healer | 0d38abfe984169678896e8bb7d6acb76520f9a192c13c35d628aed308e80edaa

Analysis

max time kernel
143s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 11:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d38abfe984169678896e8bb7d6acb76520f9a192c13c35d628aed308e80edaa.exe
Size

1.1MB
MD5

5c116774214fee0cbeb74166443f6aa0
SHA1

1c45fd2c507f3a8b529ecdc16179265512a053b7
SHA256

0d38abfe984169678896e8bb7d6acb76520f9a192c13c35d628aed308e80edaa
SHA512

707c38965b7f15cf795d2fa9ba22934a9e5ae73ca536d0a1c0ef491915efb60f89a86c4f29a015d393714165994ff935b674eac77541594128bf18c8e8aa1176
SSDEEP

24576:cyFw0eHM4WfRa5xtOpGlFND2XryzQSgugHyy3WT99:LFw3HjIa5eolXD2WsSRgH

Score

10^/10

healer redline buben dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/572-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
220	x0921769.exe
116	x1372855.exe
2536	x2389860.exe
2852	g2357082.exe
2772	h3541677.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0d38abfe984169678896e8bb7d6acb76520f9a192c13c35d628aed308e80edaa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0921769.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1372855.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2389860.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 572	2852	g2357082.exe	88

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1540	2852	WerFault.exe	85

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
572	AppLaunch.exe
572	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	572	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 220	4484	0d38abfe984169678896e8bb7d6acb76520f9a192c13c35d628aed308e80edaa.exe	82
PID 4484 wrote to memory of 220	4484	0d38abfe984169678896e8bb7d6acb76520f9a192c13c35d628aed308e80edaa.exe	82
PID 4484 wrote to memory of 220	4484	0d38abfe984169678896e8bb7d6acb76520f9a192c13c35d628aed308e80edaa.exe	82
PID 220 wrote to memory of 116	220	x0921769.exe	83
PID 220 wrote to memory of 116	220	x0921769.exe	83
PID 220 wrote to memory of 116	220	x0921769.exe	83
PID 116 wrote to memory of 2536	116	x1372855.exe	84
PID 116 wrote to memory of 2536	116	x1372855.exe	84
PID 116 wrote to memory of 2536	116	x1372855.exe	84
PID 2536 wrote to memory of 2852	2536	x2389860.exe	85
PID 2536 wrote to memory of 2852	2536	x2389860.exe	85
PID 2536 wrote to memory of 2852	2536	x2389860.exe	85
PID 2852 wrote to memory of 572	2852	g2357082.exe	88
PID 2852 wrote to memory of 572	2852	g2357082.exe	88
PID 2852 wrote to memory of 572	2852	g2357082.exe	88
PID 2852 wrote to memory of 572	2852	g2357082.exe	88
PID 2852 wrote to memory of 572	2852	g2357082.exe	88
PID 2852 wrote to memory of 572	2852	g2357082.exe	88
PID 2852 wrote to memory of 572	2852	g2357082.exe	88
PID 2852 wrote to memory of 572	2852	g2357082.exe	88
PID 2536 wrote to memory of 2772	2536	x2389860.exe	92
PID 2536 wrote to memory of 2772	2536	x2389860.exe	92
PID 2536 wrote to memory of 2772	2536	x2389860.exe	92

C:\Users\Admin\AppData\Local\Temp\0d38abfe984169678896e8bb7d6acb76520f9a192c13c35d628aed308e80edaa.exe
"C:\Users\Admin\AppData\Local\Temp\0d38abfe984169678896e8bb7d6acb76520f9a192c13c35d628aed308e80edaa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0921769.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0921769.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1372855.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1372855.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2389860.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2389860.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2357082.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2357082.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2852 -s 152
        6⤵
        Program crash
        
        PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3541677.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3541677.exe
        5⤵
        Executes dropped EXE
        
        PID:2772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2852 -ip 2852
1⤵
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0921769.exe

Filesize
1.0MB

MD5
7f7496c1d9f20ea5e178435793d36f45

SHA1
c9aa33954e55f7d1cb127cc0934550b4664a4c35

SHA256
16b1322ea6156c88649fa1965515e2247829085323d59e1e993d95507c3455ef

SHA512
bb3091de22244bbcd437bb4d05a1089cbb46d6b84c5abbbb9947cb31f9944438ea92aea5cbf9838c311d24e6ab3b1c477fd783dddcff35230bc2eee6d40e473f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0921769.exe

Filesize
1.0MB

MD5
7f7496c1d9f20ea5e178435793d36f45

SHA1
c9aa33954e55f7d1cb127cc0934550b4664a4c35

SHA256
16b1322ea6156c88649fa1965515e2247829085323d59e1e993d95507c3455ef

SHA512
bb3091de22244bbcd437bb4d05a1089cbb46d6b84c5abbbb9947cb31f9944438ea92aea5cbf9838c311d24e6ab3b1c477fd783dddcff35230bc2eee6d40e473f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1372855.exe

Filesize
652KB

MD5
64aa1c5b71352841a02edd6cc8c2b7f2

SHA1
17566315bd53880de53fc6fc3cfd753dbcd8a139

SHA256
f752fbf36143fe48a1069f9feaa7cbf58539e4a8d66d436677b6f87c8afd5b2b

SHA512
5967ec488ac34c0aeef26c13f6ebd5104b76ef3500a55814d6ccf9dadc749ad32d62bccc3860c50f2b4b9af9753e3f26fd7488068d68c3e3c4dc9bffa8f00e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1372855.exe

Filesize
652KB

MD5
64aa1c5b71352841a02edd6cc8c2b7f2

SHA1
17566315bd53880de53fc6fc3cfd753dbcd8a139

SHA256
f752fbf36143fe48a1069f9feaa7cbf58539e4a8d66d436677b6f87c8afd5b2b

SHA512
5967ec488ac34c0aeef26c13f6ebd5104b76ef3500a55814d6ccf9dadc749ad32d62bccc3860c50f2b4b9af9753e3f26fd7488068d68c3e3c4dc9bffa8f00e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2389860.exe

Filesize
466KB

MD5
ed52a4d38d95ca34e85c6d613cb0bc48

SHA1
294c142198802b728f283d4c9159ae5d75e56bfc

SHA256
ab7e79251d896ade55793c9fbf3f45673bd94a7d798e092a709208f4657db282

SHA512
966f09f64ab48b60021dc62159883f7acc10872276743a875ed151f2c9ff3a5f518ec56d78be889a9d3b16cfea1c82394d7f29d9460154120f665ee448a49171

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2389860.exe

Filesize
466KB

MD5
ed52a4d38d95ca34e85c6d613cb0bc48

SHA1
294c142198802b728f283d4c9159ae5d75e56bfc

SHA256
ab7e79251d896ade55793c9fbf3f45673bd94a7d798e092a709208f4657db282

SHA512
966f09f64ab48b60021dc62159883f7acc10872276743a875ed151f2c9ff3a5f518ec56d78be889a9d3b16cfea1c82394d7f29d9460154120f665ee448a49171

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2357082.exe

Filesize
899KB

MD5
0cf2c4d40e24e40ea1191e2e9e8175d6

SHA1
d45e9bd05b245c9f8152f92adaed593247dac6d3

SHA256
ffb5994ddbabbae91efca92051fed4296921df5fa75b90c1acf175e8c04926bb

SHA512
d45826fe1ea25bcd791621117b1314452ef1f67760f0e444a5c4c2fe5aba5160632794713d08797ed27e682134b7eb85af4298189e87b3a4ff8484c66363633e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2357082.exe

Filesize
899KB

MD5
0cf2c4d40e24e40ea1191e2e9e8175d6

SHA1
d45e9bd05b245c9f8152f92adaed593247dac6d3

SHA256
ffb5994ddbabbae91efca92051fed4296921df5fa75b90c1acf175e8c04926bb

SHA512
d45826fe1ea25bcd791621117b1314452ef1f67760f0e444a5c4c2fe5aba5160632794713d08797ed27e682134b7eb85af4298189e87b3a4ff8484c66363633e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3541677.exe

Filesize
174KB

MD5
56ef211490da8e645b02b618b202a7b3

SHA1
e30c28ba57e3cd227b8c3fec96a74438c7c7461b

SHA256
c59a3b3aa6d1f84fb7ef44ff1ff70b11d1af0352b35c4948df071d58bc43bc54

SHA512
8352f5ac9361a152985ba86f54874c10fb1018d4eb11330261c743035aae213c9382eac67b149031ba27119caa49fcf667030457a639b1f5e85bb77090ce3319

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3541677.exe

Filesize
174KB

MD5
56ef211490da8e645b02b618b202a7b3

SHA1
e30c28ba57e3cd227b8c3fec96a74438c7c7461b

SHA256
c59a3b3aa6d1f84fb7ef44ff1ff70b11d1af0352b35c4948df071d58bc43bc54

SHA512
8352f5ac9361a152985ba86f54874c10fb1018d4eb11330261c743035aae213c9382eac67b149031ba27119caa49fcf667030457a639b1f5e85bb77090ce3319

Download Submit
memory/572-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/572-29-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/572-42-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/572-44-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-33-0x0000000000AF0000-0x0000000000B20000-memory.dmp

Filesize
192KB

Download
memory/2772-36-0x0000000005A20000-0x0000000006038000-memory.dmp

Filesize
6.1MB

Download
memory/2772-37-0x0000000005540000-0x000000000564A000-memory.dmp

Filesize
1.0MB

Download
memory/2772-38-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/2772-39-0x0000000005480000-0x0000000005492000-memory.dmp

Filesize
72KB

Download
memory/2772-40-0x00000000054E0000-0x000000000551C000-memory.dmp

Filesize
240KB

Download
memory/2772-41-0x0000000005650000-0x000000000569C000-memory.dmp

Filesize
304KB

Download
memory/2772-35-0x0000000002D60000-0x0000000002D66000-memory.dmp

Filesize
24KB

Download
memory/2772-34-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-45-0x0000000074630000-0x0000000074DE0000-memory.dmp

Filesize
7.7MB

Download
memory/2772-46-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download