healer | 57a34a1caae7f0426b32bc71b73785f820451c97d3c5db368da479183b037629

Analysis

max time kernel
127s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0938a999b8caf4ac0b0ae0df1eb9b0b22dec4dfbfa3b4cb4ac6b6fdd35c3f7a3.exe
Size

1.2MB
MD5

65883b4a8135be962bb33cbe7124a601
SHA1

003fcf5786e5ba85e4947ce59abbadbb9cb22ba4
SHA256

0938a999b8caf4ac0b0ae0df1eb9b0b22dec4dfbfa3b4cb4ac6b6fdd35c3f7a3
SHA512

15d57b859eef30a26195aceb39f5cf9544132ad2e887842a88430e4d2582b22891e87502cb741685cf6631de6c8768a74d4822df2aa4a66c9d0625f3ef1b00b9
SSDEEP

24576:PyuI+YFzqAmOH7ZZBGLaEBupcGi7HjvapU66B49AxQml:aGYUAmGBGLduSGSvTJ4I

Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/memory/1628-41-0x00000000004B0000-0x00000000004EE000-memory.dmp	healer
behavioral1/files/0x0007000000023463-46.dat	healer
behavioral1/memory/3700-48-0x0000000000DC0000-0x0000000000DCA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6073119.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6073119.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b6966414.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b6966414.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b6966414.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a6073119.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6073119.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b6966414.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b6966414.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b6966414.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6073119.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6073119.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/memory/4352-53-0x0000000001FB0000-0x000000000203C000-memory.dmp	family_redline
behavioral1/memory/4352-60-0x0000000001FB0000-0x000000000203C000-memory.dmp	family_redline

Executes dropped EXE 7 IoCs

pid	Process
4020	v4502117.exe
2664	v9468037.exe
4060	v3169319.exe
2384	v9212352.exe
1628	a6073119.exe
3700	b6966414.exe
4352	c7133350.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a6073119.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6073119.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b6966414.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0938a999b8caf4ac0b0ae0df1eb9b0b22dec4dfbfa3b4cb4ac6b6fdd35c3f7a3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4502117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9468037.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3169319.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9212352.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1628	a6073119.exe
1628	a6073119.exe
3700	b6966414.exe
3700	b6966414.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	a6073119.exe
Token: SeDebugPrivilege	3700	b6966414.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 4020	1856	0938a999b8caf4ac0b0ae0df1eb9b0b22dec4dfbfa3b4cb4ac6b6fdd35c3f7a3.exe	84
PID 1856 wrote to memory of 4020	1856	0938a999b8caf4ac0b0ae0df1eb9b0b22dec4dfbfa3b4cb4ac6b6fdd35c3f7a3.exe	84
PID 1856 wrote to memory of 4020	1856	0938a999b8caf4ac0b0ae0df1eb9b0b22dec4dfbfa3b4cb4ac6b6fdd35c3f7a3.exe	84
PID 4020 wrote to memory of 2664	4020	v4502117.exe	85
PID 4020 wrote to memory of 2664	4020	v4502117.exe	85
PID 4020 wrote to memory of 2664	4020	v4502117.exe	85
PID 2664 wrote to memory of 4060	2664	v9468037.exe	87
PID 2664 wrote to memory of 4060	2664	v9468037.exe	87
PID 2664 wrote to memory of 4060	2664	v9468037.exe	87
PID 4060 wrote to memory of 2384	4060	v3169319.exe	88
PID 4060 wrote to memory of 2384	4060	v3169319.exe	88
PID 4060 wrote to memory of 2384	4060	v3169319.exe	88
PID 2384 wrote to memory of 1628	2384	v9212352.exe	89
PID 2384 wrote to memory of 1628	2384	v9212352.exe	89
PID 2384 wrote to memory of 1628	2384	v9212352.exe	89
PID 2384 wrote to memory of 3700	2384	v9212352.exe	94
PID 2384 wrote to memory of 3700	2384	v9212352.exe	94
PID 4060 wrote to memory of 4352	4060	v3169319.exe	95
PID 4060 wrote to memory of 4352	4060	v3169319.exe	95
PID 4060 wrote to memory of 4352	4060	v3169319.exe	95

C:\Users\Admin\AppData\Local\Temp\0938a999b8caf4ac0b0ae0df1eb9b0b22dec4dfbfa3b4cb4ac6b6fdd35c3f7a3.exe
"C:\Users\Admin\AppData\Local\Temp\0938a999b8caf4ac0b0ae0df1eb9b0b22dec4dfbfa3b4cb4ac6b6fdd35c3f7a3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4502117.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4502117.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9468037.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9468037.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3169319.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3169319.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9212352.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9212352.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6073119.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6073119.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6966414.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6966414.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7133350.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7133350.exe
        5⤵
        Executes dropped EXE
        
        PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4502117.exe

Filesize
1.0MB

MD5
59428e4ccebfc6dd340d8b529cbc1a20

SHA1
c2d8debfb3b5fa94f6a6b45ddd4a7925ac8eb7f3

SHA256
b1923d8eea4d2c469a2eda9a11a6883eacbac1d20103bf9ee16bff2b972cda7f

SHA512
49bbbcc3516e1f8e566dfe44a6244c9d33ada44e90b6cd59d4851b49d64bea8a6b08d1434a17f52da6d809a1e12db1a410ad331418575658e72ffd5c123795c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9468037.exe

Filesize
906KB

MD5
d37dd3d1df9437fca9263ff6322ab957

SHA1
36650b84a0e010cd40efac971a4bc5a4f66bfa64

SHA256
5c4fd7dc311f70861047b8e0c591a7e7e88c3fb8a76995a797439c0d6a17a5bf

SHA512
2df136cd5dcd8e2675a4f87cee2349f11cf3c408d10c3530a6be88512ad76558ef0177bb5e49c88f0b2a7d45b36890d40e9ef8cb3bcdfdfa67b4c400d1571e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3169319.exe

Filesize
722KB

MD5
bb8875b186ee8780517d342e19dabf0a

SHA1
0e0ab4ea6f00c068ba5f60efabf5c3e7c92857f0

SHA256
f0dff460af5dde1a38dceb311dbb611c32c0ddd3f34b1643b6fda83794f72c35

SHA512
0e31d4976508ad86c19e38bce72d3c08d6c8da6bd70ad19f05d630dd2b7ce71851b00ae6d3cb3c669f89c3814aa072ab6bdafdfd22de8b10ce68d2566de2b606

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7133350.exe

Filesize
491KB

MD5
f172d470fc8f5a1f32456a418bcb6517

SHA1
7cedee0bcbcdb6ec4d0aa1c96cb781b58085c020

SHA256
29637e8c1a1ec7bffd145a7e2d3c0dd547d367d43c1a611fac2d21ebac4996b9

SHA512
f8f43a4c3ef3e7d0d79ad23ad29956d3a2c8d4e8bebbae7cdce7f0ca4ae5dd28408e3c0725ac65173a6b6bafb7c2b38e64f58b0339f4a4754eab76eadc21cc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9212352.exe

Filesize
326KB

MD5
3bd16ca4347d2c927891bfbfdbc1ad7b

SHA1
8da7546242a085a8c1746229dec75003a05087c2

SHA256
4d0d4db944383e2d84ba28598df125f8914b9cd37b9eca594f9beb67efa87adf

SHA512
8dc800783a0db8c9fd6b523296593addc0f9a4f35c34c29a1a2afd7e208e46229a60f3a9be1eceaf94ca65d84168d8b3926789f4aaa54833c919cd0793ff5a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6073119.exe

Filesize
295KB

MD5
f28a122b694a5fc9fce3abada17743f6

SHA1
9bc491d7e3139ba2220830ac4be17e1926623d02

SHA256
5f5de7d8883b88831eb527b856e55200d0bd26b29a3b8e4db292bb9867ddd855

SHA512
8e411eb7d6e444d424957866a9c884b697039c2bb132292f86b2a42d859bddcb19a039b84cbb9ac1defed9d931782f044cb0f6b1cca212bd9e54b85c13e95ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6966414.exe

Filesize
11KB

MD5
f98262dafbc87c8f25177129b13c62f0

SHA1
15185689422140bacdec8095d5eb0407347993b7

SHA256
34243e0a87cee8c94d413dd9d3d478fe849e29d3ab802b99f4ada3e0dbf0eaa4

SHA512
e0fdf9ab1e81bbb3de224a07607dcb94859a6e2bd2855a66fd3be4d1a59aac60ed36c296cbcff9c3e8d65be82f9defd1c2a556d038ec469699bea645a67831c2

Download Submit
memory/1628-35-0x00000000004B0000-0x00000000004EE000-memory.dmp

Filesize
248KB

Download
memory/1628-41-0x00000000004B0000-0x00000000004EE000-memory.dmp

Filesize
248KB

Download
memory/1628-42-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/3700-48-0x0000000000DC0000-0x0000000000DCA000-memory.dmp

Filesize
40KB

Download
memory/4352-53-0x0000000001FB0000-0x000000000203C000-memory.dmp

Filesize
560KB

Download
memory/4352-60-0x0000000001FB0000-0x000000000203C000-memory.dmp

Filesize
560KB

Download
memory/4352-62-0x00000000043A0000-0x00000000043A6000-memory.dmp

Filesize
24KB

Download
memory/4352-63-0x0000000008660000-0x0000000008C78000-memory.dmp

Filesize
6.1MB

Download
memory/4352-64-0x00000000080A0000-0x00000000081AA000-memory.dmp

Filesize
1.0MB

Download
memory/4352-65-0x00000000081D0000-0x00000000081E2000-memory.dmp

Filesize
72KB

Download
memory/4352-66-0x00000000081F0000-0x000000000822C000-memory.dmp

Filesize
240KB

Download
memory/4352-67-0x0000000008260000-0x00000000082AC000-memory.dmp

Filesize
304KB

Download