healer | eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db

Analysis

max time kernel
138s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 03:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe
Size

1.2MB
MD5

9cb509a501dca0ca4bd43e7bd8800319
SHA1

8800bb6f3df45a90a6f581b4cd8bd22cd4962ffd
SHA256

eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db
SHA512

b5e025194912f27c8474448476b816f332a41ce508cdf6c0e32f5a7a01293cdbe8d833dc1f8f09c121c3eccd8821aec75181cdd96887fa63b0cc4b14fb916294
SSDEEP

24576:MZtxDwqN5sh/Y7VH8pdBF9lpQyz3u9hEhbfx/vhZ:MZtRH01oyzuAtVhZ

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/2212-33-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1896	x4112606.exe
4716	x8931942.exe
2096	x4459478.exe
1264	g1456264.exe
3592	h1265912.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4112606.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x8931942.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4459478.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5116 set thread context of 1884	5116	eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe	91
PID 1264 set thread context of 2212	1264	g1456264.exe	99

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2212	AppLaunch.exe
2212	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2212	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 1884	5116	eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe	91
PID 5116 wrote to memory of 1884	5116	eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe	91
PID 5116 wrote to memory of 1884	5116	eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe	91
PID 5116 wrote to memory of 1884	5116	eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe	91
PID 5116 wrote to memory of 1884	5116	eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe	91
PID 5116 wrote to memory of 1884	5116	eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe	91
PID 5116 wrote to memory of 1884	5116	eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe	91
PID 5116 wrote to memory of 1884	5116	eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe	91
PID 5116 wrote to memory of 1884	5116	eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe	91
PID 5116 wrote to memory of 1884	5116	eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe	91
PID 1884 wrote to memory of 1896	1884	AppLaunch.exe	92
PID 1884 wrote to memory of 1896	1884	AppLaunch.exe	92
PID 1884 wrote to memory of 1896	1884	AppLaunch.exe	92
PID 1896 wrote to memory of 4716	1896	x4112606.exe	94
PID 1896 wrote to memory of 4716	1896	x4112606.exe	94
PID 1896 wrote to memory of 4716	1896	x4112606.exe	94
PID 4716 wrote to memory of 2096	4716	x8931942.exe	95
PID 4716 wrote to memory of 2096	4716	x8931942.exe	95
PID 4716 wrote to memory of 2096	4716	x8931942.exe	95
PID 2096 wrote to memory of 1264	2096	x4459478.exe	96
PID 2096 wrote to memory of 1264	2096	x4459478.exe	96
PID 2096 wrote to memory of 1264	2096	x4459478.exe	96
PID 1264 wrote to memory of 4868	1264	g1456264.exe	98
PID 1264 wrote to memory of 4868	1264	g1456264.exe	98
PID 1264 wrote to memory of 4868	1264	g1456264.exe	98
PID 1264 wrote to memory of 2212	1264	g1456264.exe	99
PID 1264 wrote to memory of 2212	1264	g1456264.exe	99
PID 1264 wrote to memory of 2212	1264	g1456264.exe	99
PID 1264 wrote to memory of 2212	1264	g1456264.exe	99
PID 1264 wrote to memory of 2212	1264	g1456264.exe	99
PID 1264 wrote to memory of 2212	1264	g1456264.exe	99
PID 1264 wrote to memory of 2212	1264	g1456264.exe	99
PID 1264 wrote to memory of 2212	1264	g1456264.exe	99
PID 2096 wrote to memory of 3592	2096	x4459478.exe	100
PID 2096 wrote to memory of 3592	2096	x4459478.exe	100
PID 2096 wrote to memory of 3592	2096	x4459478.exe	100

C:\Users\Admin\AppData\Local\Temp\eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe
"C:\Users\Admin\AppData\Local\Temp\eb105aa3dd9eeca6ea432a8f1e023b96707dd39c1a5ebdb0c7466e53b08dd7db.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4112606.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4112606.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8931942.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8931942.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4459478.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4459478.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2096
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1456264.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1456264.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1265912.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1265912.exe
        6⤵
        Executes dropped EXE
        
        PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4112606.exe

Filesize
750KB

MD5
1e1e984ca01441792b0efa253a96ca4c

SHA1
700d3a718f07c7ca49b606d351f9558077d0bf32

SHA256
8814cddfeb5d32b60235d7d2431128743c9cee8d6dc005fd2a9b84624e5e9b7a

SHA512
6fd48e3061413f56a419bb727ebf70f0e6f9c6020883733ee8f21accbd8fb2d2c0270cf47725cd264255bbedc768da735c2e46ae88670e4c62d8d4224675c26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4112606.exe

Filesize
750KB

MD5
1e1e984ca01441792b0efa253a96ca4c

SHA1
700d3a718f07c7ca49b606d351f9558077d0bf32

SHA256
8814cddfeb5d32b60235d7d2431128743c9cee8d6dc005fd2a9b84624e5e9b7a

SHA512
6fd48e3061413f56a419bb727ebf70f0e6f9c6020883733ee8f21accbd8fb2d2c0270cf47725cd264255bbedc768da735c2e46ae88670e4c62d8d4224675c26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8931942.exe

Filesize
483KB

MD5
5344eba6db5ad86e75bc82eb22eb4d7a

SHA1
b37ccdb830db91d6680cc6c13a3785092713aa5c

SHA256
c62771542a7334a7dd8bb128e59279119d2749310c2251694a990cf38840fedb

SHA512
e28a24dd31cb2ed03f9fe43b626c17e9de20ee85e9f4100ef3641e4966fdb42fc3e75a11f94a333feb12acf97296ca546debc1b2d1e1b635a59fa2f4c9417694

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x8931942.exe

Filesize
483KB

MD5
5344eba6db5ad86e75bc82eb22eb4d7a

SHA1
b37ccdb830db91d6680cc6c13a3785092713aa5c

SHA256
c62771542a7334a7dd8bb128e59279119d2749310c2251694a990cf38840fedb

SHA512
e28a24dd31cb2ed03f9fe43b626c17e9de20ee85e9f4100ef3641e4966fdb42fc3e75a11f94a333feb12acf97296ca546debc1b2d1e1b635a59fa2f4c9417694

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4459478.exe

Filesize
317KB

MD5
fa83f77033b8bb337eda497b36fd350b

SHA1
c8bd45c0b0334c11dec84c8f96ee503c5a3db191

SHA256
d42a5106a52ec21132362c44f19de06ceda30031fcc6844216c818e5caaa3afd

SHA512
b5469b679780639355fd009c9311a5200878bbb3e5994113fd54a4bc8e51ab7636f2f24365a6ea2addde51f26fd3fd4a39c48dd65b99abd2529950640fc1402d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4459478.exe

Filesize
317KB

MD5
fa83f77033b8bb337eda497b36fd350b

SHA1
c8bd45c0b0334c11dec84c8f96ee503c5a3db191

SHA256
d42a5106a52ec21132362c44f19de06ceda30031fcc6844216c818e5caaa3afd

SHA512
b5469b679780639355fd009c9311a5200878bbb3e5994113fd54a4bc8e51ab7636f2f24365a6ea2addde51f26fd3fd4a39c48dd65b99abd2529950640fc1402d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1456264.exe

Filesize
230KB

MD5
f1ba3be24fbcb545485754002346efc3

SHA1
40405a04149346602ddf2f0ccde20cbd606a594d

SHA256
69d5635af160cadf82e04121eeb764b432bd1af011410aaa326f9eaba6c402b7

SHA512
9919a806ec3717fdb5ea2b6caced3ea9815a9d9cce30babbb24127fa4fb212f344ffa546883f7d055d97df2de95c63a000c81b28880ab04b8cad8ea335ae8283

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1456264.exe

Filesize
230KB

MD5
f1ba3be24fbcb545485754002346efc3

SHA1
40405a04149346602ddf2f0ccde20cbd606a594d

SHA256
69d5635af160cadf82e04121eeb764b432bd1af011410aaa326f9eaba6c402b7

SHA512
9919a806ec3717fdb5ea2b6caced3ea9815a9d9cce30babbb24127fa4fb212f344ffa546883f7d055d97df2de95c63a000c81b28880ab04b8cad8ea335ae8283

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1265912.exe

Filesize
174KB

MD5
3bc22ce44a6fe6c53fc69c5a9f7b6e3f

SHA1
549165f0a51be5ea30ff600990d34dcff58da18c

SHA256
ae9777c51e11bac77a0f4fc357066eae54ec2ff254b5941259302ce1c57dc38a

SHA512
324ba599f0ab7bb7531f9d1e4c81612e08bf9af3d4951a0ee879b1896e45f70146a1a3e134eafd45dcfa8b45f412ea911f3e42367cc49a371e19e34b985f654c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1265912.exe

Filesize
174KB

MD5
3bc22ce44a6fe6c53fc69c5a9f7b6e3f

SHA1
549165f0a51be5ea30ff600990d34dcff58da18c

SHA256
ae9777c51e11bac77a0f4fc357066eae54ec2ff254b5941259302ce1c57dc38a

SHA512
324ba599f0ab7bb7531f9d1e4c81612e08bf9af3d4951a0ee879b1896e45f70146a1a3e134eafd45dcfa8b45f412ea911f3e42367cc49a371e19e34b985f654c

Download Submit
memory/1884-18-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1884-3-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1884-2-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1884-1-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/1884-0-0x0000000000400000-0x0000000000506000-memory.dmp

Filesize
1.0MB

Download
memory/2212-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2212-50-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/2212-42-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/2212-39-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/3592-40-0x00000000025B0000-0x00000000025B6000-memory.dmp

Filesize
24KB

Download
memory/3592-41-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/3592-38-0x0000000074680000-0x0000000074E30000-memory.dmp

Filesize
7.7MB

Download
memory/3592-43-0x00000000053C0000-0x00000000059D8000-memory.dmp

Filesize
6.1MB

Download
memory/3592-44-0x0000000004EB0000-0x0000000004FBA000-memory.dmp

Filesize
1.0MB

Download
memory/3592-45-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/3592-46-0x0000000004D50000-0x0000000004D62000-memory.dmp

Filesize
72KB

Download
memory/3592-47-0x0000000004DE0000-0x0000000004E1C000-memory.dmp

Filesize
240KB

Download
memory/3592-48-0x0000000004E20000-0x0000000004E6C000-memory.dmp

Filesize
304KB

Download
memory/3592-37-0x00000000003D0000-0x0000000000400000-memory.dmp

Filesize
192KB

Download
memory/3592-51-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download