healer | 273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f

Analysis

max time kernel
138s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe
Size

1.2MB
MD5

e966df11efdda51785f917fcf54d65f6
SHA1

3b9a75625a144164befcd2efc93f781633968309
SHA256

273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f
SHA512

ba925d35836375573725a7822d5f4a00e876d2880d920da46a8947742efca56ec57d3ea9adc80240d254dcc4adf80f1bee6163c798196a46a4de8b10692cd4ff
SSDEEP

24576:ApWiJ3ocpaIUmUn0MuXJ6wAPvaIJ8N/1OzmSQbPjvI7Ic1G:YWiJ3D1LMcEva28/8mSXsc1G

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/2420-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4056	x6203690.exe
532	x1661893.exe
4540	x0213046.exe
1452	g2441596.exe
5040	h1168188.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6203690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1661893.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x0213046.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3628 set thread context of 4848	3628	273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe	91
PID 1452 set thread context of 2420	1452	g2441596.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2420	AppLaunch.exe
2420	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4848	3628	273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe	91
PID 3628 wrote to memory of 4848	3628	273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe	91
PID 3628 wrote to memory of 4848	3628	273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe	91
PID 3628 wrote to memory of 4848	3628	273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe	91
PID 3628 wrote to memory of 4848	3628	273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe	91
PID 3628 wrote to memory of 4848	3628	273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe	91
PID 3628 wrote to memory of 4848	3628	273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe	91
PID 3628 wrote to memory of 4848	3628	273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe	91
PID 3628 wrote to memory of 4848	3628	273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe	91
PID 3628 wrote to memory of 4848	3628	273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe	91
PID 4848 wrote to memory of 4056	4848	AppLaunch.exe	92
PID 4848 wrote to memory of 4056	4848	AppLaunch.exe	92
PID 4848 wrote to memory of 4056	4848	AppLaunch.exe	92
PID 4056 wrote to memory of 532	4056	x6203690.exe	93
PID 4056 wrote to memory of 532	4056	x6203690.exe	93
PID 4056 wrote to memory of 532	4056	x6203690.exe	93
PID 532 wrote to memory of 4540	532	x1661893.exe	94
PID 532 wrote to memory of 4540	532	x1661893.exe	94
PID 532 wrote to memory of 4540	532	x1661893.exe	94
PID 4540 wrote to memory of 1452	4540	x0213046.exe	95
PID 4540 wrote to memory of 1452	4540	x0213046.exe	95
PID 4540 wrote to memory of 1452	4540	x0213046.exe	95
PID 1452 wrote to memory of 2420	1452	g2441596.exe	97
PID 1452 wrote to memory of 2420	1452	g2441596.exe	97
PID 1452 wrote to memory of 2420	1452	g2441596.exe	97
PID 1452 wrote to memory of 2420	1452	g2441596.exe	97
PID 1452 wrote to memory of 2420	1452	g2441596.exe	97
PID 1452 wrote to memory of 2420	1452	g2441596.exe	97
PID 1452 wrote to memory of 2420	1452	g2441596.exe	97
PID 1452 wrote to memory of 2420	1452	g2441596.exe	97
PID 4540 wrote to memory of 5040	4540	x0213046.exe	98
PID 4540 wrote to memory of 5040	4540	x0213046.exe	98
PID 4540 wrote to memory of 5040	4540	x0213046.exe	98

C:\Users\Admin\AppData\Local\Temp\273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe
"C:\Users\Admin\AppData\Local\Temp\273a02119052ba2c3daaa34c73b21a2b9eacdfcd8a642a643702f04c4674303f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6203690.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6203690.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1661893.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1661893.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:532
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0213046.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0213046.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4540
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2441596.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2441596.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1168188.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1168188.exe
        6⤵
        Executes dropped EXE
        
        PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6203690.exe

Filesize
744KB

MD5
b991febbfe4a523d012d1085fd61c46a

SHA1
0de95324ce8709d26f8875576077d1c559a2bf30

SHA256
deb07621246548932997e943c011ba46ba65627148d289e27d100206a3bd3848

SHA512
04770dd0014ba7ac02807dd5a873901e44e2bdb24e4442a00cd306482bc4a5f21c99498b930913fe57220a7a05d9c262701be7a2d052c82362b8a4f46d695c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6203690.exe

Filesize
744KB

MD5
b991febbfe4a523d012d1085fd61c46a

SHA1
0de95324ce8709d26f8875576077d1c559a2bf30

SHA256
deb07621246548932997e943c011ba46ba65627148d289e27d100206a3bd3848

SHA512
04770dd0014ba7ac02807dd5a873901e44e2bdb24e4442a00cd306482bc4a5f21c99498b930913fe57220a7a05d9c262701be7a2d052c82362b8a4f46d695c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1661893.exe

Filesize
480KB

MD5
7ca92b1cb0eea6d30f8cbdacb0e9c650

SHA1
4044c62fb6e1131f23258a0622b9cae0edb40564

SHA256
d60f878a5292f31838793d20739eb6806630925f3bccbe709bcbc40720cc57ca

SHA512
a2dd7c839fadaae8ff083ad9a54df3c09706747d9fd46087035b854c8984011e4c9830b2a9f878a28316f71784f654c7390c7221cfdec1145f430dee02fd2ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1661893.exe

Filesize
480KB

MD5
7ca92b1cb0eea6d30f8cbdacb0e9c650

SHA1
4044c62fb6e1131f23258a0622b9cae0edb40564

SHA256
d60f878a5292f31838793d20739eb6806630925f3bccbe709bcbc40720cc57ca

SHA512
a2dd7c839fadaae8ff083ad9a54df3c09706747d9fd46087035b854c8984011e4c9830b2a9f878a28316f71784f654c7390c7221cfdec1145f430dee02fd2ffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0213046.exe

Filesize
314KB

MD5
de9e678b53c72f5206e265d8849765e8

SHA1
8886b1684cd08b4f8c648b846ff2f8595615791a

SHA256
edd114f766705f7e3852e3bf2d38252d16c54239de2ebdf01fa588cc98ae4559

SHA512
9d7417b9eb6b49e2d7d29c3a569d430fdd5a88021019ac474f20dc389e9f900660b384a6157937c1556bd642eee41b7a0861c5be241e114a9d29a231d0b326fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x0213046.exe

Filesize
314KB

MD5
de9e678b53c72f5206e265d8849765e8

SHA1
8886b1684cd08b4f8c648b846ff2f8595615791a

SHA256
edd114f766705f7e3852e3bf2d38252d16c54239de2ebdf01fa588cc98ae4559

SHA512
9d7417b9eb6b49e2d7d29c3a569d430fdd5a88021019ac474f20dc389e9f900660b384a6157937c1556bd642eee41b7a0861c5be241e114a9d29a231d0b326fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2441596.exe

Filesize
229KB

MD5
270fdaf7f056e81bddfc1d15edb1d982

SHA1
68943efba3fca6831929fea9e066f4869fdb48ea

SHA256
caf0afe890d90022125b730cfe3ea752d54c59257561395ea079190a9ceb161d

SHA512
4314b29d2b52e586dfdeecfeb20e5ca3b2282901773471f5819ebdf182854d6d5af6485608db024ac4be008bfd0f0e1b71823b3d27d65304be8238957149562d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g2441596.exe

Filesize
229KB

MD5
270fdaf7f056e81bddfc1d15edb1d982

SHA1
68943efba3fca6831929fea9e066f4869fdb48ea

SHA256
caf0afe890d90022125b730cfe3ea752d54c59257561395ea079190a9ceb161d

SHA512
4314b29d2b52e586dfdeecfeb20e5ca3b2282901773471f5819ebdf182854d6d5af6485608db024ac4be008bfd0f0e1b71823b3d27d65304be8238957149562d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1168188.exe

Filesize
174KB

MD5
a46d071dd3b2282ec66cf03b5f2e6eae

SHA1
233d6992328a58d45e5ae7c69714d65b9d6f8ec8

SHA256
c935edaec97e1ac7756af7550c8678ecb2c667763b20adcb02aa5d77d15f5279

SHA512
ae2abcbf219af047e6a95a44d60a68aa7842c9a5d10413f8a587fdd9349fefbceefee2fc430d9f144a4f9f40054956d33507c4b8a5a950956b6a00f492271f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1168188.exe

Filesize
174KB

MD5
a46d071dd3b2282ec66cf03b5f2e6eae

SHA1
233d6992328a58d45e5ae7c69714d65b9d6f8ec8

SHA256
c935edaec97e1ac7756af7550c8678ecb2c667763b20adcb02aa5d77d15f5279

SHA512
ae2abcbf219af047e6a95a44d60a68aa7842c9a5d10413f8a587fdd9349fefbceefee2fc430d9f144a4f9f40054956d33507c4b8a5a950956b6a00f492271f57

Download Submit
memory/2420-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2420-36-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2420-50-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/2420-47-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/4848-46-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4848-2-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4848-1-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4848-0-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/4848-3-0x0000000000400000-0x0000000000504000-memory.dmp

Filesize
1.0MB

Download
memory/5040-37-0x00000000000F0000-0x0000000000120000-memory.dmp

Filesize
192KB

Download
memory/5040-41-0x0000000004CA0000-0x0000000004DAA000-memory.dmp

Filesize
1.0MB

Download
memory/5040-43-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/5040-42-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download
memory/5040-44-0x0000000004C20000-0x0000000004C5C000-memory.dmp

Filesize
240KB

Download
memory/5040-45-0x0000000004DB0000-0x0000000004DFC000-memory.dmp

Filesize
304KB

Download
memory/5040-40-0x00000000051B0000-0x00000000057C8000-memory.dmp

Filesize
6.1MB

Download
memory/5040-38-0x00000000025C0000-0x00000000025C6000-memory.dmp

Filesize
24KB

Download
memory/5040-48-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/5040-39-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/5040-51-0x0000000004B80000-0x0000000004B90000-memory.dmp

Filesize
64KB

Download