healer | 46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee

Analysis

max time kernel
148s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe
Size

1.2MB
MD5

0807974f1d38a15397f3b5c102ece74b
SHA1

5ecc71351c4f56d9adc5581ade4aea0206ca009b
SHA256

46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee
SHA512

d425427f32e9f307c03382b53183924b46bda7db6300d8b0430d1eb15ccc82bd4b8ec5f285101609ed4a571fb6748561973b04382d5c37779b572db6c971687b
SSDEEP

24576:n74crpNHAs6ry4pL4hlVdF25Bi47dFg965HNsWOf3lW9wTxiwjLVmJG:74crzHAZxp0h3gM47qSeWOf3WwMwQJG

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/3940-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2384	x0730625.exe
2176	x2547606.exe
3204	x4222639.exe
2464	g0432772.exe
624	h1187597.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4222639.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0730625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2547606.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4992 set thread context of 1424	4992	46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe	89
PID 2464 set thread context of 3940	2464	g0432772.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3940	AppLaunch.exe
3940	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 1424	4992	46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe	89
PID 4992 wrote to memory of 1424	4992	46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe	89
PID 4992 wrote to memory of 1424	4992	46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe	89
PID 4992 wrote to memory of 1424	4992	46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe	89
PID 4992 wrote to memory of 1424	4992	46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe	89
PID 4992 wrote to memory of 1424	4992	46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe	89
PID 4992 wrote to memory of 1424	4992	46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe	89
PID 4992 wrote to memory of 1424	4992	46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe	89
PID 4992 wrote to memory of 1424	4992	46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe	89
PID 4992 wrote to memory of 1424	4992	46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe	89
PID 1424 wrote to memory of 2384	1424	AppLaunch.exe	90
PID 1424 wrote to memory of 2384	1424	AppLaunch.exe	90
PID 1424 wrote to memory of 2384	1424	AppLaunch.exe	90
PID 2384 wrote to memory of 2176	2384	x0730625.exe	93
PID 2384 wrote to memory of 2176	2384	x0730625.exe	93
PID 2384 wrote to memory of 2176	2384	x0730625.exe	93
PID 2176 wrote to memory of 3204	2176	x2547606.exe	94
PID 2176 wrote to memory of 3204	2176	x2547606.exe	94
PID 2176 wrote to memory of 3204	2176	x2547606.exe	94
PID 3204 wrote to memory of 2464	3204	x4222639.exe	95
PID 3204 wrote to memory of 2464	3204	x4222639.exe	95
PID 3204 wrote to memory of 2464	3204	x4222639.exe	95
PID 2464 wrote to memory of 3940	2464	g0432772.exe	97
PID 2464 wrote to memory of 3940	2464	g0432772.exe	97
PID 2464 wrote to memory of 3940	2464	g0432772.exe	97
PID 2464 wrote to memory of 3940	2464	g0432772.exe	97
PID 2464 wrote to memory of 3940	2464	g0432772.exe	97
PID 2464 wrote to memory of 3940	2464	g0432772.exe	97
PID 2464 wrote to memory of 3940	2464	g0432772.exe	97
PID 2464 wrote to memory of 3940	2464	g0432772.exe	97
PID 3204 wrote to memory of 624	3204	x4222639.exe	98
PID 3204 wrote to memory of 624	3204	x4222639.exe	98
PID 3204 wrote to memory of 624	3204	x4222639.exe	98

C:\Users\Admin\AppData\Local\Temp\46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe
"C:\Users\Admin\AppData\Local\Temp\46dc4cbed6cf12ca135e5836feaa130bfdda31513669cb34e4be103ce88a66ee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0730625.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0730625.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2547606.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2547606.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4222639.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4222639.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3204
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0432772.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0432772.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1187597.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1187597.exe
        6⤵
        Executes dropped EXE
        
        PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0730625.exe

Filesize
744KB

MD5
b972a7cbd9032f0cc04e0c64fe8f22d7

SHA1
63953f6c5a9704040fbea98c4427575bbe94a282

SHA256
148595643682d6ee478b59d2e3648335f717a2187198c5cc538ae5f735ef132c

SHA512
1656e1a8812c11bc98681a0da438e47f837983cf60735f5e27d7d331e466d66c77194dbd1027f8db454b9dd89c337300e2b42e5c78352a9c02d311564ac139fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0730625.exe

Filesize
744KB

MD5
b972a7cbd9032f0cc04e0c64fe8f22d7

SHA1
63953f6c5a9704040fbea98c4427575bbe94a282

SHA256
148595643682d6ee478b59d2e3648335f717a2187198c5cc538ae5f735ef132c

SHA512
1656e1a8812c11bc98681a0da438e47f837983cf60735f5e27d7d331e466d66c77194dbd1027f8db454b9dd89c337300e2b42e5c78352a9c02d311564ac139fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2547606.exe

Filesize
480KB

MD5
a9844931f3f6c087cdbbf4d42f2a83ed

SHA1
d375c294022ec8eb4f63e5b7d79f95acf880c699

SHA256
86e314057f4e02d0cf6ed27fa26c5bf0f974fc69066b253db3a11b7aebef6a99

SHA512
d2ac2400b2183668ee908feedf58da01177768007f4d27f39f8a740cd3b69e6f7753b2ab0f04f4c63ed34e43c30c37562c22671d93a45eeba75c4b3fe63f324c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2547606.exe

Filesize
480KB

MD5
a9844931f3f6c087cdbbf4d42f2a83ed

SHA1
d375c294022ec8eb4f63e5b7d79f95acf880c699

SHA256
86e314057f4e02d0cf6ed27fa26c5bf0f974fc69066b253db3a11b7aebef6a99

SHA512
d2ac2400b2183668ee908feedf58da01177768007f4d27f39f8a740cd3b69e6f7753b2ab0f04f4c63ed34e43c30c37562c22671d93a45eeba75c4b3fe63f324c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4222639.exe

Filesize
315KB

MD5
92bf8aefa017b11d01f8c4e4eedc4a89

SHA1
c22b2eabcd56437a71137bb6e88336b073bf9a8b

SHA256
d3ace32b37a42381dadf82f8acc5bff8d063545ba09b11c2c699abd33d766786

SHA512
1e7a94737cb3836ff66f4c680fc18fc8fcfde602ac5de388391646d62f025aebcaaee55a33e1e5264c6594b14a1e75becdbd58380e80ab5372871c55ce97af88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4222639.exe

Filesize
315KB

MD5
92bf8aefa017b11d01f8c4e4eedc4a89

SHA1
c22b2eabcd56437a71137bb6e88336b073bf9a8b

SHA256
d3ace32b37a42381dadf82f8acc5bff8d063545ba09b11c2c699abd33d766786

SHA512
1e7a94737cb3836ff66f4c680fc18fc8fcfde602ac5de388391646d62f025aebcaaee55a33e1e5264c6594b14a1e75becdbd58380e80ab5372871c55ce97af88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0432772.exe

Filesize
229KB

MD5
b24e77957a400b9516a82787dcac0673

SHA1
ad17d0bb35df095b3435b52deee37ec1ad51a398

SHA256
0813bc6da0b2cdce3f54656156a33d97be8b2ba7551fad4b9989bca01c16eff5

SHA512
9bd172026269fa8c2fd3142089b2e8a9767ab29d2fc636b1b84ccd3c6143d1bcaa7b366ffbae8a1bdca49744a75a164a29488059635907ce414bf69e31771455

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0432772.exe

Filesize
229KB

MD5
b24e77957a400b9516a82787dcac0673

SHA1
ad17d0bb35df095b3435b52deee37ec1ad51a398

SHA256
0813bc6da0b2cdce3f54656156a33d97be8b2ba7551fad4b9989bca01c16eff5

SHA512
9bd172026269fa8c2fd3142089b2e8a9767ab29d2fc636b1b84ccd3c6143d1bcaa7b366ffbae8a1bdca49744a75a164a29488059635907ce414bf69e31771455

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1187597.exe

Filesize
174KB

MD5
a0b7f9fb8e7d623ac88e6050aaa669d1

SHA1
b21ffa54bbd25e75409cff048782761a8d5715f1

SHA256
32a418064c3a33c4536f6ada5e3eed1a721608323d59d728501eee1fc81ac65b

SHA512
98d57dd28862fc17f35ecb2f2cea39dfac002f1820b48ff6f61b848961f049d591bda66d9920672c15c0a0d3802b8a2ce9049fb82115865ab8395154463eccdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1187597.exe

Filesize
174KB

MD5
a0b7f9fb8e7d623ac88e6050aaa669d1

SHA1
b21ffa54bbd25e75409cff048782761a8d5715f1

SHA256
32a418064c3a33c4536f6ada5e3eed1a721608323d59d728501eee1fc81ac65b

SHA512
98d57dd28862fc17f35ecb2f2cea39dfac002f1820b48ff6f61b848961f049d591bda66d9920672c15c0a0d3802b8a2ce9049fb82115865ab8395154463eccdc

Download Submit
memory/624-46-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/624-38-0x00000000008E0000-0x0000000000910000-memory.dmp

Filesize
192KB

Download
memory/624-39-0x0000000005240000-0x0000000005246000-memory.dmp

Filesize
24KB

Download
memory/624-45-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/624-43-0x000000000A7D0000-0x000000000A7E2000-memory.dmp

Filesize
72KB

Download
memory/624-42-0x000000000A890000-0x000000000A99A000-memory.dmp

Filesize
1.0MB

Download
memory/624-37-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/624-41-0x000000000AD80000-0x000000000B398000-memory.dmp

Filesize
6.1MB

Download
memory/624-51-0x00000000052D0000-0x00000000052E0000-memory.dmp

Filesize
64KB

Download
memory/624-48-0x000000000A9A0000-0x000000000A9EC000-memory.dmp

Filesize
304KB

Download
memory/624-47-0x000000000A830000-0x000000000A86C000-memory.dmp

Filesize
240KB

Download
memory/1424-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1424-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1424-40-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1424-1-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1424-3-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3940-36-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-44-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-50-0x0000000074210000-0x00000000749C0000-memory.dmp

Filesize
7.7MB

Download
memory/3940-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download