healer | f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 06:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc.exe
Size

1.1MB
MD5

46cc4c160c07962424459a08227709c4
SHA1

0c52b072dbd5f0450a6551b77a36b3f167de8c1e
SHA256

f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc
SHA512

112c5d63847569c70f27859d0f1f340a1ceaf2785fd99a4764d35c68c487abd4ac019ce63b6de548438c4c6bbffb3d1aa39ec64e61d73dab60f7a3be3f1d39aa
SSDEEP

24576:ayanTPzoNnJUAnIFlf10eIKWgd6OyX80xdLPPXBZPMQ8OCHJSurat:hwfK6FZ1asYOyJTLXvPMdOCpR

Score

10^/10

healer redline buben dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/3976-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4856	x1194848.exe
5092	x1999959.exe
1412	x1948888.exe
2104	g2779674.exe
2824	h2878870.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1999959.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1948888.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1194848.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2104 set thread context of 3976	2104	g2779674.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3592	2104	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3976	AppLaunch.exe
3976	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4856	2808	f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc.exe	85
PID 2808 wrote to memory of 4856	2808	f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc.exe	85
PID 2808 wrote to memory of 4856	2808	f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc.exe	85
PID 4856 wrote to memory of 5092	4856	x1194848.exe	86
PID 4856 wrote to memory of 5092	4856	x1194848.exe	86
PID 4856 wrote to memory of 5092	4856	x1194848.exe	86
PID 5092 wrote to memory of 1412	5092	x1999959.exe	87
PID 5092 wrote to memory of 1412	5092	x1999959.exe	87
PID 5092 wrote to memory of 1412	5092	x1999959.exe	87
PID 1412 wrote to memory of 2104	1412	x1948888.exe	88
PID 1412 wrote to memory of 2104	1412	x1948888.exe	88
PID 1412 wrote to memory of 2104	1412	x1948888.exe	88
PID 2104 wrote to memory of 3976	2104	g2779674.exe	90
PID 2104 wrote to memory of 3976	2104	g2779674.exe	90
PID 2104 wrote to memory of 3976	2104	g2779674.exe	90
PID 2104 wrote to memory of 3976	2104	g2779674.exe	90
PID 2104 wrote to memory of 3976	2104	g2779674.exe	90
PID 2104 wrote to memory of 3976	2104	g2779674.exe	90
PID 2104 wrote to memory of 3976	2104	g2779674.exe	90
PID 2104 wrote to memory of 3976	2104	g2779674.exe	90
PID 1412 wrote to memory of 2824	1412	x1948888.exe	95
PID 1412 wrote to memory of 2824	1412	x1948888.exe	95
PID 1412 wrote to memory of 2824	1412	x1948888.exe	95

C:\Users\Admin\AppData\Local\Temp\f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc.exe
"C:\Users\Admin\AppData\Local\Temp\f1372b1a0961a0c57fe69d716e6992ea2a6a82ef2944465f88c1a99f117de4cc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1194848.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1194848.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1999959.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1999959.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1948888.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1948888.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1412
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2779674.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2779674.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2104
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3976
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2104 -s 136
        6⤵
        Program crash
        
        PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2878870.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2878870.exe
        5⤵
        Executes dropped EXE
        
        PID:2824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2104 -ip 2104
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1194848.exe

Filesize
1.0MB

MD5
469523525237c805502bfbec72b8a67e

SHA1
34ee6b4be2d26dc6e9a51946cbdc6038c97e9ed6

SHA256
ae4c484d116f025cd08dbed6d3786eec6b547e15919997f550be788a427a7f0e

SHA512
863aa4f5985e6c5932bde5ee3046b027e15ded0a040acf0065cc7ff5454a621dcada95bc78a06da879de7f729d0ed1f364bdddde3db1b5067530d10a26812696

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1194848.exe

Filesize
1.0MB

MD5
469523525237c805502bfbec72b8a67e

SHA1
34ee6b4be2d26dc6e9a51946cbdc6038c97e9ed6

SHA256
ae4c484d116f025cd08dbed6d3786eec6b547e15919997f550be788a427a7f0e

SHA512
863aa4f5985e6c5932bde5ee3046b027e15ded0a040acf0065cc7ff5454a621dcada95bc78a06da879de7f729d0ed1f364bdddde3db1b5067530d10a26812696

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1999959.exe

Filesize
651KB

MD5
bce56f4e512ae7758e3890f9add2c6ae

SHA1
6ee31f44edef526548adcd41952a2addd6c86e2e

SHA256
209a0c03d464fafc9657c1a5f8dc61d88c68af9312cfa32c282538730b79cf81

SHA512
d30925c89601ce3c7c57075efa52c6c1212d3a9473da16c8330509625b1ef959913122a8b2974f1d33432f7b986c902ed3cc229a133dc0fedd0a4bbc808e8576

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1999959.exe

Filesize
651KB

MD5
bce56f4e512ae7758e3890f9add2c6ae

SHA1
6ee31f44edef526548adcd41952a2addd6c86e2e

SHA256
209a0c03d464fafc9657c1a5f8dc61d88c68af9312cfa32c282538730b79cf81

SHA512
d30925c89601ce3c7c57075efa52c6c1212d3a9473da16c8330509625b1ef959913122a8b2974f1d33432f7b986c902ed3cc229a133dc0fedd0a4bbc808e8576

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1948888.exe

Filesize
465KB

MD5
5c67808b656205321897724516b25c6a

SHA1
3e940a5fea71a3c510eabaebfc346b6cede331f8

SHA256
b12350798c654ae949a005844c65ef16d136ad08598227c8041fe8bb48e6dcbd

SHA512
656aa047c084f5b81903ee4ef2e8e87c0d557218fefd4c84e9e2aecffba9a7147a89a97b5f954e24dd07643749ea63c04ae4c326baa1298e7d0a635c44a0c8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1948888.exe

Filesize
465KB

MD5
5c67808b656205321897724516b25c6a

SHA1
3e940a5fea71a3c510eabaebfc346b6cede331f8

SHA256
b12350798c654ae949a005844c65ef16d136ad08598227c8041fe8bb48e6dcbd

SHA512
656aa047c084f5b81903ee4ef2e8e87c0d557218fefd4c84e9e2aecffba9a7147a89a97b5f954e24dd07643749ea63c04ae4c326baa1298e7d0a635c44a0c8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2779674.exe

Filesize
899KB

MD5
e829ce547c5be1cd263c88beec82f48d

SHA1
5c4568f0f9eb99439898e32cbf75b6d69efb7453

SHA256
5af500b6b3b8be045d276abce5be151c057b739ff9439f9fb4740285fb54277d

SHA512
1d11ffdfbf497815c5c588f5b6eb2ede1b4994d2f0167fca7977133f31fb7c7bdfc82ae52199cd4ca277a256e8f78efb5249aa7d62882c42778921c5b3806ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2779674.exe

Filesize
899KB

MD5
e829ce547c5be1cd263c88beec82f48d

SHA1
5c4568f0f9eb99439898e32cbf75b6d69efb7453

SHA256
5af500b6b3b8be045d276abce5be151c057b739ff9439f9fb4740285fb54277d

SHA512
1d11ffdfbf497815c5c588f5b6eb2ede1b4994d2f0167fca7977133f31fb7c7bdfc82ae52199cd4ca277a256e8f78efb5249aa7d62882c42778921c5b3806ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2878870.exe

Filesize
174KB

MD5
1b51b2d863f4bf00441ad1efd2880ce8

SHA1
d571b8c09671d4db37be6c2e62b753787a248e85

SHA256
0c6731f17d8873eb91514cb5a0419b9a23704a143fb414cd5cb38132efc05944

SHA512
0bf3570620819244f966fd2c8b90ecf72f5123b371e8a79839674962bb9f542ccf166bbae304e604af811c4f3472c5166dc274a31e8f99d9ab47dbcbcd537271

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2878870.exe

Filesize
174KB

MD5
1b51b2d863f4bf00441ad1efd2880ce8

SHA1
d571b8c09671d4db37be6c2e62b753787a248e85

SHA256
0c6731f17d8873eb91514cb5a0419b9a23704a143fb414cd5cb38132efc05944

SHA512
0bf3570620819244f966fd2c8b90ecf72f5123b371e8a79839674962bb9f542ccf166bbae304e604af811c4f3472c5166dc274a31e8f99d9ab47dbcbcd537271

Download Submit
memory/2824-33-0x00000000008E0000-0x0000000000910000-memory.dmp

Filesize
192KB

Download
memory/2824-39-0x00000000052A0000-0x00000000052B2000-memory.dmp

Filesize
72KB

Download
memory/2824-46-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/2824-34-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/2824-35-0x0000000001220000-0x0000000001226000-memory.dmp

Filesize
24KB

Download
memory/2824-36-0x0000000005A60000-0x0000000006078000-memory.dmp

Filesize
6.1MB

Download
memory/2824-37-0x0000000005550000-0x000000000565A000-memory.dmp

Filesize
1.0MB

Download
memory/2824-45-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/2824-38-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/2824-40-0x0000000005440000-0x000000000547C000-memory.dmp

Filesize
240KB

Download
memory/2824-41-0x0000000005480000-0x00000000054CC000-memory.dmp

Filesize
304KB

Download
memory/3976-42-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/3976-44-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/3976-29-0x0000000074110000-0x00000000748C0000-memory.dmp

Filesize
7.7MB

Download
memory/3976-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download