healer | dd49e60a45e3962b98b32d0ae9a1256ae1e60ba2b696a005fe221e32f96d996b

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe
Size

480KB
MD5

da1a7836295f867660a4ef08cbd034ad
SHA1

ba6d8cc6092de77df9c6dbbd70b3344739d2f7b6
SHA256

5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980
SHA512

b992f960dbee603138e2d251048ce9448e2762cb7fae486f6fe3fbe9c739af5094a3d6f7dc6da38172c3b6a23ccc9b02a01edaeb73fee305c2dc0cdbb814973b
SSDEEP

12288:aMrYy90jit+Ui52alg5MAxa3xV6x3ANJ0+kwPvIKw8F0:iys1n2AHee0O0+/PvIJ8u

Score

10^/10

healer redline mihan dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mihan

217.196.96.101:4132

Attributes

auth_value
9a6a8fdae02ed7caa0a49a6ddc6d4520

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral13/memory/720-15-0x0000000002410000-0x000000000242A000-memory.dmp	healer
behavioral13/memory/720-18-0x0000000005080000-0x0000000005098000-memory.dmp	healer
behavioral13/memory/720-22-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-46-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-44-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-42-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-40-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-39-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-36-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-34-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-32-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-30-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-28-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-26-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-24-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-20-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral13/memory/720-19-0x0000000005080000-0x0000000005092000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a8375659.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a8375659.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8375659.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8375659.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8375659.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8375659.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8375659.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7173200.exe	family_redline
behavioral13/memory/2576-53-0x0000000000CC0000-0x0000000000CF0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

v3188639.exea8375659.exeb7173200.exe

pid process

4448 v3188639.exe
720 a8375659.exe
2576 b7173200.exe

pid	process
4448	v3188639.exe
720	a8375659.exe
2576	b7173200.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

a8375659.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8375659.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8375659.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exev3188639.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3188639.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4860 sc.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a8375659.exe

pid process

720 a8375659.exe
720 a8375659.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a8375659.exe

description pid process

Token: SeDebugPrivilege 720 a8375659.exe

pid	process
4860	sc.exe

pid	process
720	a8375659.exe
720	a8375659.exe

description	pid	process
Token: SeDebugPrivilege	720	a8375659.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exev3188639.exe

description	pid	process	target process
PID 2428 wrote to memory of 4448	2428	5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe	v3188639.exe
PID 2428 wrote to memory of 4448	2428	5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe	v3188639.exe
PID 2428 wrote to memory of 4448	2428	5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe	v3188639.exe
PID 4448 wrote to memory of 720	4448	v3188639.exe	a8375659.exe
PID 4448 wrote to memory of 720	4448	v3188639.exe	a8375659.exe
PID 4448 wrote to memory of 720	4448	v3188639.exe	a8375659.exe
PID 4448 wrote to memory of 2576	4448	v3188639.exe	b7173200.exe
PID 4448 wrote to memory of 2576	4448	v3188639.exe	b7173200.exe
PID 4448 wrote to memory of 2576	4448	v3188639.exe	b7173200.exe

C:\Users\Admin\AppData\Local\Temp\5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe
"C:\Users\Admin\AppData\Local\Temp\5f157bb7f5af6f00c288774953e6950cbcecbf52dfbf7a910b167c511b237980.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3188639.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3188639.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8375659.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8375659.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:720

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7173200.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7173200.exe
3⤵
- Executes dropped EXE
PID:2576

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4860

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3188639.exe
Filesize
309KB

MD5
807e71d7270ae44b1afeecf5a8acef11

SHA1
592e794dd1f853fcf84fcfa47240f809654ac553

SHA256
2958df126f58bfa9cf8a442bda3aa95a2a4462a00453ce2de5927d4b3db1ce53

SHA512
c64ed63457b3d9d25bab614f39e24b8bd1328c2aa234ebead0eaa26e2b29a24dc5575248eeeded3ba30d97e366a40dee59e583a09e145b0fd7347ed70c8deab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8375659.exe
Filesize
180KB

MD5
7a3073915f79b6370ced968bd0641865

SHA1
4bfeaaacef77c10a76c5107e9079217e22f70ba4

SHA256
c09f37dd8bdfc6fad23336a853e7b6a24413627a5196b48ff1a4bfdc2ec5b94b

SHA512
cc64029593e582e10e4fdd262add890f878c0ff285390473d24f30e37c74100102f591cf5fc34c3433d66eff3ce30d83377574c0decc63b5014aae3d7b5cc99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7173200.exe
Filesize
168KB

MD5
bb5a235b78bece4455fdf8b0e1feac99

SHA1
d464fc693250f9a1968c91d30fd7cc2ea5966b3a

SHA256
73d99cba272ccc89b9068644a65a2c778f754e233fdac271ed3eaa602ff17e66

SHA512
b30e111f04ab68349f6811d7d28dc3fc46f8c16c4c1a791d7d2829dfb86bbf8bc2aa5961d7ba3090f20ca4c689ce6f254e72bfca8669ca3fed1a644f02e514b8

Download Submit
memory/720-46-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-22-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-28-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-18-0x0000000005080000-0x0000000005098000-memory.dmp

Filesize
96KB

Download
memory/720-26-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-15-0x0000000002410000-0x000000000242A000-memory.dmp

Filesize
104KB

Download
memory/720-44-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-42-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-40-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-39-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-36-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-24-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-32-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-30-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-17-0x0000000004A70000-0x0000000005014000-memory.dmp

Filesize
5.6MB

Download
memory/720-16-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/720-34-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-47-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/720-20-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-19-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/720-49-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Filesize
7.7MB

Download
memory/720-14-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2576-53-0x0000000000CC0000-0x0000000000CF0000-memory.dmp

Filesize
192KB

Download
memory/2576-54-0x00000000017F0000-0x00000000017F6000-memory.dmp

Filesize
24KB

Download
memory/2576-56-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/2576-55-0x0000000005E00000-0x0000000006418000-memory.dmp

Filesize
6.1MB

Download
memory/2576-57-0x0000000005670000-0x0000000005682000-memory.dmp

Filesize
72KB

Download
memory/2576-58-0x00000000057E0000-0x000000000581C000-memory.dmp

Filesize
240KB

Download
memory/2576-59-0x0000000005830000-0x000000000587C000-memory.dmp

Filesize
304KB

Download