healer | b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2023 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe
Size

1.3MB
MD5

672ad505a63ad07f386a276f8613f8f8
SHA1

e0975fc870d32df6e9af57510fed97c0d503dd06
SHA256

b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2
SHA512

60bb509dea15c1704594dd171c45af44aaa0c2b9402fa9bc312c196609700cc35a6ff67b0a6a154786cd375d68118c6d6242bd762724745db68e941676d2c6b6
SSDEEP

24576:m09Vjt5nN75u3KmWnRdwWpKUKrfyhm9w5aqr84aas9Y/TMVWkzxQ:m09Vjto3MnRdwsKrrfyhmBbnn+/DkNQ

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4644-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2856	x3284800.exe
4340	x2347650.exe
220	x7651666.exe
2880	g1442280.exe
756	h1168118.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2347650.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7651666.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3284800.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3772 set thread context of 380	3772	JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe	80
PID 2880 set thread context of 4644	2880	g1442280.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4644	AppLaunch.exe
4644	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4644	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 380	3772	JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe	80
PID 3772 wrote to memory of 380	3772	JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe	80
PID 3772 wrote to memory of 380	3772	JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe	80
PID 3772 wrote to memory of 380	3772	JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe	80
PID 3772 wrote to memory of 380	3772	JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe	80
PID 3772 wrote to memory of 380	3772	JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe	80
PID 3772 wrote to memory of 380	3772	JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe	80
PID 3772 wrote to memory of 380	3772	JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe	80
PID 3772 wrote to memory of 380	3772	JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe	80
PID 3772 wrote to memory of 380	3772	JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe	80
PID 380 wrote to memory of 2856	380	AppLaunch.exe	81
PID 380 wrote to memory of 2856	380	AppLaunch.exe	81
PID 380 wrote to memory of 2856	380	AppLaunch.exe	81
PID 2856 wrote to memory of 4340	2856	x3284800.exe	82
PID 2856 wrote to memory of 4340	2856	x3284800.exe	82
PID 2856 wrote to memory of 4340	2856	x3284800.exe	82
PID 4340 wrote to memory of 220	4340	x2347650.exe	83
PID 4340 wrote to memory of 220	4340	x2347650.exe	83
PID 4340 wrote to memory of 220	4340	x2347650.exe	83
PID 220 wrote to memory of 2880	220	x7651666.exe	84
PID 220 wrote to memory of 2880	220	x7651666.exe	84
PID 220 wrote to memory of 2880	220	x7651666.exe	84
PID 2880 wrote to memory of 4644	2880	g1442280.exe	85
PID 2880 wrote to memory of 4644	2880	g1442280.exe	85
PID 2880 wrote to memory of 4644	2880	g1442280.exe	85
PID 2880 wrote to memory of 4644	2880	g1442280.exe	85
PID 2880 wrote to memory of 4644	2880	g1442280.exe	85
PID 2880 wrote to memory of 4644	2880	g1442280.exe	85
PID 2880 wrote to memory of 4644	2880	g1442280.exe	85
PID 2880 wrote to memory of 4644	2880	g1442280.exe	85
PID 220 wrote to memory of 756	220	x7651666.exe	86
PID 220 wrote to memory of 756	220	x7651666.exe	86
PID 220 wrote to memory of 756	220	x7651666.exe	86

C:\Users\Admin\AppData\Local\Temp\JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe
"C:\Users\Admin\AppData\Local\Temp\JC_b8893bbff12588d9a06deea184b6593821730733cb47d1fffdd767f7021f76e2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:380
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3284800.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3284800.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2347650.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2347650.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7651666.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7651666.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:220
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1442280.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1442280.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1168118.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1168118.exe
        6⤵
        Executes dropped EXE
        
        PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3284800.exe

Filesize
767KB

MD5
4fa98b318b434bf339aa96cc87078d94

SHA1
0d6232f4c35fe3491c22f6421f4831b667b5f1a9

SHA256
1d1ece41536e2665a2d5669a9acd16a38d94a8a815a3c43c8710c4014497e337

SHA512
43738a3c18e64647474766fd9d436fb21f2df45456705662f58b9ec30d4934fc20f86047dc2d0d420ebbd0f6c743b7d356f84968fa5d6526b0728c10b38ff8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3284800.exe

Filesize
767KB

MD5
4fa98b318b434bf339aa96cc87078d94

SHA1
0d6232f4c35fe3491c22f6421f4831b667b5f1a9

SHA256
1d1ece41536e2665a2d5669a9acd16a38d94a8a815a3c43c8710c4014497e337

SHA512
43738a3c18e64647474766fd9d436fb21f2df45456705662f58b9ec30d4934fc20f86047dc2d0d420ebbd0f6c743b7d356f84968fa5d6526b0728c10b38ff8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2347650.exe

Filesize
492KB

MD5
88047a7600fcb8d25f07137682c46726

SHA1
90796a1e42eb0bec05dd8bb0d390507176380446

SHA256
7f13a15c7069bfd804a9ed39df07995f6f889d7d686faaea698ea60f69ccbf7c

SHA512
6479854f2842b6ad0e332a361f434f2f09d08eb31a09b4cb70e83d48e74dece9d21601bd336a0e25610bacb28436ab7c36fee5a62760feb38843044b44d7f67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2347650.exe

Filesize
492KB

MD5
88047a7600fcb8d25f07137682c46726

SHA1
90796a1e42eb0bec05dd8bb0d390507176380446

SHA256
7f13a15c7069bfd804a9ed39df07995f6f889d7d686faaea698ea60f69ccbf7c

SHA512
6479854f2842b6ad0e332a361f434f2f09d08eb31a09b4cb70e83d48e74dece9d21601bd336a0e25610bacb28436ab7c36fee5a62760feb38843044b44d7f67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7651666.exe

Filesize
326KB

MD5
b71c09a11aa7b80cab19dd57723843fb

SHA1
69db42d43d293c44e984bdf97f7c2a07e752a8ef

SHA256
51f013399518c5af929a3351e65763f2f144423f38b699baaeba9fdc9abcc100

SHA512
0501bb75f2f99876f77b16bfbc5bc8595bf6b501e48d173e0b286a32453ee352d54bb918400b0a8e6137fba900858900c3929bd76e80e12eb13158b031ef5de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7651666.exe

Filesize
326KB

MD5
b71c09a11aa7b80cab19dd57723843fb

SHA1
69db42d43d293c44e984bdf97f7c2a07e752a8ef

SHA256
51f013399518c5af929a3351e65763f2f144423f38b699baaeba9fdc9abcc100

SHA512
0501bb75f2f99876f77b16bfbc5bc8595bf6b501e48d173e0b286a32453ee352d54bb918400b0a8e6137fba900858900c3929bd76e80e12eb13158b031ef5de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1442280.exe

Filesize
242KB

MD5
ababb4b675f9e18d469af6c3c7847e2f

SHA1
ce16e714cf1dcfbc9579111cc94cecd558d40130

SHA256
01752e6b033a10b357785385437a8e88b8dd550421505e97b677305a72b53610

SHA512
80572f94040856a206c74d2ca64e4c18ced324f0e72c87124a63ef0b0345140ad70134e065254e56d88763d3e331e331efd3bb645f8fe5dbc7bc53148ed4740b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1442280.exe

Filesize
242KB

MD5
ababb4b675f9e18d469af6c3c7847e2f

SHA1
ce16e714cf1dcfbc9579111cc94cecd558d40130

SHA256
01752e6b033a10b357785385437a8e88b8dd550421505e97b677305a72b53610

SHA512
80572f94040856a206c74d2ca64e4c18ced324f0e72c87124a63ef0b0345140ad70134e065254e56d88763d3e331e331efd3bb645f8fe5dbc7bc53148ed4740b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1168118.exe

Filesize
174KB

MD5
714bafdcfb7ec0179f6c9c634b59db17

SHA1
6e3d64ecee0c2968d9e4cc93bafd9760a8e5d16e

SHA256
a9a47c9d42b0e89b685c857a76c1c7e4d8cb9172292c98436f4441ef66bee50b

SHA512
9cbe7e66b8f173d40ef8b89ab6f23782f9cd01a0e7c15236d739cfd3e187ce26fb85ca8f3464020baed99758438993f1d4a7eec7c02f4a951578445ea1c9f2de

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1168118.exe

Filesize
174KB

MD5
714bafdcfb7ec0179f6c9c634b59db17

SHA1
6e3d64ecee0c2968d9e4cc93bafd9760a8e5d16e

SHA256
a9a47c9d42b0e89b685c857a76c1c7e4d8cb9172292c98436f4441ef66bee50b

SHA512
9cbe7e66b8f173d40ef8b89ab6f23782f9cd01a0e7c15236d739cfd3e187ce26fb85ca8f3464020baed99758438993f1d4a7eec7c02f4a951578445ea1c9f2de

Download Submit
memory/380-3-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/380-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/380-46-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/380-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/380-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/756-36-0x00000000000C0000-0x00000000000F0000-memory.dmp

Filesize
192KB

Download
memory/756-43-0x0000000009FB0000-0x0000000009FC2000-memory.dmp

Filesize
72KB

Download
memory/756-38-0x0000000073BC0000-0x0000000074370000-memory.dmp

Filesize
7.7MB

Download
memory/756-39-0x00000000007B0000-0x00000000007B6000-memory.dmp

Filesize
24KB

Download
memory/756-40-0x000000000A550000-0x000000000AB68000-memory.dmp

Filesize
6.1MB

Download
memory/756-41-0x000000000A080000-0x000000000A18A000-memory.dmp

Filesize
1.0MB

Download
memory/756-42-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/756-51-0x0000000000A60000-0x0000000000A70000-memory.dmp

Filesize
64KB

Download
memory/756-44-0x000000000A010000-0x000000000A04C000-memory.dmp

Filesize
240KB

Download
memory/756-45-0x000000000A190000-0x000000000A1DC000-memory.dmp

Filesize
304KB

Download
memory/756-48-0x0000000073BC0000-0x0000000074370000-memory.dmp

Filesize
7.7MB

Download
memory/4644-47-0x0000000073BC0000-0x0000000074370000-memory.dmp

Filesize
7.7MB

Download
memory/4644-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4644-50-0x0000000073BC0000-0x0000000074370000-memory.dmp

Filesize
7.7MB

Download
memory/4644-37-0x0000000073BC0000-0x0000000074370000-memory.dmp

Filesize
7.7MB

Download