healer | 034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
17/09/2023, 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe
Size

1.3MB
MD5

60d5e420c9ecbb99f0975a02c05905e5
SHA1

dca99c98ddf5129d458b29c7c1151b5d94ed22e4
SHA256

034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e
SHA512

a447c365d77b4c0c1df6713a0a4263cb2ad5eda092f26c5970d80bd6d1f96eb118763846839de759c81dd324b7d130100baf050694e8b917a44ecf957804875c
SSDEEP

24576:009qQOHWfgWqSK+1kaXvxiuFkHVTMztUUNX7bOSgrPWnDQLSs0ILXt0Q:0099OHWu+1NXGH8tUsX7qScSs0tQ

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/4936-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1352	x9153500.exe
1384	x8176547.exe
3936	x3384961.exe
2100	g8205532.exe
1264	h4499949.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9153500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8176547.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3384961.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 884 set thread context of 3744	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	88
PID 2100 set thread context of 4936	2100	g8205532.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4936	AppLaunch.exe
4936	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 4824	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	87
PID 884 wrote to memory of 4824	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	87
PID 884 wrote to memory of 4824	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	87
PID 884 wrote to memory of 3744	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	88
PID 884 wrote to memory of 3744	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	88
PID 884 wrote to memory of 3744	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	88
PID 884 wrote to memory of 3744	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	88
PID 884 wrote to memory of 3744	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	88
PID 884 wrote to memory of 3744	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	88
PID 884 wrote to memory of 3744	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	88
PID 884 wrote to memory of 3744	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	88
PID 884 wrote to memory of 3744	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	88
PID 884 wrote to memory of 3744	884	034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe	88
PID 3744 wrote to memory of 1352	3744	AppLaunch.exe	89
PID 3744 wrote to memory of 1352	3744	AppLaunch.exe	89
PID 3744 wrote to memory of 1352	3744	AppLaunch.exe	89
PID 1352 wrote to memory of 1384	1352	x9153500.exe	90
PID 1352 wrote to memory of 1384	1352	x9153500.exe	90
PID 1352 wrote to memory of 1384	1352	x9153500.exe	90
PID 1384 wrote to memory of 3936	1384	x8176547.exe	91
PID 1384 wrote to memory of 3936	1384	x8176547.exe	91
PID 1384 wrote to memory of 3936	1384	x8176547.exe	91
PID 3936 wrote to memory of 2100	3936	x3384961.exe	92
PID 3936 wrote to memory of 2100	3936	x3384961.exe	92
PID 3936 wrote to memory of 2100	3936	x3384961.exe	92
PID 2100 wrote to memory of 4936	2100	g8205532.exe	93
PID 2100 wrote to memory of 4936	2100	g8205532.exe	93
PID 2100 wrote to memory of 4936	2100	g8205532.exe	93
PID 2100 wrote to memory of 4936	2100	g8205532.exe	93
PID 2100 wrote to memory of 4936	2100	g8205532.exe	93
PID 2100 wrote to memory of 4936	2100	g8205532.exe	93
PID 2100 wrote to memory of 4936	2100	g8205532.exe	93
PID 2100 wrote to memory of 4936	2100	g8205532.exe	93
PID 3936 wrote to memory of 1264	3936	x3384961.exe	94
PID 3936 wrote to memory of 1264	3936	x3384961.exe	94
PID 3936 wrote to memory of 1264	3936	x3384961.exe	94

C:\Users\Admin\AppData\Local\Temp\034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe
"C:\Users\Admin\AppData\Local\Temp\034601c4c30b1a3db00b70d66567f4b07e7d8c5918ad0a4880fea9d528f1225e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9153500.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9153500.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1352
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8176547.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8176547.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3384961.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3384961.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8205532.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8205532.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4499949.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4499949.exe
        6⤵
        Executes dropped EXE
        
        PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9153500.exe

Filesize
767KB

MD5
302ab05f8b67e03a6726e68409d9d287

SHA1
cb8bf2cb7ceeca66675ac69f4ec70244831c647e

SHA256
772945bda07da1492328552f3ff971551473a7f5f0f6a2be7292866801a6e04a

SHA512
7bd80f837c1b8527971e5148c70e7e46d68a3506565e48bc5674b8d78b11e72a5609a9e0b1e55774280b85959870ac5a8db9a422cfb58766141425a9e0aab136

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9153500.exe

Filesize
767KB

MD5
302ab05f8b67e03a6726e68409d9d287

SHA1
cb8bf2cb7ceeca66675ac69f4ec70244831c647e

SHA256
772945bda07da1492328552f3ff971551473a7f5f0f6a2be7292866801a6e04a

SHA512
7bd80f837c1b8527971e5148c70e7e46d68a3506565e48bc5674b8d78b11e72a5609a9e0b1e55774280b85959870ac5a8db9a422cfb58766141425a9e0aab136

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8176547.exe

Filesize
492KB

MD5
1334eaf55048bc7cc610ebca45c23caf

SHA1
d562b7fe6a615c199269dbae4dc33c6ad7eed207

SHA256
cc115162a3c13ab59e6083b5aad7d2dc5d20dc3dd8ffe79a88b4105afd00a66d

SHA512
1b7b7e81e1bef63b18da9cc688ab304f16ccde0e89afff93cb354664753f84565b4864c83629e63175663d944344369961477de9f3eb1376b1bb54af24f52506

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8176547.exe

Filesize
492KB

MD5
1334eaf55048bc7cc610ebca45c23caf

SHA1
d562b7fe6a615c199269dbae4dc33c6ad7eed207

SHA256
cc115162a3c13ab59e6083b5aad7d2dc5d20dc3dd8ffe79a88b4105afd00a66d

SHA512
1b7b7e81e1bef63b18da9cc688ab304f16ccde0e89afff93cb354664753f84565b4864c83629e63175663d944344369961477de9f3eb1376b1bb54af24f52506

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3384961.exe

Filesize
326KB

MD5
2ead58b23fdd0994fd8047ec9067b28c

SHA1
62f82c6040e4256e110550459ebdd34ba1d06209

SHA256
73e6860a458b2c7cf4b9c0262c1ea535c93d7ff420eae13343887d65ea75fb6f

SHA512
89299d5cd32b63f902857b636f90b52782045202f21a42ddf4f6a3820e50cb5348eabd2101c3b26c1d3c004988ae01b572d38a98a99f6d84eb7815df700331b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3384961.exe

Filesize
326KB

MD5
2ead58b23fdd0994fd8047ec9067b28c

SHA1
62f82c6040e4256e110550459ebdd34ba1d06209

SHA256
73e6860a458b2c7cf4b9c0262c1ea535c93d7ff420eae13343887d65ea75fb6f

SHA512
89299d5cd32b63f902857b636f90b52782045202f21a42ddf4f6a3820e50cb5348eabd2101c3b26c1d3c004988ae01b572d38a98a99f6d84eb7815df700331b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8205532.exe

Filesize
242KB

MD5
fa88726be8082932e8761ce501340a27

SHA1
f033a349146af45d9b128e0eccc7e884736bc5a0

SHA256
d9f201002c08ac6e400e65be7e8186df860fe33b60a862a09e23377aad3a3e98

SHA512
32fd589823b7308dc1635781026a79b7859c1bcde2ceae41835f9ecdaf5e10d0a6fab3f1bffa447680df8c4cc2767c97918ecc6f934b0d60edaa1a3329e29732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8205532.exe

Filesize
242KB

MD5
fa88726be8082932e8761ce501340a27

SHA1
f033a349146af45d9b128e0eccc7e884736bc5a0

SHA256
d9f201002c08ac6e400e65be7e8186df860fe33b60a862a09e23377aad3a3e98

SHA512
32fd589823b7308dc1635781026a79b7859c1bcde2ceae41835f9ecdaf5e10d0a6fab3f1bffa447680df8c4cc2767c97918ecc6f934b0d60edaa1a3329e29732

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4499949.exe

Filesize
174KB

MD5
d08dec2a3f204c719b07909081387ada

SHA1
444a130764e8179e606674f4095dd862f892e5a5

SHA256
043985114aa4764269094870bb4adf25f8aca5b04ff7d2102c57a2b5e8f0e20e

SHA512
ae47d97f4e6e6d37d1e3a5f9aeccc595bb744cabab99cf2224f2e61f37cf4ab1317906674cd6faecedb607500710ea7e1815a0eaf96ef7c8271d71d6c8fafecf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4499949.exe

Filesize
174KB

MD5
d08dec2a3f204c719b07909081387ada

SHA1
444a130764e8179e606674f4095dd862f892e5a5

SHA256
043985114aa4764269094870bb4adf25f8aca5b04ff7d2102c57a2b5e8f0e20e

SHA512
ae47d97f4e6e6d37d1e3a5f9aeccc595bb744cabab99cf2224f2e61f37cf4ab1317906674cd6faecedb607500710ea7e1815a0eaf96ef7c8271d71d6c8fafecf

Download Submit
memory/1264-46-0x000000000A420000-0x000000000A46C000-memory.dmp

Filesize
304KB

Download
memory/1264-41-0x000000000A4B0000-0x000000000A5BA000-memory.dmp

Filesize
1.0MB

Download
memory/1264-51-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/1264-48-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/1264-45-0x000000000A3E0000-0x000000000A41C000-memory.dmp

Filesize
240KB

Download
memory/1264-44-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/1264-37-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/1264-38-0x0000000000450000-0x0000000000480000-memory.dmp

Filesize
192KB

Download
memory/1264-40-0x000000000A9C0000-0x000000000AFD8000-memory.dmp

Filesize
6.1MB

Download
memory/1264-39-0x0000000000BA0000-0x0000000000BA6000-memory.dmp

Filesize
24KB

Download
memory/1264-43-0x0000000004F10000-0x0000000004F20000-memory.dmp

Filesize
64KB

Download
memory/3744-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3744-42-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3744-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3744-3-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3744-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4936-36-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/4936-47-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/4936-50-0x0000000073E20000-0x00000000745D0000-memory.dmp

Filesize
7.7MB

Download
memory/4936-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download