healer | e6564b70fa3d9a9e989ad7c1bb2b027f2e5447273c0bb64f84c7940828ecb0ed

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe
Size

1.2MB
MD5

3084e5a05ec994a172379bb42d1f4a6e
SHA1

d5705086a050a075520d1e19aa047f924e079ba5
SHA256

b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9
SHA512

7988b8ced595a143db70f1e668bb0e645fa19621e363061379cd5b042ec6444bf8f9a14184bd65afb126a851e8acfb23eee6f71bce930d135c9eab36d87e06a0
SSDEEP

24576:my9QoTLxsXrQ8m0Y3lsvmLEBXibYVetVVosYmmL9hK:19Qwss8ytLqqYjsJmJh

Score

10^/10

healer redline lamp dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lamp

77.91.68.56:19071

Attributes

auth_value
ee1df63bcdbe3de70f52810d94eaff7d

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

Processes:

resource	yara_rule
behavioral15/memory/3660-41-0x0000000000570000-0x00000000005AE000-memory.dmp	healer
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe	healer
behavioral15/memory/540-48-0x0000000000BF0000-0x0000000000BFA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a6918678.exeb0194431.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6918678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6918678.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	b0194431.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	b0194431.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	b0194431.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	b0194431.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	b0194431.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a6918678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6918678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6918678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6918678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	b0194431.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral15/memory/3028-53-0x0000000000620000-0x00000000006AC000-memory.dmp	family_redline
behavioral15/memory/3028-60-0x0000000000620000-0x00000000006AC000-memory.dmp	family_redline

Executes dropped EXE 7 IoCs

Processes:

v8193530.exev7356747.exev1869910.exev6266876.exea6918678.exeb0194431.exec9863785.exe

pid process

3748 v8193530.exe
3020 v7356747.exe
3356 v1869910.exe
3132 v6266876.exe
3660 a6918678.exe
540 b0194431.exe
3028 c9863785.exe

pid	process
3748	v8193530.exe
3020	v7356747.exe
3356	v1869910.exe
3132	v6266876.exe
3660	a6918678.exe
540	b0194431.exe
3028	c9863785.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

a6918678.exeb0194431.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a6918678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6918678.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	b0194431.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

v7356747.exev1869910.exev6266876.exeb6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exev8193530.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7356747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1869910.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6266876.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8193530.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a6918678.exeb0194431.exe

pid process

3660 a6918678.exe
3660 a6918678.exe
540 b0194431.exe
540 b0194431.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

a6918678.exeb0194431.exe

description pid process

Token: SeDebugPrivilege 3660 a6918678.exe
Token: SeDebugPrivilege 540 b0194431.exe

pid	process
3660	a6918678.exe
3660	a6918678.exe
540	b0194431.exe
540	b0194431.exe

description	pid	process
Token: SeDebugPrivilege	3660	a6918678.exe
Token: SeDebugPrivilege	540	b0194431.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exev8193530.exev7356747.exev1869910.exev6266876.exe

description	pid	process	target process
PID 5008 wrote to memory of 3748	5008	b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe	v8193530.exe
PID 5008 wrote to memory of 3748	5008	b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe	v8193530.exe
PID 5008 wrote to memory of 3748	5008	b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe	v8193530.exe
PID 3748 wrote to memory of 3020	3748	v8193530.exe	v7356747.exe
PID 3748 wrote to memory of 3020	3748	v8193530.exe	v7356747.exe
PID 3748 wrote to memory of 3020	3748	v8193530.exe	v7356747.exe
PID 3020 wrote to memory of 3356	3020	v7356747.exe	v1869910.exe
PID 3020 wrote to memory of 3356	3020	v7356747.exe	v1869910.exe
PID 3020 wrote to memory of 3356	3020	v7356747.exe	v1869910.exe
PID 3356 wrote to memory of 3132	3356	v1869910.exe	v6266876.exe
PID 3356 wrote to memory of 3132	3356	v1869910.exe	v6266876.exe
PID 3356 wrote to memory of 3132	3356	v1869910.exe	v6266876.exe
PID 3132 wrote to memory of 3660	3132	v6266876.exe	a6918678.exe
PID 3132 wrote to memory of 3660	3132	v6266876.exe	a6918678.exe
PID 3132 wrote to memory of 3660	3132	v6266876.exe	a6918678.exe
PID 3132 wrote to memory of 540	3132	v6266876.exe	b0194431.exe
PID 3132 wrote to memory of 540	3132	v6266876.exe	b0194431.exe
PID 3356 wrote to memory of 3028	3356	v1869910.exe	c9863785.exe
PID 3356 wrote to memory of 3028	3356	v1869910.exe	c9863785.exe
PID 3356 wrote to memory of 3028	3356	v1869910.exe	c9863785.exe

C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe
"C:\Users\Admin\AppData\Local\Temp\b6b53c7022ec83f58037dc5fee6d8a5dd71ff675b2851d1ebdaac02d608ebac9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5008

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3748

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3356

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3132

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe
5⤵
- Executes dropped EXE
PID:3028

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8193530.exe
Filesize
1.0MB

MD5
8f452b4a4326c38e4571b85753f14835

SHA1
39e82691dbf838c5929a85c0ccea571b2eeaa762

SHA256
2c425603871cfae47a16427da45eb520a5ed3d232c7cd61f40106132368da097

SHA512
5a562cd0ba0c785afe7121fd99bc39173a2121452c011bdb7424ffe30c95e181d4848dbe70996f40d02e03518328159b8913ae7351cfb4da9d4da1b4cd36a061

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7356747.exe
Filesize
905KB

MD5
c01e50a9b08254b6225359b71398aec4

SHA1
69290aa4f0cfff274bd47cbea733cd1494329fff

SHA256
e11371b57008d6851d429072eb585f23a66ef95ba1f2fe63bd2ee922b8583a12

SHA512
73b878812254dbf5854e5cd330bcb063eca437b2f84b127f6f8fae664d274b3de5904a97ea070c77f32fe3838d69926aa7e9f19d3abaa4b81cc8684c9acc0b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1869910.exe
Filesize
722KB

MD5
b047020daecfcd4d6486280843970ca3

SHA1
1126405fb85088855aa5c5b0a4fe8c53deff0d25

SHA256
6347410a710cfe628661defb8efdb525f50735c3eeb0911a1b4c40888708bab8

SHA512
78d6bbedafae407382fb5e27982c03d04c8036406742168203577974d0632915125324292665ff07e82ef42faeca5a24add5ac0ccf0ac7a5ced4152bfad44a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9863785.exe
Filesize
492KB

MD5
c0cb72fd5b63fa6a0e23311a69b60989

SHA1
bc1d486836b34d78d9169fec03e4b60433e1374c

SHA256
875aa2484a1a2abf76d5e4888f69df5ef6eac968473931e34bfd7a571eaa3a1d

SHA512
a469239d9e7178b1127af703d1347670173ec45f446bc47e96b1edc8f6ecc1482de44d055a9183b8e9f441a9b0d1625da2b48d36392c919ca5be3ad6f542c805

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6266876.exe
Filesize
325KB

MD5
3700b23c6984dc6b04ae254478422acf

SHA1
c96f67a6cd8c1c5c421a2f7268fdb0cbbcf5969d

SHA256
53432dba21043cefad2ee82a5077c1aea9238fa7a57f8701799c03717b27b344

SHA512
5c9b84a799ae5178ff835fb31e8a9b986bd923fc6fa5d13aff1df33ed66f0eea4826066ec741b04deafd5370a08dbdf154668c3dfde2177c9b1378198fb1ce75

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6918678.exe
Filesize
295KB

MD5
52a2bfba5bb378ef0d888bff0a0a9a4c

SHA1
e407c2042a2751b2643c4ba379b37f5c98242c07

SHA256
46aedf9813ed0c38fac92d5493e5dde9b57dbc6304456fc2ececa49e07feed65

SHA512
cd46b3f4f4165ddc64c3c87ad8ef0b855c032e8ecb863092b9fb08cd5885a31178f8538dfd447c4e0848cdf09cd7e2ce4e972c2ac4719cb60dd5c36ae8713ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0194431.exe
Filesize
11KB

MD5
a489f76b1e20676c44e20a1265d95bd2

SHA1
4adea8e3285c282db000d943bb98a5a7b9f797b7

SHA256
4c2d887e30ef21d4754b422f989dd02647ffd5ecfeea4342034e646e914ea32d

SHA512
06b205ec385ac02692a039cff628c8c5dcc4d1e388a05d4bdc8ad6b7f6efc61a3caf8c9bd9f18d08f321a4e11d27932af8a0ca8bc60bf62d2dbf0a8075bbcfa3

Download Submit
memory/540-48-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/3028-63-0x0000000009FB0000-0x000000000A5C8000-memory.dmp

Filesize
6.1MB

Download
memory/3028-53-0x0000000000620000-0x00000000006AC000-memory.dmp

Filesize
560KB

Download
memory/3028-60-0x0000000000620000-0x00000000006AC000-memory.dmp

Filesize
560KB

Download
memory/3028-62-0x0000000002510000-0x0000000002516000-memory.dmp

Filesize
24KB

Download
memory/3028-64-0x000000000A5D0000-0x000000000A6DA000-memory.dmp

Filesize
1.0MB

Download
memory/3028-65-0x0000000006AB0000-0x0000000006AC2000-memory.dmp

Filesize
72KB

Download
memory/3028-66-0x0000000006AD0000-0x0000000006B0C000-memory.dmp

Filesize
240KB

Download
memory/3028-67-0x0000000006C70000-0x0000000006CBC000-memory.dmp

Filesize
304KB

Download
memory/3660-42-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3660-41-0x0000000000570000-0x00000000005AE000-memory.dmp

Filesize
248KB

Download
memory/3660-35-0x0000000000570000-0x00000000005AE000-memory.dmp

Filesize
248KB

Download