healer | 0c029ea417bd0bcbf096c68fcb87e95638ac3b29437df5399ab1f00d26addcb4

General

Target

x0996616.exe
Size

757KB
MD5

5ce0626813026706a786b6d10370b362
SHA1

2827998b7a70b2c6bee245b692d468a43d3f73d9
SHA256

0c029ea417bd0bcbf096c68fcb87e95638ac3b29437df5399ab1f00d26addcb4
SHA512

0da43afba595709b076e903075df4b5388dc9f5237dbb2a20af88af0a49ff2272535919b2263006d61c3b6a5802de7bf34bb019ac5b2c63631c324f91874b2a5
SSDEEP

12288:gMroy90khXhCxf7G+p9Ra4rS03q9UjJImxbPFxvi4gq/kcEPd3j6nyPRqTtIv2mv:4yZh4xDG+pNLESJLPF1i4H+PZGnypqp

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

C2

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2256-21-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

x1368633.exex7688341.exeg2204807.exeh0745430.exe

pid process

2432 x1368633.exe
4896 x7688341.exe
4508 g2204807.exe
3168 h0745430.exe

pid	process
2432	x1368633.exe
4896	x7688341.exe
4508	g2204807.exe
3168	h0745430.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

x7688341.exex0996616.exex1368633.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7688341.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x0996616.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1368633.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g2204807.exe

description pid process target process

PID 4508 set thread context of 2256 4508 g2204807.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

2256 AppLaunch.exe
2256 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 2256 AppLaunch.exe

description	pid	process	target process
PID 4508 set thread context of 2256	4508	g2204807.exe	AppLaunch.exe

pid	process
2256	AppLaunch.exe
2256	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2256	AppLaunch.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

x0996616.exex1368633.exex7688341.exeg2204807.exe

description	pid	process	target process
PID 5100 wrote to memory of 2432	5100	x0996616.exe	x1368633.exe
PID 5100 wrote to memory of 2432	5100	x0996616.exe	x1368633.exe
PID 5100 wrote to memory of 2432	5100	x0996616.exe	x1368633.exe
PID 2432 wrote to memory of 4896	2432	x1368633.exe	x7688341.exe
PID 2432 wrote to memory of 4896	2432	x1368633.exe	x7688341.exe
PID 2432 wrote to memory of 4896	2432	x1368633.exe	x7688341.exe
PID 4896 wrote to memory of 4508	4896	x7688341.exe	g2204807.exe
PID 4896 wrote to memory of 4508	4896	x7688341.exe	g2204807.exe
PID 4896 wrote to memory of 4508	4896	x7688341.exe	g2204807.exe
PID 4508 wrote to memory of 2256	4508	g2204807.exe	AppLaunch.exe
PID 4508 wrote to memory of 2256	4508	g2204807.exe	AppLaunch.exe
PID 4508 wrote to memory of 2256	4508	g2204807.exe	AppLaunch.exe
PID 4508 wrote to memory of 2256	4508	g2204807.exe	AppLaunch.exe
PID 4508 wrote to memory of 2256	4508	g2204807.exe	AppLaunch.exe
PID 4508 wrote to memory of 2256	4508	g2204807.exe	AppLaunch.exe
PID 4508 wrote to memory of 2256	4508	g2204807.exe	AppLaunch.exe
PID 4508 wrote to memory of 2256	4508	g2204807.exe	AppLaunch.exe
PID 4896 wrote to memory of 3168	4896	x7688341.exe	h0745430.exe
PID 4896 wrote to memory of 3168	4896	x7688341.exe	h0745430.exe
PID 4896 wrote to memory of 3168	4896	x7688341.exe	h0745430.exe

C:\Users\Admin\AppData\Local\Temp\x0996616.exe
"C:\Users\Admin\AppData\Local\Temp\x0996616.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1368633.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1368633.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7688341.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7688341.exe
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4896

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g2204807.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g2204807.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h0745430.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h0745430.exe
- Executes dropped EXE
PID:3168

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1368633.exe
Filesize
487KB

MD5
66fc7c0264275bd0d212270b875c36e7

SHA1
9b46dc1c23a4347f203aad5d138c5948918c7b22

SHA256
67984aa804e237aeb7bd79a1441ad49a6e5fc935bf44f324e23b97da314a7331

SHA512
ee46610b5fb07a4e16d152e9631def521192ef09c14d420091c57865a503f7707bff1aa591e410f61aae9d86dd6b9b02612511b80ffc3ddabbeee7ef6a6d64cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1368633.exe
Filesize
487KB

MD5
66fc7c0264275bd0d212270b875c36e7

SHA1
9b46dc1c23a4347f203aad5d138c5948918c7b22

SHA256
67984aa804e237aeb7bd79a1441ad49a6e5fc935bf44f324e23b97da314a7331

SHA512
ee46610b5fb07a4e16d152e9631def521192ef09c14d420091c57865a503f7707bff1aa591e410f61aae9d86dd6b9b02612511b80ffc3ddabbeee7ef6a6d64cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7688341.exe
Filesize
321KB

MD5
6f9fab527e0ccdc98d58ac716181b3c6

SHA1
851541e69cd89d0ebba22b0a2fdd63f40e6d723b

SHA256
93b183e0975c989bfbe8b579ce5d6e41ea957f4568a83e3ed264b4fc94f2f60b

SHA512
eb084cfb876b129a21a40eef6b3aec4ab7ea6bff8f960f8bf205aa1889c5be8ba9b34e301046c94b16e01a0542408be2114229dea1a316ef7f2d5a74ab5acce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7688341.exe
Filesize
321KB

MD5
6f9fab527e0ccdc98d58ac716181b3c6

SHA1
851541e69cd89d0ebba22b0a2fdd63f40e6d723b

SHA256
93b183e0975c989bfbe8b579ce5d6e41ea957f4568a83e3ed264b4fc94f2f60b

SHA512
eb084cfb876b129a21a40eef6b3aec4ab7ea6bff8f960f8bf205aa1889c5be8ba9b34e301046c94b16e01a0542408be2114229dea1a316ef7f2d5a74ab5acce7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g2204807.exe
Filesize
236KB

MD5
bd7db8b543d1b8d37a380bace855e6f1

SHA1
6bb4a5230f3038cfc4414e36175e399df0123568

SHA256
85c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b

SHA512
bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g2204807.exe
Filesize
236KB

MD5
bd7db8b543d1b8d37a380bace855e6f1

SHA1
6bb4a5230f3038cfc4414e36175e399df0123568

SHA256
85c512fbf6bdc46b301a7fca81c9d0b9c420ba21078befeec31d6061b7c1590b

SHA512
bd3d7ddfdefbb677e43fcc87b00f265c9a0cade8aa2f39d40eedb272586e2291c28d085035a3053a214ffb0102c1d6cbd1aa7606fb5c744c6aff3a54f3c6d63f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h0745430.exe
Filesize
174KB

MD5
b0b411456035583fa1873d9e27c80b3f

SHA1
b8a0d5d8022911b28ae6caeb0470e1c2f3a8ddc0

SHA256
b66a9b7940002fda2d1a3ef446c4732574d7fecf46b05211ec74c4e1b3c6a7db

SHA512
e166c14008f836a73bae5be0f49e5f257b73c96878283aad034194d3cfa92783fb9ac478ff86bb6c0fd3f088200c59fdc38b1c6953229737e4f5f555141411ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h0745430.exe
Filesize
174KB

MD5
b0b411456035583fa1873d9e27c80b3f

SHA1
b8a0d5d8022911b28ae6caeb0470e1c2f3a8ddc0

SHA256
b66a9b7940002fda2d1a3ef446c4732574d7fecf46b05211ec74c4e1b3c6a7db

SHA512
e166c14008f836a73bae5be0f49e5f257b73c96878283aad034194d3cfa92783fb9ac478ff86bb6c0fd3f088200c59fdc38b1c6953229737e4f5f555141411ea

Download Submit
memory/2256-29-0x00000000738D0000-0x0000000073FBE000-memory.dmp

Filesize
6MB

Download
memory/2256-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2256-45-0x00000000738D0000-0x0000000073FBE000-memory.dmp

Filesize
6MB

Download
memory/2256-61-0x00000000738D0000-0x0000000073FBE000-memory.dmp

Filesize
6MB

Download
memory/3168-28-0x00000000004D0000-0x0000000000500000-memory.dmp

Filesize
192KB

Download
memory/3168-31-0x00000000025D0000-0x00000000025D6000-memory.dmp

Filesize
24KB

Download
memory/3168-30-0x00000000738D0000-0x0000000073FBE000-memory.dmp

Filesize
6MB

Download
memory/3168-32-0x000000000A8F0000-0x000000000AEF6000-memory.dmp

Filesize
6MB

Download
memory/3168-33-0x000000000A420000-0x000000000A52A000-memory.dmp

Filesize
1MB

Download
memory/3168-34-0x000000000A350000-0x000000000A362000-memory.dmp

Filesize
72KB

Download
memory/3168-39-0x000000000A3B0000-0x000000000A3EE000-memory.dmp

Filesize
248KB

Download
memory/3168-40-0x000000000A530000-0x000000000A57B000-memory.dmp

Filesize
300KB

Download
memory/3168-46-0x00000000738D0000-0x0000000073FBE000-memory.dmp

Filesize
6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads