healer | a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4

Analysis

max time kernel
142s
max time network
150s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
19/09/2023, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe
Size

1.3MB
MD5

d82c8056a71e8e53e597a87fbb4aab76
SHA1

afe664fb4de8d2ecfb701d5083732dc27193294b
SHA256

a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4
SHA512

8a52c8540f7490224319ee1758c98a0c45600d49d51d0def0ce6770575e7aa291566076e6fe8a58941a0dbec80b7f90f2b9539b388775325f817791f9974a90e
SSDEEP

24576:QlT85U+qoBdTTgtZkqm+fQZ8hchV35eF0fUgDlxJbKHPDLs:p5UFq+t2G3qVgFLafboDLs

Score

10^/10

healer redline vasha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vasha

77.91.124.82:19071

Attributes

auth_value
42fc61786274daca54d589b85a2c1954

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/4152-34-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1136	x5729809.exe
3456	x4003952.exe
4952	x8197398.exe
4940	g8753574.exe
4452	h9937611.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5729809.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4003952.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8197398.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 2524	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	73
PID 4940 set thread context of 4152	4940	g8753574.exe	79

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4152	AppLaunch.exe
4152	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4152	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 3256	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	72
PID 5072 wrote to memory of 3256	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	72
PID 5072 wrote to memory of 3256	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	72
PID 5072 wrote to memory of 2524	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	73
PID 5072 wrote to memory of 2524	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	73
PID 5072 wrote to memory of 2524	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	73
PID 5072 wrote to memory of 2524	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	73
PID 5072 wrote to memory of 2524	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	73
PID 5072 wrote to memory of 2524	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	73
PID 5072 wrote to memory of 2524	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	73
PID 5072 wrote to memory of 2524	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	73
PID 5072 wrote to memory of 2524	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	73
PID 5072 wrote to memory of 2524	5072	a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe	73
PID 2524 wrote to memory of 1136	2524	AppLaunch.exe	74
PID 2524 wrote to memory of 1136	2524	AppLaunch.exe	74
PID 2524 wrote to memory of 1136	2524	AppLaunch.exe	74
PID 1136 wrote to memory of 3456	1136	x5729809.exe	75
PID 1136 wrote to memory of 3456	1136	x5729809.exe	75
PID 1136 wrote to memory of 3456	1136	x5729809.exe	75
PID 3456 wrote to memory of 4952	3456	x4003952.exe	76
PID 3456 wrote to memory of 4952	3456	x4003952.exe	76
PID 3456 wrote to memory of 4952	3456	x4003952.exe	76
PID 4952 wrote to memory of 4940	4952	x8197398.exe	77
PID 4952 wrote to memory of 4940	4952	x8197398.exe	77
PID 4952 wrote to memory of 4940	4952	x8197398.exe	77
PID 4940 wrote to memory of 4152	4940	g8753574.exe	79
PID 4940 wrote to memory of 4152	4940	g8753574.exe	79
PID 4940 wrote to memory of 4152	4940	g8753574.exe	79
PID 4940 wrote to memory of 4152	4940	g8753574.exe	79
PID 4940 wrote to memory of 4152	4940	g8753574.exe	79
PID 4940 wrote to memory of 4152	4940	g8753574.exe	79
PID 4940 wrote to memory of 4152	4940	g8753574.exe	79
PID 4940 wrote to memory of 4152	4940	g8753574.exe	79
PID 4952 wrote to memory of 4452	4952	x8197398.exe	80
PID 4952 wrote to memory of 4452	4952	x8197398.exe	80
PID 4952 wrote to memory of 4452	4952	x8197398.exe	80

C:\Users\Admin\AppData\Local\Temp\a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe
"C:\Users\Admin\AppData\Local\Temp\a416b24f060994349aa37a88520a5d5189c0813a2108ad813065a8116f39dbd4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5729809.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5729809.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4003952.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4003952.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8197398.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8197398.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4952
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8753574.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8753574.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9937611.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9937611.exe
        6⤵
        Executes dropped EXE
        
        PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5729809.exe

Filesize
776KB

MD5
1fca6cc14ce237375fb7f454b3a9ab1f

SHA1
a00ff0ec09307b44aead002c0ca0987e412e7897

SHA256
3e292de69db371975892dee70eb5ba0a2a816485798ebe7d88d4a5899db1d8e9

SHA512
5c9f069fd7fcbc22dde88ab10a098699452391de10364fd6a495b912ab682942e77414c12a54a4cb0119695a7c87c697741a6aa5cbf06f45250e2868bd21c3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5729809.exe

Filesize
776KB

MD5
1fca6cc14ce237375fb7f454b3a9ab1f

SHA1
a00ff0ec09307b44aead002c0ca0987e412e7897

SHA256
3e292de69db371975892dee70eb5ba0a2a816485798ebe7d88d4a5899db1d8e9

SHA512
5c9f069fd7fcbc22dde88ab10a098699452391de10364fd6a495b912ab682942e77414c12a54a4cb0119695a7c87c697741a6aa5cbf06f45250e2868bd21c3bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4003952.exe

Filesize
506KB

MD5
b53e5062058d256e6d05707a2bd19a65

SHA1
130d86daf40f57e0d02048ee8e2d5c801dc82f38

SHA256
56559aef0a5db645f7adc4186c2e4ce917e769c3dc1e5314618684d1164326c1

SHA512
017369ccb244cdd0e6403ee0e7eb90457d2367c0a10c867e4c10edaca0ae15880ee17205861672371279e1f3bfcb3558c0668a106c4ba0ef41438446d689be0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4003952.exe

Filesize
506KB

MD5
b53e5062058d256e6d05707a2bd19a65

SHA1
130d86daf40f57e0d02048ee8e2d5c801dc82f38

SHA256
56559aef0a5db645f7adc4186c2e4ce917e769c3dc1e5314618684d1164326c1

SHA512
017369ccb244cdd0e6403ee0e7eb90457d2367c0a10c867e4c10edaca0ae15880ee17205861672371279e1f3bfcb3558c0668a106c4ba0ef41438446d689be0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8197398.exe

Filesize
321KB

MD5
551e3f3b6c5667df98e47f60ecbf892d

SHA1
ca9469739e4b3d897e5c10b5160c8de55d469a0d

SHA256
2debcbc09ddd65ee0382580dd2f9eab7ee565c157dd9e525019d88bd5b48a7fe

SHA512
e18a6e71ee806ba0311736a6cdb2e86b02f6f530a5939d6057566c102e27d51f6ed04d16104179a02557fa03bc4bde116d72ed067e90e1312dbd4b2c2c12b657

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8197398.exe

Filesize
321KB

MD5
551e3f3b6c5667df98e47f60ecbf892d

SHA1
ca9469739e4b3d897e5c10b5160c8de55d469a0d

SHA256
2debcbc09ddd65ee0382580dd2f9eab7ee565c157dd9e525019d88bd5b48a7fe

SHA512
e18a6e71ee806ba0311736a6cdb2e86b02f6f530a5939d6057566c102e27d51f6ed04d16104179a02557fa03bc4bde116d72ed067e90e1312dbd4b2c2c12b657

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8753574.exe

Filesize
236KB

MD5
a9bfd17e6ee65c6b33af273c9aa9bb5d

SHA1
4d0eb5c18801e0f78f44287cb61bb5fc573635cd

SHA256
84368d8ca5bb9ca6c0cc57551e21ad0f167cd44f953addcf16f7f78f48c4cabb

SHA512
394380fe3db6eff9bea828ce17aa6739b12fcc36e7ad7b3f96ec15c04d0eaf615f3149262af5fc5d16c4a284a1c7839a8d932395b3ceb54004930b1cad7775c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g8753574.exe

Filesize
236KB

MD5
a9bfd17e6ee65c6b33af273c9aa9bb5d

SHA1
4d0eb5c18801e0f78f44287cb61bb5fc573635cd

SHA256
84368d8ca5bb9ca6c0cc57551e21ad0f167cd44f953addcf16f7f78f48c4cabb

SHA512
394380fe3db6eff9bea828ce17aa6739b12fcc36e7ad7b3f96ec15c04d0eaf615f3149262af5fc5d16c4a284a1c7839a8d932395b3ceb54004930b1cad7775c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9937611.exe

Filesize
174KB

MD5
8ec0e3ed8fbabf07689731564962b4df

SHA1
edb7a959d80ed281442c6769638559071e8a33e1

SHA256
59a3dc284acd6ea1595ce47228ba8e4c2598c6eee8f318b855beefa53e7f0a3a

SHA512
64ee02dc0961ea036a265a14dfea71fca0d6aaa0d1b68ce14b7fa7836443e49dd0d7cd4cf2b5431c680fe4d9d027cbf13b147a46115a5926d707ec1fe82bb05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h9937611.exe

Filesize
174KB

MD5
8ec0e3ed8fbabf07689731564962b4df

SHA1
edb7a959d80ed281442c6769638559071e8a33e1

SHA256
59a3dc284acd6ea1595ce47228ba8e4c2598c6eee8f318b855beefa53e7f0a3a

SHA512
64ee02dc0961ea036a265a14dfea71fca0d6aaa0d1b68ce14b7fa7836443e49dd0d7cd4cf2b5431c680fe4d9d027cbf13b147a46115a5926d707ec1fe82bb05c

Download Submit
memory/2524-58-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2524-4-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2524-1-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2524-2-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2524-0-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2524-5-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/4152-34-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4152-74-0x00000000733F0000-0x0000000073ADE000-memory.dmp

Filesize
6.9MB

Download
memory/4152-44-0x00000000733F0000-0x0000000073ADE000-memory.dmp

Filesize
6.9MB

Download
memory/4452-42-0x00000000733F0000-0x0000000073ADE000-memory.dmp

Filesize
6.9MB

Download
memory/4452-45-0x0000000005F60000-0x0000000006566000-memory.dmp

Filesize
6.0MB

Download
memory/4452-46-0x0000000005A60000-0x0000000005B6A000-memory.dmp

Filesize
1.0MB

Download
memory/4452-47-0x0000000005950000-0x0000000005962000-memory.dmp

Filesize
72KB

Download
memory/4452-52-0x0000000005970000-0x00000000059AE000-memory.dmp

Filesize
248KB

Download
memory/4452-53-0x00000000059F0000-0x0000000005A3B000-memory.dmp

Filesize
300KB

Download
memory/4452-43-0x0000000001670000-0x0000000001676000-memory.dmp

Filesize
24KB

Download
memory/4452-59-0x00000000733F0000-0x0000000073ADE000-memory.dmp

Filesize
6.9MB

Download
memory/4452-41-0x0000000000EE0000-0x0000000000F10000-memory.dmp

Filesize
192KB

Download