healer | 97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7

General

Target

97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe
Size

999KB
MD5

ec2c8ebaf5d16e2de6de1f81620295f3
SHA1

7dadf5eb689a7f5a83eb799086c17d7014d2b405
SHA256

97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7
SHA512

799e9bc85421721b1f3b059eb84292d48d2ccce4e5b6ef0cca38ca40e3b222599528b71785733ed9471fb74be63b166e8518250a53e94287ff9e2606652861f3
SSDEEP

24576:r09xfRgjT5p2dgMbLY1mZFNp/rOMdYV1ULYa9HZUQ:r09s5ygCkAHNpDmV1ULYalZUQ

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

C2

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3140-26-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 4 IoCs

Processes:

x3425732.exex7205861.exeg3369620.exeh4961445.exe

pid process

3128 x3425732.exe
2980 x7205861.exe
3644 g3369620.exe
1936 h4961445.exe

pid	process
3128	x3425732.exe
2980	x7205861.exe
3644	g3369620.exe
1936	h4961445.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AppLaunch.exex3425732.exex7205861.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3425732.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7205861.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exeg3369620.exe

description	pid	process	target process
PID 4460 set thread context of 3804	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 3644 set thread context of 3140	3644	g3369620.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

3140 AppLaunch.exe
3140 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 3140 AppLaunch.exe

pid	process
3140	AppLaunch.exe
3140	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3140	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exeAppLaunch.exex3425732.exex7205861.exeg3369620.exe

description	pid	process	target process
PID 4460 wrote to memory of 1828	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 1828	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 1828	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 3804	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 3804	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 3804	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 3804	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 3804	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 3804	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 3804	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 3804	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 3804	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 4460 wrote to memory of 3804	4460	97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe	AppLaunch.exe
PID 3804 wrote to memory of 3128	3804	AppLaunch.exe	x3425732.exe
PID 3804 wrote to memory of 3128	3804	AppLaunch.exe	x3425732.exe
PID 3804 wrote to memory of 3128	3804	AppLaunch.exe	x3425732.exe
PID 3128 wrote to memory of 2980	3128	x3425732.exe	x7205861.exe
PID 3128 wrote to memory of 2980	3128	x3425732.exe	x7205861.exe
PID 3128 wrote to memory of 2980	3128	x3425732.exe	x7205861.exe
PID 2980 wrote to memory of 3644	2980	x7205861.exe	g3369620.exe
PID 2980 wrote to memory of 3644	2980	x7205861.exe	g3369620.exe
PID 2980 wrote to memory of 3644	2980	x7205861.exe	g3369620.exe
PID 3644 wrote to memory of 3140	3644	g3369620.exe	AppLaunch.exe
PID 3644 wrote to memory of 3140	3644	g3369620.exe	AppLaunch.exe
PID 3644 wrote to memory of 3140	3644	g3369620.exe	AppLaunch.exe
PID 3644 wrote to memory of 3140	3644	g3369620.exe	AppLaunch.exe
PID 3644 wrote to memory of 3140	3644	g3369620.exe	AppLaunch.exe
PID 3644 wrote to memory of 3140	3644	g3369620.exe	AppLaunch.exe
PID 3644 wrote to memory of 3140	3644	g3369620.exe	AppLaunch.exe
PID 3644 wrote to memory of 3140	3644	g3369620.exe	AppLaunch.exe
PID 2980 wrote to memory of 1936	2980	x7205861.exe	h4961445.exe
PID 2980 wrote to memory of 1936	2980	x7205861.exe	h4961445.exe
PID 2980 wrote to memory of 1936	2980	x7205861.exe	h4961445.exe

C:\Users\Admin\AppData\Local\Temp\97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe
"C:\Users\Admin\AppData\Local\Temp\97ace22840143725b9f147027ad547cbbabc53892754597b4ec4071043a165b7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3804

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3425732.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3425732.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7205861.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7205861.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2980

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3369620.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3369620.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4961445.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4961445.exe
5⤵
- Executes dropped EXE
PID:1936

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

Disable or Modify Tools

1

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3425732.exe
Filesize
492KB

MD5
5a62b85447376a32410b17e3310ea728

SHA1
db0acccfdadae54e5e3ce1a728ed50a11471446d

SHA256
ee8af5770f1b60778cf97708a6900689f2e1834beb4a44770dfae12ae68705cd

SHA512
1435492ea70656ecd9d9d972fd8a0123b5d9abaae3182c5b6d1522d567d968efe8f0907f0e4d416b5aae45b7885434a0e3794506ce0cef838682d0e21cba6344

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3425732.exe
Filesize
492KB

MD5
5a62b85447376a32410b17e3310ea728

SHA1
db0acccfdadae54e5e3ce1a728ed50a11471446d

SHA256
ee8af5770f1b60778cf97708a6900689f2e1834beb4a44770dfae12ae68705cd

SHA512
1435492ea70656ecd9d9d972fd8a0123b5d9abaae3182c5b6d1522d567d968efe8f0907f0e4d416b5aae45b7885434a0e3794506ce0cef838682d0e21cba6344

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7205861.exe
Filesize
326KB

MD5
25b0b2c66ad1456bd115e7e9cf73e3d5

SHA1
1ad8f3d22e65f3cc118af4a3d8004c4a09c627d7

SHA256
ef158dfaf419ec52c614dcf101291bdf4a29d793740c866f23a7e7c6613a7fc2

SHA512
ae09eca3ac0eeb2d49c9fe8d5b2488997239fa0aa5290f2d6f89b11c00aa54d95a413095f5cb8cb826a3218c808381b35a0a51760ed5c0aca3bbdaca4a918cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7205861.exe
Filesize
326KB

MD5
25b0b2c66ad1456bd115e7e9cf73e3d5

SHA1
1ad8f3d22e65f3cc118af4a3d8004c4a09c627d7

SHA256
ef158dfaf419ec52c614dcf101291bdf4a29d793740c866f23a7e7c6613a7fc2

SHA512
ae09eca3ac0eeb2d49c9fe8d5b2488997239fa0aa5290f2d6f89b11c00aa54d95a413095f5cb8cb826a3218c808381b35a0a51760ed5c0aca3bbdaca4a918cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3369620.exe
Filesize
242KB

MD5
8b3120033ff4114bf024ff5a349f64cc

SHA1
36cfc6b1d98cd4da502f87cc1599cbbd4a7939a1

SHA256
4d60d5cfa66eb051cb5e30d1db495d51c32965a7211b69499e9968ee37df767a

SHA512
a718f1308ecbfe3c2038b6326279fffb082ed201c7ccccde5d96983ff0c51475e6c43610ef02e5073ac8a66d1428bf8d5bf99cd1a57b5d69b42c0b0c52a11da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g3369620.exe
Filesize
242KB

MD5
8b3120033ff4114bf024ff5a349f64cc

SHA1
36cfc6b1d98cd4da502f87cc1599cbbd4a7939a1

SHA256
4d60d5cfa66eb051cb5e30d1db495d51c32965a7211b69499e9968ee37df767a

SHA512
a718f1308ecbfe3c2038b6326279fffb082ed201c7ccccde5d96983ff0c51475e6c43610ef02e5073ac8a66d1428bf8d5bf99cd1a57b5d69b42c0b0c52a11da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4961445.exe
Filesize
174KB

MD5
cc1795806afc9010cf6150d795524a95

SHA1
63f3d26d6fd3b41c59a89387eb11861991ae0249

SHA256
d8d0ecd2967092e002cbf9b78154df6635162a054199a2d5aa71a4ef9ea93e3d

SHA512
cf8cb46283a8cef5839fd0584b7404723389026e94cfd2f504168d166d488d4f02fbec66fded57d46ee8d4bcefb1782fec590a6db5c6056e04ce0f6fe3b7dc48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h4961445.exe
Filesize
174KB

MD5
cc1795806afc9010cf6150d795524a95

SHA1
63f3d26d6fd3b41c59a89387eb11861991ae0249

SHA256
d8d0ecd2967092e002cbf9b78154df6635162a054199a2d5aa71a4ef9ea93e3d

SHA512
cf8cb46283a8cef5839fd0584b7404723389026e94cfd2f504168d166d488d4f02fbec66fded57d46ee8d4bcefb1782fec590a6db5c6056e04ce0f6fe3b7dc48

Download Submit
memory/1936-35-0x0000000005900000-0x0000000005A0A000-memory.dmp

Filesize
1.0MB

Download
memory/1936-37-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/1936-33-0x0000000002FE0000-0x0000000002FE6000-memory.dmp

Filesize
24KB

Download
memory/1936-40-0x00000000056E0000-0x00000000056F0000-memory.dmp

Filesize
64KB

Download
memory/1936-30-0x0000000000C70000-0x0000000000CA0000-memory.dmp

Filesize
192KB

Download
memory/1936-34-0x0000000005E10000-0x0000000006428000-memory.dmp

Filesize
6.1MB

Download
memory/1936-38-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1936-31-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/1936-36-0x0000000005630000-0x0000000005642000-memory.dmp

Filesize
72KB

Download
memory/3140-32-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3140-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3140-39-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3804-3-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3804-4-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3804-0-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3804-1-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3804-2-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads