healer | ace5cc362b830af83f07f51c8ddaed617c22982d503e0bf9bc4d844f8f5bb2a7

General

Target

x8777818.exe
Size

314KB
MD5

d94172ba977fc4e1724b8e58192f1b63
SHA1

e3bf21047ab496dfcc96f6ab2160f1efa59c8971
SHA256

ace5cc362b830af83f07f51c8ddaed617c22982d503e0bf9bc4d844f8f5bb2a7
SHA512

7fc2958ee995c9ff3dc14b6fd48b7afd3225c37a6193621ad69c689e3bf5657ae88803d295ff9cf42a1aff9e0d46c0ed43e4750bbffbd09c114e3f5fa2442851
SSDEEP

6144:KUy+bnr+cp0yN90QEYD2c3onfawpuF3CP1Hl27+/kLH1gTOj1j4:8Mroy90KWfB4FS5lm+/8H111c

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

C2

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/668-7-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 2 IoCs

pid	Process
1208	g4021041.exe
5004	h0148896.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x8777818.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 668	1208	g4021041.exe	72

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
668	AppLaunch.exe
668	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	668	AppLaunch.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1208	4900	x8777818.exe	70
PID 4900 wrote to memory of 1208	4900	x8777818.exe	70
PID 4900 wrote to memory of 1208	4900	x8777818.exe	70
PID 1208 wrote to memory of 668	1208	g4021041.exe	72
PID 1208 wrote to memory of 668	1208	g4021041.exe	72
PID 1208 wrote to memory of 668	1208	g4021041.exe	72
PID 1208 wrote to memory of 668	1208	g4021041.exe	72
PID 1208 wrote to memory of 668	1208	g4021041.exe	72
PID 1208 wrote to memory of 668	1208	g4021041.exe	72
PID 1208 wrote to memory of 668	1208	g4021041.exe	72
PID 1208 wrote to memory of 668	1208	g4021041.exe	72
PID 4900 wrote to memory of 5004	4900	x8777818.exe	73
PID 4900 wrote to memory of 5004	4900	x8777818.exe	73
PID 4900 wrote to memory of 5004	4900	x8777818.exe	73

C:\Users\Admin\AppData\Local\Temp\x8777818.exe
"C:\Users\Admin\AppData\Local\Temp\x8777818.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4900
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0148896.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0148896.exe
  2⤵
  - Executes dropped EXE
  PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe

Filesize
229KB

MD5
bd3ad5a5f3bdbbcc666960e355ea0ab4

SHA1
00319db9ddecfbca5c26206e742b89305c4eb5f7

SHA256
28242776c7ccefaf54d1912cea0de80422bb9c33381684b7eab7670c3b0d7f32

SHA512
e826591c641e34cfc417e189635069b6bc8a5e3f2ab2c0f02399eaf902a9f2aafd386fe390cef842d7f70f25d43e01349189f1e359207600e2b7b73cf46f2679

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4021041.exe

Filesize
229KB

MD5
bd3ad5a5f3bdbbcc666960e355ea0ab4

SHA1
00319db9ddecfbca5c26206e742b89305c4eb5f7

SHA256
28242776c7ccefaf54d1912cea0de80422bb9c33381684b7eab7670c3b0d7f32

SHA512
e826591c641e34cfc417e189635069b6bc8a5e3f2ab2c0f02399eaf902a9f2aafd386fe390cef842d7f70f25d43e01349189f1e359207600e2b7b73cf46f2679

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0148896.exe

Filesize
174KB

MD5
92fafc33e658b62f46008d2d547650de

SHA1
4d2a3b7b5ce7ae24131e58d9c37661c0fdf16bef

SHA256
ce176f99a1d99eded9b6b2a0efe79a9b23ad0d83c0731041a3ab44f8105e867e

SHA512
90b6c3abc327425d3c80c4b29ad0bf2d9f7abb3da898e2988bcdef26e4177b2087ed0b8a290d8833d2bd15ca943fc8a42d92ef71c387a29f3882359bf38ae10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h0148896.exe

Filesize
174KB

MD5
92fafc33e658b62f46008d2d547650de

SHA1
4d2a3b7b5ce7ae24131e58d9c37661c0fdf16bef

SHA256
ce176f99a1d99eded9b6b2a0efe79a9b23ad0d83c0731041a3ab44f8105e867e

SHA512
90b6c3abc327425d3c80c4b29ad0bf2d9f7abb3da898e2988bcdef26e4177b2087ed0b8a290d8833d2bd15ca943fc8a42d92ef71c387a29f3882359bf38ae10a

Download Submit
memory/668-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/668-46-0x00000000732F0000-0x00000000739DE000-memory.dmp

Filesize
6.9MB

Download
memory/668-15-0x00000000732F0000-0x00000000739DE000-memory.dmp

Filesize
6.9MB

Download
memory/668-31-0x00000000732F0000-0x00000000739DE000-memory.dmp

Filesize
6.9MB

Download
memory/5004-16-0x0000000001400000-0x0000000001406000-memory.dmp

Filesize
24KB

Download
memory/5004-18-0x000000000AEE0000-0x000000000B4E6000-memory.dmp

Filesize
6.0MB

Download
memory/5004-19-0x000000000AA60000-0x000000000AB6A000-memory.dmp

Filesize
1.0MB

Download
memory/5004-20-0x000000000A990000-0x000000000A9A2000-memory.dmp

Filesize
72KB

Download
memory/5004-21-0x000000000A9F0000-0x000000000AA2E000-memory.dmp

Filesize
248KB

Download
memory/5004-22-0x000000000AB70000-0x000000000ABBB000-memory.dmp

Filesize
300KB

Download
memory/5004-17-0x00000000732F0000-0x00000000739DE000-memory.dmp

Filesize
6.9MB

Download
memory/5004-14-0x0000000000C50000-0x0000000000C80000-memory.dmp

Filesize
192KB

Download
memory/5004-47-0x00000000732F0000-0x00000000739DE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads