healer | 9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43

Analysis

max time kernel
159s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe
Size

1.3MB
MD5

66517d9105802998a136a7232dc585b5
SHA1

d03716a9353992e300917bf202420c46baa30f3c
SHA256

9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43
SHA512

bece6e5efa02fb09b6cc3fa1f0a6aae07a340a3b9eeecbc30cf5d9283d86c02e4d86203675383b66cc7def0edec8d092aed8b3f9ecc0dd710517cddf60b7f9cd
SSDEEP

24576:+092Q+pf9HgPycWuPNpH9gLcJVuDBWhg+izBqyRC9eQ:+092Q0f9AfWS9JVyxzBTOeQ

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1020-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Executes dropped EXE 5 IoCs

Processes:

x5059925.exex4326485.exex5916665.exeg1516631.exeh1066104.exe

pid process

1132 x5059925.exe
4188 x4326485.exe
3668 x5916665.exe
3872 g1516631.exe
2112 h1066104.exe

pid	process
1132	x5059925.exe
4188	x4326485.exe
3668	x5916665.exe
3872	g1516631.exe
2112	h1066104.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

AppLaunch.exex5059925.exex4326485.exex5916665.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5059925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4326485.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x5916665.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exeg1516631.exe

description	pid	process	target process
PID 2736 set thread context of 4720	2736	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 3872 set thread context of 1020	3872	g1516631.exe	AppLaunch.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1020 AppLaunch.exe
1020 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1020 AppLaunch.exe

pid	process
1020	AppLaunch.exe
1020	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1020	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exeAppLaunch.exex5059925.exex4326485.exex5916665.exeg1516631.exe

description	pid	process	target process
PID 2736 wrote to memory of 4720	2736	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2736 wrote to memory of 4720	2736	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2736 wrote to memory of 4720	2736	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2736 wrote to memory of 4720	2736	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2736 wrote to memory of 4720	2736	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2736 wrote to memory of 4720	2736	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2736 wrote to memory of 4720	2736	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2736 wrote to memory of 4720	2736	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2736 wrote to memory of 4720	2736	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 2736 wrote to memory of 4720	2736	9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe	AppLaunch.exe
PID 4720 wrote to memory of 1132	4720	AppLaunch.exe	x5059925.exe
PID 4720 wrote to memory of 1132	4720	AppLaunch.exe	x5059925.exe
PID 4720 wrote to memory of 1132	4720	AppLaunch.exe	x5059925.exe
PID 1132 wrote to memory of 4188	1132	x5059925.exe	x4326485.exe
PID 1132 wrote to memory of 4188	1132	x5059925.exe	x4326485.exe
PID 1132 wrote to memory of 4188	1132	x5059925.exe	x4326485.exe
PID 4188 wrote to memory of 3668	4188	x4326485.exe	x5916665.exe
PID 4188 wrote to memory of 3668	4188	x4326485.exe	x5916665.exe
PID 4188 wrote to memory of 3668	4188	x4326485.exe	x5916665.exe
PID 3668 wrote to memory of 3872	3668	x5916665.exe	g1516631.exe
PID 3668 wrote to memory of 3872	3668	x5916665.exe	g1516631.exe
PID 3668 wrote to memory of 3872	3668	x5916665.exe	g1516631.exe
PID 3872 wrote to memory of 4428	3872	g1516631.exe	AppLaunch.exe
PID 3872 wrote to memory of 4428	3872	g1516631.exe	AppLaunch.exe
PID 3872 wrote to memory of 4428	3872	g1516631.exe	AppLaunch.exe
PID 3872 wrote to memory of 1020	3872	g1516631.exe	AppLaunch.exe
PID 3872 wrote to memory of 1020	3872	g1516631.exe	AppLaunch.exe
PID 3872 wrote to memory of 1020	3872	g1516631.exe	AppLaunch.exe
PID 3872 wrote to memory of 1020	3872	g1516631.exe	AppLaunch.exe
PID 3872 wrote to memory of 1020	3872	g1516631.exe	AppLaunch.exe
PID 3872 wrote to memory of 1020	3872	g1516631.exe	AppLaunch.exe
PID 3872 wrote to memory of 1020	3872	g1516631.exe	AppLaunch.exe
PID 3872 wrote to memory of 1020	3872	g1516631.exe	AppLaunch.exe
PID 3668 wrote to memory of 2112	3668	x5916665.exe	h1066104.exe
PID 3668 wrote to memory of 2112	3668	x5916665.exe	h1066104.exe
PID 3668 wrote to memory of 2112	3668	x5916665.exe	h1066104.exe

C:\Users\Admin\AppData\Local\Temp\9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe
"C:\Users\Admin\AppData\Local\Temp\9d414e0d1cf651f1d3021b81c4f834ec32b65020fe48838a1f4bd329ebe22b43.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4720

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5059925.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5059925.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1132

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4326485.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4326485.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4188

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5916665.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5916665.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3668

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1516631.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1516631.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1066104.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1066104.exe
6⤵
- Executes dropped EXE
PID:2112

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5059925.exe
Filesize
767KB

MD5
a19d5b4fc8736a68196c38685643b202

SHA1
c023b363ff7f643ca665b659fbff6982676c5fea

SHA256
e523d543b80a6b8814bef1e176de7eb80d04c39d6d86a0c7a616faa54d2343e7

SHA512
f0a280f3d8472027534e9660cfcc600534e5ff422cbfc64416e93220feaaabaed4365d1a077249fb0efb3d9c1546e10ab11fab8ba4429f7e5aa06b4974b7df83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5059925.exe
Filesize
767KB

MD5
a19d5b4fc8736a68196c38685643b202

SHA1
c023b363ff7f643ca665b659fbff6982676c5fea

SHA256
e523d543b80a6b8814bef1e176de7eb80d04c39d6d86a0c7a616faa54d2343e7

SHA512
f0a280f3d8472027534e9660cfcc600534e5ff422cbfc64416e93220feaaabaed4365d1a077249fb0efb3d9c1546e10ab11fab8ba4429f7e5aa06b4974b7df83

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4326485.exe
Filesize
492KB

MD5
91bd5edaf9ac0c578d465ca8e97eba24

SHA1
d584669e996831801ef1f87a15372d6b6421d085

SHA256
8f38f9c33a3382ebbdb3597b9e83faa1604b8061741f2d8612062ada91ef5a93

SHA512
b3d772f073f1b18095c96cda51ad39dd73d59da295363190e0c151573aa2da66f079fa95eb54883fde02c5e53d69c7abb7b2a606e3b93e0d141ec605a21a5c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4326485.exe
Filesize
492KB

MD5
91bd5edaf9ac0c578d465ca8e97eba24

SHA1
d584669e996831801ef1f87a15372d6b6421d085

SHA256
8f38f9c33a3382ebbdb3597b9e83faa1604b8061741f2d8612062ada91ef5a93

SHA512
b3d772f073f1b18095c96cda51ad39dd73d59da295363190e0c151573aa2da66f079fa95eb54883fde02c5e53d69c7abb7b2a606e3b93e0d141ec605a21a5c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5916665.exe
Filesize
327KB

MD5
0738f3fb61f7352210abdfeead0a943e

SHA1
610f71c23081c22c12805d5d4d68b5ca2984687f

SHA256
59e16aac534e7c1058faaf77eed91a13ba7499f06ecabee93574bd7d3a45c605

SHA512
36cb20aea587e1cd32c43fbda00944bec0819501b794ca6e05393099a8bdcf922ed6a81c37dbcb4e8d8909883b7e91e15e9290b665f2fc28e41811e52d1ab888

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x5916665.exe
Filesize
327KB

MD5
0738f3fb61f7352210abdfeead0a943e

SHA1
610f71c23081c22c12805d5d4d68b5ca2984687f

SHA256
59e16aac534e7c1058faaf77eed91a13ba7499f06ecabee93574bd7d3a45c605

SHA512
36cb20aea587e1cd32c43fbda00944bec0819501b794ca6e05393099a8bdcf922ed6a81c37dbcb4e8d8909883b7e91e15e9290b665f2fc28e41811e52d1ab888

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1516631.exe
Filesize
242KB

MD5
133c167fe95badd4c1d2c378073219e2

SHA1
3a9d712f3cf7c91e77346e5d636c8f0c6f99897a

SHA256
da8a5936c8b8e3dd2927a01d7edd509ccb5103590a23275597cbd74abcf356ea

SHA512
05fc0769280ff87d20edbc81687f6f38bc58ce3153b7d62e7517f6675b243d8bd202dd3b0bc4061787eef494c6349360e5d97cf042a9719051ba0531546f76e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1516631.exe
Filesize
242KB

MD5
133c167fe95badd4c1d2c378073219e2

SHA1
3a9d712f3cf7c91e77346e5d636c8f0c6f99897a

SHA256
da8a5936c8b8e3dd2927a01d7edd509ccb5103590a23275597cbd74abcf356ea

SHA512
05fc0769280ff87d20edbc81687f6f38bc58ce3153b7d62e7517f6675b243d8bd202dd3b0bc4061787eef494c6349360e5d97cf042a9719051ba0531546f76e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1066104.exe
Filesize
174KB

MD5
a4aa91d885060e7dfaa138710e1e9166

SHA1
f632e56ad4902a9d999fe828550ed2e98d59e708

SHA256
c201d25c4b9d262de8af602123c3e6cf27e99f2820a928579aa109de8503575f

SHA512
51435936f4b67bedaf1c37af099d0501734bec44fd9c4b70a1a5a3ad829e2d6b8f383dcd1b1b1b646eecbb06f0547217a324fcd44cf7981da93d3a662fb56379

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1066104.exe
Filesize
174KB

MD5
a4aa91d885060e7dfaa138710e1e9166

SHA1
f632e56ad4902a9d999fe828550ed2e98d59e708

SHA256
c201d25c4b9d262de8af602123c3e6cf27e99f2820a928579aa109de8503575f

SHA512
51435936f4b67bedaf1c37af099d0501734bec44fd9c4b70a1a5a3ad829e2d6b8f383dcd1b1b1b646eecbb06f0547217a324fcd44cf7981da93d3a662fb56379

Download Submit
memory/1020-37-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/1020-50-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/1020-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1020-45-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/2112-41-0x000000000AAB0000-0x000000000B0C8000-memory.dmp

Filesize
6.1MB

Download
memory/2112-42-0x000000000A610000-0x000000000A71A000-memory.dmp

Filesize
1.0MB

Download
memory/2112-51-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/2112-48-0x000000000A720000-0x000000000A76C000-memory.dmp

Filesize
304KB

Download
memory/2112-39-0x0000000000660000-0x0000000000690000-memory.dmp

Filesize
192KB

Download
memory/2112-40-0x0000000002870000-0x0000000002876000-memory.dmp

Filesize
24KB

Download
memory/2112-47-0x000000000A5B0000-0x000000000A5EC000-memory.dmp

Filesize
240KB

Download
memory/2112-36-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/2112-43-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/2112-44-0x000000000A550000-0x000000000A562000-memory.dmp

Filesize
72KB

Download
memory/2112-46-0x0000000002860000-0x0000000002870000-memory.dmp

Filesize
64KB

Download
memory/4720-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4720-3-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4720-38-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4720-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4720-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download