healer | 6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054

Analysis

max time kernel
138s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe
Size

1.3MB
MD5

df69165c0d54694e4c5899676359524c
SHA1

28acd35d187039fc5ea49b80b324dc01b87f5160
SHA256

6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054
SHA512

e09c13caf502d2b3dd4c8b22c8c3d369b6d874354c9406757a3a244d9939f81988f2ee678ce08adce51f3931a94d59381488e03b60671e01d76a650ecccaef99
SSDEEP

24576:F09n9p2dg5HnTMXbhxutzjknGZnR+cGp7hnbdHdNrQ:F093225HQX1xutRnGHB3Q

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/716-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1044	x5886334.exe
4128	x2403709.exe
2624	x0868854.exe
4072	g2775741.exe
2212	h8337605.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5886334.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2403709.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0868854.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4280 set thread context of 3400	4280	6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe	91
PID 4072 set thread context of 716	4072	g2775741.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
716	AppLaunch.exe
716	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	716	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 3400	4280	6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe	91
PID 4280 wrote to memory of 3400	4280	6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe	91
PID 4280 wrote to memory of 3400	4280	6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe	91
PID 4280 wrote to memory of 3400	4280	6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe	91
PID 4280 wrote to memory of 3400	4280	6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe	91
PID 4280 wrote to memory of 3400	4280	6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe	91
PID 4280 wrote to memory of 3400	4280	6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe	91
PID 4280 wrote to memory of 3400	4280	6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe	91
PID 4280 wrote to memory of 3400	4280	6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe	91
PID 4280 wrote to memory of 3400	4280	6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe	91
PID 3400 wrote to memory of 1044	3400	AppLaunch.exe	92
PID 3400 wrote to memory of 1044	3400	AppLaunch.exe	92
PID 3400 wrote to memory of 1044	3400	AppLaunch.exe	92
PID 1044 wrote to memory of 4128	1044	x5886334.exe	93
PID 1044 wrote to memory of 4128	1044	x5886334.exe	93
PID 1044 wrote to memory of 4128	1044	x5886334.exe	93
PID 4128 wrote to memory of 2624	4128	x2403709.exe	94
PID 4128 wrote to memory of 2624	4128	x2403709.exe	94
PID 4128 wrote to memory of 2624	4128	x2403709.exe	94
PID 2624 wrote to memory of 4072	2624	x0868854.exe	95
PID 2624 wrote to memory of 4072	2624	x0868854.exe	95
PID 2624 wrote to memory of 4072	2624	x0868854.exe	95
PID 4072 wrote to memory of 652	4072	g2775741.exe	96
PID 4072 wrote to memory of 652	4072	g2775741.exe	96
PID 4072 wrote to memory of 652	4072	g2775741.exe	96
PID 4072 wrote to memory of 716	4072	g2775741.exe	97
PID 4072 wrote to memory of 716	4072	g2775741.exe	97
PID 4072 wrote to memory of 716	4072	g2775741.exe	97
PID 4072 wrote to memory of 716	4072	g2775741.exe	97
PID 4072 wrote to memory of 716	4072	g2775741.exe	97
PID 4072 wrote to memory of 716	4072	g2775741.exe	97
PID 4072 wrote to memory of 716	4072	g2775741.exe	97
PID 4072 wrote to memory of 716	4072	g2775741.exe	97
PID 2624 wrote to memory of 2212	2624	x0868854.exe	98
PID 2624 wrote to memory of 2212	2624	x0868854.exe	98
PID 2624 wrote to memory of 2212	2624	x0868854.exe	98

C:\Users\Admin\AppData\Local\Temp\6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe
"C:\Users\Admin\AppData\Local\Temp\6e15c0105c279ff20c9c84fdb0c3997e08cc6e60eab47c3cb3da8499159db054.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5886334.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5886334.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2403709.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2403709.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4128
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0868854.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0868854.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2624
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2775741.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2775741.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:652
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8337605.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8337605.exe
        6⤵
        Executes dropped EXE
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5886334.exe

Filesize
767KB

MD5
84acf3fe20eab18fe5f6d32d0f340cc5

SHA1
7330c2e578a78fb7f3227f6bec3c9600d3a64d5f

SHA256
daef05acb7a5b468ea8ac0c06544f59202f3bc32dc45851dea78ac0a2b563718

SHA512
7e15bad8d655713c0d2ca000287266bd5974fe43f5236344b9e7d160de532acb071bb4a9e14f095b4bddd3c769f3be0611d1ad3ba583a1400a5384c92bbb4e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5886334.exe

Filesize
767KB

MD5
84acf3fe20eab18fe5f6d32d0f340cc5

SHA1
7330c2e578a78fb7f3227f6bec3c9600d3a64d5f

SHA256
daef05acb7a5b468ea8ac0c06544f59202f3bc32dc45851dea78ac0a2b563718

SHA512
7e15bad8d655713c0d2ca000287266bd5974fe43f5236344b9e7d160de532acb071bb4a9e14f095b4bddd3c769f3be0611d1ad3ba583a1400a5384c92bbb4e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2403709.exe

Filesize
492KB

MD5
cb2734ad592277556b871886fed743a8

SHA1
5f4797463704c36d20ed9973fd2ce1bef24fdce3

SHA256
feff0fa20e2dfccab80108be08586fe6c6347ad57bf58abf350380dd3bb99a4b

SHA512
ea1940313f865c100bd01d68a082ef4ba608aacc75bf98614f0bd60fde100c0aaa4088658ddc1cfa33720b3d3693d65ba3e6b27eb3600a865b405a439dfed47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2403709.exe

Filesize
492KB

MD5
cb2734ad592277556b871886fed743a8

SHA1
5f4797463704c36d20ed9973fd2ce1bef24fdce3

SHA256
feff0fa20e2dfccab80108be08586fe6c6347ad57bf58abf350380dd3bb99a4b

SHA512
ea1940313f865c100bd01d68a082ef4ba608aacc75bf98614f0bd60fde100c0aaa4088658ddc1cfa33720b3d3693d65ba3e6b27eb3600a865b405a439dfed47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0868854.exe

Filesize
326KB

MD5
289912be5b237c6b52d24bb48f23548f

SHA1
67c42a4674f863133b80db5804ae250bb8023f83

SHA256
6d5b38cc33dbd23f577c4c2ce9ac10e5a35cc6f36080231a867eae60df2f7f62

SHA512
3b0cf1422c9debd0fbfc491e8a3cd678a6acbc19a9ee68bf65cf8be1598fd61548faeed9287d1b5a6204e9d306091f449a9effc3e829307e9eac69ca32003429

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0868854.exe

Filesize
326KB

MD5
289912be5b237c6b52d24bb48f23548f

SHA1
67c42a4674f863133b80db5804ae250bb8023f83

SHA256
6d5b38cc33dbd23f577c4c2ce9ac10e5a35cc6f36080231a867eae60df2f7f62

SHA512
3b0cf1422c9debd0fbfc491e8a3cd678a6acbc19a9ee68bf65cf8be1598fd61548faeed9287d1b5a6204e9d306091f449a9effc3e829307e9eac69ca32003429

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2775741.exe

Filesize
242KB

MD5
d8e2f23301ef658943ec96b798b3e4bb

SHA1
78d730aba76c12b8f80e816c181c84e164016b7f

SHA256
682e97600d18ae0c2bf053742baf6edae8237d0b0ced6156810f303586f360ef

SHA512
1edc9c5dbffbdd9d35e73beb9b6eda9b058a6fc90d8b5d2a74598a8ccf387362822b5a2962fc0ba98e67cba0ff1c0a481296974307113ed8b65679e8cb482339

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2775741.exe

Filesize
242KB

MD5
d8e2f23301ef658943ec96b798b3e4bb

SHA1
78d730aba76c12b8f80e816c181c84e164016b7f

SHA256
682e97600d18ae0c2bf053742baf6edae8237d0b0ced6156810f303586f360ef

SHA512
1edc9c5dbffbdd9d35e73beb9b6eda9b058a6fc90d8b5d2a74598a8ccf387362822b5a2962fc0ba98e67cba0ff1c0a481296974307113ed8b65679e8cb482339

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8337605.exe

Filesize
174KB

MD5
5025d27b142e4228a99ac6adced72d6b

SHA1
de6f428b8a1b705e9059db15eeb7a4fab40df750

SHA256
cc34d5ba9ce8fd9f4167b589b11ba77666c2f82ae983e3e59df99b6c29d593c0

SHA512
4298402cd7a09b8a4f0f7319c4f0ee5801f915a9ddde7fa0c7f457082de10bcea1676338e9e2e8a2de5aca5332cb53417e6d05bb4a5fb5959304dbc09be3ccab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h8337605.exe

Filesize
174KB

MD5
5025d27b142e4228a99ac6adced72d6b

SHA1
de6f428b8a1b705e9059db15eeb7a4fab40df750

SHA256
cc34d5ba9ce8fd9f4167b589b11ba77666c2f82ae983e3e59df99b6c29d593c0

SHA512
4298402cd7a09b8a4f0f7319c4f0ee5801f915a9ddde7fa0c7f457082de10bcea1676338e9e2e8a2de5aca5332cb53417e6d05bb4a5fb5959304dbc09be3ccab

Download Submit
memory/716-38-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/716-50-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/716-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/716-48-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-41-0x0000000005300000-0x000000000540A000-memory.dmp

Filesize
1.0MB

Download
memory/2212-42-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/2212-37-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-51-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2212-39-0x0000000002AD0000-0x0000000002AD6000-memory.dmp

Filesize
24KB

Download
memory/2212-40-0x0000000005810000-0x0000000005E28000-memory.dmp

Filesize
6.1MB

Download
memory/2212-47-0x0000000074640000-0x0000000074DF0000-memory.dmp

Filesize
7.7MB

Download
memory/2212-36-0x0000000000740000-0x0000000000770000-memory.dmp

Filesize
192KB

Download
memory/2212-43-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2212-44-0x0000000005270000-0x00000000052AC000-memory.dmp

Filesize
240KB

Download
memory/2212-45-0x00000000052B0000-0x00000000052FC000-memory.dmp

Filesize
304KB

Download
memory/3400-46-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3400-3-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3400-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3400-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3400-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download