healer | ff5bff453148333bc10d200e02ff7d9848690214fc6b56a5ded05c517ec6b58a

Analysis

max time kernel
286s
max time network
300s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19-09-2023 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x2187432.exe
Size

767KB
MD5

ae57bf787472df63812c94000b30e5e3
SHA1

815744b59c8c14100fa17a50be7d010f6b51675d
SHA256

ff5bff453148333bc10d200e02ff7d9848690214fc6b56a5ded05c517ec6b58a
SHA512

7b046d0348cdd2ffbfbee7ba088a8f91373c80cf9e6b99c11ac2db2ebfd124120c6a589a2746a949038ca61b7f5ae55b8aeb8c365825d0d78218f0fba744d6a9
SSDEEP

12288:1Mr/y90ib6+7ZCYjY8zCdkvvahvVnubBoBK4TsfWF3bMUhiBUL5glXYR5KaRZwPg:2y5xdCqg+vOubB+Kfs3QUEBUFg2TRZwY

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2596-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2596-36-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2596-38-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2596-40-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2596-42-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

x0651453.exex8002878.exeg3089245.exeh8345542.exe

pid process

2532 x0651453.exe
2540 x8002878.exe
2880 g3089245.exe
2960 h8345542.exe

pid	process
2532	x0651453.exe
2540	x8002878.exe
2880	g3089245.exe
2960	h8345542.exe

Loads dropped DLL 9 IoCs

Processes:

x2187432.exex0651453.exex8002878.exeg3089245.exeh8345542.exe

pid	process
2184	x2187432.exe
2532	x0651453.exe
2532	x0651453.exe
2540	x8002878.exe
2540	x8002878.exe
2540	x8002878.exe
2880	g3089245.exe
2540	x8002878.exe
2960	h8345542.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x2187432.exex0651453.exex8002878.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x2187432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0651453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8002878.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g3089245.exe

description pid process target process

PID 2880 set thread context of 2596 2880 g3089245.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2596 AppLaunch.exe
2596 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2596 AppLaunch.exe

description	pid	process	target process
PID 2880 set thread context of 2596	2880	g3089245.exe	AppLaunch.exe

pid	process
2596	AppLaunch.exe
2596	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2596	AppLaunch.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

x2187432.exex0651453.exex8002878.exeg3089245.exe

description	pid	process	target process
PID 2184 wrote to memory of 2532	2184	x2187432.exe	x0651453.exe
PID 2184 wrote to memory of 2532	2184	x2187432.exe	x0651453.exe
PID 2184 wrote to memory of 2532	2184	x2187432.exe	x0651453.exe
PID 2184 wrote to memory of 2532	2184	x2187432.exe	x0651453.exe
PID 2184 wrote to memory of 2532	2184	x2187432.exe	x0651453.exe
PID 2184 wrote to memory of 2532	2184	x2187432.exe	x0651453.exe
PID 2184 wrote to memory of 2532	2184	x2187432.exe	x0651453.exe
PID 2532 wrote to memory of 2540	2532	x0651453.exe	x8002878.exe
PID 2532 wrote to memory of 2540	2532	x0651453.exe	x8002878.exe
PID 2532 wrote to memory of 2540	2532	x0651453.exe	x8002878.exe
PID 2532 wrote to memory of 2540	2532	x0651453.exe	x8002878.exe
PID 2532 wrote to memory of 2540	2532	x0651453.exe	x8002878.exe
PID 2532 wrote to memory of 2540	2532	x0651453.exe	x8002878.exe
PID 2532 wrote to memory of 2540	2532	x0651453.exe	x8002878.exe
PID 2540 wrote to memory of 2880	2540	x8002878.exe	g3089245.exe
PID 2540 wrote to memory of 2880	2540	x8002878.exe	g3089245.exe
PID 2540 wrote to memory of 2880	2540	x8002878.exe	g3089245.exe
PID 2540 wrote to memory of 2880	2540	x8002878.exe	g3089245.exe
PID 2540 wrote to memory of 2880	2540	x8002878.exe	g3089245.exe
PID 2540 wrote to memory of 2880	2540	x8002878.exe	g3089245.exe
PID 2540 wrote to memory of 2880	2540	x8002878.exe	g3089245.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2880 wrote to memory of 2596	2880	g3089245.exe	AppLaunch.exe
PID 2540 wrote to memory of 2960	2540	x8002878.exe	h8345542.exe
PID 2540 wrote to memory of 2960	2540	x8002878.exe	h8345542.exe
PID 2540 wrote to memory of 2960	2540	x8002878.exe	h8345542.exe
PID 2540 wrote to memory of 2960	2540	x8002878.exe	h8345542.exe
PID 2540 wrote to memory of 2960	2540	x8002878.exe	h8345542.exe
PID 2540 wrote to memory of 2960	2540	x8002878.exe	h8345542.exe
PID 2540 wrote to memory of 2960	2540	x8002878.exe	h8345542.exe

C:\Users\Admin\AppData\Local\Temp\x2187432.exe
"C:\Users\Admin\AppData\Local\Temp\x2187432.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2184

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0651453.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0651453.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8002878.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8002878.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3089245.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3089245.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
5⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8345542.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8345542.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0651453.exe
Filesize
492KB

MD5
8c62495f62de77222ca27558fbf5e0bc

SHA1
109f944d602fe8a613193b97715c8432e90cd1b2

SHA256
8afd755682fd51de8c541b0e31ab2ee1d6bdde402a7e4d566fe0494dbdb16d3f

SHA512
0b1f795298c2a9763240a209033268e0b612f5eee43febb6a093988b40ced4330de1419341028bd84c8b0cc58fc503afc30dfe05025756bcf5839677ae21fda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0651453.exe
Filesize
492KB

MD5
8c62495f62de77222ca27558fbf5e0bc

SHA1
109f944d602fe8a613193b97715c8432e90cd1b2

SHA256
8afd755682fd51de8c541b0e31ab2ee1d6bdde402a7e4d566fe0494dbdb16d3f

SHA512
0b1f795298c2a9763240a209033268e0b612f5eee43febb6a093988b40ced4330de1419341028bd84c8b0cc58fc503afc30dfe05025756bcf5839677ae21fda0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8002878.exe
Filesize
326KB

MD5
d450a74effe247298e76be251e9d20b6

SHA1
2ec5fbbbd9ea9125beb84d456fac275f9dc42adc

SHA256
c22b6ac1147733913380ba7c0f23d9e8802bb8f91b681e416aa5c5a0f942d105

SHA512
1d4d264d1e20603a5d9dccac06c5055b5ec2555f3d6d390b4bd066a45ff23ede0ea15df9eec5154ac3601c7f28537b4096d703ea294295973e99fbf2b149d678

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8002878.exe
Filesize
326KB

MD5
d450a74effe247298e76be251e9d20b6

SHA1
2ec5fbbbd9ea9125beb84d456fac275f9dc42adc

SHA256
c22b6ac1147733913380ba7c0f23d9e8802bb8f91b681e416aa5c5a0f942d105

SHA512
1d4d264d1e20603a5d9dccac06c5055b5ec2555f3d6d390b4bd066a45ff23ede0ea15df9eec5154ac3601c7f28537b4096d703ea294295973e99fbf2b149d678

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3089245.exe
Filesize
242KB

MD5
d1139a672dbbf2080d65e428ab2a5e89

SHA1
ba26ec755852555edba81f15f9937884666845c5

SHA256
2f587191e89b78e30307e3d1c06e7fc8abcda40f2bbea21bb522c5c9dd07a8f6

SHA512
5d9b0361549f6cc589dd9de63ed7af83b1a434524ff66cec60d6414d2fe3153f879f7a43d364e71fce933da89617d550d4b3858d48c2f19418f1db74809d52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3089245.exe
Filesize
242KB

MD5
d1139a672dbbf2080d65e428ab2a5e89

SHA1
ba26ec755852555edba81f15f9937884666845c5

SHA256
2f587191e89b78e30307e3d1c06e7fc8abcda40f2bbea21bb522c5c9dd07a8f6

SHA512
5d9b0361549f6cc589dd9de63ed7af83b1a434524ff66cec60d6414d2fe3153f879f7a43d364e71fce933da89617d550d4b3858d48c2f19418f1db74809d52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3089245.exe
Filesize
242KB

MD5
d1139a672dbbf2080d65e428ab2a5e89

SHA1
ba26ec755852555edba81f15f9937884666845c5

SHA256
2f587191e89b78e30307e3d1c06e7fc8abcda40f2bbea21bb522c5c9dd07a8f6

SHA512
5d9b0361549f6cc589dd9de63ed7af83b1a434524ff66cec60d6414d2fe3153f879f7a43d364e71fce933da89617d550d4b3858d48c2f19418f1db74809d52ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8345542.exe
Filesize
174KB

MD5
24a7f85e7aba85d56e39eabf594afb44

SHA1
33e1f059adfe93d5bdf2a7880a0193c88a7ad1c4

SHA256
179783183da481296e77d35b9a3a73c8247ad2420d49a4e7fd35ae12efadd467

SHA512
a19c25638b6209e447bd2ef8eabf7377188f4bf89d12333ca25c17fff91e5b0c52d2e0504df3c465b781d6e0b75776c02752492f8e24e54a0e19385c1f326c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8345542.exe
Filesize
174KB

MD5
24a7f85e7aba85d56e39eabf594afb44

SHA1
33e1f059adfe93d5bdf2a7880a0193c88a7ad1c4

SHA256
179783183da481296e77d35b9a3a73c8247ad2420d49a4e7fd35ae12efadd467

SHA512
a19c25638b6209e447bd2ef8eabf7377188f4bf89d12333ca25c17fff91e5b0c52d2e0504df3c465b781d6e0b75776c02752492f8e24e54a0e19385c1f326c67

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0651453.exe
Filesize
492KB

MD5
8c62495f62de77222ca27558fbf5e0bc

SHA1
109f944d602fe8a613193b97715c8432e90cd1b2

SHA256
8afd755682fd51de8c541b0e31ab2ee1d6bdde402a7e4d566fe0494dbdb16d3f

SHA512
0b1f795298c2a9763240a209033268e0b612f5eee43febb6a093988b40ced4330de1419341028bd84c8b0cc58fc503afc30dfe05025756bcf5839677ae21fda0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0651453.exe
Filesize
492KB

MD5
8c62495f62de77222ca27558fbf5e0bc

SHA1
109f944d602fe8a613193b97715c8432e90cd1b2

SHA256
8afd755682fd51de8c541b0e31ab2ee1d6bdde402a7e4d566fe0494dbdb16d3f

SHA512
0b1f795298c2a9763240a209033268e0b612f5eee43febb6a093988b40ced4330de1419341028bd84c8b0cc58fc503afc30dfe05025756bcf5839677ae21fda0

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8002878.exe
Filesize
326KB

MD5
d450a74effe247298e76be251e9d20b6

SHA1
2ec5fbbbd9ea9125beb84d456fac275f9dc42adc

SHA256
c22b6ac1147733913380ba7c0f23d9e8802bb8f91b681e416aa5c5a0f942d105

SHA512
1d4d264d1e20603a5d9dccac06c5055b5ec2555f3d6d390b4bd066a45ff23ede0ea15df9eec5154ac3601c7f28537b4096d703ea294295973e99fbf2b149d678

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8002878.exe
Filesize
326KB

MD5
d450a74effe247298e76be251e9d20b6

SHA1
2ec5fbbbd9ea9125beb84d456fac275f9dc42adc

SHA256
c22b6ac1147733913380ba7c0f23d9e8802bb8f91b681e416aa5c5a0f942d105

SHA512
1d4d264d1e20603a5d9dccac06c5055b5ec2555f3d6d390b4bd066a45ff23ede0ea15df9eec5154ac3601c7f28537b4096d703ea294295973e99fbf2b149d678

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3089245.exe
Filesize
242KB

MD5
d1139a672dbbf2080d65e428ab2a5e89

SHA1
ba26ec755852555edba81f15f9937884666845c5

SHA256
2f587191e89b78e30307e3d1c06e7fc8abcda40f2bbea21bb522c5c9dd07a8f6

SHA512
5d9b0361549f6cc589dd9de63ed7af83b1a434524ff66cec60d6414d2fe3153f879f7a43d364e71fce933da89617d550d4b3858d48c2f19418f1db74809d52ca

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3089245.exe
Filesize
242KB

MD5
d1139a672dbbf2080d65e428ab2a5e89

SHA1
ba26ec755852555edba81f15f9937884666845c5

SHA256
2f587191e89b78e30307e3d1c06e7fc8abcda40f2bbea21bb522c5c9dd07a8f6

SHA512
5d9b0361549f6cc589dd9de63ed7af83b1a434524ff66cec60d6414d2fe3153f879f7a43d364e71fce933da89617d550d4b3858d48c2f19418f1db74809d52ca

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3089245.exe
Filesize
242KB

MD5
d1139a672dbbf2080d65e428ab2a5e89

SHA1
ba26ec755852555edba81f15f9937884666845c5

SHA256
2f587191e89b78e30307e3d1c06e7fc8abcda40f2bbea21bb522c5c9dd07a8f6

SHA512
5d9b0361549f6cc589dd9de63ed7af83b1a434524ff66cec60d6414d2fe3153f879f7a43d364e71fce933da89617d550d4b3858d48c2f19418f1db74809d52ca

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8345542.exe
Filesize
174KB

MD5
24a7f85e7aba85d56e39eabf594afb44

SHA1
33e1f059adfe93d5bdf2a7880a0193c88a7ad1c4

SHA256
179783183da481296e77d35b9a3a73c8247ad2420d49a4e7fd35ae12efadd467

SHA512
a19c25638b6209e447bd2ef8eabf7377188f4bf89d12333ca25c17fff91e5b0c52d2e0504df3c465b781d6e0b75776c02752492f8e24e54a0e19385c1f326c67

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h8345542.exe
Filesize
174KB

MD5
24a7f85e7aba85d56e39eabf594afb44

SHA1
33e1f059adfe93d5bdf2a7880a0193c88a7ad1c4

SHA256
179783183da481296e77d35b9a3a73c8247ad2420d49a4e7fd35ae12efadd467

SHA512
a19c25638b6209e447bd2ef8eabf7377188f4bf89d12333ca25c17fff91e5b0c52d2e0504df3c465b781d6e0b75776c02752492f8e24e54a0e19385c1f326c67

Download Submit
memory/2596-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2596-38-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2596-40-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2596-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2596-36-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2596-37-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2596-34-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2960-49-0x0000000000280000-0x00000000002B0000-memory.dmp

Filesize
192KB

Download
memory/2960-50-0x0000000000360000-0x0000000000366000-memory.dmp

Filesize
24KB

Download