healer | 0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb

Analysis

max time kernel
125s
max time network
139s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
18/09/2023, 12:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe
Size

1.3MB
MD5

b0826473df86da07e509b968125e2a53
SHA1

b618223795eff8cac41bd17678a65b7f6d39f992
SHA256

0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb
SHA512

50e18e7a9204e98b03459149c9fbde94edb6316b88d69ebbf793694cbf66616f78544021ae275527f6569e533f2310091544370b3084bb4da1c57af04fd3d9c8
SSDEEP

24576:m09qjR5iA1m+sIgDEpAEhIdSM349yaMWKhCzTQ:m09Ii2xp9VJ9dMoTQ

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/5100-34-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2360	x0258036.exe
3580	x0310037.exe
3968	x2009317.exe
4892	g8983899.exe
4612	h7714620.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0258036.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0310037.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2009317.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3692 set thread context of 4936	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	70
PID 4892 set thread context of 5100	4892	g8983899.exe	76

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5100	AppLaunch.exe
5100	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 4616	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	69
PID 3692 wrote to memory of 4616	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	69
PID 3692 wrote to memory of 4616	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	69
PID 3692 wrote to memory of 4936	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	70
PID 3692 wrote to memory of 4936	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	70
PID 3692 wrote to memory of 4936	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	70
PID 3692 wrote to memory of 4936	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	70
PID 3692 wrote to memory of 4936	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	70
PID 3692 wrote to memory of 4936	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	70
PID 3692 wrote to memory of 4936	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	70
PID 3692 wrote to memory of 4936	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	70
PID 3692 wrote to memory of 4936	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	70
PID 3692 wrote to memory of 4936	3692	0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe	70
PID 4936 wrote to memory of 2360	4936	AppLaunch.exe	71
PID 4936 wrote to memory of 2360	4936	AppLaunch.exe	71
PID 4936 wrote to memory of 2360	4936	AppLaunch.exe	71
PID 2360 wrote to memory of 3580	2360	x0258036.exe	72
PID 2360 wrote to memory of 3580	2360	x0258036.exe	72
PID 2360 wrote to memory of 3580	2360	x0258036.exe	72
PID 3580 wrote to memory of 3968	3580	x0310037.exe	73
PID 3580 wrote to memory of 3968	3580	x0310037.exe	73
PID 3580 wrote to memory of 3968	3580	x0310037.exe	73
PID 3968 wrote to memory of 4892	3968	x2009317.exe	74
PID 3968 wrote to memory of 4892	3968	x2009317.exe	74
PID 3968 wrote to memory of 4892	3968	x2009317.exe	74
PID 4892 wrote to memory of 4104	4892	g8983899.exe	75
PID 4892 wrote to memory of 4104	4892	g8983899.exe	75
PID 4892 wrote to memory of 4104	4892	g8983899.exe	75
PID 4892 wrote to memory of 5100	4892	g8983899.exe	76
PID 4892 wrote to memory of 5100	4892	g8983899.exe	76
PID 4892 wrote to memory of 5100	4892	g8983899.exe	76
PID 4892 wrote to memory of 5100	4892	g8983899.exe	76
PID 4892 wrote to memory of 5100	4892	g8983899.exe	76
PID 4892 wrote to memory of 5100	4892	g8983899.exe	76
PID 4892 wrote to memory of 5100	4892	g8983899.exe	76
PID 4892 wrote to memory of 5100	4892	g8983899.exe	76
PID 3968 wrote to memory of 4612	3968	x2009317.exe	77
PID 3968 wrote to memory of 4612	3968	x2009317.exe	77
PID 3968 wrote to memory of 4612	3968	x2009317.exe	77

C:\Users\Admin\AppData\Local\Temp\0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe
"C:\Users\Admin\AppData\Local\Temp\0175c812cf5ddbeb0bd87d01ebb0591a1b4154653e3d707c5325c546f880cacb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0258036.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0258036.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0310037.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0310037.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2009317.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2009317.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8983899.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8983899.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4104
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7714620.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7714620.exe
        6⤵
        Executes dropped EXE
        
        PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0258036.exe

Filesize
767KB

MD5
aa8afb602e45a24b2ef10814513a7794

SHA1
32bd6182a8992cfcc280f4c0d8441fe2ab7f0110

SHA256
00f93a1078f40a089fc1d4908d93b0482c5bd31c688f04683b004c699d16d22a

SHA512
0e760bd508d2d009bab0b24f28808c6f0e232e2064c5a6c43547a745dfc25207d9d59626d659cfac959e95655723bc21ee3b8004aab040cff58bb26556a71d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0258036.exe

Filesize
767KB

MD5
aa8afb602e45a24b2ef10814513a7794

SHA1
32bd6182a8992cfcc280f4c0d8441fe2ab7f0110

SHA256
00f93a1078f40a089fc1d4908d93b0482c5bd31c688f04683b004c699d16d22a

SHA512
0e760bd508d2d009bab0b24f28808c6f0e232e2064c5a6c43547a745dfc25207d9d59626d659cfac959e95655723bc21ee3b8004aab040cff58bb26556a71d40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0310037.exe

Filesize
492KB

MD5
0bfddcda29c50db6a1d3233b9406a454

SHA1
4c903ba9f1d2847025573ddaa0b1da6f223966bf

SHA256
fe6c32a35b717534256fbb304a4fc3dfa0718af6b519c3e7e88fff297b5e2816

SHA512
23fdb14f8173980c9bfcc10425d7a32e81aa0918734dc502191328d49fac8ec54d9fe6120dd2d701be37d151cc07989b1424027b30a4137ddf207147d1c29ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0310037.exe

Filesize
492KB

MD5
0bfddcda29c50db6a1d3233b9406a454

SHA1
4c903ba9f1d2847025573ddaa0b1da6f223966bf

SHA256
fe6c32a35b717534256fbb304a4fc3dfa0718af6b519c3e7e88fff297b5e2816

SHA512
23fdb14f8173980c9bfcc10425d7a32e81aa0918734dc502191328d49fac8ec54d9fe6120dd2d701be37d151cc07989b1424027b30a4137ddf207147d1c29ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2009317.exe

Filesize
326KB

MD5
a9fd3506cf2c113da662bbe70e8537be

SHA1
237d53eb961be988f2e01a8c890bd463a2667b83

SHA256
5ade9c0f38a3568f59d8d8b6066d345e36cd231219f9f392e744778e96b83d5a

SHA512
da9a44245ff8f021a93fa96cc744a4862ee793ac93bb0c861d0f66b3ea66f24f69d35aac567b1d3acd1f601dce4c57292f57c80eed2a6a107433bb57abc18c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2009317.exe

Filesize
326KB

MD5
a9fd3506cf2c113da662bbe70e8537be

SHA1
237d53eb961be988f2e01a8c890bd463a2667b83

SHA256
5ade9c0f38a3568f59d8d8b6066d345e36cd231219f9f392e744778e96b83d5a

SHA512
da9a44245ff8f021a93fa96cc744a4862ee793ac93bb0c861d0f66b3ea66f24f69d35aac567b1d3acd1f601dce4c57292f57c80eed2a6a107433bb57abc18c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8983899.exe

Filesize
242KB

MD5
22336ae64a321acc1c1fc54879f9aabb

SHA1
7dafd45744c10cec32829694a06d36b9a25be221

SHA256
2eb313be83988f6185358ece5d3656c733290f0ea4c7d31f9cbe100d9409371c

SHA512
3493495776956f1ae2a43a4d62092e098b1c978216b5a8b81acb4510f772e6de041c2d023c2cea9b202aa531ae995d760654cdb9fae3e63003678591a7b92d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8983899.exe

Filesize
242KB

MD5
22336ae64a321acc1c1fc54879f9aabb

SHA1
7dafd45744c10cec32829694a06d36b9a25be221

SHA256
2eb313be83988f6185358ece5d3656c733290f0ea4c7d31f9cbe100d9409371c

SHA512
3493495776956f1ae2a43a4d62092e098b1c978216b5a8b81acb4510f772e6de041c2d023c2cea9b202aa531ae995d760654cdb9fae3e63003678591a7b92d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7714620.exe

Filesize
174KB

MD5
fe8b4bc5e146fb3e07b36447f83dad58

SHA1
21665f4eb016c565da868c88d76938cb987753ac

SHA256
0a72898f8f212850425bfaa7d1c13397e516473554ad8e2b9b8f324cca9c8544

SHA512
f4e3ebd3915789892c37fb4800f8877ca592ead57ac314ced2a0208fcba37dfdd08cf634a9a44a60c3940c5ab3b704b18966b674982fb9c2b45c95a41170e4fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7714620.exe

Filesize
174KB

MD5
fe8b4bc5e146fb3e07b36447f83dad58

SHA1
21665f4eb016c565da868c88d76938cb987753ac

SHA256
0a72898f8f212850425bfaa7d1c13397e516473554ad8e2b9b8f324cca9c8544

SHA512
f4e3ebd3915789892c37fb4800f8877ca592ead57ac314ced2a0208fcba37dfdd08cf634a9a44a60c3940c5ab3b704b18966b674982fb9c2b45c95a41170e4fa

Download Submit
memory/4612-53-0x0000000004EC0000-0x0000000004F0B000-memory.dmp

Filesize
300KB

Download
memory/4612-50-0x0000000004E80000-0x0000000004EBE000-memory.dmp

Filesize
248KB

Download
memory/4612-60-0x0000000072F70000-0x000000007365E000-memory.dmp

Filesize
6.9MB

Download
memory/4612-44-0x0000000072F70000-0x000000007365E000-memory.dmp

Filesize
6.9MB

Download
memory/4612-43-0x0000000004CA0000-0x0000000004CA6000-memory.dmp

Filesize
24KB

Download
memory/4612-47-0x0000000004CF0000-0x0000000004D02000-memory.dmp

Filesize
72KB

Download
memory/4612-41-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/4612-46-0x0000000004F90000-0x000000000509A000-memory.dmp

Filesize
1.0MB

Download
memory/4612-45-0x0000000005490000-0x0000000005A96000-memory.dmp

Filesize
6.0MB

Download
memory/4936-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4936-4-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4936-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4936-5-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4936-58-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4936-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5100-34-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/5100-42-0x0000000072F70000-0x000000007365E000-memory.dmp

Filesize
6.9MB

Download
memory/5100-59-0x0000000072F70000-0x000000007365E000-memory.dmp

Filesize
6.9MB

Download
memory/5100-75-0x0000000072F70000-0x000000007365E000-memory.dmp

Filesize
6.9MB

Download