healer | e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe
Size

1.3MB
MD5

2f9db9707287c4b4f254b8f633e142f7
SHA1

25828847651a6d7237a42c22bef1facb91e87e8a
SHA256

e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35
SHA512

dd7cd355253d2481f54004d3b1dc29d750c10b8a03c87ef11c51aa88740a09a0b6c731bc267f18f7903c0df6562b8a0cee94858b385756476179f30a57da14bc
SSDEEP

24576:A09Zc1RlmrksZPZX+KBznrTXamwSU+X8PEyQ:A09Zc1RErksZPZuEnrTJwCsPNQ

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/3748-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4448	x2002347.exe
2440	x6259310.exe
3228	x6759448.exe
3912	g5696766.exe
3932	h2175829.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2002347.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6259310.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x6759448.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 308 set thread context of 1928	308	e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe	87
PID 3912 set thread context of 3748	3912	g5696766.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3748	AppLaunch.exe
3748	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3748	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 308 wrote to memory of 1928	308	e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe	87
PID 308 wrote to memory of 1928	308	e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe	87
PID 308 wrote to memory of 1928	308	e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe	87
PID 308 wrote to memory of 1928	308	e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe	87
PID 308 wrote to memory of 1928	308	e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe	87
PID 308 wrote to memory of 1928	308	e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe	87
PID 308 wrote to memory of 1928	308	e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe	87
PID 308 wrote to memory of 1928	308	e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe	87
PID 308 wrote to memory of 1928	308	e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe	87
PID 308 wrote to memory of 1928	308	e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe	87
PID 1928 wrote to memory of 4448	1928	AppLaunch.exe	90
PID 1928 wrote to memory of 4448	1928	AppLaunch.exe	90
PID 1928 wrote to memory of 4448	1928	AppLaunch.exe	90
PID 4448 wrote to memory of 2440	4448	x2002347.exe	92
PID 4448 wrote to memory of 2440	4448	x2002347.exe	92
PID 4448 wrote to memory of 2440	4448	x2002347.exe	92
PID 2440 wrote to memory of 3228	2440	x6259310.exe	93
PID 2440 wrote to memory of 3228	2440	x6259310.exe	93
PID 2440 wrote to memory of 3228	2440	x6259310.exe	93
PID 3228 wrote to memory of 3912	3228	x6759448.exe	95
PID 3228 wrote to memory of 3912	3228	x6759448.exe	95
PID 3228 wrote to memory of 3912	3228	x6759448.exe	95
PID 3912 wrote to memory of 3936	3912	g5696766.exe	96
PID 3912 wrote to memory of 3936	3912	g5696766.exe	96
PID 3912 wrote to memory of 3936	3912	g5696766.exe	96
PID 3912 wrote to memory of 3748	3912	g5696766.exe	97
PID 3912 wrote to memory of 3748	3912	g5696766.exe	97
PID 3912 wrote to memory of 3748	3912	g5696766.exe	97
PID 3912 wrote to memory of 3748	3912	g5696766.exe	97
PID 3912 wrote to memory of 3748	3912	g5696766.exe	97
PID 3912 wrote to memory of 3748	3912	g5696766.exe	97
PID 3912 wrote to memory of 3748	3912	g5696766.exe	97
PID 3912 wrote to memory of 3748	3912	g5696766.exe	97
PID 3228 wrote to memory of 3932	3228	x6759448.exe	98
PID 3228 wrote to memory of 3932	3228	x6759448.exe	98
PID 3228 wrote to memory of 3932	3228	x6759448.exe	98

C:\Users\Admin\AppData\Local\Temp\e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe
"C:\Users\Admin\AppData\Local\Temp\e13954c59b81c6e9611350915e4e4948ab38f948e0591cfbd61de5656557cb35.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2002347.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2002347.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6259310.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6259310.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2440
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6759448.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6759448.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3228
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5696766.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5696766.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3936
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3748
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2175829.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2175829.exe
        6⤵
        Executes dropped EXE
        
        PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2002347.exe

Filesize
766KB

MD5
38cbaf1ee42b99c5606b0b9f9fa1bcde

SHA1
e1b685ba346ac57aedb21f063646d4fed5a43df6

SHA256
7daeb1aac658758b37a1c39a7b7ca5b4812b0cf7e6d4218ef946adb93597eb5f

SHA512
ee3f03cd8ac3fe6a5f82432f719ec3ef601c0cbf4a20207b169110d038b5614afe16606cf79bec7d9db6ca799e63e9d18615662b2defc5e119388886dec653e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2002347.exe

Filesize
766KB

MD5
38cbaf1ee42b99c5606b0b9f9fa1bcde

SHA1
e1b685ba346ac57aedb21f063646d4fed5a43df6

SHA256
7daeb1aac658758b37a1c39a7b7ca5b4812b0cf7e6d4218ef946adb93597eb5f

SHA512
ee3f03cd8ac3fe6a5f82432f719ec3ef601c0cbf4a20207b169110d038b5614afe16606cf79bec7d9db6ca799e63e9d18615662b2defc5e119388886dec653e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6259310.exe

Filesize
491KB

MD5
849222ad96255787f3a5b8059b45279b

SHA1
98fa132ee212732fa93152ed45d9c1a8f3da28c7

SHA256
75f4fdb0a67979c3d7f9ebdf3bdc680618767bc8016fb57b9572335de9b8e0a7

SHA512
ec1d59fe8c015bbf879774ac2865136f3d7276d9e8a428844a451de459d3dae700967ad1096264d81579defd8c0944ea4e5e3f7375a75f820eeebaefdca9026a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6259310.exe

Filesize
491KB

MD5
849222ad96255787f3a5b8059b45279b

SHA1
98fa132ee212732fa93152ed45d9c1a8f3da28c7

SHA256
75f4fdb0a67979c3d7f9ebdf3bdc680618767bc8016fb57b9572335de9b8e0a7

SHA512
ec1d59fe8c015bbf879774ac2865136f3d7276d9e8a428844a451de459d3dae700967ad1096264d81579defd8c0944ea4e5e3f7375a75f820eeebaefdca9026a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6759448.exe

Filesize
325KB

MD5
96d64246aa07c3741237077b69649848

SHA1
b159ad47d023ba5af38174059b9224c5bae665e2

SHA256
a9733a8aaa27bbcc56984371016ecd155361fee0df91106964ea208eb1423a6c

SHA512
aa56b7b8d65cf0b27542d0a2b4193b25302bcb074ef056f5f59fa795b9564fcc7c7834a8c0e7a2a90dd2bbe70be52b9b13fd1cf6ff19ce7ceae74b4570baa1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6759448.exe

Filesize
325KB

MD5
96d64246aa07c3741237077b69649848

SHA1
b159ad47d023ba5af38174059b9224c5bae665e2

SHA256
a9733a8aaa27bbcc56984371016ecd155361fee0df91106964ea208eb1423a6c

SHA512
aa56b7b8d65cf0b27542d0a2b4193b25302bcb074ef056f5f59fa795b9564fcc7c7834a8c0e7a2a90dd2bbe70be52b9b13fd1cf6ff19ce7ceae74b4570baa1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5696766.exe

Filesize
242KB

MD5
7c6de079817901b2fbb42facc83f19a4

SHA1
81cd7c1e80aeeee033be71ae85e98aa40cdc7797

SHA256
72751a1d41226038b9c7412592a4252ca3e05e842af294dfcdbd7cdfe80bac0f

SHA512
3e15170d43dd569739f8efd7e74871fdb705cafd056c2dd27c978ff5b21eb12b5c9f0074ca5f4af86f45a1b7d07e374d0f63938751b1d5a01eae48c29050bc4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5696766.exe

Filesize
242KB

MD5
7c6de079817901b2fbb42facc83f19a4

SHA1
81cd7c1e80aeeee033be71ae85e98aa40cdc7797

SHA256
72751a1d41226038b9c7412592a4252ca3e05e842af294dfcdbd7cdfe80bac0f

SHA512
3e15170d43dd569739f8efd7e74871fdb705cafd056c2dd27c978ff5b21eb12b5c9f0074ca5f4af86f45a1b7d07e374d0f63938751b1d5a01eae48c29050bc4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2175829.exe

Filesize
175KB

MD5
c0994b89ea5564a98df4b201f293c1ef

SHA1
4f561eca16f74e2a75406470964daff93be54599

SHA256
2017baaec8669f2cee648494ba23940e52cae597c5400d780cd6d74b52bb4dfe

SHA512
2d0caf6e3154b06ffc885e6442fdcf32fa7a19f7f3a6da2fd58442ceaa13da4fc1b7df325ed8ccdf4d5d025cbee3a628c661591d5a8cf82216f7d0d252f224cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2175829.exe

Filesize
175KB

MD5
c0994b89ea5564a98df4b201f293c1ef

SHA1
4f561eca16f74e2a75406470964daff93be54599

SHA256
2017baaec8669f2cee648494ba23940e52cae597c5400d780cd6d74b52bb4dfe

SHA512
2d0caf6e3154b06ffc885e6442fdcf32fa7a19f7f3a6da2fd58442ceaa13da4fc1b7df325ed8ccdf4d5d025cbee3a628c661591d5a8cf82216f7d0d252f224cd

Download Submit
memory/1928-36-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1928-2-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1928-3-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1928-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1928-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3748-41-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/3748-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3748-49-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/3748-37-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/3932-43-0x000000000B020000-0x000000000B638000-memory.dmp

Filesize
6.1MB

Download
memory/3932-40-0x0000000002EA0000-0x0000000002EA6000-memory.dmp

Filesize
24KB

Download
memory/3932-42-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/3932-39-0x0000000000B80000-0x0000000000BB0000-memory.dmp

Filesize
192KB

Download
memory/3932-44-0x000000000AB30000-0x000000000AC3A000-memory.dmp

Filesize
1.0MB

Download
memory/3932-45-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/3932-46-0x000000000AA70000-0x000000000AA82000-memory.dmp

Filesize
72KB

Download
memory/3932-47-0x000000000AAD0000-0x000000000AB0C000-memory.dmp

Filesize
240KB

Download
memory/3932-38-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/3932-50-0x000000000AC40000-0x000000000AC8C000-memory.dmp

Filesize
304KB

Download
memory/3932-51-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download