healer | b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf

Analysis

max time kernel
133s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe
Size

1.3MB
MD5

fc415ab92de0ba6c15c0bdfe85990cbf
SHA1

18f8e1748f5c17da4918f3896644e9a0a0d8d94a
SHA256

b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf
SHA512

d3d8685ea12ef78a54b85d2db64349d534cb37933f52f4f174878f5cac90251e37d7a39cd0fa2364b3c0a03860ed9bad4e5f47e3c05f64a7baad4b1b7f31d20c
SSDEEP

24576:N09ldqKOXb7+j/A6pELQG36xFqJpmHAfcBHFMrWKxtsJ4ULRQSq2D+GQ:N09DfhA6pEU6zB0TMr04UNQSq2D+GQ

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1220-33-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

x5401087.exex0503055.exex4607062.exeg5161620.exeh0756968.exe

pid process

1404 x5401087.exe
880 x0503055.exe
1628 x4607062.exe
2384 g5161620.exe
3044 h0756968.exe

pid	process
1404	x5401087.exe
880	x0503055.exe
1628	x4607062.exe
2384	g5161620.exe
3044	h0756968.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AppLaunch.exex5401087.exex0503055.exex4607062.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5401087.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0503055.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4607062.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exeg5161620.exe

description	pid	process	target process
PID 376 set thread context of 2152	376	b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe	AppLaunch.exe
PID 2384 set thread context of 1220	2384	g5161620.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1220 AppLaunch.exe
1220 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1220 AppLaunch.exe

pid	process
1220	AppLaunch.exe
1220	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1220	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exeAppLaunch.exex5401087.exex0503055.exex4607062.exeg5161620.exe

description	pid	process	target process
PID 376 wrote to memory of 2152	376	b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe	AppLaunch.exe
PID 376 wrote to memory of 2152	376	b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe	AppLaunch.exe
PID 376 wrote to memory of 2152	376	b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe	AppLaunch.exe
PID 376 wrote to memory of 2152	376	b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe	AppLaunch.exe
PID 376 wrote to memory of 2152	376	b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe	AppLaunch.exe
PID 376 wrote to memory of 2152	376	b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe	AppLaunch.exe
PID 376 wrote to memory of 2152	376	b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe	AppLaunch.exe
PID 376 wrote to memory of 2152	376	b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe	AppLaunch.exe
PID 376 wrote to memory of 2152	376	b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe	AppLaunch.exe
PID 376 wrote to memory of 2152	376	b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe	AppLaunch.exe
PID 2152 wrote to memory of 1404	2152	AppLaunch.exe	x5401087.exe
PID 2152 wrote to memory of 1404	2152	AppLaunch.exe	x5401087.exe
PID 2152 wrote to memory of 1404	2152	AppLaunch.exe	x5401087.exe
PID 1404 wrote to memory of 880	1404	x5401087.exe	x0503055.exe
PID 1404 wrote to memory of 880	1404	x5401087.exe	x0503055.exe
PID 1404 wrote to memory of 880	1404	x5401087.exe	x0503055.exe
PID 880 wrote to memory of 1628	880	x0503055.exe	x4607062.exe
PID 880 wrote to memory of 1628	880	x0503055.exe	x4607062.exe
PID 880 wrote to memory of 1628	880	x0503055.exe	x4607062.exe
PID 1628 wrote to memory of 2384	1628	x4607062.exe	g5161620.exe
PID 1628 wrote to memory of 2384	1628	x4607062.exe	g5161620.exe
PID 1628 wrote to memory of 2384	1628	x4607062.exe	g5161620.exe
PID 2384 wrote to memory of 804	2384	g5161620.exe	AppLaunch.exe
PID 2384 wrote to memory of 804	2384	g5161620.exe	AppLaunch.exe
PID 2384 wrote to memory of 804	2384	g5161620.exe	AppLaunch.exe
PID 2384 wrote to memory of 1220	2384	g5161620.exe	AppLaunch.exe
PID 2384 wrote to memory of 1220	2384	g5161620.exe	AppLaunch.exe
PID 2384 wrote to memory of 1220	2384	g5161620.exe	AppLaunch.exe
PID 2384 wrote to memory of 1220	2384	g5161620.exe	AppLaunch.exe
PID 2384 wrote to memory of 1220	2384	g5161620.exe	AppLaunch.exe
PID 2384 wrote to memory of 1220	2384	g5161620.exe	AppLaunch.exe
PID 2384 wrote to memory of 1220	2384	g5161620.exe	AppLaunch.exe
PID 2384 wrote to memory of 1220	2384	g5161620.exe	AppLaunch.exe
PID 1628 wrote to memory of 3044	1628	x4607062.exe	h0756968.exe
PID 1628 wrote to memory of 3044	1628	x4607062.exe	h0756968.exe
PID 1628 wrote to memory of 3044	1628	x4607062.exe	h0756968.exe

C:\Users\Admin\AppData\Local\Temp\b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe
"C:\Users\Admin\AppData\Local\Temp\b03c9166346452546c30fe5b5990d2877dffc2995373d191ce65ac48f077b1cf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5401087.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5401087.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1404

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0503055.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0503055.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:880

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4607062.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4607062.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1628

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5161620.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5161620.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0756968.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0756968.exe
6⤵
- Executes dropped EXE
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5401087.exe
Filesize
767KB

MD5
964fcb2df71688c6af790b2c919c5699

SHA1
f234acb655cc1e5d248a0aa832a4cd02d063bd1c

SHA256
5ce7ce871b6f09133e0dcaa5d533fa5e1bd81bbe20181ab79dbdcd4960bbd2c0

SHA512
f1c93e1b0bb538f4aa443b5c5e6de3e4a954dbea418a144354e49defce38b14e75899d814064f76b490f6d3062e794064ed20ccd6db4fadfc2b4a7bf5dfc1e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5401087.exe
Filesize
767KB

MD5
964fcb2df71688c6af790b2c919c5699

SHA1
f234acb655cc1e5d248a0aa832a4cd02d063bd1c

SHA256
5ce7ce871b6f09133e0dcaa5d533fa5e1bd81bbe20181ab79dbdcd4960bbd2c0

SHA512
f1c93e1b0bb538f4aa443b5c5e6de3e4a954dbea418a144354e49defce38b14e75899d814064f76b490f6d3062e794064ed20ccd6db4fadfc2b4a7bf5dfc1e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0503055.exe
Filesize
492KB

MD5
61b67faaa1eeef49541fb3b209f1cbd8

SHA1
a2fb24312545d9bd13ddb54cc648c428e00428ad

SHA256
9f5eadece130a3b12fe013831e8f316774d2b88d92c0fe445a5623d48f4b5831

SHA512
15822d93ee94dbbba5f2e846c48b94a057c98329e9a8494ae9519634bc31a4367478e2f0bd5cf41d18578305546a415f14f6617fd418f5fd9f2d83b6c47cee33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0503055.exe
Filesize
492KB

MD5
61b67faaa1eeef49541fb3b209f1cbd8

SHA1
a2fb24312545d9bd13ddb54cc648c428e00428ad

SHA256
9f5eadece130a3b12fe013831e8f316774d2b88d92c0fe445a5623d48f4b5831

SHA512
15822d93ee94dbbba5f2e846c48b94a057c98329e9a8494ae9519634bc31a4367478e2f0bd5cf41d18578305546a415f14f6617fd418f5fd9f2d83b6c47cee33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4607062.exe
Filesize
326KB

MD5
0d61c098d7837b4c59e3ebf14558d0e4

SHA1
d98df663884ad06288f8559296822b8407790904

SHA256
f734b3612fd5d1f33fda148c12e27d0cb7a04c41dc45431477ae250d862edfff

SHA512
0e8db5542ba1aa010d275e5b476fb6cb9d5d6ee6047ddaa84fd9ef9c40aee35999c9af0669de713e1442c27126f08220218764932e94bf5dda2e74d24a2ccbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4607062.exe
Filesize
326KB

MD5
0d61c098d7837b4c59e3ebf14558d0e4

SHA1
d98df663884ad06288f8559296822b8407790904

SHA256
f734b3612fd5d1f33fda148c12e27d0cb7a04c41dc45431477ae250d862edfff

SHA512
0e8db5542ba1aa010d275e5b476fb6cb9d5d6ee6047ddaa84fd9ef9c40aee35999c9af0669de713e1442c27126f08220218764932e94bf5dda2e74d24a2ccbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5161620.exe
Filesize
242KB

MD5
5fe490f7d6e932659f5cf144d01ff99c

SHA1
c61b71295e173c18132bfd405f294ad9dd0c5e6f

SHA256
56809d846d03ef42a36d44d3efcbbe67c679bfe70896fd95870698b655a1e9fd

SHA512
4157b3af929abc5120823ec6ca1ae36cd8e5679a883bfd0860c261e7d95dafbb5f12c2c375dfd8b6224ee0aac141267d985c5aa540ca66192038c842b21d7df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5161620.exe
Filesize
242KB

MD5
5fe490f7d6e932659f5cf144d01ff99c

SHA1
c61b71295e173c18132bfd405f294ad9dd0c5e6f

SHA256
56809d846d03ef42a36d44d3efcbbe67c679bfe70896fd95870698b655a1e9fd

SHA512
4157b3af929abc5120823ec6ca1ae36cd8e5679a883bfd0860c261e7d95dafbb5f12c2c375dfd8b6224ee0aac141267d985c5aa540ca66192038c842b21d7df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0756968.exe
Filesize
174KB

MD5
7dfb4dd8d76d945f8884f3abc307734f

SHA1
459f0b63e1a6c56dfc359b30724cc51d068dc378

SHA256
019c41012cedd3b9bccaede02fff1f3848f4786b4ab82fdea81ffaa707718b07

SHA512
3a726a679fb9346cdf344b1a75a344fe2f9bcbf3f8df3bffcaa433804549219de9d15330d6ff0daa8c10126f71c941753853f627a8766e5cd505aa57a6c35261

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0756968.exe
Filesize
174KB

MD5
7dfb4dd8d76d945f8884f3abc307734f

SHA1
459f0b63e1a6c56dfc359b30724cc51d068dc378

SHA256
019c41012cedd3b9bccaede02fff1f3848f4786b4ab82fdea81ffaa707718b07

SHA512
3a726a679fb9346cdf344b1a75a344fe2f9bcbf3f8df3bffcaa433804549219de9d15330d6ff0daa8c10126f71c941753853f627a8766e5cd505aa57a6c35261

Download Submit
memory/1220-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1220-37-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/1220-51-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/1220-47-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2152-3-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2152-2-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2152-1-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2152-32-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/2152-0-0x0000000000400000-0x000000000050C000-memory.dmp

Filesize
1.0MB

Download
memory/3044-40-0x0000000003220000-0x0000000003226000-memory.dmp

Filesize
24KB

Download
memory/3044-41-0x0000000005ED0000-0x00000000064E8000-memory.dmp

Filesize
6.1MB

Download
memory/3044-42-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/3044-44-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/3044-43-0x00000000058D0000-0x00000000058E2000-memory.dmp

Filesize
72KB

Download
memory/3044-45-0x0000000005930000-0x000000000596C000-memory.dmp

Filesize
240KB

Download
memory/3044-46-0x0000000005970000-0x00000000059BC000-memory.dmp

Filesize
304KB

Download
memory/3044-39-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/3044-48-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/3044-49-0x00000000057A0000-0x00000000057B0000-memory.dmp

Filesize
64KB

Download
memory/3044-38-0x0000000000DF0000-0x0000000000E20000-memory.dmp

Filesize
192KB

Download