healer | 5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210

Analysis

max time kernel
140s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe
Size

1.1MB
MD5

51dcdcd85ebeeecc5604fcf4ea862c08
SHA1

f18ced960defd288a54d75761c968fae9e89c602
SHA256

5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210
SHA512

2eb686b90de6c8980de8403a4cf0b73809f855261958bb8fe0ab99ed774ac65d1841589738fc384bf06312ee7cc13f9f1adabe6af83eb12ad0900cd143e8c1f4
SSDEEP

24576:5y4e5/PflTsk3p7zE+sz0W8A4QBlVbo4U4Dd+Nkt6DUmQpEJNYf:s4KPflTsJ70W8CBlVu4Zt6DSpEJ

Score

10^/10

healer redline buben dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/1612-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
5096	x3065453.exe
4380	x0740758.exe
4436	x3325313.exe
1172	g4952973.exe
2080	h0308900.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3065453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0740758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3325313.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1172 set thread context of 1612	1172	g4952973.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3300	1172	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1612	AppLaunch.exe
1612	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 5096	4832	5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe	83
PID 4832 wrote to memory of 5096	4832	5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe	83
PID 4832 wrote to memory of 5096	4832	5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe	83
PID 5096 wrote to memory of 4380	5096	x3065453.exe	84
PID 5096 wrote to memory of 4380	5096	x3065453.exe	84
PID 5096 wrote to memory of 4380	5096	x3065453.exe	84
PID 4380 wrote to memory of 4436	4380	x0740758.exe	85
PID 4380 wrote to memory of 4436	4380	x0740758.exe	85
PID 4380 wrote to memory of 4436	4380	x0740758.exe	85
PID 4436 wrote to memory of 1172	4436	x3325313.exe	86
PID 4436 wrote to memory of 1172	4436	x3325313.exe	86
PID 4436 wrote to memory of 1172	4436	x3325313.exe	86
PID 1172 wrote to memory of 1612	1172	g4952973.exe	88
PID 1172 wrote to memory of 1612	1172	g4952973.exe	88
PID 1172 wrote to memory of 1612	1172	g4952973.exe	88
PID 1172 wrote to memory of 1612	1172	g4952973.exe	88
PID 1172 wrote to memory of 1612	1172	g4952973.exe	88
PID 1172 wrote to memory of 1612	1172	g4952973.exe	88
PID 1172 wrote to memory of 1612	1172	g4952973.exe	88
PID 1172 wrote to memory of 1612	1172	g4952973.exe	88
PID 4436 wrote to memory of 2080	4436	x3325313.exe	92
PID 4436 wrote to memory of 2080	4436	x3325313.exe	92
PID 4436 wrote to memory of 2080	4436	x3325313.exe	92

C:\Users\Admin\AppData\Local\Temp\5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe
"C:\Users\Admin\AppData\Local\Temp\5255b26add346dffb7f4e0c7007ae0807d12950101464e4524d89c8cb5e6a210.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3065453.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3065453.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0740758.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0740758.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3325313.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3325313.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4436
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4952973.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4952973.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1172 -s 556
        6⤵
        Program crash
        
        PID:3300
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0308900.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0308900.exe
        5⤵
        Executes dropped EXE
        
        PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1172 -ip 1172
1⤵
PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3065453.exe

Filesize
1.0MB

MD5
1cab562f55428189af15aafd9d663b4a

SHA1
21a31704cbe735bf65472ff2f38fd8f4e7c62e76

SHA256
2293d4b6cb74c31f986a47dcec32979202d7049d4e0278dfe9381522d4f0da63

SHA512
4d0ab0999726ea5af45b1e25e39fdfad11acb027fe50c0d897cf5917b0c1f27e6ae850f919a2ae9154d8f65cfef48df8d9d4d424990671a3bcb20200d9e2299d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3065453.exe

Filesize
1.0MB

MD5
1cab562f55428189af15aafd9d663b4a

SHA1
21a31704cbe735bf65472ff2f38fd8f4e7c62e76

SHA256
2293d4b6cb74c31f986a47dcec32979202d7049d4e0278dfe9381522d4f0da63

SHA512
4d0ab0999726ea5af45b1e25e39fdfad11acb027fe50c0d897cf5917b0c1f27e6ae850f919a2ae9154d8f65cfef48df8d9d4d424990671a3bcb20200d9e2299d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0740758.exe

Filesize
652KB

MD5
3ff2f75c549c702e35282ceae7122a8c

SHA1
18debde29b6852e16fd5a25763dc6c23f0966be1

SHA256
400a090876a119d27a472d5a9688abfb16855c81904e8cca4ad171301a3dd8e1

SHA512
1f677f85e25a66906e6c20a071d8a910e32df8ff2816be544b85b32c9ba4df1b4f3d9c5c46f9b03f82f6b55bd48a2a58e9ea346ecb19207006a1254f86a9ae84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0740758.exe

Filesize
652KB

MD5
3ff2f75c549c702e35282ceae7122a8c

SHA1
18debde29b6852e16fd5a25763dc6c23f0966be1

SHA256
400a090876a119d27a472d5a9688abfb16855c81904e8cca4ad171301a3dd8e1

SHA512
1f677f85e25a66906e6c20a071d8a910e32df8ff2816be544b85b32c9ba4df1b4f3d9c5c46f9b03f82f6b55bd48a2a58e9ea346ecb19207006a1254f86a9ae84

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3325313.exe

Filesize
467KB

MD5
d79cae984d98091d6716cce4ca9d8842

SHA1
151690482fa84da23cccfef6fdc4241cc275d6af

SHA256
2ebf50572caaeef8f4ba2ce86832f25b93d509cbb155ef6a023c6d2a2898a539

SHA512
414e376876eec733a742f4c3a7079605ff10fb65a9c73282e2f1e4c3aa316311a21227c18460d7fe193684aca73a5b1bbd9ec6881ea6dc25c68d78b81edffbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3325313.exe

Filesize
467KB

MD5
d79cae984d98091d6716cce4ca9d8842

SHA1
151690482fa84da23cccfef6fdc4241cc275d6af

SHA256
2ebf50572caaeef8f4ba2ce86832f25b93d509cbb155ef6a023c6d2a2898a539

SHA512
414e376876eec733a742f4c3a7079605ff10fb65a9c73282e2f1e4c3aa316311a21227c18460d7fe193684aca73a5b1bbd9ec6881ea6dc25c68d78b81edffbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4952973.exe

Filesize
899KB

MD5
7dccc0b9e27dd2da37d426513ec0443b

SHA1
83ffc5b13d599341425ebf8850c357c2285145b8

SHA256
bae060fa54dae6cc5d76a0c5dc600cd60c333f0130f62858b17b024bcef71f04

SHA512
ed65652196a3561a45eeec58658c1985442d1c682f6a913f6f4eb34b2844ada60c94b21ea7dee4898ca3a26e74f6059c506db146625512626ed608d368cbdb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g4952973.exe

Filesize
899KB

MD5
7dccc0b9e27dd2da37d426513ec0443b

SHA1
83ffc5b13d599341425ebf8850c357c2285145b8

SHA256
bae060fa54dae6cc5d76a0c5dc600cd60c333f0130f62858b17b024bcef71f04

SHA512
ed65652196a3561a45eeec58658c1985442d1c682f6a913f6f4eb34b2844ada60c94b21ea7dee4898ca3a26e74f6059c506db146625512626ed608d368cbdb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0308900.exe

Filesize
174KB

MD5
6a74ebf0f4aea35966e84ad9192d28b8

SHA1
53c8e8040d4d89332edf4030744d4a3c5e5df1ea

SHA256
2ba6a600fe55e17ddb66455425892268ef2fba232207a431abe3c3ec680965ee

SHA512
f270d28838e352e609e04be37f54898da54c0e75f43942768aee6d7145fd062938b2da9cdd7e06f9a55d1069a7240d94d2dbb29fe729f548cde9ddef6533b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0308900.exe

Filesize
174KB

MD5
6a74ebf0f4aea35966e84ad9192d28b8

SHA1
53c8e8040d4d89332edf4030744d4a3c5e5df1ea

SHA256
2ba6a600fe55e17ddb66455425892268ef2fba232207a431abe3c3ec680965ee

SHA512
f270d28838e352e609e04be37f54898da54c0e75f43942768aee6d7145fd062938b2da9cdd7e06f9a55d1069a7240d94d2dbb29fe729f548cde9ddef6533b5f1

Download Submit
memory/1612-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1612-29-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/1612-42-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/1612-44-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2080-33-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/2080-36-0x0000000005570000-0x0000000005B88000-memory.dmp

Filesize
6.1MB

Download
memory/2080-37-0x0000000005060000-0x000000000516A000-memory.dmp

Filesize
1.0MB

Download
memory/2080-39-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download
memory/2080-38-0x0000000004F70000-0x0000000004F82000-memory.dmp

Filesize
72KB

Download
memory/2080-40-0x0000000004FD0000-0x000000000500C000-memory.dmp

Filesize
240KB

Download
memory/2080-41-0x0000000005010000-0x000000000505C000-memory.dmp

Filesize
304KB

Download
memory/2080-35-0x0000000004DF0000-0x0000000004DF6000-memory.dmp

Filesize
24KB

Download
memory/2080-34-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2080-45-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/2080-46-0x0000000004E40000-0x0000000004E50000-memory.dmp

Filesize
64KB

Download