healer | c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5

Analysis

max time kernel
158s
max time network
176s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
17/09/2023, 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe
Size

1.3MB
MD5

4a05dd3afee92c247ae5afd584217677
SHA1

85617a85e1183f160afbac80fde61aac8c4540e6
SHA256

c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5
SHA512

596e928da5749a9db9a1f2927511aedb3eb81b844639749b55ac1d7e25e1c000160b27c8bef55afd3e39bb242861b3daa5d73aff07dc53f6b956dfcc0175eaf0
SSDEEP

24576:209BY6wnpPsz9R8UuCUjEdp/BPsG29RIn+uxiFMcBtPuYdQ:209DUp2CUmj+ZPB29SxtcBs6Q

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/3060-34-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2748	x7070397.exe
3280	x6064401.exe
4628	x8843737.exe
1240	g5557687.exe
3868	h0046556.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6064401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8843737.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7070397.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1440 set thread context of 3168	1440	c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe	70
PID 1240 set thread context of 3060	1240	g5557687.exe	75

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3060	AppLaunch.exe
3060	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 3168	1440	c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe	70
PID 1440 wrote to memory of 3168	1440	c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe	70
PID 1440 wrote to memory of 3168	1440	c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe	70
PID 1440 wrote to memory of 3168	1440	c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe	70
PID 1440 wrote to memory of 3168	1440	c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe	70
PID 1440 wrote to memory of 3168	1440	c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe	70
PID 1440 wrote to memory of 3168	1440	c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe	70
PID 1440 wrote to memory of 3168	1440	c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe	70
PID 1440 wrote to memory of 3168	1440	c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe	70
PID 1440 wrote to memory of 3168	1440	c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe	70
PID 3168 wrote to memory of 2748	3168	AppLaunch.exe	71
PID 3168 wrote to memory of 2748	3168	AppLaunch.exe	71
PID 3168 wrote to memory of 2748	3168	AppLaunch.exe	71
PID 2748 wrote to memory of 3280	2748	x7070397.exe	72
PID 2748 wrote to memory of 3280	2748	x7070397.exe	72
PID 2748 wrote to memory of 3280	2748	x7070397.exe	72
PID 3280 wrote to memory of 4628	3280	x6064401.exe	73
PID 3280 wrote to memory of 4628	3280	x6064401.exe	73
PID 3280 wrote to memory of 4628	3280	x6064401.exe	73
PID 4628 wrote to memory of 1240	4628	x8843737.exe	74
PID 4628 wrote to memory of 1240	4628	x8843737.exe	74
PID 4628 wrote to memory of 1240	4628	x8843737.exe	74
PID 1240 wrote to memory of 3060	1240	g5557687.exe	75
PID 1240 wrote to memory of 3060	1240	g5557687.exe	75
PID 1240 wrote to memory of 3060	1240	g5557687.exe	75
PID 1240 wrote to memory of 3060	1240	g5557687.exe	75
PID 1240 wrote to memory of 3060	1240	g5557687.exe	75
PID 1240 wrote to memory of 3060	1240	g5557687.exe	75
PID 1240 wrote to memory of 3060	1240	g5557687.exe	75
PID 1240 wrote to memory of 3060	1240	g5557687.exe	75
PID 4628 wrote to memory of 3868	4628	x8843737.exe	76
PID 4628 wrote to memory of 3868	4628	x8843737.exe	76
PID 4628 wrote to memory of 3868	4628	x8843737.exe	76

C:\Users\Admin\AppData\Local\Temp\c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe
"C:\Users\Admin\AppData\Local\Temp\c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7070397.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7070397.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6064401.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6064401.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8843737.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8843737.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4628
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5557687.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5557687.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0046556.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0046556.exe
        6⤵
        Executes dropped EXE
        
        PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7070397.exe

Filesize
767KB

MD5
5a774f41c940b22f7c9bbfd74764bed4

SHA1
73668037d23e1738fe71acdf95bd46d9117b5230

SHA256
2429b3f2c283da7544fad317611e0406fa73e9459728496656b2d030a96e9fc7

SHA512
26b9a3ed8e53f6b7e40e9b08d104b7598846541b3742c87699bdacbf43a615c49a7aef1f750565afad7068cf7de52e9241f4dab1de7b3cc79188808c77dec3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7070397.exe

Filesize
767KB

MD5
5a774f41c940b22f7c9bbfd74764bed4

SHA1
73668037d23e1738fe71acdf95bd46d9117b5230

SHA256
2429b3f2c283da7544fad317611e0406fa73e9459728496656b2d030a96e9fc7

SHA512
26b9a3ed8e53f6b7e40e9b08d104b7598846541b3742c87699bdacbf43a615c49a7aef1f750565afad7068cf7de52e9241f4dab1de7b3cc79188808c77dec3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6064401.exe

Filesize
492KB

MD5
f2c63e89afa3b80f6d08fbd38c82ed7e

SHA1
24d3c662c3fd420731c795e7b297f98d24489e2f

SHA256
809d37d028744a2b9b7e797573b1c3431a885593706b202714774288c2561d97

SHA512
a1117acbb1871c784989aff50e6e32d1d8f6abf3b73ecf464ae9c57c29ae46eb7190e63ebe15f5561c7c306e83df7875221b713335edf83739d483b062685035

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6064401.exe

Filesize
492KB

MD5
f2c63e89afa3b80f6d08fbd38c82ed7e

SHA1
24d3c662c3fd420731c795e7b297f98d24489e2f

SHA256
809d37d028744a2b9b7e797573b1c3431a885593706b202714774288c2561d97

SHA512
a1117acbb1871c784989aff50e6e32d1d8f6abf3b73ecf464ae9c57c29ae46eb7190e63ebe15f5561c7c306e83df7875221b713335edf83739d483b062685035

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8843737.exe

Filesize
327KB

MD5
cd47d9dd00168041f651ef91d51873e8

SHA1
84a9a758688f527f7e139ea62613349ab56c45d1

SHA256
83d9409cff763532818552b8659e2bf225b01424ad0e4063ce4d822ddc764c02

SHA512
96ee8a19e29f74cb709a784af5866d9f94bb3867756c1fa6b4e129b7ee99ec7156c1c82ea9f7594ab2fa15e4db67a982ce7b3dd86916fdd91998fff8b0ddcd8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8843737.exe

Filesize
327KB

MD5
cd47d9dd00168041f651ef91d51873e8

SHA1
84a9a758688f527f7e139ea62613349ab56c45d1

SHA256
83d9409cff763532818552b8659e2bf225b01424ad0e4063ce4d822ddc764c02

SHA512
96ee8a19e29f74cb709a784af5866d9f94bb3867756c1fa6b4e129b7ee99ec7156c1c82ea9f7594ab2fa15e4db67a982ce7b3dd86916fdd91998fff8b0ddcd8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5557687.exe

Filesize
242KB

MD5
7440c11c60ca4f79c188f8a2304d57d1

SHA1
3e842a1c814606390b8a36fc8f6f240d0ebc418a

SHA256
75970f7c84baf69b1557bf1cbd76596b995552243add75f7bdd692141b63fbb4

SHA512
4c4dab580b809bf5a0f8dfac6527c8d1c54eaaad7263e33b8ca22982841f580b604984df98cf7c1b49c394cd23e933bb053e91be6db778cb4afbcc92f15bfcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5557687.exe

Filesize
242KB

MD5
7440c11c60ca4f79c188f8a2304d57d1

SHA1
3e842a1c814606390b8a36fc8f6f240d0ebc418a

SHA256
75970f7c84baf69b1557bf1cbd76596b995552243add75f7bdd692141b63fbb4

SHA512
4c4dab580b809bf5a0f8dfac6527c8d1c54eaaad7263e33b8ca22982841f580b604984df98cf7c1b49c394cd23e933bb053e91be6db778cb4afbcc92f15bfcdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0046556.exe

Filesize
174KB

MD5
005ee76a889964cd4316947e4a036303

SHA1
3df590396be6c4d3b81baa374e221ee578cfcf61

SHA256
e34a31e874d68154076fcd274a39328deb5f19ab438a8d9783cc8197c12a40cf

SHA512
1c519289ca4cf067326f0d2c687af2eeec51ee399dc213157889f6448703c34e18b61024c3f9bfcfa2dd06857d99dd14e09acd2bc4c0ad3b82b203515b57058a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0046556.exe

Filesize
174KB

MD5
005ee76a889964cd4316947e4a036303

SHA1
3df590396be6c4d3b81baa374e221ee578cfcf61

SHA256
e34a31e874d68154076fcd274a39328deb5f19ab438a8d9783cc8197c12a40cf

SHA512
1c519289ca4cf067326f0d2c687af2eeec51ee399dc213157889f6448703c34e18b61024c3f9bfcfa2dd06857d99dd14e09acd2bc4c0ad3b82b203515b57058a

Download Submit
memory/3060-34-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3060-74-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/3060-42-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/3060-59-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/3168-58-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3168-4-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3168-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3168-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3168-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3168-5-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3868-43-0x00000000010C0000-0x00000000010C6000-memory.dmp

Filesize
24KB

Download
memory/3868-46-0x0000000005310000-0x000000000541A000-memory.dmp

Filesize
1.0MB

Download
memory/3868-47-0x0000000002BF0000-0x0000000002C02000-memory.dmp

Filesize
72KB

Download
memory/3868-48-0x00000000051B0000-0x00000000051EE000-memory.dmp

Filesize
248KB

Download
memory/3868-49-0x0000000005200000-0x000000000524B000-memory.dmp

Filesize
300KB

Download
memory/3868-45-0x0000000005810000-0x0000000005E16000-memory.dmp

Filesize
6.0MB

Download
memory/3868-44-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download
memory/3868-41-0x0000000000830000-0x0000000000860000-memory.dmp

Filesize
192KB

Download
memory/3868-75-0x00000000737C0000-0x0000000073EAE000-memory.dmp

Filesize
6.9MB

Download