healer | e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea

Resubmissions

12-02-2024 15:14

240212-smedwaae93 10

18-01-2024 16:04

27-11-2023 17:24

27-11-2023 17:23

07-09-2023 17:34

07-09-2023 17:29

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
Size

473KB
MD5

5ae1281ef3fd32f975133cd880be9ba8
SHA1

11f3e8bfb5443fe516ff6922e72ae005e1431e13
SHA256

e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea
SHA512

c7a2df58fc7b97ed642b4671ea2af9573ea9f6e8806c3251703b4d594a24a0463380eafcb7757dc4d732655c5f08d28776cf6d0e5597ea2377463c106de4e587
SSDEEP

12288:zMr0y904pAEvdXQzqmrQAQlMmHeNwwrGfI:XyxTNQzdZanQwwrGfI

Score

10^/10

healer redline mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000015c9f-26.dat	healer
behavioral1/memory/1416-28-0x00000000009D0000-0x00000000009DA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	g5140893.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	g5140893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	g5140893.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000015cb6-34.dat	family_redline
behavioral1/memory/2692-37-0x00000000003A0000-0x00000000003D0000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
2216	x8180539.exe
3060	x8801353.exe
1416	g5140893.exe
2692	i5032787.exe

Loads dropped DLL 7 IoCs

pid	Process
1936	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
2216	x8180539.exe
2216	x8180539.exe
3060	x8801353.exe
3060	x8801353.exe
3060	x8801353.exe
2692	i5032787.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	g5140893.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	g5140893.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8180539.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8801353.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1416	g5140893.exe
1416	g5140893.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	g5140893.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2216	1936	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	28
PID 1936 wrote to memory of 2216	1936	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	28
PID 1936 wrote to memory of 2216	1936	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	28
PID 1936 wrote to memory of 2216	1936	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	28
PID 1936 wrote to memory of 2216	1936	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	28
PID 1936 wrote to memory of 2216	1936	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	28
PID 1936 wrote to memory of 2216	1936	JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe	28
PID 2216 wrote to memory of 3060	2216	x8180539.exe	29
PID 2216 wrote to memory of 3060	2216	x8180539.exe	29
PID 2216 wrote to memory of 3060	2216	x8180539.exe	29
PID 2216 wrote to memory of 3060	2216	x8180539.exe	29
PID 2216 wrote to memory of 3060	2216	x8180539.exe	29
PID 2216 wrote to memory of 3060	2216	x8180539.exe	29
PID 2216 wrote to memory of 3060	2216	x8180539.exe	29
PID 3060 wrote to memory of 1416	3060	x8801353.exe	30
PID 3060 wrote to memory of 1416	3060	x8801353.exe	30
PID 3060 wrote to memory of 1416	3060	x8801353.exe	30
PID 3060 wrote to memory of 1416	3060	x8801353.exe	30
PID 3060 wrote to memory of 1416	3060	x8801353.exe	30
PID 3060 wrote to memory of 1416	3060	x8801353.exe	30
PID 3060 wrote to memory of 1416	3060	x8801353.exe	30
PID 3060 wrote to memory of 2692	3060	x8801353.exe	31
PID 3060 wrote to memory of 2692	3060	x8801353.exe	31
PID 3060 wrote to memory of 2692	3060	x8801353.exe	31
PID 3060 wrote to memory of 2692	3060	x8801353.exe	31
PID 3060 wrote to memory of 2692	3060	x8801353.exe	31
PID 3060 wrote to memory of 2692	3060	x8801353.exe	31
PID 3060 wrote to memory of 2692	3060	x8801353.exe	31

C:\Users\Admin\AppData\Local\Temp\JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe
"C:\Users\Admin\AppData\Local\Temp\JC_e3cc6620516dbea63b618fcc57d399f3189b105ec90a4ce0bbb9add1eda7e6ea.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1416
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe

Filesize
256KB

MD5
881b71c183d3ea76400c8b78f518913b

SHA1
56b6ff22efaca2f770a72233eef64a7dda528f8c

SHA256
9ffb9c4e53e438a0dcf70af910d127bd49c1d83751f282a95bad09531db68c02

SHA512
7bdcba4786797ef75b0f46a555136c7b2862c7360cf48136352742590d2cb91be41198a9d34e87d77d2eeb1aa0eb413f70384df509e074fee29f1efc426d327c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe

Filesize
357KB

MD5
f53428b9ebfec6b356134d139222b4d7

SHA1
bd778e2188427d35fe15a5aeb671bffec50a5761

SHA256
6f8325159d3f93e5a164a6fb01a17099c1681d6883eb6cdcf9272ea1832fd619

SHA512
cdb260fd46aa98cfaaf37de19c0339c3cd8e15c3ee2df6eaabfc46961bdf23b78c8752caab9f3ec5b3ec5ebea26c7ca1087f7454df10552441420d957a5d74bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe

Filesize
36KB

MD5
33dfe7d0a9fddc21224b54a2cce1a32b

SHA1
c0b2991da80e33be21fa1217b276f96f2b643c99

SHA256
8afb07aab654e7c8b755a6b6be13d657b0c607e8b1f4672def62d7e3b3413f6f

SHA512
3807007e9763cf9a50c3ab07a9c2049774aaca42bfd4f228132a460be35f1dcd8fccbb3d9ba82c0ab1c546ed0cec4a7f50d28fa0279926e6df5b88d282c794d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5140893.exe

Filesize
12KB

MD5
9403417cabef4a164263a6d85bfddba5

SHA1
3c1f1b1c7e911b93933d8c116a6bfd305ce03d18

SHA256
7a1985041896a40c9846c64fe801d4e503f9471ab7a3e5ebd5d42ac843c579f9

SHA512
f6c6554d43f667592586f46e56274e0934e6b632016c49c2dd11b3214fd088c392532e8bede5fa911984613b7cf79f353151e5940a3c9fa9abd28455d7c65991

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5032787.exe

Filesize
176KB

MD5
486ce910a0924bb56ac5d8d7db61e7c0

SHA1
88139cdedbe75eb1441972b4bd5b498c1eb2e38c

SHA256
8511b1f1796c6bb4f49377a78b3cc1543f9f7ad0523e91df7cf4f5e6ddcc86b9

SHA512
0b277bae0dea7ba4543f32cbc6c084b1f23f47a74d9a01a2a0f3baf4d0ea99b7a7cf7a2a4af7110e0badc39400d0feb3963db1392e2bacefbcb8e2597c98f7e3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe

Filesize
371KB

MD5
77b13a3fd07083ce83966ad88c56783f

SHA1
f233315220091a448f740a6ad71cd7b45ecaae92

SHA256
5fb312ef2771f6e0870cb919e6cb40ff56b834c69054dd7c5890544a480493b8

SHA512
e030b9de4ba08956297af6ea1bf2539641f7960e0ef327ebdda5b7e39ba2171c9b50d028c8db18723ba15e0a8614197d56170fe9e569264bcecc8177861e825e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8180539.exe

Filesize
221KB

MD5
bdfd87252731dbbe8518c57e1defdaa1

SHA1
e441cfdf6b667f99d27ca33b14d3431b93807ca8

SHA256
a1e7bf7fdb40725ef01495c868f9a1425e6a718ace23a6473a126d8e34335859

SHA512
51a299df1f87873b856b9ec51e93e29365d22efba7a20a24d7818881a33e31e6e575253669b70c548cb4bb3d4f041cbfbbb3660cc5c493bb35b2a0ccd46b5d64

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe

Filesize
45KB

MD5
422936c73ad49ba52e140cc9aa522ab4

SHA1
4631f40917c71d2c8734b1c5ecc7fbab0e03633b

SHA256
2ce0e421c40b9b07eb2213efe11203a07fbce6b298c64712bd73046b954a752b

SHA512
c70885a49a3df0e77124f9a941e29de04b5a31e036f2ce2f7bb7578d6018bb20916662bd93a4e4e4f4502f56bc981dba408b80113ff9f688c566207d6f3fb9b0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8801353.exe

Filesize
206KB

MD5
ef4b98983a112ab0cd247faf227bd5e1

SHA1
6e117ab856666570dd067008aabe5fcd9f0735ac

SHA256
6639b1af65588c7bc5d7dfab64d99a84b64192d9553169a9abdf8c88862b1620

SHA512
adce7f277d3920e08bbb390933e626b3659afb2160e9dda88868a6af0728f078756d49b91867eb8b81c2850ef2c56ff914fc09f349d9081aa1ed736e7cfdc221

Download Submit
memory/1416-28-0x00000000009D0000-0x00000000009DA000-memory.dmp

Filesize
40KB

Download
memory/1416-29-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

Filesize
9.9MB

Download
memory/1416-30-0x000007FEF5B50000-0x000007FEF653C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-37-0x00000000003A0000-0x00000000003D0000-memory.dmp

Filesize
192KB

Download
memory/2692-38-0x0000000000380000-0x0000000000386000-memory.dmp

Filesize
24KB

Download