healer | 95fb552e223bacb356225f06399cca3ddd1dcc3302de5f39d26a56665c656a75

Analysis

max time kernel
136s
max time network
150s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12-10-2023 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x3053086.exe
Size

492KB
MD5

fb222f908910b188d9e6f9c343280e34
SHA1

993ae7465553bfd4789b5144cc9f70928e0c299a
SHA256

95fb552e223bacb356225f06399cca3ddd1dcc3302de5f39d26a56665c656a75
SHA512

1ae6b2185526b0f7b244b945d254e41ae85f334b76e72d9160bd84c135eefc1ad01923425167c5d8449c8497850e0c67fb11595b89f0c1f5c870bd15d2fe182b
SSDEEP

12288:OMr0y906nDyHw8X76TTrq2YlyvlvLEXENqb4:yyGwyqrAlgjpq0

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

resource	yara_rule
behavioral1/memory/2916-29-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2916-27-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2916-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2916-34-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2916-36-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2828	x5182030.exe
2276	g6429604.exe
2900	h4643382.exe

Loads dropped DLL 7 IoCs

pid	Process
1936	x3053086.exe
2828	x5182030.exe
2828	x5182030.exe
2828	x5182030.exe
2276	g6429604.exe
2828	x5182030.exe
2900	h4643382.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x3053086.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5182030.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 2916	2276	g6429604.exe	30

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2916	AppLaunch.exe
2916	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2828	1936	x3053086.exe	28
PID 1936 wrote to memory of 2828	1936	x3053086.exe	28
PID 1936 wrote to memory of 2828	1936	x3053086.exe	28
PID 1936 wrote to memory of 2828	1936	x3053086.exe	28
PID 1936 wrote to memory of 2828	1936	x3053086.exe	28
PID 1936 wrote to memory of 2828	1936	x3053086.exe	28
PID 1936 wrote to memory of 2828	1936	x3053086.exe	28
PID 2828 wrote to memory of 2276	2828	x5182030.exe	29
PID 2828 wrote to memory of 2276	2828	x5182030.exe	29
PID 2828 wrote to memory of 2276	2828	x5182030.exe	29
PID 2828 wrote to memory of 2276	2828	x5182030.exe	29
PID 2828 wrote to memory of 2276	2828	x5182030.exe	29
PID 2828 wrote to memory of 2276	2828	x5182030.exe	29
PID 2828 wrote to memory of 2276	2828	x5182030.exe	29
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2276 wrote to memory of 2916	2276	g6429604.exe	30
PID 2828 wrote to memory of 2900	2828	x5182030.exe	31
PID 2828 wrote to memory of 2900	2828	x5182030.exe	31
PID 2828 wrote to memory of 2900	2828	x5182030.exe	31
PID 2828 wrote to memory of 2900	2828	x5182030.exe	31
PID 2828 wrote to memory of 2900	2828	x5182030.exe	31
PID 2828 wrote to memory of 2900	2828	x5182030.exe	31
PID 2828 wrote to memory of 2900	2828	x5182030.exe	31

C:\Users\Admin\AppData\Local\Temp\x3053086.exe
"C:\Users\Admin\AppData\Local\Temp\x3053086.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5182030.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5182030.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6429604.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6429604.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4643382.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4643382.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5182030.exe

Filesize
326KB

MD5
11924a7c6b34d401fce9a0289a495d90

SHA1
7e07aa42127ad4e83b4db9988d42f36229275c72

SHA256
b610208386aff19bb310792255e5022f47fc360015fde0da73df201153ae013d

SHA512
1d1501b04e60ac2e2ebd31a9ec8d62690f556ad4f7b1e3aa7ca822ac8137dc7ae04f8c06e404798973e487f17930fac08237e6329ae0d860a6d3d27218931fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5182030.exe

Filesize
326KB

MD5
11924a7c6b34d401fce9a0289a495d90

SHA1
7e07aa42127ad4e83b4db9988d42f36229275c72

SHA256
b610208386aff19bb310792255e5022f47fc360015fde0da73df201153ae013d

SHA512
1d1501b04e60ac2e2ebd31a9ec8d62690f556ad4f7b1e3aa7ca822ac8137dc7ae04f8c06e404798973e487f17930fac08237e6329ae0d860a6d3d27218931fb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6429604.exe

Filesize
242KB

MD5
8989f700c821326027fe2fe0f49e5377

SHA1
42caa5229b3098681604d0ef16959b4bf0bbb4c2

SHA256
f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

SHA512
2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6429604.exe

Filesize
242KB

MD5
8989f700c821326027fe2fe0f49e5377

SHA1
42caa5229b3098681604d0ef16959b4bf0bbb4c2

SHA256
f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

SHA512
2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6429604.exe

Filesize
242KB

MD5
8989f700c821326027fe2fe0f49e5377

SHA1
42caa5229b3098681604d0ef16959b4bf0bbb4c2

SHA256
f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

SHA512
2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4643382.exe

Filesize
174KB

MD5
1827ae586ad2402dc0adc144a7669594

SHA1
7c4c2a6be7c2cb469e0ca47d971957620938edea

SHA256
0429a60d41dd59931c21923cfaf7158b5678f26d4cd8b2832ba200487a17ab78

SHA512
0d20f12df977497f7959a22a5568bc5b681f2e7caad0c6014f19c5a70d49b1ee56e5bf548a3679ce51618d687c68975565ae13a2e1808ba64329d25d6a13f71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4643382.exe

Filesize
174KB

MD5
1827ae586ad2402dc0adc144a7669594

SHA1
7c4c2a6be7c2cb469e0ca47d971957620938edea

SHA256
0429a60d41dd59931c21923cfaf7158b5678f26d4cd8b2832ba200487a17ab78

SHA512
0d20f12df977497f7959a22a5568bc5b681f2e7caad0c6014f19c5a70d49b1ee56e5bf548a3679ce51618d687c68975565ae13a2e1808ba64329d25d6a13f71e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5182030.exe

Filesize
326KB

MD5
11924a7c6b34d401fce9a0289a495d90

SHA1
7e07aa42127ad4e83b4db9988d42f36229275c72

SHA256
b610208386aff19bb310792255e5022f47fc360015fde0da73df201153ae013d

SHA512
1d1501b04e60ac2e2ebd31a9ec8d62690f556ad4f7b1e3aa7ca822ac8137dc7ae04f8c06e404798973e487f17930fac08237e6329ae0d860a6d3d27218931fb1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5182030.exe

Filesize
326KB

MD5
11924a7c6b34d401fce9a0289a495d90

SHA1
7e07aa42127ad4e83b4db9988d42f36229275c72

SHA256
b610208386aff19bb310792255e5022f47fc360015fde0da73df201153ae013d

SHA512
1d1501b04e60ac2e2ebd31a9ec8d62690f556ad4f7b1e3aa7ca822ac8137dc7ae04f8c06e404798973e487f17930fac08237e6329ae0d860a6d3d27218931fb1

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6429604.exe

Filesize
242KB

MD5
8989f700c821326027fe2fe0f49e5377

SHA1
42caa5229b3098681604d0ef16959b4bf0bbb4c2

SHA256
f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

SHA512
2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6429604.exe

Filesize
242KB

MD5
8989f700c821326027fe2fe0f49e5377

SHA1
42caa5229b3098681604d0ef16959b4bf0bbb4c2

SHA256
f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

SHA512
2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6429604.exe

Filesize
242KB

MD5
8989f700c821326027fe2fe0f49e5377

SHA1
42caa5229b3098681604d0ef16959b4bf0bbb4c2

SHA256
f083e0adfc6196b5a9eff007132b1bbce34ff64ea672a9aebe64ed0bcf745421

SHA512
2405054d42419eacc4e4ee9630e80a146e3a359a22152ad7d49098aac72691b218db1c3085a3d4b5ac604ddc874bc8369719f8e0ad126f6b1c4abdcfcfb2e368

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4643382.exe

Filesize
174KB

MD5
1827ae586ad2402dc0adc144a7669594

SHA1
7c4c2a6be7c2cb469e0ca47d971957620938edea

SHA256
0429a60d41dd59931c21923cfaf7158b5678f26d4cd8b2832ba200487a17ab78

SHA512
0d20f12df977497f7959a22a5568bc5b681f2e7caad0c6014f19c5a70d49b1ee56e5bf548a3679ce51618d687c68975565ae13a2e1808ba64329d25d6a13f71e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\h4643382.exe

Filesize
174KB

MD5
1827ae586ad2402dc0adc144a7669594

SHA1
7c4c2a6be7c2cb469e0ca47d971957620938edea

SHA256
0429a60d41dd59931c21923cfaf7158b5678f26d4cd8b2832ba200487a17ab78

SHA512
0d20f12df977497f7959a22a5568bc5b681f2e7caad0c6014f19c5a70d49b1ee56e5bf548a3679ce51618d687c68975565ae13a2e1808ba64329d25d6a13f71e

Download Submit
memory/2900-43-0x0000000000E80000-0x0000000000EB0000-memory.dmp

Filesize
192KB

Download
memory/2900-44-0x00000000004F0000-0x00000000004F6000-memory.dmp

Filesize
24KB

Download
memory/2916-27-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2916-31-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2916-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2916-34-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2916-36-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2916-29-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2916-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2916-23-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download