healer | 3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302

Analysis

max time kernel
128s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe
Size

1.2MB
MD5

20495df89962673387ca7b9925e4f434
SHA1

73970d9530574f3bd2912ab6dc797391c60d9cfc
SHA256

3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302
SHA512

cdef891691bf2d6ced9c74d662ce7f058548149f7ece07574a52b99421b98da40cd407fcacc9651acace8f4a31fd661bdc5b49e897478e36e27ccfd8b4a8d8e5
SSDEEP

24576:wZtQ76aJrc/lYW3RxIZ+MxbcGAVa0Ga7okOMhZ:wZtQeaJrZZ+MxbD+s4MMhZ

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4056-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
756	x9182313.exe
2332	x6526992.exe
3708	x0135441.exe
3768	g9661120.exe
4200	h5369637.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9182313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6526992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0135441.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4320 set thread context of 216	4320	3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe	90
PID 3768 set thread context of 4056	3768	g9661120.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4056	AppLaunch.exe
4056	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4056	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4320 wrote to memory of 216	4320	3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe	90
PID 4320 wrote to memory of 216	4320	3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe	90
PID 4320 wrote to memory of 216	4320	3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe	90
PID 4320 wrote to memory of 216	4320	3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe	90
PID 4320 wrote to memory of 216	4320	3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe	90
PID 4320 wrote to memory of 216	4320	3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe	90
PID 4320 wrote to memory of 216	4320	3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe	90
PID 4320 wrote to memory of 216	4320	3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe	90
PID 4320 wrote to memory of 216	4320	3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe	90
PID 4320 wrote to memory of 216	4320	3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe	90
PID 216 wrote to memory of 756	216	AppLaunch.exe	91
PID 216 wrote to memory of 756	216	AppLaunch.exe	91
PID 216 wrote to memory of 756	216	AppLaunch.exe	91
PID 756 wrote to memory of 2332	756	x9182313.exe	92
PID 756 wrote to memory of 2332	756	x9182313.exe	92
PID 756 wrote to memory of 2332	756	x9182313.exe	92
PID 2332 wrote to memory of 3708	2332	x6526992.exe	93
PID 2332 wrote to memory of 3708	2332	x6526992.exe	93
PID 2332 wrote to memory of 3708	2332	x6526992.exe	93
PID 3708 wrote to memory of 3768	3708	x0135441.exe	94
PID 3708 wrote to memory of 3768	3708	x0135441.exe	94
PID 3708 wrote to memory of 3768	3708	x0135441.exe	94
PID 3768 wrote to memory of 4948	3768	g9661120.exe	96
PID 3768 wrote to memory of 4948	3768	g9661120.exe	96
PID 3768 wrote to memory of 4948	3768	g9661120.exe	96
PID 3768 wrote to memory of 4056	3768	g9661120.exe	97
PID 3768 wrote to memory of 4056	3768	g9661120.exe	97
PID 3768 wrote to memory of 4056	3768	g9661120.exe	97
PID 3768 wrote to memory of 4056	3768	g9661120.exe	97
PID 3768 wrote to memory of 4056	3768	g9661120.exe	97
PID 3768 wrote to memory of 4056	3768	g9661120.exe	97
PID 3768 wrote to memory of 4056	3768	g9661120.exe	97
PID 3768 wrote to memory of 4056	3768	g9661120.exe	97
PID 3708 wrote to memory of 4200	3708	x0135441.exe	98
PID 3708 wrote to memory of 4200	3708	x0135441.exe	98
PID 3708 wrote to memory of 4200	3708	x0135441.exe	98

C:\Users\Admin\AppData\Local\Temp\3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3d4ad0f7c5b92d3dadbc2e789a414b4a074ef92a4fea40ae825e1a3123c24302_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:216
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9182313.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9182313.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6526992.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6526992.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0135441.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0135441.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3708
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9661120.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9661120.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4948
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5369637.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5369637.exe
        6⤵
        Executes dropped EXE
        
        PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9182313.exe

Filesize
749KB

MD5
8beefed927e2edf0069e2c8ce56440d2

SHA1
707157e93c9d0310bc3c3fea7c99b3d072b58114

SHA256
a1baa208dc89b9fbd1bfb19380c92f8e866d49858eb890308f101dc5bbbfd09f

SHA512
498c73993ac682a7990efb7dc02bb026d1d85fad9efc2dcc89f4fe9d0ceedd2caaa9b66f3a0a6c3b792090de6f4a79d45e5a71c1a68b6ffc2aa5c02915d75a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9182313.exe

Filesize
749KB

MD5
8beefed927e2edf0069e2c8ce56440d2

SHA1
707157e93c9d0310bc3c3fea7c99b3d072b58114

SHA256
a1baa208dc89b9fbd1bfb19380c92f8e866d49858eb890308f101dc5bbbfd09f

SHA512
498c73993ac682a7990efb7dc02bb026d1d85fad9efc2dcc89f4fe9d0ceedd2caaa9b66f3a0a6c3b792090de6f4a79d45e5a71c1a68b6ffc2aa5c02915d75a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6526992.exe

Filesize
483KB

MD5
724836836f4de883923290fbe55675c6

SHA1
d98e922a12ca284723b8d797be3477140e9aba67

SHA256
f0fa79e7a0b2b0d26131d58d906afabd073793b59f575cb1b4a9c4d9760b9346

SHA512
0750cb6a4f1378d49e546f8a33c82e1a897672a05f03dc40472671ea55923556126910a0f9554cc79d6756066393dacef7bbfb9479d88bceff6f638f1a141f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6526992.exe

Filesize
483KB

MD5
724836836f4de883923290fbe55675c6

SHA1
d98e922a12ca284723b8d797be3477140e9aba67

SHA256
f0fa79e7a0b2b0d26131d58d906afabd073793b59f575cb1b4a9c4d9760b9346

SHA512
0750cb6a4f1378d49e546f8a33c82e1a897672a05f03dc40472671ea55923556126910a0f9554cc79d6756066393dacef7bbfb9479d88bceff6f638f1a141f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0135441.exe

Filesize
317KB

MD5
69e6874662896642331eb66c1dd16c35

SHA1
54eb018ed50e358ca230aa2559b53e18b50ffbd5

SHA256
e37b26c0669f0735010624992b85e0976c7547890bb18ef71d491c05e8a5d978

SHA512
26ff82496750d17fbd81f25676bde843b7cd44c1aa32a86c717ab2c1129e4c27046d34c98e87dc521de00c3732ea958e5d7be06edf634231d0ca4be1638a9b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0135441.exe

Filesize
317KB

MD5
69e6874662896642331eb66c1dd16c35

SHA1
54eb018ed50e358ca230aa2559b53e18b50ffbd5

SHA256
e37b26c0669f0735010624992b85e0976c7547890bb18ef71d491c05e8a5d978

SHA512
26ff82496750d17fbd81f25676bde843b7cd44c1aa32a86c717ab2c1129e4c27046d34c98e87dc521de00c3732ea958e5d7be06edf634231d0ca4be1638a9b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9661120.exe

Filesize
230KB

MD5
85264644b778a0d9c27b771a5eb0a3d0

SHA1
1e2023b6b27b30250269313bfc2c8c099b46c563

SHA256
0a2aaf5fd990cd9ed4a990ae1841e82db5600a59dd981fc19474c9b5a2742357

SHA512
ed94575f3041dbcebec6ba944bfbf3c19483693eea64b2beed47dc810f3c41c6fcb79367cb85679179b10c6f01d606a88a746f5f486a32ad2db9818fa30a0608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9661120.exe

Filesize
230KB

MD5
85264644b778a0d9c27b771a5eb0a3d0

SHA1
1e2023b6b27b30250269313bfc2c8c099b46c563

SHA256
0a2aaf5fd990cd9ed4a990ae1841e82db5600a59dd981fc19474c9b5a2742357

SHA512
ed94575f3041dbcebec6ba944bfbf3c19483693eea64b2beed47dc810f3c41c6fcb79367cb85679179b10c6f01d606a88a746f5f486a32ad2db9818fa30a0608

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5369637.exe

Filesize
174KB

MD5
ba501349a2ebbe39703bb4b5be044f55

SHA1
cd564a661e9e815b448c8ec725cfb744fd09cb99

SHA256
5019558875416fab440d2300dd557c721924651ee9801bdc792998be04100013

SHA512
608d5b80722deaa1a64c749c35f7363494c9b298814ccfe0bc438bedb3cee78eb9caceb104a69bbf97f120d6c37cdca25a300ef50c559cd2998b5ec01b56422b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h5369637.exe

Filesize
174KB

MD5
ba501349a2ebbe39703bb4b5be044f55

SHA1
cd564a661e9e815b448c8ec725cfb744fd09cb99

SHA256
5019558875416fab440d2300dd557c721924651ee9801bdc792998be04100013

SHA512
608d5b80722deaa1a64c749c35f7363494c9b298814ccfe0bc438bedb3cee78eb9caceb104a69bbf97f120d6c37cdca25a300ef50c559cd2998b5ec01b56422b

Download Submit
memory/216-46-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/216-2-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/216-1-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/216-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/216-3-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/4056-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4056-50-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4056-38-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4056-47-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4200-36-0x0000000000950000-0x0000000000980000-memory.dmp

Filesize
192KB

Download
memory/4200-41-0x0000000005400000-0x000000000550A000-memory.dmp

Filesize
1.0MB

Download
memory/4200-43-0x00000000052F0000-0x0000000005302000-memory.dmp

Filesize
72KB

Download
memory/4200-42-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download
memory/4200-44-0x0000000005350000-0x000000000538C000-memory.dmp

Filesize
240KB

Download
memory/4200-45-0x0000000005390000-0x00000000053DC000-memory.dmp

Filesize
304KB

Download
memory/4200-40-0x0000000005910000-0x0000000005F28000-memory.dmp

Filesize
6.1MB

Download
memory/4200-39-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4200-49-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4200-37-0x0000000005170000-0x0000000005176000-memory.dmp

Filesize
24KB

Download
memory/4200-51-0x00000000051E0000-0x00000000051F0000-memory.dmp

Filesize
64KB

Download