healer | 0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9

Analysis

max time kernel
145s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe
Size

1.2MB
MD5

870a986bde08a35ba78fc02686a0e147
SHA1

ea25f929b1771fd9befe90096f5f53193a24904d
SHA256

0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9
SHA512

5de72f58b8e4dcca9efc5942caccd1082cc83962612fc1684f6e6e7ab24e0296cfedd0b4056968fac561d1c60be9e7909d89cb3c45a4beff644080a1b5f3da3e
SSDEEP

24576:49q+V4zY5k0GF8JNX4T7rXRKdz9F1MNm20q0K9Y/ZwbwUkG:Eq+V4dIJ6ThKZlMNmrf5ZwcdG

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4428-33-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2160	x9023953.exe
3960	x6961114.exe
1856	x6164437.exe
1000	g0409734.exe
4708	h2388824.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x6164437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9023953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6961114.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5064 set thread context of 3560	5064	0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe	81
PID 1000 set thread context of 4428	1000	g0409734.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4428	AppLaunch.exe
4428	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4428	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 3560	5064	0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe	81
PID 5064 wrote to memory of 3560	5064	0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe	81
PID 5064 wrote to memory of 3560	5064	0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe	81
PID 5064 wrote to memory of 3560	5064	0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe	81
PID 5064 wrote to memory of 3560	5064	0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe	81
PID 5064 wrote to memory of 3560	5064	0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe	81
PID 5064 wrote to memory of 3560	5064	0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe	81
PID 5064 wrote to memory of 3560	5064	0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe	81
PID 5064 wrote to memory of 3560	5064	0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe	81
PID 5064 wrote to memory of 3560	5064	0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe	81
PID 3560 wrote to memory of 2160	3560	AppLaunch.exe	84
PID 3560 wrote to memory of 2160	3560	AppLaunch.exe	84
PID 3560 wrote to memory of 2160	3560	AppLaunch.exe	84
PID 2160 wrote to memory of 3960	2160	x9023953.exe	86
PID 2160 wrote to memory of 3960	2160	x9023953.exe	86
PID 2160 wrote to memory of 3960	2160	x9023953.exe	86
PID 3960 wrote to memory of 1856	3960	x6961114.exe	87
PID 3960 wrote to memory of 1856	3960	x6961114.exe	87
PID 3960 wrote to memory of 1856	3960	x6961114.exe	87
PID 1856 wrote to memory of 1000	1856	x6164437.exe	88
PID 1856 wrote to memory of 1000	1856	x6164437.exe	88
PID 1856 wrote to memory of 1000	1856	x6164437.exe	88
PID 1000 wrote to memory of 4428	1000	g0409734.exe	90
PID 1000 wrote to memory of 4428	1000	g0409734.exe	90
PID 1000 wrote to memory of 4428	1000	g0409734.exe	90
PID 1000 wrote to memory of 4428	1000	g0409734.exe	90
PID 1000 wrote to memory of 4428	1000	g0409734.exe	90
PID 1000 wrote to memory of 4428	1000	g0409734.exe	90
PID 1000 wrote to memory of 4428	1000	g0409734.exe	90
PID 1000 wrote to memory of 4428	1000	g0409734.exe	90
PID 1856 wrote to memory of 4708	1856	x6164437.exe	91
PID 1856 wrote to memory of 4708	1856	x6164437.exe	91
PID 1856 wrote to memory of 4708	1856	x6164437.exe	91

C:\Users\Admin\AppData\Local\Temp\0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe
"C:\Users\Admin\AppData\Local\Temp\0c78a466c229ba641b210b42b62b377b721c7c3a6bdc24f4333bcf0293028ec9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9023953.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9023953.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6961114.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6961114.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3960
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6164437.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6164437.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0409734.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0409734.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2388824.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2388824.exe
        6⤵
        Executes dropped EXE
        
        PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9023953.exe

Filesize
744KB

MD5
441037d1810e373cfcf3c759b65492fc

SHA1
4cb0067209fbc4b35fe3c9d8fabf9ba3d8aa00ad

SHA256
b2060772a9dc7eb475132c2dc3b58a51ebd4a7304338d4f22fb966ee0445bc1e

SHA512
d94b7902ed8672fc8115607808cee2b3bfb1fa6f565f4361200b6fa074c883dc2b6541709f566d7cb93452624d31a7a29ad9d24af48a7dbe1dfdc7b6c96fa384

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9023953.exe

Filesize
744KB

MD5
441037d1810e373cfcf3c759b65492fc

SHA1
4cb0067209fbc4b35fe3c9d8fabf9ba3d8aa00ad

SHA256
b2060772a9dc7eb475132c2dc3b58a51ebd4a7304338d4f22fb966ee0445bc1e

SHA512
d94b7902ed8672fc8115607808cee2b3bfb1fa6f565f4361200b6fa074c883dc2b6541709f566d7cb93452624d31a7a29ad9d24af48a7dbe1dfdc7b6c96fa384

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6961114.exe

Filesize
480KB

MD5
f7ba17f438e9d510001e6aa754ef3a9a

SHA1
78e8058d47fa55971ef767a05dd2ebfe71380f0f

SHA256
7fc8a9328c962bca0caa0ab9fa3a3c39f6c72d1b8e1a696400e534d813122f84

SHA512
2e4873e6e47bd78cc61445c21e0e63c8c143d8eb872b9793ebff2e5acc5f5da7f224773e8511cc1f973daa1c4faea1346abd69e50451dc687b6fe36d8d9311b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6961114.exe

Filesize
480KB

MD5
f7ba17f438e9d510001e6aa754ef3a9a

SHA1
78e8058d47fa55971ef767a05dd2ebfe71380f0f

SHA256
7fc8a9328c962bca0caa0ab9fa3a3c39f6c72d1b8e1a696400e534d813122f84

SHA512
2e4873e6e47bd78cc61445c21e0e63c8c143d8eb872b9793ebff2e5acc5f5da7f224773e8511cc1f973daa1c4faea1346abd69e50451dc687b6fe36d8d9311b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6164437.exe

Filesize
314KB

MD5
936ab66e2dd543643004f206c4f146e7

SHA1
f714edb5920c3221f235219cbb906c9479c2ac39

SHA256
8e26c676744a1124758eab23e38bedf8b663b24ddc0ce2242fd0c79c14e551c8

SHA512
e131db4fd4b2c5439bcfa45fa62665bf155a68ae511d2cc6edecf7c05ecdf44fce8649c387136f51ba905d95c8713912bbd2c35d4e1fe809c7c51941e0c917a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6164437.exe

Filesize
314KB

MD5
936ab66e2dd543643004f206c4f146e7

SHA1
f714edb5920c3221f235219cbb906c9479c2ac39

SHA256
8e26c676744a1124758eab23e38bedf8b663b24ddc0ce2242fd0c79c14e551c8

SHA512
e131db4fd4b2c5439bcfa45fa62665bf155a68ae511d2cc6edecf7c05ecdf44fce8649c387136f51ba905d95c8713912bbd2c35d4e1fe809c7c51941e0c917a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0409734.exe

Filesize
229KB

MD5
078a483cb25a9d1685338f2630177a44

SHA1
a01bbdd5b9eb3f82b84311eee2d31e424718f50d

SHA256
b3d8c68a2d5542a1c0c05fc5dc5eb9a3d5bf6bc77f9456e004be1158493433db

SHA512
d57c91cfce4bb6bf77ef7a7876f4561bf80f7d20dc8f742e530c34f84478ade80b1d4cfb08e20ed565702d20ec8c3986fa6b8c54d18909e73489481c8ef7215d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0409734.exe

Filesize
229KB

MD5
078a483cb25a9d1685338f2630177a44

SHA1
a01bbdd5b9eb3f82b84311eee2d31e424718f50d

SHA256
b3d8c68a2d5542a1c0c05fc5dc5eb9a3d5bf6bc77f9456e004be1158493433db

SHA512
d57c91cfce4bb6bf77ef7a7876f4561bf80f7d20dc8f742e530c34f84478ade80b1d4cfb08e20ed565702d20ec8c3986fa6b8c54d18909e73489481c8ef7215d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2388824.exe

Filesize
174KB

MD5
7879683e3a16d66438ea0409c2bf0974

SHA1
360f53047c2ad9e9655f5c1d384bd5ff98d1d2b3

SHA256
11ba64d02dcef36e94f40075d97e2b807bcb30091cbbbe42ef23e29cb1a2378f

SHA512
788967bd31ffeb528cd5960cb77b89c25418a00c65b3b2d3d5c3332e09f1254ad7736e86090f7e02dbd82b09cdbda6d79cfc8a19a2fac5dae582351ac05db43d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h2388824.exe

Filesize
174KB

MD5
7879683e3a16d66438ea0409c2bf0974

SHA1
360f53047c2ad9e9655f5c1d384bd5ff98d1d2b3

SHA256
11ba64d02dcef36e94f40075d97e2b807bcb30091cbbbe42ef23e29cb1a2378f

SHA512
788967bd31ffeb528cd5960cb77b89c25418a00c65b3b2d3d5c3332e09f1254ad7736e86090f7e02dbd82b09cdbda6d79cfc8a19a2fac5dae582351ac05db43d

Download Submit
memory/3560-11-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3560-3-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3560-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3560-1-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3560-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4428-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4428-48-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4428-38-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4428-42-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4708-40-0x0000000005590000-0x0000000005596000-memory.dmp

Filesize
24KB

Download
memory/4708-41-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4708-39-0x0000000000C70000-0x0000000000CA0000-memory.dmp

Filesize
192KB

Download
memory/4708-43-0x0000000005CD0000-0x00000000062E8000-memory.dmp

Filesize
6.1MB

Download
memory/4708-44-0x0000000005840000-0x000000000594A000-memory.dmp

Filesize
1.0MB

Download
memory/4708-45-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/4708-46-0x0000000005780000-0x0000000005792000-memory.dmp

Filesize
72KB

Download
memory/4708-37-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4708-49-0x00000000057E0000-0x000000000581C000-memory.dmp

Filesize
240KB

Download
memory/4708-50-0x0000000005950000-0x000000000599C000-memory.dmp

Filesize
304KB

Download
memory/4708-51-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download