healer | 45e94c10bbc148cc1f0e810ef4a64b3b2814960515bbe6c69d8570dde960e0b2

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c648954590b2b993dd0ec5a577cba1b52011aa076b30819cd9c278d54c229da2.exe
Size

1.2MB
MD5

8f0ae8b9143b7c2a9d3ee80fb01e12e5
SHA1

89f6a23d8506e9f9225d65cde96557e343ed2ea6
SHA256

c648954590b2b993dd0ec5a577cba1b52011aa076b30819cd9c278d54c229da2
SHA512

92a13795c626c78cecaa8af7c42b1156bbec24345e610b8ed5487e536d532fce4a93af4eb15528949c77169f1a694c37672ff1e3dee5442152a241acb2776e84
SSDEEP

24576:CyLs0yzVqprTMOkQDpNfAv6eht7Q3PcTUahfoMx7pMeW:pw0yBqV4pQDpSvdht7Q3P4N7pMe

Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral18/memory/4920-41-0x0000000000690000-0x00000000006CE000-memory.dmp	healer
behavioral18/files/0x0007000000023454-47.dat	healer
behavioral18/memory/5056-48-0x0000000000430000-0x000000000043A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1097541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1097541.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b9639557.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b9639557.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b9639557.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b9639557.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a1097541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1097541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b9639557.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b9639557.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1097541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1097541.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral18/memory/556-53-0x0000000002060000-0x00000000020EC000-memory.dmp	family_redline
behavioral18/memory/556-60-0x0000000002060000-0x00000000020EC000-memory.dmp	family_redline

Executes dropped EXE 7 IoCs

pid	Process
1892	v3488982.exe
1444	v9692876.exe
3880	v4993504.exe
2436	v6610272.exe
4920	a1097541.exe
5056	b9639557.exe
556	c3816723.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a1097541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1097541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b9639557.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c648954590b2b993dd0ec5a577cba1b52011aa076b30819cd9c278d54c229da2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3488982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9692876.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4993504.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6610272.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4920	a1097541.exe
4920	a1097541.exe
5056	b9639557.exe
5056	b9639557.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4920	a1097541.exe
Token: SeDebugPrivilege	5056	b9639557.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1892	1636	c648954590b2b993dd0ec5a577cba1b52011aa076b30819cd9c278d54c229da2.exe	83
PID 1636 wrote to memory of 1892	1636	c648954590b2b993dd0ec5a577cba1b52011aa076b30819cd9c278d54c229da2.exe	83
PID 1636 wrote to memory of 1892	1636	c648954590b2b993dd0ec5a577cba1b52011aa076b30819cd9c278d54c229da2.exe	83
PID 1892 wrote to memory of 1444	1892	v3488982.exe	84
PID 1892 wrote to memory of 1444	1892	v3488982.exe	84
PID 1892 wrote to memory of 1444	1892	v3488982.exe	84
PID 1444 wrote to memory of 3880	1444	v9692876.exe	85
PID 1444 wrote to memory of 3880	1444	v9692876.exe	85
PID 1444 wrote to memory of 3880	1444	v9692876.exe	85
PID 3880 wrote to memory of 2436	3880	v4993504.exe	86
PID 3880 wrote to memory of 2436	3880	v4993504.exe	86
PID 3880 wrote to memory of 2436	3880	v4993504.exe	86
PID 2436 wrote to memory of 4920	2436	v6610272.exe	88
PID 2436 wrote to memory of 4920	2436	v6610272.exe	88
PID 2436 wrote to memory of 4920	2436	v6610272.exe	88
PID 2436 wrote to memory of 5056	2436	v6610272.exe	98
PID 2436 wrote to memory of 5056	2436	v6610272.exe	98
PID 3880 wrote to memory of 556	3880	v4993504.exe	99
PID 3880 wrote to memory of 556	3880	v4993504.exe	99
PID 3880 wrote to memory of 556	3880	v4993504.exe	99

C:\Users\Admin\AppData\Local\Temp\c648954590b2b993dd0ec5a577cba1b52011aa076b30819cd9c278d54c229da2.exe
"C:\Users\Admin\AppData\Local\Temp\c648954590b2b993dd0ec5a577cba1b52011aa076b30819cd9c278d54c229da2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3488982.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3488982.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9692876.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9692876.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4993504.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4993504.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6610272.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6610272.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2436
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1097541.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1097541.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9639557.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9639557.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3816723.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3816723.exe
        5⤵
        Executes dropped EXE
        
        PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3488982.exe

Filesize
1.0MB

MD5
d243a6511f0d3e68f5aa8d43f3dd7f3b

SHA1
7d1534ed0cbe345621ece012d7087b09f26894cf

SHA256
ad64d7e5f0015bc591333da061c261a7a7a21941cf89d2840156c7b16fe13348

SHA512
d12a0304c25ef0367f8aa937c8f062b585e35d7f10f5e3e726b4c42dfe0c7922fb25df146a4b940dd6874b99080b5c30910777faf4c3feae17cc82e8f1763e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9692876.exe

Filesize
907KB

MD5
af4b6ee32e905833f52664447255cebe

SHA1
c73084cf15ca24c4332c028cd33fd129606a947f

SHA256
02a217269c36a6055324a25f694e6712a03cb700003cc5e07b06213573974496

SHA512
41b8275fbe2168b40c60a891bc98fafc42b5bab4997cc8e0851fef01f5df9733737d258e207071bd4dd88b9f348ccd730fe9c11214841fb7468d6baa51f29b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4993504.exe

Filesize
723KB

MD5
e4bc1e3a7d5c0707cb7a51bc0885bac8

SHA1
8841aa32e81d48e6f132fcb478cc56eaccf54bc5

SHA256
802bd1694645ebe47bc74d9b805cdfb0d654c4c545b7217d9cbca53595442db2

SHA512
0007f204656b06eed59fb33ea974eef5aca74bf7851a70bb7f2e565b95df11dddc67e0aea4613a0e5fbb5f60db9eadb367d17f4ad00084939a6cbb640a9d914b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3816723.exe

Filesize
491KB

MD5
755410f0aa46758c9f0214567e2029a1

SHA1
a78cbd39742a653ec83688b318d97bd159659455

SHA256
d8ba2a469d8e17d26166218994479f49e939c8cf18edaa6379e9b750b5e00026

SHA512
37e78c8211be1ac8893c2ac36239793c6701e0e7aec071cac737a72a1575f565f47662200c7efb7635d11bf5ceb3847145d2d1dd4e34840f8ab3bd2bceaa8044

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6610272.exe

Filesize
324KB

MD5
e7d041c38e3ee39c96aa00d019a84fbf

SHA1
0665bdcf3cdd3c2961e921198157e3b24909b203

SHA256
7e313e4487ab9f86dc94ca65c26f3654fd5c4dbfcc856458832ba8b4dc5db578

SHA512
75d2b9b4e562ff284051834655e580cad62075c987e7ceb1a3a46faafd24a6abd817c2631d64cb6bd121a7abda2a8c8eade5240d42ead98a31a7354907797469

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1097541.exe

Filesize
295KB

MD5
ce1702e57be93eedfc26ee915494f665

SHA1
47455dace1b826c1d1de4bd9eb1eae45d085fe94

SHA256
076eac6ce7b2d0d9d9db1a2cb2daa3e7371a72c2f3ba69659ab2b4ec6c484119

SHA512
5e20b1866b481e3181d327b7ca63c29e1c5a59a8584c084fddbe8aa0b508e5b0ee6ed3e2a71406b66cbda3694b563f5cdb479dac196409d9f32b0f19cf1eb049

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9639557.exe

Filesize
11KB

MD5
704e5df0fc4e88fa277b3168658091cd

SHA1
ae5853a4834b8d791e4f3f7df21fdd38f8fac531

SHA256
1b7df6d5f6eebeed6911fa4520e730bd3906e492fcc3c236d3315433e8bd320c

SHA512
462aa658bec6cff61ad79b8cd6df8ae587556b2b9fae156808c447cf76d8f1f74151c6ad2120967f7cf851c1f8b067b68387f04509656fbfd0b656c4e394acde

Download Submit
memory/556-63-0x000000000A030000-0x000000000A648000-memory.dmp

Filesize
6.1MB

Download
memory/556-53-0x0000000002060000-0x00000000020EC000-memory.dmp

Filesize
560KB

Download
memory/556-60-0x0000000002060000-0x00000000020EC000-memory.dmp

Filesize
560KB

Download
memory/556-62-0x0000000002400000-0x0000000002406000-memory.dmp

Filesize
24KB

Download
memory/556-64-0x000000000A6B0000-0x000000000A7BA000-memory.dmp

Filesize
1.0MB

Download
memory/556-65-0x000000000A7E0000-0x000000000A7F2000-memory.dmp

Filesize
72KB

Download
memory/556-66-0x000000000A800000-0x000000000A83C000-memory.dmp

Filesize
240KB

Download
memory/556-67-0x0000000006A00000-0x0000000006A4C000-memory.dmp

Filesize
304KB

Download
memory/4920-41-0x0000000000690000-0x00000000006CE000-memory.dmp

Filesize
248KB

Download
memory/4920-42-0x0000000004470000-0x0000000004471000-memory.dmp

Filesize
4KB

Download
memory/4920-35-0x0000000000690000-0x00000000006CE000-memory.dmp

Filesize
248KB

Download
memory/5056-48-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download