healer | d489bb16bad16af7c57f9852a491fb82e94a9ab007fa85336ab33ca83773d893

Analysis

max time kernel
134s
max time network
146s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

x2882564.exe
Size

776KB
MD5

b486e1aa15200a93443df9fcb1098c5e
SHA1

ce2512432ef7f497863052da77f53cd1a827d86a
SHA256

d489bb16bad16af7c57f9852a491fb82e94a9ab007fa85336ab33ca83773d893
SHA512

423c73cf5f708e75faf6fdd406088ecb717639b503e02b9e0921274a8c1618fe3d228ef0b806e6a94c880eec3b75cc0f026304719ae11af7621ac6241b70d561
SSDEEP

12288:qMrsy90EAUxhFHh+ny7B298BEhaSLXvJAjnfYjnAKywqxrgKCb90vDM2VwOCvj:SyDDY/8SFzvJUfYj+rDCSvDM1Z

Score

10^/10

healer redline vasha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vasha

77.91.124.82:19071

Attributes

auth_value
42fc61786274daca54d589b85a2c1954

Signatures

Detects Healer an antivirus disabler dropper 5 IoCs

resource	yara_rule
behavioral1/memory/2688-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2688-36-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2688-38-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2688-40-0x0000000000400000-0x000000000040A000-memory.dmp	healer
behavioral1/memory/2688-42-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2184	x5610254.exe
2712	x8731362.exe
2640	g7935047.exe
2404	h3626941.exe

Loads dropped DLL 9 IoCs

pid	Process
2488	x2882564.exe
2184	x5610254.exe
2184	x5610254.exe
2712	x8731362.exe
2712	x8731362.exe
2712	x8731362.exe
2640	g7935047.exe
2712	x8731362.exe
2404	h3626941.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	x2882564.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5610254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8731362.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2640 set thread context of 2688	2640	g7935047.exe	32

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2688	AppLaunch.exe
2688	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	AppLaunch.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2184	2488	x2882564.exe	28
PID 2488 wrote to memory of 2184	2488	x2882564.exe	28
PID 2488 wrote to memory of 2184	2488	x2882564.exe	28
PID 2488 wrote to memory of 2184	2488	x2882564.exe	28
PID 2488 wrote to memory of 2184	2488	x2882564.exe	28
PID 2488 wrote to memory of 2184	2488	x2882564.exe	28
PID 2488 wrote to memory of 2184	2488	x2882564.exe	28
PID 2184 wrote to memory of 2712	2184	x5610254.exe	29
PID 2184 wrote to memory of 2712	2184	x5610254.exe	29
PID 2184 wrote to memory of 2712	2184	x5610254.exe	29
PID 2184 wrote to memory of 2712	2184	x5610254.exe	29
PID 2184 wrote to memory of 2712	2184	x5610254.exe	29
PID 2184 wrote to memory of 2712	2184	x5610254.exe	29
PID 2184 wrote to memory of 2712	2184	x5610254.exe	29
PID 2712 wrote to memory of 2640	2712	x8731362.exe	30
PID 2712 wrote to memory of 2640	2712	x8731362.exe	30
PID 2712 wrote to memory of 2640	2712	x8731362.exe	30
PID 2712 wrote to memory of 2640	2712	x8731362.exe	30
PID 2712 wrote to memory of 2640	2712	x8731362.exe	30
PID 2712 wrote to memory of 2640	2712	x8731362.exe	30
PID 2712 wrote to memory of 2640	2712	x8731362.exe	30
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2640 wrote to memory of 2688	2640	g7935047.exe	32
PID 2712 wrote to memory of 2404	2712	x8731362.exe	33
PID 2712 wrote to memory of 2404	2712	x8731362.exe	33
PID 2712 wrote to memory of 2404	2712	x8731362.exe	33
PID 2712 wrote to memory of 2404	2712	x8731362.exe	33
PID 2712 wrote to memory of 2404	2712	x8731362.exe	33
PID 2712 wrote to memory of 2404	2712	x8731362.exe	33
PID 2712 wrote to memory of 2404	2712	x8731362.exe	33

C:\Users\Admin\AppData\Local\Temp\x2882564.exe
"C:\Users\Admin\AppData\Local\Temp\x2882564.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5610254.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5610254.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8731362.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8731362.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7935047.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7935047.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3626941.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3626941.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5610254.exe

Filesize
506KB

MD5
6358555534d3ecf9384103b3f2228bb1

SHA1
2274736eb3b60d8eb594a42179213c8f67d158ff

SHA256
8ae95d092646486753b97dbdfc6acf17a3c9f6f18a79d58ae599a7925f964f69

SHA512
03dda4d938425bed1cb3b004fbfce2714e5b38ddc01aa54b9d543d4824ea44bbac69e12a0859a3bc7dc20d853ab0a7b6cbb7c22268b5e034d5182a8ca70519bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5610254.exe

Filesize
506KB

MD5
6358555534d3ecf9384103b3f2228bb1

SHA1
2274736eb3b60d8eb594a42179213c8f67d158ff

SHA256
8ae95d092646486753b97dbdfc6acf17a3c9f6f18a79d58ae599a7925f964f69

SHA512
03dda4d938425bed1cb3b004fbfce2714e5b38ddc01aa54b9d543d4824ea44bbac69e12a0859a3bc7dc20d853ab0a7b6cbb7c22268b5e034d5182a8ca70519bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8731362.exe

Filesize
320KB

MD5
faa8635b24a3c8c194ea66f37770732e

SHA1
7a45390809e3fb5a228396d3b5ff05b3a99bc9be

SHA256
0fdbc770ea66f062af959235a3a6559123d5408a322c111592ef584215ef81c4

SHA512
e269067cd43197b7d6c6901cb3ab55cec1a7e8aeb80f9a1b938bfcb3b4d0cb847a90766fc22ac393f7c035022911fe5ace8ce56c3268fdc3503f60b266789db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8731362.exe

Filesize
320KB

MD5
faa8635b24a3c8c194ea66f37770732e

SHA1
7a45390809e3fb5a228396d3b5ff05b3a99bc9be

SHA256
0fdbc770ea66f062af959235a3a6559123d5408a322c111592ef584215ef81c4

SHA512
e269067cd43197b7d6c6901cb3ab55cec1a7e8aeb80f9a1b938bfcb3b4d0cb847a90766fc22ac393f7c035022911fe5ace8ce56c3268fdc3503f60b266789db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7935047.exe

Filesize
236KB

MD5
ae3c2011e6b28a83ed5ec20506e2e3eb

SHA1
34bcdb009271f3301b37346648ade33ceecf9556

SHA256
797cfa22728210b5dfc1b746fda10be7684798629c168664d754440882c5dbcf

SHA512
8c8f8a783cd2fa9de0a23735c958dab8563b7f100e77c3e821287a7a07d05db398dd2a3a00b447c11b34d89b0c48ef497a869003582159e7e6c134bba6cd3138

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7935047.exe

Filesize
236KB

MD5
ae3c2011e6b28a83ed5ec20506e2e3eb

SHA1
34bcdb009271f3301b37346648ade33ceecf9556

SHA256
797cfa22728210b5dfc1b746fda10be7684798629c168664d754440882c5dbcf

SHA512
8c8f8a783cd2fa9de0a23735c958dab8563b7f100e77c3e821287a7a07d05db398dd2a3a00b447c11b34d89b0c48ef497a869003582159e7e6c134bba6cd3138

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7935047.exe

Filesize
236KB

MD5
ae3c2011e6b28a83ed5ec20506e2e3eb

SHA1
34bcdb009271f3301b37346648ade33ceecf9556

SHA256
797cfa22728210b5dfc1b746fda10be7684798629c168664d754440882c5dbcf

SHA512
8c8f8a783cd2fa9de0a23735c958dab8563b7f100e77c3e821287a7a07d05db398dd2a3a00b447c11b34d89b0c48ef497a869003582159e7e6c134bba6cd3138

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3626941.exe

Filesize
174KB

MD5
43acc3d174d9c2da4013def25ed93107

SHA1
c0e91ed2ab5c607fc0b22c8f4209db792c26fa5f

SHA256
745e358e9b0eefe2efe8d14cdbf17a194b81a80f929df4514cc3fed696d259ee

SHA512
6ddecd71a2e5f9d6670f297513fe3db5e2ed4e859857d8a25a42dbcfe03e6d5f70762af836061a0ebfdfc05be6ca102d6b9116fe6e627a989811da07c59b9614

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3626941.exe

Filesize
174KB

MD5
43acc3d174d9c2da4013def25ed93107

SHA1
c0e91ed2ab5c607fc0b22c8f4209db792c26fa5f

SHA256
745e358e9b0eefe2efe8d14cdbf17a194b81a80f929df4514cc3fed696d259ee

SHA512
6ddecd71a2e5f9d6670f297513fe3db5e2ed4e859857d8a25a42dbcfe03e6d5f70762af836061a0ebfdfc05be6ca102d6b9116fe6e627a989811da07c59b9614

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5610254.exe

Filesize
506KB

MD5
6358555534d3ecf9384103b3f2228bb1

SHA1
2274736eb3b60d8eb594a42179213c8f67d158ff

SHA256
8ae95d092646486753b97dbdfc6acf17a3c9f6f18a79d58ae599a7925f964f69

SHA512
03dda4d938425bed1cb3b004fbfce2714e5b38ddc01aa54b9d543d4824ea44bbac69e12a0859a3bc7dc20d853ab0a7b6cbb7c22268b5e034d5182a8ca70519bb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5610254.exe

Filesize
506KB

MD5
6358555534d3ecf9384103b3f2228bb1

SHA1
2274736eb3b60d8eb594a42179213c8f67d158ff

SHA256
8ae95d092646486753b97dbdfc6acf17a3c9f6f18a79d58ae599a7925f964f69

SHA512
03dda4d938425bed1cb3b004fbfce2714e5b38ddc01aa54b9d543d4824ea44bbac69e12a0859a3bc7dc20d853ab0a7b6cbb7c22268b5e034d5182a8ca70519bb

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8731362.exe

Filesize
320KB

MD5
faa8635b24a3c8c194ea66f37770732e

SHA1
7a45390809e3fb5a228396d3b5ff05b3a99bc9be

SHA256
0fdbc770ea66f062af959235a3a6559123d5408a322c111592ef584215ef81c4

SHA512
e269067cd43197b7d6c6901cb3ab55cec1a7e8aeb80f9a1b938bfcb3b4d0cb847a90766fc22ac393f7c035022911fe5ace8ce56c3268fdc3503f60b266789db3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8731362.exe

Filesize
320KB

MD5
faa8635b24a3c8c194ea66f37770732e

SHA1
7a45390809e3fb5a228396d3b5ff05b3a99bc9be

SHA256
0fdbc770ea66f062af959235a3a6559123d5408a322c111592ef584215ef81c4

SHA512
e269067cd43197b7d6c6901cb3ab55cec1a7e8aeb80f9a1b938bfcb3b4d0cb847a90766fc22ac393f7c035022911fe5ace8ce56c3268fdc3503f60b266789db3

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7935047.exe

Filesize
236KB

MD5
ae3c2011e6b28a83ed5ec20506e2e3eb

SHA1
34bcdb009271f3301b37346648ade33ceecf9556

SHA256
797cfa22728210b5dfc1b746fda10be7684798629c168664d754440882c5dbcf

SHA512
8c8f8a783cd2fa9de0a23735c958dab8563b7f100e77c3e821287a7a07d05db398dd2a3a00b447c11b34d89b0c48ef497a869003582159e7e6c134bba6cd3138

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7935047.exe

Filesize
236KB

MD5
ae3c2011e6b28a83ed5ec20506e2e3eb

SHA1
34bcdb009271f3301b37346648ade33ceecf9556

SHA256
797cfa22728210b5dfc1b746fda10be7684798629c168664d754440882c5dbcf

SHA512
8c8f8a783cd2fa9de0a23735c958dab8563b7f100e77c3e821287a7a07d05db398dd2a3a00b447c11b34d89b0c48ef497a869003582159e7e6c134bba6cd3138

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7935047.exe

Filesize
236KB

MD5
ae3c2011e6b28a83ed5ec20506e2e3eb

SHA1
34bcdb009271f3301b37346648ade33ceecf9556

SHA256
797cfa22728210b5dfc1b746fda10be7684798629c168664d754440882c5dbcf

SHA512
8c8f8a783cd2fa9de0a23735c958dab8563b7f100e77c3e821287a7a07d05db398dd2a3a00b447c11b34d89b0c48ef497a869003582159e7e6c134bba6cd3138

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3626941.exe

Filesize
174KB

MD5
43acc3d174d9c2da4013def25ed93107

SHA1
c0e91ed2ab5c607fc0b22c8f4209db792c26fa5f

SHA256
745e358e9b0eefe2efe8d14cdbf17a194b81a80f929df4514cc3fed696d259ee

SHA512
6ddecd71a2e5f9d6670f297513fe3db5e2ed4e859857d8a25a42dbcfe03e6d5f70762af836061a0ebfdfc05be6ca102d6b9116fe6e627a989811da07c59b9614

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\h3626941.exe

Filesize
174KB

MD5
43acc3d174d9c2da4013def25ed93107

SHA1
c0e91ed2ab5c607fc0b22c8f4209db792c26fa5f

SHA256
745e358e9b0eefe2efe8d14cdbf17a194b81a80f929df4514cc3fed696d259ee

SHA512
6ddecd71a2e5f9d6670f297513fe3db5e2ed4e859857d8a25a42dbcfe03e6d5f70762af836061a0ebfdfc05be6ca102d6b9116fe6e627a989811da07c59b9614

Download Submit
memory/2404-50-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/2404-49-0x0000000000F30000-0x0000000000F60000-memory.dmp

Filesize
192KB

Download
memory/2688-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2688-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2688-40-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2688-38-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2688-37-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2688-36-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2688-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2688-34-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download