healer | 448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0

Analysis

max time kernel
159s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe
Size

1.2MB
MD5

9f84fdb05cc4534d6421d2a652a92a39
SHA1

a5eb895a6acb05b0a91565cc330d24feec6bceab
SHA256

448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0
SHA512

ec827dbca47aa50fcc6ad7e629326d76ee4e11c76ac2a48af086b01857369ef5018cf58b98f64535888b4804967abeba1f5547336cb074352ce63d4500ce5af6
SSDEEP

24576:J74cr9pNvxrS8r8o884vYjfT+45gE9d0wfWoDEQquDLTNRV6HG:t4cr9HVS8F8nvYbT+45gE9djW7MDp6HG

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/380-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
4420	x0525002.exe
1124	x3511447.exe
1208	x9166067.exe
3248	g3368761.exe
1740	h7881291.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x3511447.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9166067.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x0525002.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4844 set thread context of 1704	4844	448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe	86
PID 3248 set thread context of 380	3248	g3368761.exe	94

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
380	AppLaunch.exe
380	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	380	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4844 wrote to memory of 1704	4844	448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe	86
PID 4844 wrote to memory of 1704	4844	448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe	86
PID 4844 wrote to memory of 1704	4844	448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe	86
PID 4844 wrote to memory of 1704	4844	448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe	86
PID 4844 wrote to memory of 1704	4844	448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe	86
PID 4844 wrote to memory of 1704	4844	448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe	86
PID 4844 wrote to memory of 1704	4844	448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe	86
PID 4844 wrote to memory of 1704	4844	448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe	86
PID 4844 wrote to memory of 1704	4844	448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe	86
PID 4844 wrote to memory of 1704	4844	448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe	86
PID 1704 wrote to memory of 4420	1704	AppLaunch.exe	89
PID 1704 wrote to memory of 4420	1704	AppLaunch.exe	89
PID 1704 wrote to memory of 4420	1704	AppLaunch.exe	89
PID 4420 wrote to memory of 1124	4420	x0525002.exe	90
PID 4420 wrote to memory of 1124	4420	x0525002.exe	90
PID 4420 wrote to memory of 1124	4420	x0525002.exe	90
PID 1124 wrote to memory of 1208	1124	x3511447.exe	91
PID 1124 wrote to memory of 1208	1124	x3511447.exe	91
PID 1124 wrote to memory of 1208	1124	x3511447.exe	91
PID 1208 wrote to memory of 3248	1208	x9166067.exe	92
PID 1208 wrote to memory of 3248	1208	x9166067.exe	92
PID 1208 wrote to memory of 3248	1208	x9166067.exe	92
PID 3248 wrote to memory of 380	3248	g3368761.exe	94
PID 3248 wrote to memory of 380	3248	g3368761.exe	94
PID 3248 wrote to memory of 380	3248	g3368761.exe	94
PID 3248 wrote to memory of 380	3248	g3368761.exe	94
PID 3248 wrote to memory of 380	3248	g3368761.exe	94
PID 3248 wrote to memory of 380	3248	g3368761.exe	94
PID 3248 wrote to memory of 380	3248	g3368761.exe	94
PID 3248 wrote to memory of 380	3248	g3368761.exe	94
PID 1208 wrote to memory of 1740	1208	x9166067.exe	95
PID 1208 wrote to memory of 1740	1208	x9166067.exe	95
PID 1208 wrote to memory of 1740	1208	x9166067.exe	95

C:\Users\Admin\AppData\Local\Temp\448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe
"C:\Users\Admin\AppData\Local\Temp\448f631bdfbcec0ac93bd2bbdaf60f9f25b6c1b838b2f073acafc6edbf3644d0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0525002.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0525002.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4420
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3511447.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3511447.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1124
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9166067.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9166067.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3368761.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3368761.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7881291.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7881291.exe
        6⤵
        Executes dropped EXE
        
        PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0525002.exe

Filesize
745KB

MD5
1f71443551b60b23407e14ebf7e94e5b

SHA1
ce3dcac2914a54fdeb210d6aef56c627ba67721d

SHA256
8b6c2a2bfd5b2149b1144b92ce77164f5a8f9678159bfa72bfeb3d6b562d3c71

SHA512
5c3a9c9188bafd21eca9884531c64065aed5c8054700e8d9fe2e51b3398a00e6b991cd8d479efd7e3f387a3a1965110f616d8e30f9a8db43e02e29f3a1fe5aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x0525002.exe

Filesize
745KB

MD5
1f71443551b60b23407e14ebf7e94e5b

SHA1
ce3dcac2914a54fdeb210d6aef56c627ba67721d

SHA256
8b6c2a2bfd5b2149b1144b92ce77164f5a8f9678159bfa72bfeb3d6b562d3c71

SHA512
5c3a9c9188bafd21eca9884531c64065aed5c8054700e8d9fe2e51b3398a00e6b991cd8d479efd7e3f387a3a1965110f616d8e30f9a8db43e02e29f3a1fe5aa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3511447.exe

Filesize
481KB

MD5
4e3676cc2fccccca8cb25d3ae1206742

SHA1
4024e00b783912613277e6391aac9ea652649935

SHA256
b2e26e9546a4b363edbb56aecbb814334ac128b5a2fbf956afb357b32866eb81

SHA512
de32d4d53513c5521332da8e608805e1b4233fb2bcb7b751da4419e725e90e0c6d8d83554bf9e7e373d197d3a25a9a367bb0814fff394b018728316efea9720e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x3511447.exe

Filesize
481KB

MD5
4e3676cc2fccccca8cb25d3ae1206742

SHA1
4024e00b783912613277e6391aac9ea652649935

SHA256
b2e26e9546a4b363edbb56aecbb814334ac128b5a2fbf956afb357b32866eb81

SHA512
de32d4d53513c5521332da8e608805e1b4233fb2bcb7b751da4419e725e90e0c6d8d83554bf9e7e373d197d3a25a9a367bb0814fff394b018728316efea9720e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9166067.exe

Filesize
315KB

MD5
49c22ecfae1a21a04d828bf3cbd24924

SHA1
faa138214c983a419fee85ffe12218919d404beb

SHA256
46ea9def411282f0457f115be5d319a59ddec49bf39ff48ed4b52b37f536a5d8

SHA512
785771e46a6a2713191db9d911a0afba48cc4caf2380e029835bafb6f8446ee71bb7ecbe66c24f6f0bb1b2e945927703e434b0d88132ec4da8f6cb5f1dd0fdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9166067.exe

Filesize
315KB

MD5
49c22ecfae1a21a04d828bf3cbd24924

SHA1
faa138214c983a419fee85ffe12218919d404beb

SHA256
46ea9def411282f0457f115be5d319a59ddec49bf39ff48ed4b52b37f536a5d8

SHA512
785771e46a6a2713191db9d911a0afba48cc4caf2380e029835bafb6f8446ee71bb7ecbe66c24f6f0bb1b2e945927703e434b0d88132ec4da8f6cb5f1dd0fdcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3368761.exe

Filesize
229KB

MD5
6b188d019cace7ae6e149f6efa59e651

SHA1
5245b46c93cd49d7981e09987ab5be098932a5a7

SHA256
c4a59012390cd6a35c35eec9edc3b35236496ee9ffdef7cbeb92b1b4a869ae71

SHA512
7fca017d13ab8c160c12750d2c748793572106d97c3dbd80d47c72b034723d34c52a002d672e4629fbf24aacc3d474aef9237f41908735f21044206913115636

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g3368761.exe

Filesize
229KB

MD5
6b188d019cace7ae6e149f6efa59e651

SHA1
5245b46c93cd49d7981e09987ab5be098932a5a7

SHA256
c4a59012390cd6a35c35eec9edc3b35236496ee9ffdef7cbeb92b1b4a869ae71

SHA512
7fca017d13ab8c160c12750d2c748793572106d97c3dbd80d47c72b034723d34c52a002d672e4629fbf24aacc3d474aef9237f41908735f21044206913115636

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7881291.exe

Filesize
174KB

MD5
eef78d6255a0b12248d99d8279437534

SHA1
19ac1517e1a3396ce6f25b1da65aa6d8043ce6b9

SHA256
fe08a21c626f6f5c8d6b4a457bf7d8ef6d10588b2bba7f8996a553b2a40489e3

SHA512
7bc3d9f552d1e5c4adbf1a5491958adc691fba307a7242926b23c915b50cae44aee7afd32d8f01369615bc0df0f48c568405198b19d8c9930dbe93af1325c0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7881291.exe

Filesize
174KB

MD5
eef78d6255a0b12248d99d8279437534

SHA1
19ac1517e1a3396ce6f25b1da65aa6d8043ce6b9

SHA256
fe08a21c626f6f5c8d6b4a457bf7d8ef6d10588b2bba7f8996a553b2a40489e3

SHA512
7bc3d9f552d1e5c4adbf1a5491958adc691fba307a7242926b23c915b50cae44aee7afd32d8f01369615bc0df0f48c568405198b19d8c9930dbe93af1325c0f8

Download Submit
memory/380-51-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/380-45-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/380-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/380-38-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/1704-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1704-1-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1704-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1704-33-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1704-3-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1740-39-0x00000000027F0000-0x00000000027F6000-memory.dmp

Filesize
24KB

Download
memory/1740-41-0x00000000052C0000-0x00000000058D8000-memory.dmp

Filesize
6.1MB

Download
memory/1740-42-0x0000000004DB0000-0x0000000004EBA000-memory.dmp

Filesize
1.0MB

Download
memory/1740-43-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/1740-44-0x0000000004CC0000-0x0000000004CD2000-memory.dmp

Filesize
72KB

Download
memory/1740-40-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/1740-46-0x0000000004D20000-0x0000000004D5C000-memory.dmp

Filesize
240KB

Download
memory/1740-47-0x0000000004D60000-0x0000000004DAC000-memory.dmp

Filesize
304KB

Download
memory/1740-48-0x00000000740E0000-0x0000000074890000-memory.dmp

Filesize
7.7MB

Download
memory/1740-49-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/1740-37-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download