healer | 16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe
Size

1.2MB
MD5

3aa3a8b330051d89a4464bf133824d94
SHA1

2695a9849acf00209505624b254ab68658fbfd05
SHA256

16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231
SHA512

1ccc83891e2ac27ae8dd7c5c4b9b712b4bfb2996334174d0871680285ce35570635747282545fb458f74d63a28ec456255efebf7c34b617fc13ce2b6f8a8bd2b
SSDEEP

24576:jZtJSfVC7okqSyaSBm5My7ZNiEnnq3n6GXhZ:jZtJS0p/S85MyOVXhZ

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4884-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2252	x2797138.exe
4304	x2628021.exe
2844	x0302877.exe
3680	g2471009.exe
4876	h3756296.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0302877.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2797138.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2628021.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4144 set thread context of 3260	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	95
PID 3680 set thread context of 4884	3680	g2471009.exe	101

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4884	AppLaunch.exe
4884	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	AppLaunch.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 2452	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	91
PID 4144 wrote to memory of 2452	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	91
PID 4144 wrote to memory of 2452	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	91
PID 4144 wrote to memory of 1560	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	92
PID 4144 wrote to memory of 1560	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	92
PID 4144 wrote to memory of 1560	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	92
PID 4144 wrote to memory of 3064	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	93
PID 4144 wrote to memory of 3064	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	93
PID 4144 wrote to memory of 3064	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	93
PID 4144 wrote to memory of 1584	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	94
PID 4144 wrote to memory of 1584	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	94
PID 4144 wrote to memory of 1584	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	94
PID 4144 wrote to memory of 3260	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	95
PID 4144 wrote to memory of 3260	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	95
PID 4144 wrote to memory of 3260	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	95
PID 4144 wrote to memory of 3260	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	95
PID 4144 wrote to memory of 3260	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	95
PID 4144 wrote to memory of 3260	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	95
PID 4144 wrote to memory of 3260	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	95
PID 4144 wrote to memory of 3260	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	95
PID 4144 wrote to memory of 3260	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	95
PID 4144 wrote to memory of 3260	4144	16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe	95
PID 3260 wrote to memory of 2252	3260	AppLaunch.exe	96
PID 3260 wrote to memory of 2252	3260	AppLaunch.exe	96
PID 3260 wrote to memory of 2252	3260	AppLaunch.exe	96
PID 2252 wrote to memory of 4304	2252	x2797138.exe	97
PID 2252 wrote to memory of 4304	2252	x2797138.exe	97
PID 2252 wrote to memory of 4304	2252	x2797138.exe	97
PID 4304 wrote to memory of 2844	4304	x2628021.exe	98
PID 4304 wrote to memory of 2844	4304	x2628021.exe	98
PID 4304 wrote to memory of 2844	4304	x2628021.exe	98
PID 2844 wrote to memory of 3680	2844	x0302877.exe	99
PID 2844 wrote to memory of 3680	2844	x0302877.exe	99
PID 2844 wrote to memory of 3680	2844	x0302877.exe	99
PID 3680 wrote to memory of 4884	3680	g2471009.exe	101
PID 3680 wrote to memory of 4884	3680	g2471009.exe	101
PID 3680 wrote to memory of 4884	3680	g2471009.exe	101
PID 3680 wrote to memory of 4884	3680	g2471009.exe	101
PID 3680 wrote to memory of 4884	3680	g2471009.exe	101
PID 3680 wrote to memory of 4884	3680	g2471009.exe	101
PID 3680 wrote to memory of 4884	3680	g2471009.exe	101
PID 3680 wrote to memory of 4884	3680	g2471009.exe	101
PID 2844 wrote to memory of 4876	2844	x0302877.exe	102
PID 2844 wrote to memory of 4876	2844	x0302877.exe	102
PID 2844 wrote to memory of 4876	2844	x0302877.exe	102

C:\Users\Admin\AppData\Local\Temp\16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe
"C:\Users\Admin\AppData\Local\Temp\16ec33d8fc76a95937c2e02b7544ad29b5b443077ca1a05329af4ddc5f2d4231.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:2452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3260
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2797138.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2797138.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2628021.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2628021.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4304
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0302877.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0302877.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2471009.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2471009.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3756296.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3756296.exe
        6⤵
        Executes dropped EXE
        
        PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2797138.exe

Filesize
749KB

MD5
2b1aa0d2bad44e096e64bf7be9a22a22

SHA1
272cbe63e7ea7f7305357fa13daec61bb5ad5b51

SHA256
bd5a32713301bd6fe6bd125c8fefd5907ec1194ebd47f2fe8574e477c24b5ce7

SHA512
1006c9bf371d1a99b4e06f2488a8571a9dd62923c389fdc50dafb324f745e6a9c2c8875faa92bf5a78b03511b2df6eea18e21075f0f25a69a3fa613a0b403d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2797138.exe

Filesize
749KB

MD5
2b1aa0d2bad44e096e64bf7be9a22a22

SHA1
272cbe63e7ea7f7305357fa13daec61bb5ad5b51

SHA256
bd5a32713301bd6fe6bd125c8fefd5907ec1194ebd47f2fe8574e477c24b5ce7

SHA512
1006c9bf371d1a99b4e06f2488a8571a9dd62923c389fdc50dafb324f745e6a9c2c8875faa92bf5a78b03511b2df6eea18e21075f0f25a69a3fa613a0b403d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2628021.exe

Filesize
483KB

MD5
c85d1c4268a675bbf4114b1323765695

SHA1
d39dda6768a00469469aeede774620fae0523325

SHA256
102f6e8ac1ed2a2637481eaa88a762f567cd06b3a48bde993f639e037dfc061b

SHA512
86a432bc3a92ad6b12aa4b513b43d42623310c0a7ab6890db6bb34f840aa83a0be247d8317c044396cc782d4673512daa04719f49a274927dd4ddcec580e3e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2628021.exe

Filesize
483KB

MD5
c85d1c4268a675bbf4114b1323765695

SHA1
d39dda6768a00469469aeede774620fae0523325

SHA256
102f6e8ac1ed2a2637481eaa88a762f567cd06b3a48bde993f639e037dfc061b

SHA512
86a432bc3a92ad6b12aa4b513b43d42623310c0a7ab6890db6bb34f840aa83a0be247d8317c044396cc782d4673512daa04719f49a274927dd4ddcec580e3e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0302877.exe

Filesize
317KB

MD5
0a0ca8c820fb13c71e3d840bffe429a8

SHA1
e822ca717c54c5e777eb6042149ebc696163c7d3

SHA256
00ed13c121fd3d890ae5a56360ead3b2b2b649905c34d24dc85c50e51a97af0e

SHA512
47115ade674c3b20569c965d229dec4d0b94f19806e109f8829268745e3ef58fe1b459ab3a1396fb736ac318c04270df09c7dddd905e6dcf675a118a2bd72de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0302877.exe

Filesize
317KB

MD5
0a0ca8c820fb13c71e3d840bffe429a8

SHA1
e822ca717c54c5e777eb6042149ebc696163c7d3

SHA256
00ed13c121fd3d890ae5a56360ead3b2b2b649905c34d24dc85c50e51a97af0e

SHA512
47115ade674c3b20569c965d229dec4d0b94f19806e109f8829268745e3ef58fe1b459ab3a1396fb736ac318c04270df09c7dddd905e6dcf675a118a2bd72de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2471009.exe

Filesize
230KB

MD5
194b8e7f090924e380b41460e098f569

SHA1
276553941c9b31fa1c87a342960562fd9ba71c19

SHA256
ea64d37a0340a1fe1edbf6cbcee11103c83920775e656f0ae61827e5ba7ef53c

SHA512
d38b01b544be7d33808e82a8cf488b44be671efd2b6a1f80791f03db520e0f06dd1c59cff176dc7b6d6856a873d29d30be867248024fb67efd1d921bfc1b3f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2471009.exe

Filesize
230KB

MD5
194b8e7f090924e380b41460e098f569

SHA1
276553941c9b31fa1c87a342960562fd9ba71c19

SHA256
ea64d37a0340a1fe1edbf6cbcee11103c83920775e656f0ae61827e5ba7ef53c

SHA512
d38b01b544be7d33808e82a8cf488b44be671efd2b6a1f80791f03db520e0f06dd1c59cff176dc7b6d6856a873d29d30be867248024fb67efd1d921bfc1b3f8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3756296.exe

Filesize
174KB

MD5
686f2fe3c1e454279bcf84ff4f39301b

SHA1
0fce8fb4311a65edfeec22aa47c5e14f9ac83e10

SHA256
c713226be72373e4417725add81b73464b1b79e7a79f6a09757537ceb9b42830

SHA512
ef4a0266973ac5a2117e59ee92547ebdda1d3c1502c7f4c8a40745566d60f657940852c966c882f2a7066f0dc77be5bde9104d78f05272de503983c26800bff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3756296.exe

Filesize
174KB

MD5
686f2fe3c1e454279bcf84ff4f39301b

SHA1
0fce8fb4311a65edfeec22aa47c5e14f9ac83e10

SHA256
c713226be72373e4417725add81b73464b1b79e7a79f6a09757537ceb9b42830

SHA512
ef4a0266973ac5a2117e59ee92547ebdda1d3c1502c7f4c8a40745566d60f657940852c966c882f2a7066f0dc77be5bde9104d78f05272de503983c26800bff4

Download Submit
memory/3260-3-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3260-2-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3260-46-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3260-1-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/3260-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/4876-36-0x0000000000780000-0x00000000007B0000-memory.dmp

Filesize
192KB

Download
memory/4876-42-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4876-37-0x0000000002AD0000-0x0000000002AD6000-memory.dmp

Filesize
24KB

Download
memory/4876-51-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4876-40-0x0000000005880000-0x0000000005E98000-memory.dmp

Filesize
6.1MB

Download
memory/4876-41-0x0000000005370000-0x000000000547A000-memory.dmp

Filesize
1.0MB

Download
memory/4876-43-0x0000000005260000-0x0000000005272000-memory.dmp

Filesize
72KB

Download
memory/4876-38-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/4876-44-0x00000000052C0000-0x00000000052FC000-memory.dmp

Filesize
240KB

Download
memory/4876-45-0x0000000005300000-0x000000000534C000-memory.dmp

Filesize
304KB

Download
memory/4876-47-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/4884-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4884-48-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/4884-50-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/4884-39-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download