healer | 6964da01f17bbcc1eaff0837ad9069b90faab5e93c2f153b3198a6345ffebded

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20-09-2023 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6964da01f17bbcc1eaff0837ad9069b90faab5e93c2f153b3198a6345ffebded.exe
Size

1.1MB
MD5

5cde6b3a28ba1fbfdeeb819f8b33d74a
SHA1

df20871dbfd0b9178a95c5180e10de75bf2707f1
SHA256

6964da01f17bbcc1eaff0837ad9069b90faab5e93c2f153b3198a6345ffebded
SHA512

25a941ed9b5f1914d522c05ed8e773457f6bb9f9b158e5400edf1d587b03a13d267b8a6a93cacca647f2d8d3960f0697c77aa9b515b84fd80596b174916ac5e3
SSDEEP

24576:9yu0lDShbpNEnYRK6FYCEr1sikLgYD6kqdxOvNMk:YuMDSQEzEO/ekqdxOlM

Score

10^/10

healer redline buben dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/4112-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4532	x1203676.exe
3812	x8394654.exe
5024	x4319022.exe
4144	g6441304.exe
3404	h3431870.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6964da01f17bbcc1eaff0837ad9069b90faab5e93c2f153b3198a6345ffebded.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1203676.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8394654.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4319022.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4144 set thread context of 4112	4144	g6441304.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2732	4144	WerFault.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4112	AppLaunch.exe
4112	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4112	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3668 wrote to memory of 4532	3668	6964da01f17bbcc1eaff0837ad9069b90faab5e93c2f153b3198a6345ffebded.exe	84
PID 3668 wrote to memory of 4532	3668	6964da01f17bbcc1eaff0837ad9069b90faab5e93c2f153b3198a6345ffebded.exe	84
PID 3668 wrote to memory of 4532	3668	6964da01f17bbcc1eaff0837ad9069b90faab5e93c2f153b3198a6345ffebded.exe	84
PID 4532 wrote to memory of 3812	4532	x1203676.exe	85
PID 4532 wrote to memory of 3812	4532	x1203676.exe	85
PID 4532 wrote to memory of 3812	4532	x1203676.exe	85
PID 3812 wrote to memory of 5024	3812	x8394654.exe	86
PID 3812 wrote to memory of 5024	3812	x8394654.exe	86
PID 3812 wrote to memory of 5024	3812	x8394654.exe	86
PID 5024 wrote to memory of 4144	5024	x4319022.exe	88
PID 5024 wrote to memory of 4144	5024	x4319022.exe	88
PID 5024 wrote to memory of 4144	5024	x4319022.exe	88
PID 4144 wrote to memory of 4112	4144	g6441304.exe	90
PID 4144 wrote to memory of 4112	4144	g6441304.exe	90
PID 4144 wrote to memory of 4112	4144	g6441304.exe	90
PID 4144 wrote to memory of 4112	4144	g6441304.exe	90
PID 4144 wrote to memory of 4112	4144	g6441304.exe	90
PID 4144 wrote to memory of 4112	4144	g6441304.exe	90
PID 4144 wrote to memory of 4112	4144	g6441304.exe	90
PID 4144 wrote to memory of 4112	4144	g6441304.exe	90
PID 5024 wrote to memory of 3404	5024	x4319022.exe	95
PID 5024 wrote to memory of 3404	5024	x4319022.exe	95
PID 5024 wrote to memory of 3404	5024	x4319022.exe	95

C:\Users\Admin\AppData\Local\Temp\6964da01f17bbcc1eaff0837ad9069b90faab5e93c2f153b3198a6345ffebded.exe
"C:\Users\Admin\AppData\Local\Temp\6964da01f17bbcc1eaff0837ad9069b90faab5e93c2f153b3198a6345ffebded.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1203676.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1203676.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8394654.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8394654.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3812
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4319022.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4319022.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5024
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6441304.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6441304.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4144
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 580
        6⤵
        Program crash
        
        PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3431870.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3431870.exe
        5⤵
        Executes dropped EXE
        
        PID:3404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4144 -ip 4144
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1203676.exe

Filesize
1021KB

MD5
3ab4021220e6c8cbf22030649badd2ed

SHA1
f6b8fbbe894cc839890bf3787d058b7853f1b724

SHA256
9b205009b8e503d8d30f570f2ecb87dda9f759677e61260d96e5a61077d4c4b2

SHA512
5942b383e397492eb8a6c59e8f9d400eb3da99894f6b01e97ac9d6650b6391066a7d288e26463f7bbfa7c41ff79e00f30adcc3f566168a3988327ffd02be1708

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1203676.exe

Filesize
1021KB

MD5
3ab4021220e6c8cbf22030649badd2ed

SHA1
f6b8fbbe894cc839890bf3787d058b7853f1b724

SHA256
9b205009b8e503d8d30f570f2ecb87dda9f759677e61260d96e5a61077d4c4b2

SHA512
5942b383e397492eb8a6c59e8f9d400eb3da99894f6b01e97ac9d6650b6391066a7d288e26463f7bbfa7c41ff79e00f30adcc3f566168a3988327ffd02be1708

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8394654.exe

Filesize
628KB

MD5
7dafcadb2a1c610e34402dac777a5ee2

SHA1
1b703ce96c1015ae3e21405b99920d4b1aaa50f2

SHA256
47efb194bef09757780e7fbfb0ad797901296da2c9fe6c1e3c762890062a33b5

SHA512
88f290eff7a1ca0cdf7751ca0c80be8646390aa0f2099588cb79dea727b323736ac1233511e945fef78a282ac50dd88a4e5f6b9b6d19c422c2b236c9aa4fa29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8394654.exe

Filesize
628KB

MD5
7dafcadb2a1c610e34402dac777a5ee2

SHA1
1b703ce96c1015ae3e21405b99920d4b1aaa50f2

SHA256
47efb194bef09757780e7fbfb0ad797901296da2c9fe6c1e3c762890062a33b5

SHA512
88f290eff7a1ca0cdf7751ca0c80be8646390aa0f2099588cb79dea727b323736ac1233511e945fef78a282ac50dd88a4e5f6b9b6d19c422c2b236c9aa4fa29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4319022.exe

Filesize
443KB

MD5
856f8f1667c4b3f1853656c3e3788489

SHA1
5777eca46aca2748413dc0929dcd5cb44b4b4264

SHA256
35b6c0e711fd00e193641ed0ee232014ce3f2da1b37efa0473c38d94f3b71f3e

SHA512
a5eca361cc041aae5eed8472a65db1ccfbbd40d89b82e1291430af25a415604e33cad4a958b25c4372e2611f5292b6161607d15b4c81133cab261115cd366fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4319022.exe

Filesize
443KB

MD5
856f8f1667c4b3f1853656c3e3788489

SHA1
5777eca46aca2748413dc0929dcd5cb44b4b4264

SHA256
35b6c0e711fd00e193641ed0ee232014ce3f2da1b37efa0473c38d94f3b71f3e

SHA512
a5eca361cc041aae5eed8472a65db1ccfbbd40d89b82e1291430af25a415604e33cad4a958b25c4372e2611f5292b6161607d15b4c81133cab261115cd366fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6441304.exe

Filesize
861KB

MD5
712a7f596294bd279756ec6565037819

SHA1
36afdabd371b87c66b207b9aabb0889b4a078983

SHA256
24618ae9a4fb1b93a0fd80f34bb4d7635648f5f977fb6bb635ab7ad0c8de25b4

SHA512
994d63c6d1a98b97aeb90f61a3d37366492178998b1d9b849c9c4b5433e3e5dc94133a130e1463d6943b6a929656f6217adca2a9cfd4289db883300dd69fb15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6441304.exe

Filesize
861KB

MD5
712a7f596294bd279756ec6565037819

SHA1
36afdabd371b87c66b207b9aabb0889b4a078983

SHA256
24618ae9a4fb1b93a0fd80f34bb4d7635648f5f977fb6bb635ab7ad0c8de25b4

SHA512
994d63c6d1a98b97aeb90f61a3d37366492178998b1d9b849c9c4b5433e3e5dc94133a130e1463d6943b6a929656f6217adca2a9cfd4289db883300dd69fb15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3431870.exe

Filesize
174KB

MD5
b96715582f8b5f9b836a9d701f1e90c8

SHA1
4f1e45f984e9fb2f732d34f28295d5f249be7102

SHA256
869e21cbe6e1ad1ec9201f1ef82f7c39dedf260dea41ecfb1d4040758ea5e3cc

SHA512
f14a2fe5d3c77332171426aaaba8d365b69f5c4979b8370f26de7819a9c4d1151a11ebafcb1ab100483e56804274ae671132824cabf22d12e331fca9286375e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3431870.exe

Filesize
174KB

MD5
b96715582f8b5f9b836a9d701f1e90c8

SHA1
4f1e45f984e9fb2f732d34f28295d5f249be7102

SHA256
869e21cbe6e1ad1ec9201f1ef82f7c39dedf260dea41ecfb1d4040758ea5e3cc

SHA512
f14a2fe5d3c77332171426aaaba8d365b69f5c4979b8370f26de7819a9c4d1151a11ebafcb1ab100483e56804274ae671132824cabf22d12e331fca9286375e7

Download Submit
memory/3404-33-0x0000000000DB0000-0x0000000000DE0000-memory.dmp

Filesize
192KB

Download
memory/3404-38-0x0000000005880000-0x0000000005892000-memory.dmp

Filesize
72KB

Download
memory/3404-46-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/3404-34-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3404-35-0x0000000002F50000-0x0000000002F56000-memory.dmp

Filesize
24KB

Download
memory/3404-36-0x0000000005E20000-0x0000000006438000-memory.dmp

Filesize
6.1MB

Download
memory/3404-37-0x0000000005940000-0x0000000005A4A000-memory.dmp

Filesize
1.0MB

Download
memory/3404-45-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/3404-39-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/3404-40-0x00000000058E0000-0x000000000591C000-memory.dmp

Filesize
240KB

Download
memory/3404-41-0x0000000005A50000-0x0000000005A9C000-memory.dmp

Filesize
304KB

Download
memory/4112-42-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4112-44-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4112-29-0x0000000074840000-0x0000000074FF0000-memory.dmp

Filesize
7.7MB

Download
memory/4112-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download