healer | dd49e60a45e3962b98b32d0ae9a1256ae1e60ba2b696a005fe221e32f96d996b

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe
Size

481KB
MD5

b983bbfa2e93dade84538209720f5e08
SHA1

6aa74f2b866844d1b5fe626d72e29ff27ffe095f
SHA256

db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3
SHA512

11e6207c8144315a15dfd8c7e486a2fff3d0d77a9c860e775ef8f5c50f4f61b12ab57fc5e61a3d821676857e701ff2c221aa11832987fca344a2ed861d58158a
SSDEEP

12288:pMrPy90u/cEIpe3ZHY+YtBEn1C3xvimDfHWu2BI95:uyD/mepfK2WvdLH6m5

Score

10^/10

healer redline mihan dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mihan

217.196.96.101:4132

Attributes

auth_value
9a6a8fdae02ed7caa0a49a6ddc6d4520

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral22/memory/3160-15-0x0000000002010000-0x000000000202A000-memory.dmp	healer
behavioral22/memory/3160-18-0x0000000002510000-0x0000000002528000-memory.dmp	healer
behavioral22/memory/3160-48-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-46-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-44-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-42-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-40-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-38-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-36-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-34-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-32-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-30-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-28-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-26-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-24-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-22-0x0000000002510000-0x0000000002522000-memory.dmp	healer
behavioral22/memory/3160-21-0x0000000002510000-0x0000000002522000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a9410822.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9410822.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a9410822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9410822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9410822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9410822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9410822.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0566205.exe	family_redline
behavioral22/memory/4464-54-0x0000000000150000-0x0000000000180000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

v0380562.exea9410822.exeb0566205.exe

pid process

1696 v0380562.exe
3160 a9410822.exe
4464 b0566205.exe

pid	process
1696	v0380562.exe
3160	a9410822.exe
4464	b0566205.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

a9410822.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a9410822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9410822.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

v0380562.exedb8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0380562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a9410822.exe

pid process

3160 a9410822.exe
3160 a9410822.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a9410822.exe

description pid process

Token: SeDebugPrivilege 3160 a9410822.exe

pid	process
3160	a9410822.exe
3160	a9410822.exe

description	pid	process
Token: SeDebugPrivilege	3160	a9410822.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exev0380562.exe

description	pid	process	target process
PID 4496 wrote to memory of 1696	4496	db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe	v0380562.exe
PID 4496 wrote to memory of 1696	4496	db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe	v0380562.exe
PID 4496 wrote to memory of 1696	4496	db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe	v0380562.exe
PID 1696 wrote to memory of 3160	1696	v0380562.exe	a9410822.exe
PID 1696 wrote to memory of 3160	1696	v0380562.exe	a9410822.exe
PID 1696 wrote to memory of 3160	1696	v0380562.exe	a9410822.exe
PID 1696 wrote to memory of 4464	1696	v0380562.exe	b0566205.exe
PID 1696 wrote to memory of 4464	1696	v0380562.exe	b0566205.exe
PID 1696 wrote to memory of 4464	1696	v0380562.exe	b0566205.exe

C:\Users\Admin\AppData\Local\Temp\db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe
"C:\Users\Admin\AppData\Local\Temp\db8411596845ee0bb667106c06caf801537d732f8726ab81f03248be803038f3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0380562.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0380562.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9410822.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9410822.exe
3⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3160

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0566205.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0566205.exe
3⤵
- Executes dropped EXE
PID:4464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0380562.exe
Filesize
309KB

MD5
78289d64bca8cf7001a2833b55f2d498

SHA1
46803bfbbd092741d0ead6461ad85e4411b8b564

SHA256
8e1e0b35af10cacf9588932c603d7913d923bf0337f00201cb01275d6f6bb94a

SHA512
2fd00e508126efa27032ad5590bed9f12c113ee0a9fd852fe8b71eab4180022d724233c7936440fa3e3ea25f017ee2d3f6b08b40523b955a6129a07629058b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9410822.exe
Filesize
180KB

MD5
e20b8db65254032c64dcbba10e2538e3

SHA1
6b9dce92ff8582993c93807070d22b3e51cedbe5

SHA256
6238e60d08e87649202d276796980664795c96d4cdb610debab0c18928323885

SHA512
d2e6fe43d7c9bde6bb14556655a9a3cb71343b623209ec5b84d669030f57bc2f40fc929a54add3ce58460350a1dc41da55e98989f2805c241b490346debb8e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b0566205.exe
Filesize
168KB

MD5
9ca4be4159a6d2a62bf4c67fdd2f47f7

SHA1
6a6fd283228d81238b60a4fe86d4ccea44f6dc62

SHA256
4f48de5e12e4d0cf4bde18b729a8399f9b81ed39b18276e6ecbaac2da20e8af6

SHA512
87866bb49c961b9624d137e8cf6c2308b2c998acb12886ccc63213b8f6f4478bc1f0d234906a1df04ff082d458354c50143c9843bf0535b20d40bee616ba6076

Download Submit
memory/3160-34-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-18-0x0000000002510000-0x0000000002528000-memory.dmp

Filesize
96KB

Download
memory/3160-30-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-16-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/3160-19-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/3160-20-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/3160-48-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-46-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-44-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-42-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-40-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-38-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-36-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-15-0x0000000002010000-0x000000000202A000-memory.dmp

Filesize
104KB

Download
memory/3160-32-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-17-0x0000000004AC0000-0x0000000005064000-memory.dmp

Filesize
5.6MB

Download
memory/3160-28-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-26-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-24-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-22-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-21-0x0000000002510000-0x0000000002522000-memory.dmp

Filesize
72KB

Download
memory/3160-50-0x00000000740C0000-0x0000000074870000-memory.dmp

Filesize
7.7MB

Download
memory/3160-14-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/4464-55-0x0000000002340000-0x0000000002346000-memory.dmp

Filesize
24KB

Download
memory/4464-54-0x0000000000150000-0x0000000000180000-memory.dmp

Filesize
192KB

Download
memory/4464-57-0x000000000A100000-0x000000000A20A000-memory.dmp

Filesize
1.0MB

Download
memory/4464-58-0x000000000A030000-0x000000000A042000-memory.dmp

Filesize
72KB

Download
memory/4464-59-0x000000000A090000-0x000000000A0CC000-memory.dmp

Filesize
240KB

Download
memory/4464-56-0x000000000A5B0000-0x000000000ABC8000-memory.dmp

Filesize
6.1MB

Download
memory/4464-60-0x0000000004490000-0x00000000044DC000-memory.dmp

Filesize
304KB

Download