healer | a4793e171af30dbed3e67ad00dabee05a6a6b21cb525121f39bf1945b694efd2

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2023 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4793e171af30dbed3e67ad00dabee05a6a6b21cb525121f39bf1945b694efd2.exe
Size

1.1MB
MD5

45469de66c416be7c6a14c6c381f2eb6
SHA1

6c4a3f212d80804ce3abdd399d4314d375c97d5b
SHA256

a4793e171af30dbed3e67ad00dabee05a6a6b21cb525121f39bf1945b694efd2
SHA512

9aa1bf246812b876df8920a4148f47b43ff28023872a0a011f7c747ce372a1445cfab9677199a28e25bf8b73b88fd94b71468ebb3a50f0d2d53220d3fc139439
SSDEEP

24576:Eygx+DgHXmOyVLpc9jUqg0873jLSi89zzqSIXMViyv0:Tw2OopcVH4ubJiXMViS

Score

10^/10

healer redline buben dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/5112-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4124	x3803016.exe
4532	x7693758.exe
3684	x2568520.exe
3808	g9754782.exe
3564	h4961463.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a4793e171af30dbed3e67ad00dabee05a6a6b21cb525121f39bf1945b694efd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3803016.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7693758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2568520.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3808 set thread context of 5112	3808	g9754782.exe	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4788	3808	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5112	AppLaunch.exe
5112	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	AppLaunch.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 4124	2024	a4793e171af30dbed3e67ad00dabee05a6a6b21cb525121f39bf1945b694efd2.exe	85
PID 2024 wrote to memory of 4124	2024	a4793e171af30dbed3e67ad00dabee05a6a6b21cb525121f39bf1945b694efd2.exe	85
PID 2024 wrote to memory of 4124	2024	a4793e171af30dbed3e67ad00dabee05a6a6b21cb525121f39bf1945b694efd2.exe	85
PID 4124 wrote to memory of 4532	4124	x3803016.exe	86
PID 4124 wrote to memory of 4532	4124	x3803016.exe	86
PID 4124 wrote to memory of 4532	4124	x3803016.exe	86
PID 4532 wrote to memory of 3684	4532	x7693758.exe	87
PID 4532 wrote to memory of 3684	4532	x7693758.exe	87
PID 4532 wrote to memory of 3684	4532	x7693758.exe	87
PID 3684 wrote to memory of 3808	3684	x2568520.exe	88
PID 3684 wrote to memory of 3808	3684	x2568520.exe	88
PID 3684 wrote to memory of 3808	3684	x2568520.exe	88
PID 3808 wrote to memory of 3176	3808	g9754782.exe	90
PID 3808 wrote to memory of 3176	3808	g9754782.exe	90
PID 3808 wrote to memory of 3176	3808	g9754782.exe	90
PID 3808 wrote to memory of 5112	3808	g9754782.exe	91
PID 3808 wrote to memory of 5112	3808	g9754782.exe	91
PID 3808 wrote to memory of 5112	3808	g9754782.exe	91
PID 3808 wrote to memory of 5112	3808	g9754782.exe	91
PID 3808 wrote to memory of 5112	3808	g9754782.exe	91
PID 3808 wrote to memory of 5112	3808	g9754782.exe	91
PID 3808 wrote to memory of 5112	3808	g9754782.exe	91
PID 3808 wrote to memory of 5112	3808	g9754782.exe	91
PID 3684 wrote to memory of 3564	3684	x2568520.exe	96
PID 3684 wrote to memory of 3564	3684	x2568520.exe	96
PID 3684 wrote to memory of 3564	3684	x2568520.exe	96

C:\Users\Admin\AppData\Local\Temp\a4793e171af30dbed3e67ad00dabee05a6a6b21cb525121f39bf1945b694efd2.exe
"C:\Users\Admin\AppData\Local\Temp\a4793e171af30dbed3e67ad00dabee05a6a6b21cb525121f39bf1945b694efd2.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3803016.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3803016.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7693758.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7693758.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2568520.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2568520.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3684
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9754782.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9754782.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3808
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3176
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3808 -s 588
        6⤵
        Program crash
        
        PID:4788
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4961463.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4961463.exe
        5⤵
        Executes dropped EXE
        
        PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3808 -ip 3808
1⤵
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3803016.exe

Filesize
1.0MB

MD5
ab23aa818469c2a03f4d04cf42c9f5ac

SHA1
a3ed56560e4a34cfddab536500dce8c049ffa8d9

SHA256
325182af7a81816335f560f5182aaaeec4736abae71c2ac70a60b329326f8590

SHA512
b07acb3bc99e6fecb645bb94368478b22e3dbb3a5265d77f3187a5683e3c0c1fcd8bb7d982a5080d5a47c56b231aceca32db521a1ef4dd1975ca16b782acc7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3803016.exe

Filesize
1.0MB

MD5
ab23aa818469c2a03f4d04cf42c9f5ac

SHA1
a3ed56560e4a34cfddab536500dce8c049ffa8d9

SHA256
325182af7a81816335f560f5182aaaeec4736abae71c2ac70a60b329326f8590

SHA512
b07acb3bc99e6fecb645bb94368478b22e3dbb3a5265d77f3187a5683e3c0c1fcd8bb7d982a5080d5a47c56b231aceca32db521a1ef4dd1975ca16b782acc7f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7693758.exe

Filesize
651KB

MD5
d513abe4a7e3f8e49c9bde2ea75e387c

SHA1
8aeca9cfa5c5b03efc3dce1825053f619b23e08f

SHA256
007b4292df1a3d512785be803b3cce2aeb191eaedd5015232414af9d748e120e

SHA512
cee0460b37995362d9c90ee34e69a730bd141e71a512d0f975bac7bce7356a671eaed8f738dab7c2785f53ad6cddc890c27c759ca7b6215a34c016edec3db059

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7693758.exe

Filesize
651KB

MD5
d513abe4a7e3f8e49c9bde2ea75e387c

SHA1
8aeca9cfa5c5b03efc3dce1825053f619b23e08f

SHA256
007b4292df1a3d512785be803b3cce2aeb191eaedd5015232414af9d748e120e

SHA512
cee0460b37995362d9c90ee34e69a730bd141e71a512d0f975bac7bce7356a671eaed8f738dab7c2785f53ad6cddc890c27c759ca7b6215a34c016edec3db059

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2568520.exe

Filesize
466KB

MD5
d9a440ccf93f67515ba919581918e568

SHA1
8a0ada8f8f9982c3c7a607a48c41a1f280beb76d

SHA256
a7d5488691692178aa6a5eb59dc5e750d3e901bc5a84e48883db976e5d444b7a

SHA512
c5bd2725c256184bb73eb174208dadbc9e2af18cc6e524dd2096239a2f6f3d508e3aa8c925eccf585300a58a04509e09730eabe8cb8bc93d0c29d9dc8f8e23f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2568520.exe

Filesize
466KB

MD5
d9a440ccf93f67515ba919581918e568

SHA1
8a0ada8f8f9982c3c7a607a48c41a1f280beb76d

SHA256
a7d5488691692178aa6a5eb59dc5e750d3e901bc5a84e48883db976e5d444b7a

SHA512
c5bd2725c256184bb73eb174208dadbc9e2af18cc6e524dd2096239a2f6f3d508e3aa8c925eccf585300a58a04509e09730eabe8cb8bc93d0c29d9dc8f8e23f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9754782.exe

Filesize
899KB

MD5
3d35358489b3cc3687ad2d233c3ca8e2

SHA1
3cab271ba7502baa114c28fcfa912ce925c24797

SHA256
82fbe0f411a4bf587e6ffbb57f878ce51609930527a48f4353b1a3ff1d9fc2e3

SHA512
5c8a3796c1116706d1b0cbd5e513aaebef8f10a7d3651cb1a445e63e7d53dbaa79385a8903c7fd886e8aba82297d099a895592ba15af0f655995e41cb9a54cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9754782.exe

Filesize
899KB

MD5
3d35358489b3cc3687ad2d233c3ca8e2

SHA1
3cab271ba7502baa114c28fcfa912ce925c24797

SHA256
82fbe0f411a4bf587e6ffbb57f878ce51609930527a48f4353b1a3ff1d9fc2e3

SHA512
5c8a3796c1116706d1b0cbd5e513aaebef8f10a7d3651cb1a445e63e7d53dbaa79385a8903c7fd886e8aba82297d099a895592ba15af0f655995e41cb9a54cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4961463.exe

Filesize
174KB

MD5
f5bc187098ee11e8a3daa4ec2ba4d826

SHA1
f49c95fed7165365b98fc8d4e3acf8baddb182e3

SHA256
5d965103ecb69e868c817e627a7be8d9eb92bad10bde8d2423e7f4beb5665f83

SHA512
b64b71af7553ef7f7a81b4903ad3447246a1ef3af1c0db42dc3ba2914d0ea59c1d09aa38df858ee649d6440af67a20cb8de82b2e31a5f88ee3e7eb2ae3146b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4961463.exe

Filesize
174KB

MD5
f5bc187098ee11e8a3daa4ec2ba4d826

SHA1
f49c95fed7165365b98fc8d4e3acf8baddb182e3

SHA256
5d965103ecb69e868c817e627a7be8d9eb92bad10bde8d2423e7f4beb5665f83

SHA512
b64b71af7553ef7f7a81b4903ad3447246a1ef3af1c0db42dc3ba2914d0ea59c1d09aa38df858ee649d6440af67a20cb8de82b2e31a5f88ee3e7eb2ae3146b58

Download Submit
memory/3564-33-0x0000000000D30000-0x0000000000D60000-memory.dmp

Filesize
192KB

Download
memory/3564-39-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/3564-46-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/3564-34-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/3564-35-0x0000000002E40000-0x0000000002E46000-memory.dmp

Filesize
24KB

Download
memory/3564-36-0x0000000005CA0000-0x00000000062B8000-memory.dmp

Filesize
6.1MB

Download
memory/3564-37-0x0000000005790000-0x000000000589A000-memory.dmp

Filesize
1.0MB

Download
memory/3564-45-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/3564-38-0x00000000056C0000-0x00000000056D2000-memory.dmp

Filesize
72KB

Download
memory/3564-40-0x0000000005720000-0x000000000575C000-memory.dmp

Filesize
240KB

Download
memory/3564-41-0x00000000058A0000-0x00000000058EC000-memory.dmp

Filesize
304KB

Download
memory/5112-42-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/5112-44-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/5112-29-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/5112-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download