healer | 8449031e10e7cd77dd596d4c3c923d1e099662892a6777491d29a540f130485a

Analysis

max time kernel
293s
max time network
300s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19-09-2023 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x6161540.exe
Size

487KB
MD5

1990265e89bd2fdc7e857cdef4fad2ce
SHA1

3ba988dc7d323f9cdf6745b7e46326e763923507
SHA256

8449031e10e7cd77dd596d4c3c923d1e099662892a6777491d29a540f130485a
SHA512

0fed439071296196ee6abc47f24062ba9e1afd1410fbca41fc17d6bad1f71ff9fdc459369d11f7cb92b4d75deae39ad8774fc5522c81157c26f98ae1a0b26f33
SSDEEP

12288:1MrPy90ZIBqJnrVpTQw/a3uXjyJFwIMp:+yCIuV1yeXmPwz

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2604-25-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-26-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-30-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2604-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 3 IoCs

Processes:

x9391797.exeg6373050.exeh7041528.exe

pid process

2508 x9391797.exe
2644 g6373050.exe
2560 h7041528.exe
Loads dropped DLL 7 IoCs

Processes:

x6161540.exex9391797.exeg6373050.exeh7041528.exe

pid process

2900 x6161540.exe
2508 x9391797.exe
2508 x9391797.exe
2508 x9391797.exe
2644 g6373050.exe
2508 x9391797.exe
2560 h7041528.exe

pid	process
2508	x9391797.exe
2644	g6373050.exe
2560	h7041528.exe

pid	process
2900	x6161540.exe
2508	x9391797.exe
2508	x9391797.exe
2508	x9391797.exe
2644	g6373050.exe
2508	x9391797.exe
2560	h7041528.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x6161540.exex9391797.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x6161540.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9391797.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g6373050.exe

description pid process target process

PID 2644 set thread context of 2604 2644 g6373050.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2604 AppLaunch.exe
2604 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2604 AppLaunch.exe

description	pid	process	target process
PID 2644 set thread context of 2604	2644	g6373050.exe	AppLaunch.exe

pid	process
2604	AppLaunch.exe
2604	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2604	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

x6161540.exex9391797.exeg6373050.exe

description	pid	process	target process
PID 2900 wrote to memory of 2508	2900	x6161540.exe	x9391797.exe
PID 2900 wrote to memory of 2508	2900	x6161540.exe	x9391797.exe
PID 2900 wrote to memory of 2508	2900	x6161540.exe	x9391797.exe
PID 2900 wrote to memory of 2508	2900	x6161540.exe	x9391797.exe
PID 2900 wrote to memory of 2508	2900	x6161540.exe	x9391797.exe
PID 2900 wrote to memory of 2508	2900	x6161540.exe	x9391797.exe
PID 2900 wrote to memory of 2508	2900	x6161540.exe	x9391797.exe
PID 2508 wrote to memory of 2644	2508	x9391797.exe	g6373050.exe
PID 2508 wrote to memory of 2644	2508	x9391797.exe	g6373050.exe
PID 2508 wrote to memory of 2644	2508	x9391797.exe	g6373050.exe
PID 2508 wrote to memory of 2644	2508	x9391797.exe	g6373050.exe
PID 2508 wrote to memory of 2644	2508	x9391797.exe	g6373050.exe
PID 2508 wrote to memory of 2644	2508	x9391797.exe	g6373050.exe
PID 2508 wrote to memory of 2644	2508	x9391797.exe	g6373050.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2644 wrote to memory of 2604	2644	g6373050.exe	AppLaunch.exe
PID 2508 wrote to memory of 2560	2508	x9391797.exe	h7041528.exe
PID 2508 wrote to memory of 2560	2508	x9391797.exe	h7041528.exe
PID 2508 wrote to memory of 2560	2508	x9391797.exe	h7041528.exe
PID 2508 wrote to memory of 2560	2508	x9391797.exe	h7041528.exe
PID 2508 wrote to memory of 2560	2508	x9391797.exe	h7041528.exe
PID 2508 wrote to memory of 2560	2508	x9391797.exe	h7041528.exe
PID 2508 wrote to memory of 2560	2508	x9391797.exe	h7041528.exe

C:\Users\Admin\AppData\Local\Temp\x6161540.exe
"C:\Users\Admin\AppData\Local\Temp\x6161540.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2900

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391797.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391797.exe
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2508

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6373050.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6373050.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7041528.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7041528.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391797.exe
Filesize
321KB

MD5
dba7de05cbeabdc859adfc5b6498a558

SHA1
653ebef6f9214b020def4354caa166457dcb8bcb

SHA256
3f021e6c4a954aa68bfc5acf5a86dad05b1dd124b742ff26392f7cb71edad49c

SHA512
dd716f1414c6bbb0a5dadbc3c6e5596f3b25282711c7ecafc6799a9a3c057d01e1aad924ca5348423449e24386c0e22a15321d739e27ae9bee17bcada8d22c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391797.exe
Filesize
321KB

MD5
dba7de05cbeabdc859adfc5b6498a558

SHA1
653ebef6f9214b020def4354caa166457dcb8bcb

SHA256
3f021e6c4a954aa68bfc5acf5a86dad05b1dd124b742ff26392f7cb71edad49c

SHA512
dd716f1414c6bbb0a5dadbc3c6e5596f3b25282711c7ecafc6799a9a3c057d01e1aad924ca5348423449e24386c0e22a15321d739e27ae9bee17bcada8d22c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7041528.exe
Filesize
174KB

MD5
17061663123df86496cfa24e531b4127

SHA1
446ad405b223ce6e9197ec7ef814516d9d99caa8

SHA256
da7d0eb65df4abc42e450a6419eb96af0f77816f0c0cdf3c943cd98f8d6867cd

SHA512
b52254ceef131d9d7b8ab5d9f7e0737870575d82f3479fb90f8a19654c8070c431e9be06c6f9df46db01c1b1e4e607458feb93300f43056b872f937723e489e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7041528.exe
Filesize
174KB

MD5
17061663123df86496cfa24e531b4127

SHA1
446ad405b223ce6e9197ec7ef814516d9d99caa8

SHA256
da7d0eb65df4abc42e450a6419eb96af0f77816f0c0cdf3c943cd98f8d6867cd

SHA512
b52254ceef131d9d7b8ab5d9f7e0737870575d82f3479fb90f8a19654c8070c431e9be06c6f9df46db01c1b1e4e607458feb93300f43056b872f937723e489e4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391797.exe
Filesize
321KB

MD5
dba7de05cbeabdc859adfc5b6498a558

SHA1
653ebef6f9214b020def4354caa166457dcb8bcb

SHA256
3f021e6c4a954aa68bfc5acf5a86dad05b1dd124b742ff26392f7cb71edad49c

SHA512
dd716f1414c6bbb0a5dadbc3c6e5596f3b25282711c7ecafc6799a9a3c057d01e1aad924ca5348423449e24386c0e22a15321d739e27ae9bee17bcada8d22c5c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9391797.exe
Filesize
321KB

MD5
dba7de05cbeabdc859adfc5b6498a558

SHA1
653ebef6f9214b020def4354caa166457dcb8bcb

SHA256
3f021e6c4a954aa68bfc5acf5a86dad05b1dd124b742ff26392f7cb71edad49c

SHA512
dd716f1414c6bbb0a5dadbc3c6e5596f3b25282711c7ecafc6799a9a3c057d01e1aad924ca5348423449e24386c0e22a15321d739e27ae9bee17bcada8d22c5c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7041528.exe
Filesize
174KB

MD5
17061663123df86496cfa24e531b4127

SHA1
446ad405b223ce6e9197ec7ef814516d9d99caa8

SHA256
da7d0eb65df4abc42e450a6419eb96af0f77816f0c0cdf3c943cd98f8d6867cd

SHA512
b52254ceef131d9d7b8ab5d9f7e0737870575d82f3479fb90f8a19654c8070c431e9be06c6f9df46db01c1b1e4e607458feb93300f43056b872f937723e489e4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7041528.exe
Filesize
174KB

MD5
17061663123df86496cfa24e531b4127

SHA1
446ad405b223ce6e9197ec7ef814516d9d99caa8

SHA256
da7d0eb65df4abc42e450a6419eb96af0f77816f0c0cdf3c943cd98f8d6867cd

SHA512
b52254ceef131d9d7b8ab5d9f7e0737870575d82f3479fb90f8a19654c8070c431e9be06c6f9df46db01c1b1e4e607458feb93300f43056b872f937723e489e4

Download Submit
memory/2560-39-0x0000000000A30000-0x0000000000A60000-memory.dmp

Filesize
192KB

Download
memory/2560-40-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2604-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-30-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-24-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2604-23-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download