healer | 0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23

Analysis

max time kernel
146s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe
Size

930KB
MD5

0a9f448d25e286b4f3b0302b2a5d3e04
SHA1

8d462480db6dc73928abebb3c05e1a3907deb513
SHA256

0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23
SHA512

51e551492947efbac1451bf043d12dbb849f0d53ffcdb754c7578cb3a477e6bc1f87f33a4d34ec4aa45636ab8d8c2e4f029180e1f29d8ba24a3686fe83fe04ce
SSDEEP

24576:riuBtZ26pccG2/HOm2gsO0RShC8gG77lhttmszJS2Za:euBf2CV2QuRSQG77Ptd9jZa

Score

10^/10

healer redline moner dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1988-25-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
792	x6258799.exe
3772	x4095875.exe
1576	g0709530.exe
3876	i5782986.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6258799.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4095875.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4108 set thread context of 448	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	96
PID 1576 set thread context of 1988	1576	g0709530.exe	104

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1988	AppLaunch.exe
1988	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	AppLaunch.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 1804	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	93
PID 4108 wrote to memory of 1804	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	93
PID 4108 wrote to memory of 1804	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	93
PID 4108 wrote to memory of 5044	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	94
PID 4108 wrote to memory of 5044	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	94
PID 4108 wrote to memory of 5044	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	94
PID 4108 wrote to memory of 1960	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	95
PID 4108 wrote to memory of 1960	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	95
PID 4108 wrote to memory of 1960	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	95
PID 4108 wrote to memory of 448	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	96
PID 4108 wrote to memory of 448	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	96
PID 4108 wrote to memory of 448	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	96
PID 4108 wrote to memory of 448	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	96
PID 4108 wrote to memory of 448	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	96
PID 4108 wrote to memory of 448	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	96
PID 4108 wrote to memory of 448	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	96
PID 4108 wrote to memory of 448	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	96
PID 4108 wrote to memory of 448	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	96
PID 4108 wrote to memory of 448	4108	0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe	96
PID 448 wrote to memory of 792	448	AppLaunch.exe	97
PID 448 wrote to memory of 792	448	AppLaunch.exe	97
PID 448 wrote to memory of 792	448	AppLaunch.exe	97
PID 792 wrote to memory of 3772	792	x6258799.exe	99
PID 792 wrote to memory of 3772	792	x6258799.exe	99
PID 792 wrote to memory of 3772	792	x6258799.exe	99
PID 3772 wrote to memory of 1576	3772	x4095875.exe	100
PID 3772 wrote to memory of 1576	3772	x4095875.exe	100
PID 3772 wrote to memory of 1576	3772	x4095875.exe	100
PID 1576 wrote to memory of 2252	1576	g0709530.exe	102
PID 1576 wrote to memory of 2252	1576	g0709530.exe	102
PID 1576 wrote to memory of 2252	1576	g0709530.exe	102
PID 1576 wrote to memory of 932	1576	g0709530.exe	103
PID 1576 wrote to memory of 932	1576	g0709530.exe	103
PID 1576 wrote to memory of 932	1576	g0709530.exe	103
PID 1576 wrote to memory of 1988	1576	g0709530.exe	104
PID 1576 wrote to memory of 1988	1576	g0709530.exe	104
PID 1576 wrote to memory of 1988	1576	g0709530.exe	104
PID 1576 wrote to memory of 1988	1576	g0709530.exe	104
PID 1576 wrote to memory of 1988	1576	g0709530.exe	104
PID 1576 wrote to memory of 1988	1576	g0709530.exe	104
PID 1576 wrote to memory of 1988	1576	g0709530.exe	104
PID 1576 wrote to memory of 1988	1576	g0709530.exe	104
PID 3772 wrote to memory of 3876	3772	x4095875.exe	105
PID 3772 wrote to memory of 3876	3772	x4095875.exe	105
PID 3772 wrote to memory of 3876	3772	x4095875.exe	105

C:\Users\Admin\AppData\Local\Temp\0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe
"C:\Users\Admin\AppData\Local\Temp\0422e1ffa772ffa6c8878d7ec33216cf69fa5608bf42f1cb1449e58e4d1b5f23.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:5044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6258799.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6258799.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4095875.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4095875.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3772
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0709530.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0709530.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2252
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:932
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5782986.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5782986.exe
        5⤵
        Executes dropped EXE
        
        PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6258799.exe

Filesize
472KB

MD5
72c2f15f545956d72e62467235e1e044

SHA1
ae1f9ee91ca8c9b5b24484abc7ef2c80215d400c

SHA256
7f180f464e7d84cfbfc08e3825baeef6aec299768ac48a2fed314e95404676f6

SHA512
6efdb2c7a844149a96bc0dc109a7a2f2cc90d7dea9a8c386a9528f9e759635ee595a62f0147073f014b21be4fe9fe28fa1868061b13d18a75ba21866d34a0373

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6258799.exe

Filesize
472KB

MD5
72c2f15f545956d72e62467235e1e044

SHA1
ae1f9ee91ca8c9b5b24484abc7ef2c80215d400c

SHA256
7f180f464e7d84cfbfc08e3825baeef6aec299768ac48a2fed314e95404676f6

SHA512
6efdb2c7a844149a96bc0dc109a7a2f2cc90d7dea9a8c386a9528f9e759635ee595a62f0147073f014b21be4fe9fe28fa1868061b13d18a75ba21866d34a0373

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4095875.exe

Filesize
306KB

MD5
b883a12a8a92b77ccd65a1abfd230667

SHA1
0d1686ea863a1da5112d0a474038cc5f72a91100

SHA256
30f893300687e0813094059cedc2474674fa5044aedb483f80da78ab331619da

SHA512
eb9d4bf7b76de65eab6b09f07a40fcbb9273a0615d23dd8dbd48dff99e9afe95a23562095e6bea90e27fcef3b5df312e6ea5b1456809b9534568c0349124d2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4095875.exe

Filesize
306KB

MD5
b883a12a8a92b77ccd65a1abfd230667

SHA1
0d1686ea863a1da5112d0a474038cc5f72a91100

SHA256
30f893300687e0813094059cedc2474674fa5044aedb483f80da78ab331619da

SHA512
eb9d4bf7b76de65eab6b09f07a40fcbb9273a0615d23dd8dbd48dff99e9afe95a23562095e6bea90e27fcef3b5df312e6ea5b1456809b9534568c0349124d2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0709530.exe

Filesize
213KB

MD5
3884d7eb5035fd4994a78a7fad8a35ef

SHA1
7d548968e43105ef1b398f01bc91527c6b711cd1

SHA256
397158ff448474a71d802e3a94ea5c4f1fbc7cc419199441eab2b69b69131981

SHA512
4878e4301bc48c3c5441a29a9e90915a6b9fa8fab37add8e12aad84f74ce60797b414d7c05cd6fe0a97ab5760a3a91fb6bdbdb923f17071cb0c0f1df82f859ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0709530.exe

Filesize
213KB

MD5
3884d7eb5035fd4994a78a7fad8a35ef

SHA1
7d548968e43105ef1b398f01bc91527c6b711cd1

SHA256
397158ff448474a71d802e3a94ea5c4f1fbc7cc419199441eab2b69b69131981

SHA512
4878e4301bc48c3c5441a29a9e90915a6b9fa8fab37add8e12aad84f74ce60797b414d7c05cd6fe0a97ab5760a3a91fb6bdbdb923f17071cb0c0f1df82f859ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5782986.exe

Filesize
174KB

MD5
30ed5fdb3c55519709fe8b46283cf6d3

SHA1
70d5b1dc26b919b6eb0b4dcb035aae40b76456aa

SHA256
38edad74eef19e5a0b33ee56b0b5e439a8803e0044bf0d12bdcd4b45ff327965

SHA512
5e11e90ca7f6bbf481b77e86ba2381cc9d592c4ad7856e7e66804ed9b86e204dc77c0e2112cd675f10cab870006e1f155f305eaf953ce005239918968c6775a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i5782986.exe

Filesize
174KB

MD5
30ed5fdb3c55519709fe8b46283cf6d3

SHA1
70d5b1dc26b919b6eb0b4dcb035aae40b76456aa

SHA256
38edad74eef19e5a0b33ee56b0b5e439a8803e0044bf0d12bdcd4b45ff327965

SHA512
5e11e90ca7f6bbf481b77e86ba2381cc9d592c4ad7856e7e66804ed9b86e204dc77c0e2112cd675f10cab870006e1f155f305eaf953ce005239918968c6775a2

Download Submit
memory/448-3-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/448-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/448-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/448-39-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/448-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/1988-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1988-44-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/1988-31-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/1988-41-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/3876-30-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/3876-34-0x0000000005590000-0x000000000569A000-memory.dmp

Filesize
1.0MB

Download
memory/3876-35-0x00000000054A0000-0x00000000054B2000-memory.dmp

Filesize
72KB

Download
memory/3876-36-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/3876-37-0x0000000005500000-0x000000000553C000-memory.dmp

Filesize
240KB

Download
memory/3876-38-0x0000000005540000-0x000000000558C000-memory.dmp

Filesize
304KB

Download
memory/3876-33-0x0000000005AA0000-0x00000000060B8000-memory.dmp

Filesize
6.1MB

Download
memory/3876-40-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/3876-32-0x0000000005320000-0x0000000005326000-memory.dmp

Filesize
24KB

Download
memory/3876-42-0x0000000005370000-0x0000000005380000-memory.dmp

Filesize
64KB

Download
memory/3876-29-0x00000000009C0000-0x00000000009F0000-memory.dmp

Filesize
192KB

Download