healer | 3f021e6c4a954aa68bfc5acf5a86dad05b1dd124b742ff26392f7cb71edad49c

Analysis

max time kernel
291s
max time network
297s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19-09-2023 06:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x9391797.exe
Size

321KB
MD5

dba7de05cbeabdc859adfc5b6498a558
SHA1

653ebef6f9214b020def4354caa166457dcb8bcb
SHA256

3f021e6c4a954aa68bfc5acf5a86dad05b1dd124b742ff26392f7cb71edad49c
SHA512

dd716f1414c6bbb0a5dadbc3c6e5596f3b25282711c7ecafc6799a9a3c057d01e1aad924ca5348423449e24386c0e22a15321d739e27ae9bee17bcada8d22c5c
SSDEEP

6144:KYy+bnr+ap0yN90QE9WaMye34ulHCg2c+SeaKuKk:sMrOy90xMygHBqL9aKux

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2984-15-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2984-16-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2984-18-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2984-20-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2984-22-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 2 IoCs

Processes:

g6373050.exeh7041528.exe

pid process

1280 g6373050.exe
2648 h7041528.exe
Loads dropped DLL 5 IoCs

Processes:

x9391797.exeg6373050.exeh7041528.exe

pid process

1292 x9391797.exe
1292 x9391797.exe
1280 g6373050.exe
1292 x9391797.exe
2648 h7041528.exe

pid	process
1280	g6373050.exe
2648	h7041528.exe

pid	process
1292	x9391797.exe
1292	x9391797.exe
1280	g6373050.exe
1292	x9391797.exe
2648	h7041528.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x9391797.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x9391797.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g6373050.exe

description pid process target process

PID 1280 set thread context of 2984 1280 g6373050.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2984 AppLaunch.exe
2984 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2984 AppLaunch.exe

description	pid	process	target process
PID 1280 set thread context of 2984	1280	g6373050.exe	AppLaunch.exe

pid	process
2984	AppLaunch.exe
2984	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2984	AppLaunch.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

x9391797.exeg6373050.exe

description	pid	process	target process
PID 1292 wrote to memory of 1280	1292	x9391797.exe	g6373050.exe
PID 1292 wrote to memory of 1280	1292	x9391797.exe	g6373050.exe
PID 1292 wrote to memory of 1280	1292	x9391797.exe	g6373050.exe
PID 1292 wrote to memory of 1280	1292	x9391797.exe	g6373050.exe
PID 1292 wrote to memory of 1280	1292	x9391797.exe	g6373050.exe
PID 1292 wrote to memory of 1280	1292	x9391797.exe	g6373050.exe
PID 1292 wrote to memory of 1280	1292	x9391797.exe	g6373050.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1280 wrote to memory of 2984	1280	g6373050.exe	AppLaunch.exe
PID 1292 wrote to memory of 2648	1292	x9391797.exe	h7041528.exe
PID 1292 wrote to memory of 2648	1292	x9391797.exe	h7041528.exe
PID 1292 wrote to memory of 2648	1292	x9391797.exe	h7041528.exe
PID 1292 wrote to memory of 2648	1292	x9391797.exe	h7041528.exe
PID 1292 wrote to memory of 2648	1292	x9391797.exe	h7041528.exe
PID 1292 wrote to memory of 2648	1292	x9391797.exe	h7041528.exe
PID 1292 wrote to memory of 2648	1292	x9391797.exe	h7041528.exe

C:\Users\Admin\AppData\Local\Temp\x9391797.exe
"C:\Users\Admin\AppData\Local\Temp\x9391797.exe"
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h7041528.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h7041528.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2648

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h7041528.exe
Filesize
174KB

MD5
17061663123df86496cfa24e531b4127

SHA1
446ad405b223ce6e9197ec7ef814516d9d99caa8

SHA256
da7d0eb65df4abc42e450a6419eb96af0f77816f0c0cdf3c943cd98f8d6867cd

SHA512
b52254ceef131d9d7b8ab5d9f7e0737870575d82f3479fb90f8a19654c8070c431e9be06c6f9df46db01c1b1e4e607458feb93300f43056b872f937723e489e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\h7041528.exe
Filesize
174KB

MD5
17061663123df86496cfa24e531b4127

SHA1
446ad405b223ce6e9197ec7ef814516d9d99caa8

SHA256
da7d0eb65df4abc42e450a6419eb96af0f77816f0c0cdf3c943cd98f8d6867cd

SHA512
b52254ceef131d9d7b8ab5d9f7e0737870575d82f3479fb90f8a19654c8070c431e9be06c6f9df46db01c1b1e4e607458feb93300f43056b872f937723e489e4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\g6373050.exe
Filesize
236KB

MD5
9dc867c2adacdd76b2324bc47467f83c

SHA1
f3decfe079b8dc76d536de7ca9aeec2c0da18d72

SHA256
5158a232d953ba32ce82499cdc54e8d7fd113b3672c9b9d82ee5df3f842eb410

SHA512
0b7c0c7514e7468cf89e6492608ab2e24054c94ebc77fe571dba7c9aa612f82c3d5d0c3c62f1e9acbfd01229568b83847dd9ff331f618b7bb8cb89d3437aacff

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\h7041528.exe
Filesize
174KB

MD5
17061663123df86496cfa24e531b4127

SHA1
446ad405b223ce6e9197ec7ef814516d9d99caa8

SHA256
da7d0eb65df4abc42e450a6419eb96af0f77816f0c0cdf3c943cd98f8d6867cd

SHA512
b52254ceef131d9d7b8ab5d9f7e0737870575d82f3479fb90f8a19654c8070c431e9be06c6f9df46db01c1b1e4e607458feb93300f43056b872f937723e489e4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\h7041528.exe
Filesize
174KB

MD5
17061663123df86496cfa24e531b4127

SHA1
446ad405b223ce6e9197ec7ef814516d9d99caa8

SHA256
da7d0eb65df4abc42e450a6419eb96af0f77816f0c0cdf3c943cd98f8d6867cd

SHA512
b52254ceef131d9d7b8ab5d9f7e0737870575d82f3479fb90f8a19654c8070c431e9be06c6f9df46db01c1b1e4e607458feb93300f43056b872f937723e489e4

Download Submit
memory/2648-30-0x00000000001E0000-0x00000000001E6000-memory.dmp

Filesize
24KB

Download
memory/2648-29-0x0000000000990000-0x00000000009C0000-memory.dmp

Filesize
192KB

Download
memory/2984-15-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2984-22-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2984-20-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2984-18-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2984-17-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2984-16-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2984-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2984-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download