healer | 998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369

Analysis

max time kernel
145s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe
Size

1.3MB
MD5

aec6e2c6915f1ade95f713c411a67abc
SHA1

db6c2797e127469fc31fca94bcbbd7b7f30873cc
SHA256

998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369
SHA512

fd3db79725b5031f4656330680f583e5672dfabe1a339d446eec7fa63f7eeddf96aecb9e9bbe9c7c8baa26cba9cd2a944b91b7e7c06ba9f03de84f42cf2c9214
SSDEEP

24576:f090NLtvam4tjMAE5ee4NSLsxNnorZwyvOWM1tlcNecZGInwhQ:f090NGjm5ee4NSgxS1Y71tlckFInwhQ

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/3912-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2184	x1370042.exe
3992	x0624820.exe
3872	x2099697.exe
1588	g2717605.exe
3292	h6253002.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1370042.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0624820.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2099697.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2820 set thread context of 972	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	89
PID 1588 set thread context of 3912	1588	g2717605.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3912	AppLaunch.exe
3912	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3912	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2488	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	88
PID 2820 wrote to memory of 2488	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	88
PID 2820 wrote to memory of 2488	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	88
PID 2820 wrote to memory of 972	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	89
PID 2820 wrote to memory of 972	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	89
PID 2820 wrote to memory of 972	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	89
PID 2820 wrote to memory of 972	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	89
PID 2820 wrote to memory of 972	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	89
PID 2820 wrote to memory of 972	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	89
PID 2820 wrote to memory of 972	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	89
PID 2820 wrote to memory of 972	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	89
PID 2820 wrote to memory of 972	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	89
PID 2820 wrote to memory of 972	2820	998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe	89
PID 972 wrote to memory of 2184	972	AppLaunch.exe	90
PID 972 wrote to memory of 2184	972	AppLaunch.exe	90
PID 972 wrote to memory of 2184	972	AppLaunch.exe	90
PID 2184 wrote to memory of 3992	2184	x1370042.exe	91
PID 2184 wrote to memory of 3992	2184	x1370042.exe	91
PID 2184 wrote to memory of 3992	2184	x1370042.exe	91
PID 3992 wrote to memory of 3872	3992	x0624820.exe	92
PID 3992 wrote to memory of 3872	3992	x0624820.exe	92
PID 3992 wrote to memory of 3872	3992	x0624820.exe	92
PID 3872 wrote to memory of 1588	3872	x2099697.exe	93
PID 3872 wrote to memory of 1588	3872	x2099697.exe	93
PID 3872 wrote to memory of 1588	3872	x2099697.exe	93
PID 1588 wrote to memory of 3912	1588	g2717605.exe	95
PID 1588 wrote to memory of 3912	1588	g2717605.exe	95
PID 1588 wrote to memory of 3912	1588	g2717605.exe	95
PID 1588 wrote to memory of 3912	1588	g2717605.exe	95
PID 1588 wrote to memory of 3912	1588	g2717605.exe	95
PID 1588 wrote to memory of 3912	1588	g2717605.exe	95
PID 1588 wrote to memory of 3912	1588	g2717605.exe	95
PID 1588 wrote to memory of 3912	1588	g2717605.exe	95
PID 3872 wrote to memory of 3292	3872	x2099697.exe	94
PID 3872 wrote to memory of 3292	3872	x2099697.exe	94
PID 3872 wrote to memory of 3292	3872	x2099697.exe	94

C:\Users\Admin\AppData\Local\Temp\998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe
"C:\Users\Admin\AppData\Local\Temp\998b66ae07ceb7e07a142e964934e6939c3587cc15871a4c8c40f19cd3381369.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1370042.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1370042.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0624820.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0624820.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2099697.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2099697.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3872
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2717605.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2717605.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6253002.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6253002.exe
        6⤵
        Executes dropped EXE
        
        PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1370042.exe

Filesize
767KB

MD5
4c681049923573eef4f6f78759474ac6

SHA1
703effe5cb0b8eaf2ed2f2c0d005284bffaccc16

SHA256
5f42b07dbae322ec6765aef5c0f7c012c7de63946fe4e7f4e4d225b4f68afeb2

SHA512
3bcfde5ca62c9b9f7e4df28b6d5cbce6a7b72a5b3c16062a4c08e11d3a0742ba5b893fb5a504997d87f52dff44e9fc630be954eca8b68bd5bf4ba05ef568a37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1370042.exe

Filesize
767KB

MD5
4c681049923573eef4f6f78759474ac6

SHA1
703effe5cb0b8eaf2ed2f2c0d005284bffaccc16

SHA256
5f42b07dbae322ec6765aef5c0f7c012c7de63946fe4e7f4e4d225b4f68afeb2

SHA512
3bcfde5ca62c9b9f7e4df28b6d5cbce6a7b72a5b3c16062a4c08e11d3a0742ba5b893fb5a504997d87f52dff44e9fc630be954eca8b68bd5bf4ba05ef568a37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0624820.exe

Filesize
492KB

MD5
e4a2cec407f705540e20de6a6b623109

SHA1
9d8693d239cc6dd5518d5ca7de175df7b53625b7

SHA256
a0c0b2983e9709353a5e325fee3b4e22abedc1319f69907456916024b93b35e7

SHA512
43dca40da74fc59fa586bcbcec2ec978d679509f7e89294866616e8b67b5311231a3efe86b5577781c82f1d6696242ce970c0fb28d05fa1c2fa782a15306d7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0624820.exe

Filesize
492KB

MD5
e4a2cec407f705540e20de6a6b623109

SHA1
9d8693d239cc6dd5518d5ca7de175df7b53625b7

SHA256
a0c0b2983e9709353a5e325fee3b4e22abedc1319f69907456916024b93b35e7

SHA512
43dca40da74fc59fa586bcbcec2ec978d679509f7e89294866616e8b67b5311231a3efe86b5577781c82f1d6696242ce970c0fb28d05fa1c2fa782a15306d7ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2099697.exe

Filesize
326KB

MD5
29cf98af75f8ed9c3d202982fa9dd9f4

SHA1
07235a30ffc48723f547468c4cbeb9ae511efb13

SHA256
02b85f783022feea6ff3ca1c8a7bc1e8ab1b7f660dbf8bc52253281e7e1b3f68

SHA512
44ba8bf63225091437ddd0d9764b9587ba2cc5ca170067c7d8e59bc71f4a6733f5ab34da5cdcc96d7edb6e47d35ee73417b21b8a946b5110e80a77cf76eecbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2099697.exe

Filesize
326KB

MD5
29cf98af75f8ed9c3d202982fa9dd9f4

SHA1
07235a30ffc48723f547468c4cbeb9ae511efb13

SHA256
02b85f783022feea6ff3ca1c8a7bc1e8ab1b7f660dbf8bc52253281e7e1b3f68

SHA512
44ba8bf63225091437ddd0d9764b9587ba2cc5ca170067c7d8e59bc71f4a6733f5ab34da5cdcc96d7edb6e47d35ee73417b21b8a946b5110e80a77cf76eecbba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2717605.exe

Filesize
242KB

MD5
95666899cee18e1d3e7a45176ee209ad

SHA1
996c799ce9899b74a0018b5def4405498c07ed65

SHA256
8b7d9fddd6ecbbc3b6c2da6b3aea777abcc2038ab130e35127041ee5eb09df2b

SHA512
7f22fe94e457f94244af753d6f243d09cfe05ccc83ed3207548ff3a69573fe2d9e82457079b4357bf14f0f80c7942b634f6e84af9fff6fa50a5f4bb1828c036f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2717605.exe

Filesize
242KB

MD5
95666899cee18e1d3e7a45176ee209ad

SHA1
996c799ce9899b74a0018b5def4405498c07ed65

SHA256
8b7d9fddd6ecbbc3b6c2da6b3aea777abcc2038ab130e35127041ee5eb09df2b

SHA512
7f22fe94e457f94244af753d6f243d09cfe05ccc83ed3207548ff3a69573fe2d9e82457079b4357bf14f0f80c7942b634f6e84af9fff6fa50a5f4bb1828c036f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6253002.exe

Filesize
174KB

MD5
1fa5d9ee5a2af6c011937f713e087d2f

SHA1
61e31b1113e07804431a12240f3758324f5c91bc

SHA256
2615fbdea33cbbd84144a90323171c60c96617eedfa1f0b9f0b45b081e3515e0

SHA512
636d2078ec61723fa31b7d6dc23e072d1522f7ad5d36929e33baa72b1fdccebaee01e86442a1457cf4869594faaa3843640ab2d7c7cc22224594fbed4f9e073d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h6253002.exe

Filesize
174KB

MD5
1fa5d9ee5a2af6c011937f713e087d2f

SHA1
61e31b1113e07804431a12240f3758324f5c91bc

SHA256
2615fbdea33cbbd84144a90323171c60c96617eedfa1f0b9f0b45b081e3515e0

SHA512
636d2078ec61723fa31b7d6dc23e072d1522f7ad5d36929e33baa72b1fdccebaee01e86442a1457cf4869594faaa3843640ab2d7c7cc22224594fbed4f9e073d

Download Submit
memory/972-40-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/972-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/972-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/972-3-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/972-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3292-46-0x0000000005260000-0x0000000005272000-memory.dmp

Filesize
72KB

Download
memory/3292-47-0x00000000052C0000-0x00000000052FC000-memory.dmp

Filesize
240KB

Download
memory/3292-38-0x00000000008C0000-0x00000000008F0000-memory.dmp

Filesize
192KB

Download
memory/3292-51-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3292-37-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/3292-44-0x0000000005370000-0x000000000547A000-memory.dmp

Filesize
1.0MB

Download
memory/3292-43-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/3292-50-0x0000000005300000-0x000000000534C000-memory.dmp

Filesize
304KB

Download
memory/3292-39-0x0000000001010000-0x0000000001016000-memory.dmp

Filesize
24KB

Download
memory/3292-45-0x0000000005250000-0x0000000005260000-memory.dmp

Filesize
64KB

Download
memory/3292-42-0x0000000005880000-0x0000000005E98000-memory.dmp

Filesize
6.1MB

Download
memory/3912-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3912-49-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/3912-41-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/3912-36-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download