healer | 4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe
Size

2.6MB
MD5

f361baba5e868ba8a847bc36fe791300
SHA1

f70029bd1bf0c44cb3018138d3bf1fa4914bb9ff
SHA256

4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892
SHA512

a815eba2e8d37bec6176079d0abc085f3104243bcc16009daff651d9559bf4ea6b2d6e142c62ef5040332a7b58271712963f4a144bb8c4a4725295d30dac7b0b
SSDEEP

49152:/99i4yt/SSaeh56Eyks8xXZgO6zIEcKc0INzJguMQ:ESGy2X+dG0IzN

Score

10^/10

healer redline vasha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vasha

77.91.124.82:19071

Attributes

auth_value
42fc61786274daca54d589b85a2c1954

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1764-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2332	x3631573.exe
3016	x6718904.exe
3916	x7151222.exe
1388	g5644395.exe
2692	h0027045.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7151222.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3631573.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6718904.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3780 set thread context of 4592	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	93
PID 1388 set thread context of 1764	1388	g5644395.exe	102

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4996	3780	WerFault.exe	80
1628	1388	WerFault.exe	100

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1764	AppLaunch.exe
1764	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 1700	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	92
PID 3780 wrote to memory of 1700	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	92
PID 3780 wrote to memory of 1700	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	92
PID 3780 wrote to memory of 4592	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	93
PID 3780 wrote to memory of 4592	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	93
PID 3780 wrote to memory of 4592	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	93
PID 3780 wrote to memory of 4592	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	93
PID 3780 wrote to memory of 4592	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	93
PID 3780 wrote to memory of 4592	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	93
PID 3780 wrote to memory of 4592	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	93
PID 3780 wrote to memory of 4592	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	93
PID 3780 wrote to memory of 4592	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	93
PID 3780 wrote to memory of 4592	3780	4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe	93
PID 4592 wrote to memory of 2332	4592	AppLaunch.exe	96
PID 4592 wrote to memory of 2332	4592	AppLaunch.exe	96
PID 4592 wrote to memory of 2332	4592	AppLaunch.exe	96
PID 2332 wrote to memory of 3016	2332	x3631573.exe	97
PID 2332 wrote to memory of 3016	2332	x3631573.exe	97
PID 2332 wrote to memory of 3016	2332	x3631573.exe	97
PID 3016 wrote to memory of 3916	3016	x6718904.exe	99
PID 3016 wrote to memory of 3916	3016	x6718904.exe	99
PID 3016 wrote to memory of 3916	3016	x6718904.exe	99
PID 3916 wrote to memory of 1388	3916	x7151222.exe	100
PID 3916 wrote to memory of 1388	3916	x7151222.exe	100
PID 3916 wrote to memory of 1388	3916	x7151222.exe	100
PID 1388 wrote to memory of 1764	1388	g5644395.exe	102
PID 1388 wrote to memory of 1764	1388	g5644395.exe	102
PID 1388 wrote to memory of 1764	1388	g5644395.exe	102
PID 1388 wrote to memory of 1764	1388	g5644395.exe	102
PID 1388 wrote to memory of 1764	1388	g5644395.exe	102
PID 1388 wrote to memory of 1764	1388	g5644395.exe	102
PID 1388 wrote to memory of 1764	1388	g5644395.exe	102
PID 1388 wrote to memory of 1764	1388	g5644395.exe	102
PID 3916 wrote to memory of 2692	3916	x7151222.exe	105
PID 3916 wrote to memory of 2692	3916	x7151222.exe	105
PID 3916 wrote to memory of 2692	3916	x7151222.exe	105

C:\Users\Admin\AppData\Local\Temp\4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe
"C:\Users\Admin\AppData\Local\Temp\4461598e10d14c054f4a34754be68c0156ed493a19e8657a5502862d87311892.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3631573.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3631573.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6718904.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6718904.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7151222.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7151222.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3916
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5644395.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5644395.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 580
        7⤵
        Program crash
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0027045.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0027045.exe
        6⤵
        Executes dropped EXE
        
        PID:2692
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3780 -s 304
  2⤵
  - Program crash
  PID:4996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3780 -ip 3780
1⤵
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1388 -ip 1388
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3631573.exe

Filesize
1.0MB

MD5
3e7fd80ad92eb5ae3e14bc1e618c586c

SHA1
1f4edf44a5ce0aa395e44943fdb0d16ab68b16cb

SHA256
91746b2104c21c40f5cfd31542bc5a06483ad287d6ee59ca4b7dac4655f87187

SHA512
f3db845bafaa68af6a21f784dffe629028147d0bee8be909cfbfcdea0992b5a4d3322611c32d33de95d818ed25dd4878ebab6078d6b49696ea29a45de3db61bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3631573.exe

Filesize
1.0MB

MD5
3e7fd80ad92eb5ae3e14bc1e618c586c

SHA1
1f4edf44a5ce0aa395e44943fdb0d16ab68b16cb

SHA256
91746b2104c21c40f5cfd31542bc5a06483ad287d6ee59ca4b7dac4655f87187

SHA512
f3db845bafaa68af6a21f784dffe629028147d0bee8be909cfbfcdea0992b5a4d3322611c32d33de95d818ed25dd4878ebab6078d6b49696ea29a45de3db61bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6718904.exe

Filesize
652KB

MD5
56c9ec3b1de6af7d2573bba530ffac4e

SHA1
12b331c30b7176d2dc53d3087c53186605cd8414

SHA256
7ccb06f9e707e7d8d7f2d0fd8a264315f8d7abd767e7ef2e7952614f7d00e1c2

SHA512
038a23799aca5f3f64c3b4425fd0a3889a4e9efeb8e63a505b7be65e4a0cfef94c100d4e3edcb25d373747451760ca4f13e13761de985c4bc03017f436c93761

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6718904.exe

Filesize
652KB

MD5
56c9ec3b1de6af7d2573bba530ffac4e

SHA1
12b331c30b7176d2dc53d3087c53186605cd8414

SHA256
7ccb06f9e707e7d8d7f2d0fd8a264315f8d7abd767e7ef2e7952614f7d00e1c2

SHA512
038a23799aca5f3f64c3b4425fd0a3889a4e9efeb8e63a505b7be65e4a0cfef94c100d4e3edcb25d373747451760ca4f13e13761de985c4bc03017f436c93761

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7151222.exe

Filesize
467KB

MD5
5d9e797701b8f9ddeee11da3179bbb36

SHA1
b648d73ac6b049e48b9bf49299e9df7a979ea62f

SHA256
4d9f37a9a8352145797879503af461c47ee984b29f1cb1fe4801becc2eda47f4

SHA512
81047f271707b80455181feb6add2078fe4d2512dc8cd9101425ff56a0433139b38f393582e9b8b30a7a9525d162bbd584de4d15eaa27c72342ece131365b1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7151222.exe

Filesize
467KB

MD5
5d9e797701b8f9ddeee11da3179bbb36

SHA1
b648d73ac6b049e48b9bf49299e9df7a979ea62f

SHA256
4d9f37a9a8352145797879503af461c47ee984b29f1cb1fe4801becc2eda47f4

SHA512
81047f271707b80455181feb6add2078fe4d2512dc8cd9101425ff56a0433139b38f393582e9b8b30a7a9525d162bbd584de4d15eaa27c72342ece131365b1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5644395.exe

Filesize
899KB

MD5
50ab764bb9f59c33b273a7a38fd37d41

SHA1
913dbca1f033f4de7df5262b906b4da812c99a89

SHA256
cafda554703c92522dc99350e34a8b7381777c6c8a5b83075ceea0020b273ec9

SHA512
ad5e2740b34b6e18cca0878226bd8584dd29a143672fb0dfba15fa0d1f1485f42b1b859836c6762cd33779d12a5f4ec7c30e5093eb0e950049c684e228bd5cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5644395.exe

Filesize
899KB

MD5
50ab764bb9f59c33b273a7a38fd37d41

SHA1
913dbca1f033f4de7df5262b906b4da812c99a89

SHA256
cafda554703c92522dc99350e34a8b7381777c6c8a5b83075ceea0020b273ec9

SHA512
ad5e2740b34b6e18cca0878226bd8584dd29a143672fb0dfba15fa0d1f1485f42b1b859836c6762cd33779d12a5f4ec7c30e5093eb0e950049c684e228bd5cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0027045.exe

Filesize
174KB

MD5
5ad72eb8dbfffbe2f9e35d054247a6a7

SHA1
564ef1e026c70b4591ee0ebc58f1c8432e7ce3aa

SHA256
0696d0e6fd6ce73964aebbae60418b6301cb1947235c1274df22cc768b866cae

SHA512
326c6b04d36fdbb70908409e40b3a25ec73493b835e4b7341027fdd0af0d0c2ca1fc8cf0db3ea362c98f04e4ad8f7f48a04d86cd0ca5568894eb1b39a5942c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0027045.exe

Filesize
174KB

MD5
5ad72eb8dbfffbe2f9e35d054247a6a7

SHA1
564ef1e026c70b4591ee0ebc58f1c8432e7ce3aa

SHA256
0696d0e6fd6ce73964aebbae60418b6301cb1947235c1274df22cc768b866cae

SHA512
326c6b04d36fdbb70908409e40b3a25ec73493b835e4b7341027fdd0af0d0c2ca1fc8cf0db3ea362c98f04e4ad8f7f48a04d86cd0ca5568894eb1b39a5942c4f

Download Submit
memory/1764-50-0x0000000073040000-0x00000000737F0000-memory.dmp

Filesize
7.7MB

Download
memory/1764-47-0x0000000073040000-0x00000000737F0000-memory.dmp

Filesize
7.7MB

Download
memory/1764-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1764-33-0x0000000073040000-0x00000000737F0000-memory.dmp

Filesize
7.7MB

Download
memory/2692-45-0x0000000004AC0000-0x0000000004B0C000-memory.dmp

Filesize
304KB

Download
memory/2692-43-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2692-37-0x0000000000060000-0x0000000000090000-memory.dmp

Filesize
192KB

Download
memory/2692-38-0x0000000073040000-0x00000000737F0000-memory.dmp

Filesize
7.7MB

Download
memory/2692-39-0x0000000002210000-0x0000000002216000-memory.dmp

Filesize
24KB

Download
memory/2692-40-0x00000000050A0000-0x00000000056B8000-memory.dmp

Filesize
6.1MB

Download
memory/2692-41-0x0000000004B90000-0x0000000004C9A000-memory.dmp

Filesize
1.0MB

Download
memory/2692-51-0x0000000004970000-0x0000000004980000-memory.dmp

Filesize
64KB

Download
memory/2692-42-0x00000000048E0000-0x00000000048F2000-memory.dmp

Filesize
72KB

Download
memory/2692-44-0x0000000004A80000-0x0000000004ABC000-memory.dmp

Filesize
240KB

Download
memory/2692-48-0x0000000073040000-0x00000000737F0000-memory.dmp

Filesize
7.7MB

Download
memory/4592-46-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4592-1-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4592-3-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4592-2-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4592-0-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download