healer | f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2023 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe
Size

1.3MB
MD5

6ce07baec7ff104777ad41180762424b
SHA1

60f37931649d38b9c6119160e2f8a64b20f728db
SHA256

f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4
SHA512

cfa9f22ed9c37d10052e07471ac387015ec5f65cb51e1e8249402ce23988a17476c1558c27b646c7ba4a1f347f4dfa962fede2e3d63a5ca02c2cff67bdd6543e
SSDEEP

24576:F09hucjBTIiE6cL2iG9dLiZ2Leog9xJnZVjIp3XgrsXle4DQ2OQ:F09PBTIiEdDG91iZ2LeH9xdZVwgrsXl9

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/1504-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1812	x6930026.exe
2472	x3266691.exe
544	x1395542.exe
4520	g8521111.exe
3456	h0911090.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1395542.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6930026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3266691.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2296 set thread context of 1124	2296	f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe	86
PID 4520 set thread context of 1504	4520	g8521111.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1504	AppLaunch.exe
1504	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1504	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 1124	2296	f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe	86
PID 2296 wrote to memory of 1124	2296	f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe	86
PID 2296 wrote to memory of 1124	2296	f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe	86
PID 2296 wrote to memory of 1124	2296	f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe	86
PID 2296 wrote to memory of 1124	2296	f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe	86
PID 2296 wrote to memory of 1124	2296	f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe	86
PID 2296 wrote to memory of 1124	2296	f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe	86
PID 2296 wrote to memory of 1124	2296	f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe	86
PID 2296 wrote to memory of 1124	2296	f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe	86
PID 2296 wrote to memory of 1124	2296	f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe	86
PID 1124 wrote to memory of 1812	1124	AppLaunch.exe	87
PID 1124 wrote to memory of 1812	1124	AppLaunch.exe	87
PID 1124 wrote to memory of 1812	1124	AppLaunch.exe	87
PID 1812 wrote to memory of 2472	1812	x6930026.exe	88
PID 1812 wrote to memory of 2472	1812	x6930026.exe	88
PID 1812 wrote to memory of 2472	1812	x6930026.exe	88
PID 2472 wrote to memory of 544	2472	x3266691.exe	89
PID 2472 wrote to memory of 544	2472	x3266691.exe	89
PID 2472 wrote to memory of 544	2472	x3266691.exe	89
PID 544 wrote to memory of 4520	544	x1395542.exe	90
PID 544 wrote to memory of 4520	544	x1395542.exe	90
PID 544 wrote to memory of 4520	544	x1395542.exe	90
PID 4520 wrote to memory of 1504	4520	g8521111.exe	91
PID 4520 wrote to memory of 1504	4520	g8521111.exe	91
PID 4520 wrote to memory of 1504	4520	g8521111.exe	91
PID 4520 wrote to memory of 1504	4520	g8521111.exe	91
PID 4520 wrote to memory of 1504	4520	g8521111.exe	91
PID 4520 wrote to memory of 1504	4520	g8521111.exe	91
PID 4520 wrote to memory of 1504	4520	g8521111.exe	91
PID 4520 wrote to memory of 1504	4520	g8521111.exe	91
PID 544 wrote to memory of 3456	544	x1395542.exe	92
PID 544 wrote to memory of 3456	544	x1395542.exe	92
PID 544 wrote to memory of 3456	544	x1395542.exe	92

C:\Users\Admin\AppData\Local\Temp\f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe
"C:\Users\Admin\AppData\Local\Temp\f7dd2915a7d3f500e121e9ada01f261ccd67d379f973b3452a1ed2823501aaf4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6930026.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6930026.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3266691.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3266691.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1395542.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1395542.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:544
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8521111.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8521111.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0911090.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0911090.exe
        6⤵
        Executes dropped EXE
        
        PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6930026.exe

Filesize
768KB

MD5
0320ef9ca4897e695bb11c17970f0811

SHA1
fa405edc4f59ca59fef19dceae484a63bf72a0e1

SHA256
1654fd4f3be480f827ddd5c885b38bdc5515d6c98383d46496b9e09d76ee48ba

SHA512
bc27b4f0325b402f5f83dc9803a7d205801608956f1e409540e818653d4f2e9765df16beca58d5b62e710e01d58e0bd1cf9a7f23c3ae06210fad1edec6d705b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6930026.exe

Filesize
768KB

MD5
0320ef9ca4897e695bb11c17970f0811

SHA1
fa405edc4f59ca59fef19dceae484a63bf72a0e1

SHA256
1654fd4f3be480f827ddd5c885b38bdc5515d6c98383d46496b9e09d76ee48ba

SHA512
bc27b4f0325b402f5f83dc9803a7d205801608956f1e409540e818653d4f2e9765df16beca58d5b62e710e01d58e0bd1cf9a7f23c3ae06210fad1edec6d705b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3266691.exe

Filesize
492KB

MD5
28d40c9529c8673fd1e60911285ff199

SHA1
370af782c91397afbb5e642fd78ae3a15bd51cf5

SHA256
81c2abac31032d7b686e9dbc79915eff8072f3b08ecd7370f6faa7f1e8111584

SHA512
8ef926f45bb66fe081f0c31dce88e094c77010d81493528789e1637115ebdf4f0981a1863cc6b5e6f01ecf72430ce2ece5b03616bd07d329ec558c6068096804

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3266691.exe

Filesize
492KB

MD5
28d40c9529c8673fd1e60911285ff199

SHA1
370af782c91397afbb5e642fd78ae3a15bd51cf5

SHA256
81c2abac31032d7b686e9dbc79915eff8072f3b08ecd7370f6faa7f1e8111584

SHA512
8ef926f45bb66fe081f0c31dce88e094c77010d81493528789e1637115ebdf4f0981a1863cc6b5e6f01ecf72430ce2ece5b03616bd07d329ec558c6068096804

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1395542.exe

Filesize
326KB

MD5
b5d44815db096285a730b3db13a38a5b

SHA1
c2d408266d0fbc42e1babe939be83d30a84619d2

SHA256
cd4831a7b6cf0459595d9774feb9e60344e2240d0a9b2005c05126b523dbbf98

SHA512
3a75eb1fa71985f3a5310c4cdabae3c67311ccb064bb2e83259ffbb44531380152a2ef28ea42eaf60d9825cad039db9e09aa24bf16ede72f36db5c2c7cf0a722

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1395542.exe

Filesize
326KB

MD5
b5d44815db096285a730b3db13a38a5b

SHA1
c2d408266d0fbc42e1babe939be83d30a84619d2

SHA256
cd4831a7b6cf0459595d9774feb9e60344e2240d0a9b2005c05126b523dbbf98

SHA512
3a75eb1fa71985f3a5310c4cdabae3c67311ccb064bb2e83259ffbb44531380152a2ef28ea42eaf60d9825cad039db9e09aa24bf16ede72f36db5c2c7cf0a722

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8521111.exe

Filesize
242KB

MD5
6aa1c0a50eeab3386d914c4957a8f9d3

SHA1
e33e98579901f0aacc06983de0e23260c4184a6a

SHA256
d4eacf7866b55815811bf9472c177efe7926b4ef5e03bf23c86938eab44ef83d

SHA512
bcd3322056fe5cd509b9760ffd315fd0067fa658e694dc06f3c808fe299fab95e12f5850e688a57abbee51579eee77bf3ad74ca1a3febb5ddb9bc5a6499da501

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8521111.exe

Filesize
242KB

MD5
6aa1c0a50eeab3386d914c4957a8f9d3

SHA1
e33e98579901f0aacc06983de0e23260c4184a6a

SHA256
d4eacf7866b55815811bf9472c177efe7926b4ef5e03bf23c86938eab44ef83d

SHA512
bcd3322056fe5cd509b9760ffd315fd0067fa658e694dc06f3c808fe299fab95e12f5850e688a57abbee51579eee77bf3ad74ca1a3febb5ddb9bc5a6499da501

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0911090.exe

Filesize
174KB

MD5
4eba5dc58dae364fcea734c0bf4a832b

SHA1
63be8ea2e54b1b1e15a890042f2d4f81d3578e0a

SHA256
48b17fe2f3fb2b0b79bb89134d8479ed224dc2753f1eb370aa32971ce0528bab

SHA512
ba5be31a17cee736802ebd44dfb56146d90406474962ba908976ca52d0ff5609063fa5ef8e12b34082c09e636383fa9cab508a0a80e7432a1ad5c1654e697807

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0911090.exe

Filesize
174KB

MD5
4eba5dc58dae364fcea734c0bf4a832b

SHA1
63be8ea2e54b1b1e15a890042f2d4f81d3578e0a

SHA256
48b17fe2f3fb2b0b79bb89134d8479ed224dc2753f1eb370aa32971ce0528bab

SHA512
ba5be31a17cee736802ebd44dfb56146d90406474962ba908976ca52d0ff5609063fa5ef8e12b34082c09e636383fa9cab508a0a80e7432a1ad5c1654e697807

Download Submit
memory/1124-46-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1124-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1124-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1124-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1124-3-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1504-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1504-37-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/1504-50-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/1504-47-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/3456-36-0x0000000000B30000-0x0000000000B60000-memory.dmp

Filesize
192KB

Download
memory/3456-41-0x000000000A9A0000-0x000000000AAAA000-memory.dmp

Filesize
1.0MB

Download
memory/3456-43-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download
memory/3456-42-0x000000000A8E0000-0x000000000A8F2000-memory.dmp

Filesize
72KB

Download
memory/3456-44-0x000000000A940000-0x000000000A97C000-memory.dmp

Filesize
240KB

Download
memory/3456-45-0x000000000AAB0000-0x000000000AAFC000-memory.dmp

Filesize
304KB

Download
memory/3456-40-0x000000000AE50000-0x000000000B468000-memory.dmp

Filesize
6.1MB

Download
memory/3456-39-0x0000000005350000-0x0000000005356000-memory.dmp

Filesize
24KB

Download
memory/3456-48-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/3456-38-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/3456-51-0x00000000053A0000-0x00000000053B0000-memory.dmp

Filesize
64KB

Download