healer | 70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c

Analysis

max time kernel
156s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe
Size

2.6MB
MD5

d5072e7a9c082a65e61e5f65b7b58f07
SHA1

eda7f387ea58329aa6ea7f88f044d84e53dd977f
SHA256

70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c
SHA512

a97a27fbe1cf1a7cd84caf79d91149fe690006fc359334cb81a774ddd6093a01384fb33892206451b67cbd759a1e725e599a5b95bc033b9644383b69a36f7a7a
SSDEEP

49152:699i4ytXZQmSxZjDhtrvdb0xs6MztweyRjNqSIXc612N:zirvdgq6Mhwe4DE8

Score

10^/10

healer redline buben dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1228-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3896	x2088299.exe
1880	x7525411.exe
3540	x7876835.exe
716	g6190733.exe
1280	h0563254.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2088299.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7525411.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7876835.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1248 set thread context of 1204	1248	70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe	85
PID 716 set thread context of 1228	716	g6190733.exe	94

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3456	1248	WerFault.exe	70
948	716	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1228	AppLaunch.exe
1228	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1204	1248	70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe	85
PID 1248 wrote to memory of 1204	1248	70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe	85
PID 1248 wrote to memory of 1204	1248	70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe	85
PID 1248 wrote to memory of 1204	1248	70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe	85
PID 1248 wrote to memory of 1204	1248	70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe	85
PID 1248 wrote to memory of 1204	1248	70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe	85
PID 1248 wrote to memory of 1204	1248	70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe	85
PID 1248 wrote to memory of 1204	1248	70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe	85
PID 1248 wrote to memory of 1204	1248	70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe	85
PID 1248 wrote to memory of 1204	1248	70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe	85
PID 1204 wrote to memory of 3896	1204	AppLaunch.exe	88
PID 1204 wrote to memory of 3896	1204	AppLaunch.exe	88
PID 1204 wrote to memory of 3896	1204	AppLaunch.exe	88
PID 3896 wrote to memory of 1880	3896	x2088299.exe	89
PID 3896 wrote to memory of 1880	3896	x2088299.exe	89
PID 3896 wrote to memory of 1880	3896	x2088299.exe	89
PID 1880 wrote to memory of 3540	1880	x7525411.exe	91
PID 1880 wrote to memory of 3540	1880	x7525411.exe	91
PID 1880 wrote to memory of 3540	1880	x7525411.exe	91
PID 3540 wrote to memory of 716	3540	x7876835.exe	92
PID 3540 wrote to memory of 716	3540	x7876835.exe	92
PID 3540 wrote to memory of 716	3540	x7876835.exe	92
PID 716 wrote to memory of 1228	716	g6190733.exe	94
PID 716 wrote to memory of 1228	716	g6190733.exe	94
PID 716 wrote to memory of 1228	716	g6190733.exe	94
PID 716 wrote to memory of 1228	716	g6190733.exe	94
PID 716 wrote to memory of 1228	716	g6190733.exe	94
PID 716 wrote to memory of 1228	716	g6190733.exe	94
PID 716 wrote to memory of 1228	716	g6190733.exe	94
PID 716 wrote to memory of 1228	716	g6190733.exe	94
PID 3540 wrote to memory of 1280	3540	x7876835.exe	99
PID 3540 wrote to memory of 1280	3540	x7876835.exe	99
PID 3540 wrote to memory of 1280	3540	x7876835.exe	99

C:\Users\Admin\AppData\Local\Temp\70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe
"C:\Users\Admin\AppData\Local\Temp\70129546c0dff665516c6ea710a069fa6702d173898900afaff969439c7a5e5c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2088299.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2088299.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3896
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7525411.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7525411.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7876835.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7876835.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3540
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6190733.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6190733.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 716 -s 152
        7⤵
        Program crash
        
        PID:948
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0563254.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0563254.exe
        6⤵
        Executes dropped EXE
        
        PID:1280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1248 -s 152
  2⤵
  - Program crash
  PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1248 -ip 1248
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 716 -ip 716
1⤵
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2088299.exe

Filesize
1.0MB

MD5
6cd7f65e44bace85a2f23ca7f1e7af33

SHA1
608f3f8a7f4a8acb6f6cc8b16ea7395a23319488

SHA256
11a1786eb9b48cacb706c5c756db0b59c1ddb5b6c43023caebc294890d941eb0

SHA512
8bfc927e40f69b3f287bfdfd33127cf8bfb2ae678793105cd73ffaf406b18dbeba6aa4877c08305fcbe104cb6cc6dbf4995b4b9292b48b67dda04f47002a83b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2088299.exe

Filesize
1.0MB

MD5
6cd7f65e44bace85a2f23ca7f1e7af33

SHA1
608f3f8a7f4a8acb6f6cc8b16ea7395a23319488

SHA256
11a1786eb9b48cacb706c5c756db0b59c1ddb5b6c43023caebc294890d941eb0

SHA512
8bfc927e40f69b3f287bfdfd33127cf8bfb2ae678793105cd73ffaf406b18dbeba6aa4877c08305fcbe104cb6cc6dbf4995b4b9292b48b67dda04f47002a83b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7525411.exe

Filesize
651KB

MD5
ef63677a5e5467031a655bc0ab5955c6

SHA1
3878fda58038c277985c019a01765f441f7a1058

SHA256
5c0d49bdeb415c5810a8e3aadf17d7b3a09ec56eb28015e2c12313c9b84c4624

SHA512
0c95dcb2ae5dcc80d7fb069cc81cd3ca761ca4a95110d7ccd929f24a3653a6cd5ceec161aa332a44df8b3c68b770ad46677cfe167f782ea29d3e7c7dccce42ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7525411.exe

Filesize
651KB

MD5
ef63677a5e5467031a655bc0ab5955c6

SHA1
3878fda58038c277985c019a01765f441f7a1058

SHA256
5c0d49bdeb415c5810a8e3aadf17d7b3a09ec56eb28015e2c12313c9b84c4624

SHA512
0c95dcb2ae5dcc80d7fb069cc81cd3ca761ca4a95110d7ccd929f24a3653a6cd5ceec161aa332a44df8b3c68b770ad46677cfe167f782ea29d3e7c7dccce42ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7876835.exe

Filesize
466KB

MD5
709d166fe8c0e5353cd56f7a9c82d438

SHA1
a55a45562bc0bad2638fa27a7a00bb7cde088dd2

SHA256
5d5f3164b918ddd51d2f18278f7914ce299202de0cdb3d3c711da654c568373c

SHA512
370c445959595ba648d830af726d029cd4d37da4d21466f5ab68debd09ee9c5ffbfe3410414b3b803bf7468c08c2e9d1c1350e535692a17a1ea995403d579e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7876835.exe

Filesize
466KB

MD5
709d166fe8c0e5353cd56f7a9c82d438

SHA1
a55a45562bc0bad2638fa27a7a00bb7cde088dd2

SHA256
5d5f3164b918ddd51d2f18278f7914ce299202de0cdb3d3c711da654c568373c

SHA512
370c445959595ba648d830af726d029cd4d37da4d21466f5ab68debd09ee9c5ffbfe3410414b3b803bf7468c08c2e9d1c1350e535692a17a1ea995403d579e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6190733.exe

Filesize
899KB

MD5
d4f1d1a28969edeb7b808d6226b323cb

SHA1
974646294b67d0226f7ba685b6a4276e565181ae

SHA256
6abf9747244a637a4c4fcb0eac0ff7fa87ea4c626394216c445d37a82491c420

SHA512
a542abf8d85696fca2f61cb175718987e43a7c252ac50d6350845ab7b2e7d55a90e84cb2ccde8b9f557fea2d26893a45ea736579edece4f1a92485bfadad329f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6190733.exe

Filesize
899KB

MD5
d4f1d1a28969edeb7b808d6226b323cb

SHA1
974646294b67d0226f7ba685b6a4276e565181ae

SHA256
6abf9747244a637a4c4fcb0eac0ff7fa87ea4c626394216c445d37a82491c420

SHA512
a542abf8d85696fca2f61cb175718987e43a7c252ac50d6350845ab7b2e7d55a90e84cb2ccde8b9f557fea2d26893a45ea736579edece4f1a92485bfadad329f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0563254.exe

Filesize
174KB

MD5
39fc0b24ff09499b06e6d7128ebc2da6

SHA1
200b1dd921c449127feddf0111be1184e868ecad

SHA256
945b4e40ac521efbabddeef97195d47988c8ce2bc656860a8071db251d40dcef

SHA512
9c96f4ad3b205d54d90e26696f83280d539aefd299195fd57bb09bd733502932d8cadd39afa98c074e55859fa07a59faffe30ece860710bb02160760918fc3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0563254.exe

Filesize
174KB

MD5
39fc0b24ff09499b06e6d7128ebc2da6

SHA1
200b1dd921c449127feddf0111be1184e868ecad

SHA256
945b4e40ac521efbabddeef97195d47988c8ce2bc656860a8071db251d40dcef

SHA512
9c96f4ad3b205d54d90e26696f83280d539aefd299195fd57bb09bd733502932d8cadd39afa98c074e55859fa07a59faffe30ece860710bb02160760918fc3fd

Download Submit
memory/1204-3-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1204-2-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1204-1-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1204-0-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1204-46-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/1228-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1228-33-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/1228-49-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/1228-47-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/1280-40-0x0000000005890000-0x0000000005EA8000-memory.dmp

Filesize
6.1MB

Download
memory/1280-41-0x0000000005380000-0x000000000548A000-memory.dmp

Filesize
1.0MB

Download
memory/1280-42-0x0000000005290000-0x00000000052A2000-memory.dmp

Filesize
72KB

Download
memory/1280-43-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/1280-44-0x00000000052F0000-0x000000000532C000-memory.dmp

Filesize
240KB

Download
memory/1280-45-0x0000000005330000-0x000000000537C000-memory.dmp

Filesize
304KB

Download
memory/1280-39-0x0000000002B50000-0x0000000002B56000-memory.dmp

Filesize
24KB

Download
memory/1280-38-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/1280-37-0x00000000007C0000-0x00000000007F0000-memory.dmp

Filesize
192KB

Download
memory/1280-50-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/1280-51-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download