healer | e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4

General

Target

e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe
Size

768KB
MD5

c2d280d5dd66c8a297f2e19713ea6a90
SHA1

0d4d56a897012f7b28a476a7b839bf7f3d386c76
SHA256

e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4
SHA512

7d8cec302af3e79d9d348bff17d79f92bc0e101da10c55784f2300a676286ff946bb8eeb5ebf481cb20e765e719bc31cf9957189cd5569c5f7e737ce6f12040d
SSDEEP

12288:QMr5y90zM4qBXurPsrbi67bRbx7sD/Hd4cCMUKrcprko/VSXJTZrTIKZqF9Fmj:5yQmZuraLbRRsDl4cd1i3UK9e

Score

10^/10

healer redline lada dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lada

C2

77.91.124.82:19071

Attributes

auth_value
252f78fed0684205b098417688fa33e2

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1660-21-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

x0690730.exex3340577.exeg1458779.exei7563383.exe

pid process

2392 x0690730.exe
4992 x3340577.exe
4596 g1458779.exe
2692 i7563383.exe

pid	process
2392	x0690730.exe
4992	x3340577.exe
4596	g1458779.exe
2692	i7563383.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x0690730.exex3340577.exee78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0690730.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3340577.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g1458779.exe

description pid process target process

PID 4596 set thread context of 1660 4596 g1458779.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1660 AppLaunch.exe
1660 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1660 AppLaunch.exe

description	pid	process	target process
PID 4596 set thread context of 1660	4596	g1458779.exe	AppLaunch.exe

pid	process
1660	AppLaunch.exe
1660	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1660	AppLaunch.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exex0690730.exex3340577.exeg1458779.exe

description	pid	process	target process
PID 2540 wrote to memory of 2392	2540	e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe	x0690730.exe
PID 2540 wrote to memory of 2392	2540	e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe	x0690730.exe
PID 2540 wrote to memory of 2392	2540	e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe	x0690730.exe
PID 2392 wrote to memory of 4992	2392	x0690730.exe	x3340577.exe
PID 2392 wrote to memory of 4992	2392	x0690730.exe	x3340577.exe
PID 2392 wrote to memory of 4992	2392	x0690730.exe	x3340577.exe
PID 4992 wrote to memory of 4596	4992	x3340577.exe	g1458779.exe
PID 4992 wrote to memory of 4596	4992	x3340577.exe	g1458779.exe
PID 4992 wrote to memory of 4596	4992	x3340577.exe	g1458779.exe
PID 4596 wrote to memory of 4580	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 4580	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 4580	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 4504	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 4504	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 4504	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 1660	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 1660	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 1660	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 1660	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 1660	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 1660	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 1660	4596	g1458779.exe	AppLaunch.exe
PID 4596 wrote to memory of 1660	4596	g1458779.exe	AppLaunch.exe
PID 4992 wrote to memory of 2692	4992	x3340577.exe	i7563383.exe
PID 4992 wrote to memory of 2692	4992	x3340577.exe	i7563383.exe
PID 4992 wrote to memory of 2692	4992	x3340577.exe	i7563383.exe

C:\Users\Admin\AppData\Local\Temp\e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe
"C:\Users\Admin\AppData\Local\Temp\e78da6221b0753644a09316c5c8fecb2a14e0bae2d9a38d8ac497573a952ceb4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0690730.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0690730.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2392

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3340577.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3340577.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4992

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1458779.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1458779.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4580

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
PID:4504

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7563383.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7563383.exe
4⤵
- Executes dropped EXE
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0690730.exe
Filesize
493KB

MD5
28044eb09256d65b26dc56bc5a40c3ff

SHA1
c3b63f305abbbedb228c413418414f25f4bc67e2

SHA256
cbb4b904fb6dc11f6f9dff5ab5a4dbd9357b11526ab1bd64e87f578bd1bf2fe8

SHA512
a8e8421b1b361a85cd67a5fb04fa7ba48c1a68f0e9a40b48c6e0245c8e882c7f9a88a1affc592b8e54fb8c24ba152868c04d20bb55ff522b6eb48c0be084060c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0690730.exe
Filesize
493KB

MD5
28044eb09256d65b26dc56bc5a40c3ff

SHA1
c3b63f305abbbedb228c413418414f25f4bc67e2

SHA256
cbb4b904fb6dc11f6f9dff5ab5a4dbd9357b11526ab1bd64e87f578bd1bf2fe8

SHA512
a8e8421b1b361a85cd67a5fb04fa7ba48c1a68f0e9a40b48c6e0245c8e882c7f9a88a1affc592b8e54fb8c24ba152868c04d20bb55ff522b6eb48c0be084060c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3340577.exe
Filesize
326KB

MD5
7990235218844006c7f6675cbcac83da

SHA1
07c91d56b42ce20b3e2403894a1ffd17c64eca8c

SHA256
15d2116ebbf443acfa0b1622ac23772fed279a3a0aa2984eebbd97ab2c869b96

SHA512
792ced857f1e96341792fd00b649bfda898511b409fbb0ea17867bf6fb8f3547070ffe43e8ee8ae4589d0c32fd642cad98b1f84c67984b7b72f75c8e8a76be4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3340577.exe
Filesize
326KB

MD5
7990235218844006c7f6675cbcac83da

SHA1
07c91d56b42ce20b3e2403894a1ffd17c64eca8c

SHA256
15d2116ebbf443acfa0b1622ac23772fed279a3a0aa2984eebbd97ab2c869b96

SHA512
792ced857f1e96341792fd00b649bfda898511b409fbb0ea17867bf6fb8f3547070ffe43e8ee8ae4589d0c32fd642cad98b1f84c67984b7b72f75c8e8a76be4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1458779.exe
Filesize
257KB

MD5
5fab31239c00f290ac6ab75bf0131527

SHA1
6675a53cc7b5305b2c75a570d54467616aec3c53

SHA256
ca6713e5e0f9071e5475253cc24dc5f70e966f420ab55013fdf29f8f4b9ef8d6

SHA512
b8cce9e8de20795ecaa6748d14c5f3b1f2c301350d60edf7e3161c00888aa0894e1f7dfaf4e9f13ff2bd04d6415c61ae3762c562ea73a5568c1c42f4616276a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1458779.exe
Filesize
257KB

MD5
5fab31239c00f290ac6ab75bf0131527

SHA1
6675a53cc7b5305b2c75a570d54467616aec3c53

SHA256
ca6713e5e0f9071e5475253cc24dc5f70e966f420ab55013fdf29f8f4b9ef8d6

SHA512
b8cce9e8de20795ecaa6748d14c5f3b1f2c301350d60edf7e3161c00888aa0894e1f7dfaf4e9f13ff2bd04d6415c61ae3762c562ea73a5568c1c42f4616276a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7563383.exe
Filesize
174KB

MD5
be50086808ba8062ab4a40437400ce02

SHA1
b55cdabd44a283fca48b8e783d6462720aa9cfa5

SHA256
1a3b278c7bde33759508496ba39902d461ade3f4432c73bdd4b68fd9da92b0c6

SHA512
be9be777031db307fb6c1e9b057449f2e16d695eb758d5cf72e9d614e0b5fa5f62af5954b846091c66d88b8a439163892cd187768b279d8a15608c7d2ff4358d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i7563383.exe
Filesize
174KB

MD5
be50086808ba8062ab4a40437400ce02

SHA1
b55cdabd44a283fca48b8e783d6462720aa9cfa5

SHA256
1a3b278c7bde33759508496ba39902d461ade3f4432c73bdd4b68fd9da92b0c6

SHA512
be9be777031db307fb6c1e9b057449f2e16d695eb758d5cf72e9d614e0b5fa5f62af5954b846091c66d88b8a439163892cd187768b279d8a15608c7d2ff4358d

Download Submit
memory/1660-30-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1660-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1660-60-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-29-0x00000000008C0000-0x00000000008F0000-memory.dmp

Filesize
192KB

Download
memory/2692-31-0x0000000002A10000-0x0000000002A16000-memory.dmp

Filesize
24KB

Download
memory/2692-32-0x000000000AB80000-0x000000000B186000-memory.dmp

Filesize
6.0MB

Download
memory/2692-33-0x000000000A6D0000-0x000000000A7DA000-memory.dmp

Filesize
1.0MB

Download
memory/2692-34-0x000000000A600000-0x000000000A612000-memory.dmp

Filesize
72KB

Download
memory/2692-35-0x000000000A660000-0x000000000A69E000-memory.dmp

Filesize
248KB

Download
memory/2692-40-0x000000000A7E0000-0x000000000A82B000-memory.dmp

Filesize
300KB

Download
memory/2692-45-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/2692-28-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads