healer | e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed

Analysis

max time kernel
126s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe
Size

1.6MB
MD5

2f1c41adf7b880f2e9f9b1b0286a143b
SHA1

606acc7a67ec4f0241b3850a1b0ce2241774c9de
SHA256

61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b
SHA512

c1b593f1e6600aa2124262f90c0a1ad77f46dc1e87ce836c1d9bf2160352d974f5cbff78100bc7c380071b3de8d0ef3cd653423efa26e73c005beb59a6fa0596
SSDEEP

24576:gye1lDVXnpy0e+JaxMbVa2H2t2BCl1EDD9uh4iVtjGE0Nx:nEneZxoDH42BClumNVL0N

Score

10^/10

healer redline masha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

masha

77.91.68.48:19071

Attributes

auth_value
55b9b39a0dae383196a4b8d79e5bb805

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
behavioral9/memory/3668-28-0x0000000000470000-0x000000000047A000-memory.dmp	healer
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe	healer
behavioral9/memory/4104-37-0x00000000004A0000-0x00000000004AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

b6286603.exea8518906.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b6286603.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a8518906.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8518906.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8518906.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b6286603.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b6286603.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b6286603.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b6286603.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8518906.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8518906.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8518906.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b6286603.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral9/memory/844-42-0x00000000005B0000-0x00000000005E0000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

Processes:

v7479313.exev7958004.exev2151231.exea8518906.exeb6286603.exec8826700.exe

pid process

216 v7479313.exe
2152 v7958004.exe
1904 v2151231.exe
3668 a8518906.exe
4104 b6286603.exe
844 c8826700.exe

pid	process
216	v7479313.exe
2152	v7958004.exe
1904	v2151231.exe
3668	a8518906.exe
4104	b6286603.exe
844	c8826700.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

a8518906.exeb6286603.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8518906.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8518906.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b6286603.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exev7479313.exev7958004.exev2151231.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7479313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7958004.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v2151231.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a8518906.exeb6286603.exe

pid process

3668 a8518906.exe
3668 a8518906.exe
4104 b6286603.exe
4104 b6286603.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a8518906.exeb6286603.exe

description pid process

Token: SeDebugPrivilege 3668 a8518906.exe
Token: SeDebugPrivilege 4104 b6286603.exe

pid	process
3668	a8518906.exe
3668	a8518906.exe
4104	b6286603.exe
4104	b6286603.exe

description	pid	process
Token: SeDebugPrivilege	3668	a8518906.exe
Token: SeDebugPrivilege	4104	b6286603.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exev7479313.exev7958004.exev2151231.exe

description	pid	process	target process
PID 1612 wrote to memory of 216	1612	61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe	v7479313.exe
PID 1612 wrote to memory of 216	1612	61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe	v7479313.exe
PID 1612 wrote to memory of 216	1612	61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe	v7479313.exe
PID 216 wrote to memory of 2152	216	v7479313.exe	v7958004.exe
PID 216 wrote to memory of 2152	216	v7479313.exe	v7958004.exe
PID 216 wrote to memory of 2152	216	v7479313.exe	v7958004.exe
PID 2152 wrote to memory of 1904	2152	v7958004.exe	v2151231.exe
PID 2152 wrote to memory of 1904	2152	v7958004.exe	v2151231.exe
PID 2152 wrote to memory of 1904	2152	v7958004.exe	v2151231.exe
PID 1904 wrote to memory of 3668	1904	v2151231.exe	a8518906.exe
PID 1904 wrote to memory of 3668	1904	v2151231.exe	a8518906.exe
PID 1904 wrote to memory of 3668	1904	v2151231.exe	a8518906.exe
PID 1904 wrote to memory of 4104	1904	v2151231.exe	b6286603.exe
PID 1904 wrote to memory of 4104	1904	v2151231.exe	b6286603.exe
PID 2152 wrote to memory of 844	2152	v7958004.exe	c8826700.exe
PID 2152 wrote to memory of 844	2152	v7958004.exe	c8826700.exe
PID 2152 wrote to memory of 844	2152	v7958004.exe	c8826700.exe

C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe
"C:\Users\Admin\AppData\Local\Temp\61f1416a771544600c2eb0122b2860693273306c4f450b6c7dc5af2a07a52b2b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1612

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:216

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4104

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
4⤵
- Executes dropped EXE
PID:844

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7479313.exe
Filesize
1.4MB

MD5
f322468f7b64cecefaf9a0f0faccce20

SHA1
3d70724ebe7a280468c06cec4aeff4723eb530be

SHA256
d0d0aa49f6e37875f9b5dd0f21ab7ea9a9a366ff47cf69e224a1aa6e5089a24c

SHA512
b73f96b0eae3a1ca5da4a964cf56c7a991e5d30796a0f56bd6729dd4dfe542ed1053b7e0d3284bac2d5a1c7e646002fdf11866c094543e2e94847a9ed16b1fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7958004.exe
Filesize
1.3MB

MD5
208b54dec1def07b191289f2f777b350

SHA1
10bf86ca447e4aa9d59a244824788350d4b4f071

SHA256
09b9055edb7d51a08a4b7a7b2ee1d982379fff43c34637084fdd32a412a20974

SHA512
06ebe2071211a221f939aa666849012f4d6e1b7855ff8e0df4bda2c0fe1430b564ad1d4209b945cfead695f1503a2dc57af84fae7bd1cf62e71691184a772b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8826700.exe
Filesize
729KB

MD5
066240575f50b7f5987e95a3be5d62dc

SHA1
3edf9ff59b4ee474b5d828763d9c4df55bd51179

SHA256
5d78ef153cc6b04717c89d059e6b2c6200834f3945d6e762603d53c118bddfd5

SHA512
702b9df12dcfb2038eb71e0286f1c6d036df628fee3b9c44b295bf5089ce07c88fd70ac44091eb092c941217a7437210ff792190706568d8608f3a689450d76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v2151231.exe
Filesize
638KB

MD5
4b1a2d09d57bf0b2fc99d5da960562d5

SHA1
d72c7391e795ee360ad860d870d03c58372e5d19

SHA256
df3d2938bcbf97d8977a8fe236a2471d529e1b484ba5090635dc3fec80b7b8e3

SHA512
4a69463ab5fcb25140b9ce4fece0c2d0e7c3d2827d7d2addc26a38a8c9aeb1787837ade0084c578c46efa2d4b3c98b4fc0b645334796d40d2a73ea4e55d28684

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8518906.exe
Filesize
568KB

MD5
ae98a36da0e47b966ed93d845206ce38

SHA1
1ea9b655c02f2073c92e4a010c25a2c5bcad1ed8

SHA256
1c262ccffb16c31cdf0cc414038a3da52f58e209027e5a915f3b6e40be5d3bee

SHA512
975b325fdd9cf5f47778742bf53b10a2903caace94b69d59a16c7c8ade15e8bd7d29ed372269bdde0bf76ac8898771601549f993e69c9801ffc11da4168cb1dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6286603.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
memory/844-49-0x000000000A640000-0x000000000A74A000-memory.dmp

Filesize
1.0MB

Download
memory/844-42-0x00000000005B0000-0x00000000005E0000-memory.dmp

Filesize
192KB

Download
memory/844-47-0x0000000002310000-0x0000000002316000-memory.dmp

Filesize
24KB

Download
memory/844-48-0x000000000A000000-0x000000000A618000-memory.dmp

Filesize
6.1MB

Download
memory/844-50-0x000000000A780000-0x000000000A792000-memory.dmp

Filesize
72KB

Download
memory/844-51-0x000000000A7A0000-0x000000000A7DC000-memory.dmp

Filesize
240KB

Download
memory/844-52-0x00000000021E0000-0x000000000222C000-memory.dmp

Filesize
304KB

Download
memory/3668-28-0x0000000000470000-0x000000000047A000-memory.dmp

Filesize
40KB

Download
memory/4104-37-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download