healer | 3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd

Analysis

max time kernel
142s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe
Size

1.2MB
MD5

48696f23706f300c52b22b0f6bf64442
SHA1

c22fae747bbe2750aa0d189bde85889a9dc64c1c
SHA256

3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd
SHA512

debf7e0241a96a9e91c2c22852ebd46a96edf789bd9a1d950df3fee0f13db00b1463e860917b0b2fc35c34dcdd0d1058498d890ad3dbf9717f05c39533147b40
SSDEEP

24576:974cru7u4Ww72pJpu1tZN+uaJVobWLSZLnE0P40VwOCiUaxG:x4cruzf7kTmtPJAoKeZccG

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/3364-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1208	x3006093.exe
4200	x0267829.exe
1080	x8998236.exe
1056	g5914923.exe
3236	h1660691.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3006093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0267829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x8998236.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4640 set thread context of 452	4640	3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe	91
PID 1056 set thread context of 3364	1056	g5914923.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3364	AppLaunch.exe
3364	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3364	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 452	4640	3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe	91
PID 4640 wrote to memory of 452	4640	3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe	91
PID 4640 wrote to memory of 452	4640	3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe	91
PID 4640 wrote to memory of 452	4640	3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe	91
PID 4640 wrote to memory of 452	4640	3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe	91
PID 4640 wrote to memory of 452	4640	3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe	91
PID 4640 wrote to memory of 452	4640	3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe	91
PID 4640 wrote to memory of 452	4640	3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe	91
PID 4640 wrote to memory of 452	4640	3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe	91
PID 4640 wrote to memory of 452	4640	3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe	91
PID 452 wrote to memory of 1208	452	AppLaunch.exe	92
PID 452 wrote to memory of 1208	452	AppLaunch.exe	92
PID 452 wrote to memory of 1208	452	AppLaunch.exe	92
PID 1208 wrote to memory of 4200	1208	x3006093.exe	93
PID 1208 wrote to memory of 4200	1208	x3006093.exe	93
PID 1208 wrote to memory of 4200	1208	x3006093.exe	93
PID 4200 wrote to memory of 1080	4200	x0267829.exe	94
PID 4200 wrote to memory of 1080	4200	x0267829.exe	94
PID 4200 wrote to memory of 1080	4200	x0267829.exe	94
PID 1080 wrote to memory of 1056	1080	x8998236.exe	95
PID 1080 wrote to memory of 1056	1080	x8998236.exe	95
PID 1080 wrote to memory of 1056	1080	x8998236.exe	95
PID 1056 wrote to memory of 3364	1056	g5914923.exe	97
PID 1056 wrote to memory of 3364	1056	g5914923.exe	97
PID 1056 wrote to memory of 3364	1056	g5914923.exe	97
PID 1056 wrote to memory of 3364	1056	g5914923.exe	97
PID 1056 wrote to memory of 3364	1056	g5914923.exe	97
PID 1056 wrote to memory of 3364	1056	g5914923.exe	97
PID 1056 wrote to memory of 3364	1056	g5914923.exe	97
PID 1056 wrote to memory of 3364	1056	g5914923.exe	97
PID 1080 wrote to memory of 3236	1080	x8998236.exe	98
PID 1080 wrote to memory of 3236	1080	x8998236.exe	98
PID 1080 wrote to memory of 3236	1080	x8998236.exe	98

C:\Users\Admin\AppData\Local\Temp\3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe
"C:\Users\Admin\AppData\Local\Temp\3ba1af93660639e5b231599060ff30a39fbea202f44272cd230bdc7a80715afd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3006093.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3006093.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0267829.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0267829.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4200
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8998236.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8998236.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1080
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5914923.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5914923.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1660691.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1660691.exe
        6⤵
        Executes dropped EXE
        
        PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3006093.exe

Filesize
745KB

MD5
853c7f3c282bf4c0f7e031c1a3dfaa62

SHA1
b8f0a1d8c29a49f7ad5a6cca606ba40e46567fca

SHA256
4231b570c6acef4bba875727f37448924f4e62804447fec73e27263e04cd9dc4

SHA512
585f0eca13b24c93184bbd1c703bbfd1e970569898fec8eefd87c772d6b24472541928b0f7573af092db40b7d7515ae4e541658aeee73177f50d5c028dd616b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3006093.exe

Filesize
745KB

MD5
853c7f3c282bf4c0f7e031c1a3dfaa62

SHA1
b8f0a1d8c29a49f7ad5a6cca606ba40e46567fca

SHA256
4231b570c6acef4bba875727f37448924f4e62804447fec73e27263e04cd9dc4

SHA512
585f0eca13b24c93184bbd1c703bbfd1e970569898fec8eefd87c772d6b24472541928b0f7573af092db40b7d7515ae4e541658aeee73177f50d5c028dd616b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0267829.exe

Filesize
480KB

MD5
d996e2d758c1c58737964bd2ff1d4bc5

SHA1
cec0de1354c5cf7d4bd3f7a4ecab61b5ad78e2ad

SHA256
be1c2fd4d45b0626ede2e6c88169b371c3adca841c097ac98ac081ee05941342

SHA512
5ae70a78e9bd12638c2e75fc3218f94ec7da30a979ec20570a36d8a042625233262726aa0db3f7918cb9d02a614486ab4aa1ea1c477be802ff9c46d87ac130be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0267829.exe

Filesize
480KB

MD5
d996e2d758c1c58737964bd2ff1d4bc5

SHA1
cec0de1354c5cf7d4bd3f7a4ecab61b5ad78e2ad

SHA256
be1c2fd4d45b0626ede2e6c88169b371c3adca841c097ac98ac081ee05941342

SHA512
5ae70a78e9bd12638c2e75fc3218f94ec7da30a979ec20570a36d8a042625233262726aa0db3f7918cb9d02a614486ab4aa1ea1c477be802ff9c46d87ac130be

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8998236.exe

Filesize
315KB

MD5
be5df1f31cc428dc5755c1cfed611f08

SHA1
c3c6be95e340d8c3575afd5eafb4f20cae9d41bc

SHA256
b38319bd34df44b083f2e61ed96c5d2bc59963994779d2af2ec3ec9bbe19c17c

SHA512
d3ed7765d5c21047aa9a13f6366350a6e4a33efa3715fbdfbab2cb910bcff73903bfc5dac84d4d3d153939ded130b5535e762c9f806bba7caf8dda94abf31abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x8998236.exe

Filesize
315KB

MD5
be5df1f31cc428dc5755c1cfed611f08

SHA1
c3c6be95e340d8c3575afd5eafb4f20cae9d41bc

SHA256
b38319bd34df44b083f2e61ed96c5d2bc59963994779d2af2ec3ec9bbe19c17c

SHA512
d3ed7765d5c21047aa9a13f6366350a6e4a33efa3715fbdfbab2cb910bcff73903bfc5dac84d4d3d153939ded130b5535e762c9f806bba7caf8dda94abf31abe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5914923.exe

Filesize
229KB

MD5
1fad0a01522fee178daa3d6fac277453

SHA1
44fe54d9faa5108fe38c48d923908ed1089570ea

SHA256
905bc494eb4fa3c4841e85122a242db40195f2540a9819d1e95d76742cfe8276

SHA512
ddc17451351412bd2198b4474995c679a0358414e8814519c331c780756cde8bc564ae4bf38bb1eeb272fd656336f8191929762c26dd53acbfb8408a57e5bac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g5914923.exe

Filesize
229KB

MD5
1fad0a01522fee178daa3d6fac277453

SHA1
44fe54d9faa5108fe38c48d923908ed1089570ea

SHA256
905bc494eb4fa3c4841e85122a242db40195f2540a9819d1e95d76742cfe8276

SHA512
ddc17451351412bd2198b4474995c679a0358414e8814519c331c780756cde8bc564ae4bf38bb1eeb272fd656336f8191929762c26dd53acbfb8408a57e5bac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1660691.exe

Filesize
174KB

MD5
c38f3156fb58b89259270511bf785e43

SHA1
c4e7e1a428ade890024e67cd273d8602bf39724d

SHA256
5a12855fb27dc9911b4a70afc5b0c662359453625f56aa365aab2bf6db62274f

SHA512
af896ead1dfc3d248c9c6f88fe4cf78cd611b7f04be6f6783d663d5945040e6f19e96f16535f4097799c06127aad6794d4a583d3bd96e360cdeea5ac5b41cb67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h1660691.exe

Filesize
174KB

MD5
c38f3156fb58b89259270511bf785e43

SHA1
c4e7e1a428ade890024e67cd273d8602bf39724d

SHA256
5a12855fb27dc9911b4a70afc5b0c662359453625f56aa365aab2bf6db62274f

SHA512
af896ead1dfc3d248c9c6f88fe4cf78cd611b7f04be6f6783d663d5945040e6f19e96f16535f4097799c06127aad6794d4a583d3bd96e360cdeea5ac5b41cb67

Download Submit
memory/452-40-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/452-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/452-3-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/452-1-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/452-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3236-41-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3236-43-0x0000000005E80000-0x0000000006498000-memory.dmp

Filesize
6.1MB

Download
memory/3236-51-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/3236-39-0x0000000003080000-0x0000000003086000-memory.dmp

Filesize
24KB

Download
memory/3236-37-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3236-48-0x0000000005AD0000-0x0000000005B1C000-memory.dmp

Filesize
304KB

Download
memory/3236-47-0x0000000005960000-0x000000000599C000-memory.dmp

Filesize
240KB

Download
memory/3236-36-0x0000000000DF0000-0x0000000000E20000-memory.dmp

Filesize
192KB

Download
memory/3236-44-0x00000000059C0000-0x0000000005ACA000-memory.dmp

Filesize
1.0MB

Download
memory/3236-45-0x0000000005900000-0x0000000005912000-memory.dmp

Filesize
72KB

Download
memory/3236-46-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/3364-42-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3364-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3364-50-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download
memory/3364-38-0x0000000074560000-0x0000000074D10000-memory.dmp

Filesize
7.7MB

Download