553df2a0da6cc7729e286ced86e5438e3ced766cf73a2d63a3155b1e3bfb1dc1fe21dfa99abf328f20dc6705d0770e75c264cd69af1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP003.TMP\b98853343.exe

Filesize
168KB

MD5
4deb4613e5d4be8515f2bccf2e7cd9b0

SHA1
4f1add325f65c821df49b575481f590b4d145848

SHA256
bfdbece7dfe1b422723d209274ba5129ac46e45d85fb1b22e9f92764f0ee1e76

SHA512
6916b3d22e6ed8132050fc70144f89cdba1d4dba913a14d8370fc66c5e808e199c42f35352ba60c917690d12a0109d6593d290f3f2e1a45933d73c7f7036554b

Download Submit
memory/2060-72-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-60-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-50-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-68-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-76-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-74-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-47-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/2060-70-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-66-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-64-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-62-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-48-0x0000000000B90000-0x0000000000BA8000-memory.dmp

Filesize
96KB

Download
memory/2060-58-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-56-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-54-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-52-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-49-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2060-78-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2060-79-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2060-46-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/2060-44-0x0000000000E90000-0x0000000000F90000-memory.dmp

Filesize
1024KB

Download
memory/2060-45-0x0000000000240000-0x000000000026D000-memory.dmp

Filesize
180KB

Download
memory/2928-86-0x0000000000D00000-0x0000000000D2E000-memory.dmp

Filesize
184KB

Download
memory/2928-87-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download