healer | 2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf

General

Target

2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf.exe
Size

769KB
MD5

f67cbc2d576f1070b671c306fc10972f
SHA1

64d4fb9da61f659e1b807d443f73a84c6d2c866f
SHA256

2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf
SHA512

1ccc3d146015fd43701b24b251f578cdc0bc80f8def49c8e11ae62507d27e72f828de59e5febe9d536529b6909b468017bf84290024c473fbdf1009033eee613
SSDEEP

12288:MMrTy90dPfu4WPWrxaR0NjbOA1CjmW60UIp/MReXe50x3q5VJmT3di63ioxNq1j3:vymhrMQbDgV60UDeXo0TTI63wFGFM

Score

10^/10

healer redline virad dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

virad

C2

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1944-21-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

x8990390.exex7643579.exeg9540812.exei6742569.exe

pid process

4108 x8990390.exe
636 x7643579.exe
3528 g9540812.exe
1476 i6742569.exe

pid	process
4108	x8990390.exe
636	x7643579.exe
3528	g9540812.exe
1476	i6742569.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf.exex8990390.exex7643579.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8990390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7643579.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g9540812.exe

description pid process target process

PID 3528 set thread context of 1944 3528 g9540812.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1944 AppLaunch.exe
1944 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1944 AppLaunch.exe

description	pid	process	target process
PID 3528 set thread context of 1944	3528	g9540812.exe	AppLaunch.exe

pid	process
1944	AppLaunch.exe
1944	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1944	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf.exex8990390.exex7643579.exeg9540812.exe

description	pid	process	target process
PID 2408 wrote to memory of 4108	2408	2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf.exe	x8990390.exe
PID 2408 wrote to memory of 4108	2408	2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf.exe	x8990390.exe
PID 2408 wrote to memory of 4108	2408	2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf.exe	x8990390.exe
PID 4108 wrote to memory of 636	4108	x8990390.exe	x7643579.exe
PID 4108 wrote to memory of 636	4108	x8990390.exe	x7643579.exe
PID 4108 wrote to memory of 636	4108	x8990390.exe	x7643579.exe
PID 636 wrote to memory of 3528	636	x7643579.exe	g9540812.exe
PID 636 wrote to memory of 3528	636	x7643579.exe	g9540812.exe
PID 636 wrote to memory of 3528	636	x7643579.exe	g9540812.exe
PID 3528 wrote to memory of 3004	3528	g9540812.exe	AppLaunch.exe
PID 3528 wrote to memory of 3004	3528	g9540812.exe	AppLaunch.exe
PID 3528 wrote to memory of 3004	3528	g9540812.exe	AppLaunch.exe
PID 3528 wrote to memory of 1944	3528	g9540812.exe	AppLaunch.exe
PID 3528 wrote to memory of 1944	3528	g9540812.exe	AppLaunch.exe
PID 3528 wrote to memory of 1944	3528	g9540812.exe	AppLaunch.exe
PID 3528 wrote to memory of 1944	3528	g9540812.exe	AppLaunch.exe
PID 3528 wrote to memory of 1944	3528	g9540812.exe	AppLaunch.exe
PID 3528 wrote to memory of 1944	3528	g9540812.exe	AppLaunch.exe
PID 3528 wrote to memory of 1944	3528	g9540812.exe	AppLaunch.exe
PID 3528 wrote to memory of 1944	3528	g9540812.exe	AppLaunch.exe
PID 636 wrote to memory of 1476	636	x7643579.exe	i6742569.exe
PID 636 wrote to memory of 1476	636	x7643579.exe	i6742569.exe
PID 636 wrote to memory of 1476	636	x7643579.exe	i6742569.exe

C:\Users\Admin\AppData\Local\Temp\2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf.exe
"C:\Users\Admin\AppData\Local\Temp\2f85c62250f28ac7226da8b60cd6c03afa6fe92751f776359da9022df89ebfdf.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8990390.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8990390.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4108

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7643579.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7643579.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9540812.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9540812.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:3004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6742569.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6742569.exe
4⤵
- Executes dropped EXE
PID:1476

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8990390.exe
Filesize
493KB

MD5
1b1fc35789673a32f209174c2a7cb079

SHA1
e7cf76567c64c182ab26678831b5e9ca4dc06c6e

SHA256
dfa074d7c1c52983f7eba8b9fadbededfc59a6f39b24154232df2fcdf273bf98

SHA512
62c48cd333395168def12e7f61172cfd37957e49e030e74411c8db9a4a77df8e230ad913b62dfe3eff79dbd93819e4b1178ac03d0f6c098595ba73cdba02145e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8990390.exe
Filesize
493KB

MD5
1b1fc35789673a32f209174c2a7cb079

SHA1
e7cf76567c64c182ab26678831b5e9ca4dc06c6e

SHA256
dfa074d7c1c52983f7eba8b9fadbededfc59a6f39b24154232df2fcdf273bf98

SHA512
62c48cd333395168def12e7f61172cfd37957e49e030e74411c8db9a4a77df8e230ad913b62dfe3eff79dbd93819e4b1178ac03d0f6c098595ba73cdba02145e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7643579.exe
Filesize
327KB

MD5
7422bedbb4ac084aaa41398117ea963b

SHA1
529ba09178757dbc50e0fa14234b30c112f2ca92

SHA256
2ae9e7870ff1516d99f67ccf77ef98267222eb34c7afbdbf2e36b6624e581b03

SHA512
4fd349fabad21c744a48046712b8f172f4a0343b29d7ebafde8088a96a083a10d9b5aea84e7c8a6e4fc7fcbc8fd48ab210aee846474a8edac98bb77f15c568ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7643579.exe
Filesize
327KB

MD5
7422bedbb4ac084aaa41398117ea963b

SHA1
529ba09178757dbc50e0fa14234b30c112f2ca92

SHA256
2ae9e7870ff1516d99f67ccf77ef98267222eb34c7afbdbf2e36b6624e581b03

SHA512
4fd349fabad21c744a48046712b8f172f4a0343b29d7ebafde8088a96a083a10d9b5aea84e7c8a6e4fc7fcbc8fd48ab210aee846474a8edac98bb77f15c568ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9540812.exe
Filesize
256KB

MD5
e35d02a0e87a5c5f6eb5dd90a3a92426

SHA1
75d66b7b1738f76cf72ed10d75cbc14d72542463

SHA256
d7ebbb3db76ed1c3a50ff4321de7927ccbc08e24cbea9254d6a60abf1ec2e63b

SHA512
521650556d79ed5c0e45c4c0ed4f6b744903ebbabae0f7829cd1ed09a32446c88f7d26d6fb1a62aab4462c7acc947fd8eb012da93ebda9f50aa41582917d8126

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g9540812.exe
Filesize
256KB

MD5
e35d02a0e87a5c5f6eb5dd90a3a92426

SHA1
75d66b7b1738f76cf72ed10d75cbc14d72542463

SHA256
d7ebbb3db76ed1c3a50ff4321de7927ccbc08e24cbea9254d6a60abf1ec2e63b

SHA512
521650556d79ed5c0e45c4c0ed4f6b744903ebbabae0f7829cd1ed09a32446c88f7d26d6fb1a62aab4462c7acc947fd8eb012da93ebda9f50aa41582917d8126

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6742569.exe
Filesize
175KB

MD5
7d9186c307130be43a1b112453344e4d

SHA1
b77f49f0c097792fe2949e662a3f9260cb4c260f

SHA256
3e5b5044e5993c8ebf2fda399c0d6927cc3fd38be51f9c8cbde3dfcbbf4a797a

SHA512
4875a5c982861fc2c2b4d91ce83d4819dba64e2f99677f3e1a21ca6f007a3f4277a3ca26819d73831e573dac07547ea6c2fe30c54ba0ba18208f7bfa360a6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6742569.exe
Filesize
175KB

MD5
7d9186c307130be43a1b112453344e4d

SHA1
b77f49f0c097792fe2949e662a3f9260cb4c260f

SHA256
3e5b5044e5993c8ebf2fda399c0d6927cc3fd38be51f9c8cbde3dfcbbf4a797a

SHA512
4875a5c982861fc2c2b4d91ce83d4819dba64e2f99677f3e1a21ca6f007a3f4277a3ca26819d73831e573dac07547ea6c2fe30c54ba0ba18208f7bfa360a6877

Download Submit
memory/1476-31-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/1476-25-0x00000000008C0000-0x00000000008F0000-memory.dmp

Filesize
192KB

Download
memory/1476-27-0x0000000073E50000-0x0000000074600000-memory.dmp

Filesize
7.7MB

Download
memory/1476-28-0x0000000005900000-0x0000000005F18000-memory.dmp

Filesize
6.1MB

Download
memory/1476-29-0x00000000053F0000-0x00000000054FA000-memory.dmp

Filesize
1.0MB

Download
memory/1476-30-0x0000000005240000-0x0000000005252000-memory.dmp

Filesize
72KB

Download
memory/1476-32-0x00000000052E0000-0x000000000531C000-memory.dmp

Filesize
240KB

Download
memory/1476-34-0x0000000073E50000-0x0000000074600000-memory.dmp

Filesize
7.7MB

Download
memory/1476-37-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/1944-26-0x0000000073E50000-0x0000000074600000-memory.dmp

Filesize
7.7MB

Download
memory/1944-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1944-33-0x0000000073E50000-0x0000000074600000-memory.dmp

Filesize
7.7MB

Download
memory/1944-36-0x0000000073E50000-0x0000000074600000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads