healer | ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe
Size

1.3MB
MD5

a9f1f2c44972ae482bb3d8b296a3c426
SHA1

23e4f7afa469b6284dfdc4c80ace8c3d6cf4b8e7
SHA256

ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138
SHA512

4f279c1678cc557eeaf9a18a585634da099b07be734e6a6bf55adab8565cc45e90ff746b6b8042dbae713ceed0cc325406b59dfeaadd42695c0a31d1f991751e
SSDEEP

24576:PWVd5TFUxejZHQp2Ks/fArd61yaHITjl+5VoLXys:k5GxejZCA+jlwoLXys

Score

10^/10

healer redline vasha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vasha

77.91.124.82:19071

Attributes

auth_value
42fc61786274daca54d589b85a2c1954

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/2808-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4432	x7296182.exe
4740	x9595592.exe
4412	x7629890.exe
4852	g3929830.exe
2140	h4683754.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7296182.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9595592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x7629890.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 2428	3488	ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe	84
PID 4852 set thread context of 2808	4852	g3929830.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2808	AppLaunch.exe
2808	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 2428	3488	ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe	84
PID 3488 wrote to memory of 2428	3488	ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe	84
PID 3488 wrote to memory of 2428	3488	ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe	84
PID 3488 wrote to memory of 2428	3488	ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe	84
PID 3488 wrote to memory of 2428	3488	ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe	84
PID 3488 wrote to memory of 2428	3488	ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe	84
PID 3488 wrote to memory of 2428	3488	ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe	84
PID 3488 wrote to memory of 2428	3488	ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe	84
PID 3488 wrote to memory of 2428	3488	ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe	84
PID 3488 wrote to memory of 2428	3488	ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe	84
PID 2428 wrote to memory of 4432	2428	AppLaunch.exe	85
PID 2428 wrote to memory of 4432	2428	AppLaunch.exe	85
PID 2428 wrote to memory of 4432	2428	AppLaunch.exe	85
PID 4432 wrote to memory of 4740	4432	x7296182.exe	88
PID 4432 wrote to memory of 4740	4432	x7296182.exe	88
PID 4432 wrote to memory of 4740	4432	x7296182.exe	88
PID 4740 wrote to memory of 4412	4740	x9595592.exe	89
PID 4740 wrote to memory of 4412	4740	x9595592.exe	89
PID 4740 wrote to memory of 4412	4740	x9595592.exe	89
PID 4412 wrote to memory of 4852	4412	x7629890.exe	91
PID 4412 wrote to memory of 4852	4412	x7629890.exe	91
PID 4412 wrote to memory of 4852	4412	x7629890.exe	91
PID 4852 wrote to memory of 4696	4852	g3929830.exe	93
PID 4852 wrote to memory of 4696	4852	g3929830.exe	93
PID 4852 wrote to memory of 4696	4852	g3929830.exe	93
PID 4852 wrote to memory of 2808	4852	g3929830.exe	92
PID 4852 wrote to memory of 2808	4852	g3929830.exe	92
PID 4852 wrote to memory of 2808	4852	g3929830.exe	92
PID 4852 wrote to memory of 2808	4852	g3929830.exe	92
PID 4852 wrote to memory of 2808	4852	g3929830.exe	92
PID 4852 wrote to memory of 2808	4852	g3929830.exe	92
PID 4852 wrote to memory of 2808	4852	g3929830.exe	92
PID 4852 wrote to memory of 2808	4852	g3929830.exe	92
PID 4412 wrote to memory of 2140	4412	x7629890.exe	94
PID 4412 wrote to memory of 2140	4412	x7629890.exe	94
PID 4412 wrote to memory of 2140	4412	x7629890.exe	94

C:\Users\Admin\AppData\Local\Temp\ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe
"C:\Users\Admin\AppData\Local\Temp\ed6bd1c353ae6a01cdd355fddba5084804ac56f158eb67f3ab1f92092636e138.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7296182.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7296182.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9595592.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9595592.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7629890.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7629890.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4412
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3929830.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3929830.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4696
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4683754.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4683754.exe
        6⤵
        Executes dropped EXE
        
        PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7296182.exe

Filesize
777KB

MD5
c84ddcea94447b7055ba47c77e732502

SHA1
8eeb368b6815dc995ddad86be0d5d851e0b8f2df

SHA256
9013cb9daab7960ddc9ad765abd54df952ede48c8a8d0107925af9bbfb050ebd

SHA512
75214c1cc44295874335b1d7511f9742f9e0bb5b5e7a30c9378db3bffe0211411a1b659f72ecd79c042043c928300ea0bfdc4538c367c2d55eddb2d975cb933c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7296182.exe

Filesize
777KB

MD5
c84ddcea94447b7055ba47c77e732502

SHA1
8eeb368b6815dc995ddad86be0d5d851e0b8f2df

SHA256
9013cb9daab7960ddc9ad765abd54df952ede48c8a8d0107925af9bbfb050ebd

SHA512
75214c1cc44295874335b1d7511f9742f9e0bb5b5e7a30c9378db3bffe0211411a1b659f72ecd79c042043c928300ea0bfdc4538c367c2d55eddb2d975cb933c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9595592.exe

Filesize
506KB

MD5
1ee9477e08c0198b26015791bd40da65

SHA1
3eba01c5c633cf855972478158d05d5878897ec9

SHA256
02b529dc2e9da0f269f5df5a962279a3fe9c35c8a8c2796defc86f61c87a3d3d

SHA512
8add80295287c5972c98bdc4d571a8005e6d4b4a480565de75d1c017dff4e16b31b5f5d92167c7d69fc95080637a9d230cf930d715bdad57f9c7bb3b26e20e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9595592.exe

Filesize
506KB

MD5
1ee9477e08c0198b26015791bd40da65

SHA1
3eba01c5c633cf855972478158d05d5878897ec9

SHA256
02b529dc2e9da0f269f5df5a962279a3fe9c35c8a8c2796defc86f61c87a3d3d

SHA512
8add80295287c5972c98bdc4d571a8005e6d4b4a480565de75d1c017dff4e16b31b5f5d92167c7d69fc95080637a9d230cf930d715bdad57f9c7bb3b26e20e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7629890.exe

Filesize
321KB

MD5
7902fe140135a294025ef87eaad2a261

SHA1
ca971f0c80e816a99bb80c77f5d1eb407707d033

SHA256
8a58957ec3b4294517c7edc6302de26a4182e57f79bca056cf0f600f387f1c08

SHA512
139eb08c0f5e170f6c459f451afaf0b1b16748f5edd9c87a6db87881fda6c435d64d00384d66cf8634529fdd3d84bcd6dbe4d25e07f724a9a712355a3cb4d8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x7629890.exe

Filesize
321KB

MD5
7902fe140135a294025ef87eaad2a261

SHA1
ca971f0c80e816a99bb80c77f5d1eb407707d033

SHA256
8a58957ec3b4294517c7edc6302de26a4182e57f79bca056cf0f600f387f1c08

SHA512
139eb08c0f5e170f6c459f451afaf0b1b16748f5edd9c87a6db87881fda6c435d64d00384d66cf8634529fdd3d84bcd6dbe4d25e07f724a9a712355a3cb4d8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3929830.exe

Filesize
236KB

MD5
683c9ea455bd546678d0f9a1344ec224

SHA1
5ca2be076db6eb88bd5dcc6727a8946c75824cb6

SHA256
15323cbd8c2b02bef207401367590a14978445eaa7a96420d0b0945dced8ea42

SHA512
ca24c4ef61b89659d149538d15c6caa313dd0e1c5a6b64567c878e6d7fa31047557d4081d67f41bb98a83341c2b45957617a6c9e23633dc5c366e120cf166b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3929830.exe

Filesize
236KB

MD5
683c9ea455bd546678d0f9a1344ec224

SHA1
5ca2be076db6eb88bd5dcc6727a8946c75824cb6

SHA256
15323cbd8c2b02bef207401367590a14978445eaa7a96420d0b0945dced8ea42

SHA512
ca24c4ef61b89659d149538d15c6caa313dd0e1c5a6b64567c878e6d7fa31047557d4081d67f41bb98a83341c2b45957617a6c9e23633dc5c366e120cf166b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4683754.exe

Filesize
174KB

MD5
a7d9a52ebcba609a5ad0da249cdda912

SHA1
9cfd77f3bd59a139e28e9b4936eeb5391e5eb0dd

SHA256
897cc1a9089d28bf38a6ba568dd3687b2f4e9b03ac66f67bb383c124931fc901

SHA512
e4931628f15b6edfc767725948b2e13275211e26de7c540f15292710107c3423d6c4a4abe308ebc4719d9773e39261b84267dc22da78c33ad4d31647396eaf3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h4683754.exe

Filesize
174KB

MD5
a7d9a52ebcba609a5ad0da249cdda912

SHA1
9cfd77f3bd59a139e28e9b4936eeb5391e5eb0dd

SHA256
897cc1a9089d28bf38a6ba568dd3687b2f4e9b03ac66f67bb383c124931fc901

SHA512
e4931628f15b6edfc767725948b2e13275211e26de7c540f15292710107c3423d6c4a4abe308ebc4719d9773e39261b84267dc22da78c33ad4d31647396eaf3d

Download Submit
memory/2140-45-0x000000000A540000-0x000000000A57C000-memory.dmp

Filesize
240KB

Download
memory/2140-43-0x000000000A4E0000-0x000000000A4F2000-memory.dmp

Filesize
72KB

Download
memory/2140-39-0x0000000002980000-0x0000000002986000-memory.dmp

Filesize
24KB

Download
memory/2140-40-0x000000000AAB0000-0x000000000B0C8000-memory.dmp

Filesize
6.1MB

Download
memory/2140-47-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/2140-36-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/2140-46-0x000000000A6B0000-0x000000000A6FC000-memory.dmp

Filesize
304KB

Download
memory/2140-41-0x000000000A5A0000-0x000000000A6AA000-memory.dmp

Filesize
1.0MB

Download
memory/2140-51-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2140-44-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2140-38-0x0000000000730000-0x0000000000760000-memory.dmp

Filesize
192KB

Download
memory/2428-42-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2428-1-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2428-3-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2428-0-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2428-2-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2808-48-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/2808-37-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/2808-50-0x0000000073F80000-0x0000000074730000-memory.dmp

Filesize
7.7MB

Download
memory/2808-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download