healer | 0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9

Analysis

max time kernel
26s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe
Size

1.2MB
MD5

fe3f38ecd2588f5859199841286083ae
SHA1

dbdb1f87ded800cc360c28968d01d42e21dd744f
SHA256

0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9
SHA512

8e0d9f22b13b0e85f6903468d5c86b4272e50d2c042520a81cb2ac668d9ce4920084e196799f9f43d17f026f8d31feb7e81e5f3eb24fd13c56651b0858f46dfc
SSDEEP

24576:jBuqRu53jCLkdw27qLL4WLz/liL+IUA5d/53OiFOr4UL6wzpwOYLG:NuqRq3Z7qLL4WLLliL+MHBNFOrjL6wzD

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4600-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 1 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
816	x4720343.exe
3740	x6595187.exe
412	x6936643.exe
1604	g6381809.exe
3204	h3829564.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4720343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6595187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x6936643.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 4496	2164	0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe	91
PID 1604 set thread context of 4600	1604	g6381809.exe	97

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4600	AppLaunch.exe
4600	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4600	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 4496	2164	0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe	91
PID 2164 wrote to memory of 4496	2164	0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe	91
PID 2164 wrote to memory of 4496	2164	0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe	91
PID 2164 wrote to memory of 4496	2164	0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe	91
PID 2164 wrote to memory of 4496	2164	0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe	91
PID 2164 wrote to memory of 4496	2164	0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe	91
PID 2164 wrote to memory of 4496	2164	0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe	91
PID 2164 wrote to memory of 4496	2164	0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe	91
PID 2164 wrote to memory of 4496	2164	0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe	91
PID 2164 wrote to memory of 4496	2164	0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe	91
PID 4496 wrote to memory of 816	4496	AppLaunch.exe	92
PID 4496 wrote to memory of 816	4496	AppLaunch.exe	92
PID 4496 wrote to memory of 816	4496	AppLaunch.exe	92
PID 816 wrote to memory of 3740	816	x4720343.exe	93
PID 816 wrote to memory of 3740	816	x4720343.exe	93
PID 816 wrote to memory of 3740	816	x4720343.exe	93
PID 3740 wrote to memory of 412	3740	x6595187.exe	94
PID 3740 wrote to memory of 412	3740	x6595187.exe	94
PID 3740 wrote to memory of 412	3740	x6595187.exe	94
PID 412 wrote to memory of 1604	412	x6936643.exe	95
PID 412 wrote to memory of 1604	412	x6936643.exe	95
PID 412 wrote to memory of 1604	412	x6936643.exe	95
PID 1604 wrote to memory of 4600	1604	g6381809.exe	97
PID 1604 wrote to memory of 4600	1604	g6381809.exe	97
PID 1604 wrote to memory of 4600	1604	g6381809.exe	97
PID 1604 wrote to memory of 4600	1604	g6381809.exe	97
PID 1604 wrote to memory of 4600	1604	g6381809.exe	97
PID 1604 wrote to memory of 4600	1604	g6381809.exe	97
PID 1604 wrote to memory of 4600	1604	g6381809.exe	97
PID 1604 wrote to memory of 4600	1604	g6381809.exe	97
PID 412 wrote to memory of 3204	412	x6936643.exe	98
PID 412 wrote to memory of 3204	412	x6936643.exe	98
PID 412 wrote to memory of 3204	412	x6936643.exe	98

C:\Users\Admin\AppData\Local\Temp\0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe
"C:\Users\Admin\AppData\Local\Temp\0f55c7a42f1cbcb1bc18edcd516aef6b3fee31f46112a0d484b0d1bf5cb0a5c9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4720343.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4720343.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6595187.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6595187.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3740
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6936643.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6936643.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:412
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6381809.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6381809.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3829564.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3829564.exe
        6⤵
        Executes dropped EXE
        
        PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4720343.exe

Filesize
745KB

MD5
a9cef0127b4da3362f9c3ebc62218847

SHA1
c9bceea68c96ae7d76a1cdfd2003f4acfe436112

SHA256
80dbda4b189da16cfc1c43b72fa88a69736520a43b49126ddd1d799237216fe0

SHA512
a14208b140295bdefe8352cf5fac05b1d4e4b461c87e2564f4a3a9e4ae49a0af36ebb8286d830f21405fba0f902d6a1d584cfe46265bf6ee2769936064652d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4720343.exe

Filesize
745KB

MD5
a9cef0127b4da3362f9c3ebc62218847

SHA1
c9bceea68c96ae7d76a1cdfd2003f4acfe436112

SHA256
80dbda4b189da16cfc1c43b72fa88a69736520a43b49126ddd1d799237216fe0

SHA512
a14208b140295bdefe8352cf5fac05b1d4e4b461c87e2564f4a3a9e4ae49a0af36ebb8286d830f21405fba0f902d6a1d584cfe46265bf6ee2769936064652d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6595187.exe

Filesize
481KB

MD5
e2fc03c8b5ff9f38ce3f810f4a1de9c4

SHA1
7f586115744064dedf827414ac59bac2dad43850

SHA256
d368c5ee02af3824de35d532d4e60192d9d0e9c8ec044bbb9c84523231bcd1d5

SHA512
d5c45d07e3a92a6cfcc961fae60532bcd6fad81fd50d3d2a7c5c3c81faff3cc8720adce7661dd3a5ea6514cd2bf5cc330be8b3b2ae59c3842486044997dcb26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6595187.exe

Filesize
481KB

MD5
e2fc03c8b5ff9f38ce3f810f4a1de9c4

SHA1
7f586115744064dedf827414ac59bac2dad43850

SHA256
d368c5ee02af3824de35d532d4e60192d9d0e9c8ec044bbb9c84523231bcd1d5

SHA512
d5c45d07e3a92a6cfcc961fae60532bcd6fad81fd50d3d2a7c5c3c81faff3cc8720adce7661dd3a5ea6514cd2bf5cc330be8b3b2ae59c3842486044997dcb26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6936643.exe

Filesize
315KB

MD5
d907a18e6aa796dc56dcb9ea1553f790

SHA1
e3f891ed4247efe01b31a302647a35826c68500e

SHA256
18bbe29a653a23030a57ac445b869f544ad84fd6ccab6cbffb3a9ae54d889d98

SHA512
5324b371a330b51f66471099399d20d120acf9984064c9851f1fdfd42bad550fe881b8772ed35f18c4020a7f468ac4fed09279152554b7b12edbcf033d7e5b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x6936643.exe

Filesize
315KB

MD5
d907a18e6aa796dc56dcb9ea1553f790

SHA1
e3f891ed4247efe01b31a302647a35826c68500e

SHA256
18bbe29a653a23030a57ac445b869f544ad84fd6ccab6cbffb3a9ae54d889d98

SHA512
5324b371a330b51f66471099399d20d120acf9984064c9851f1fdfd42bad550fe881b8772ed35f18c4020a7f468ac4fed09279152554b7b12edbcf033d7e5b80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6381809.exe

Filesize
229KB

MD5
35ac06f35158af032949712601dbbf7f

SHA1
8cfd1716c9e3712ff0088473a52333f1cdf54bd9

SHA256
b2717d1bf90db18a3e24c47899b1da4246c0ec64a3eed774edb8785dfd5a9d9d

SHA512
efc1cc07e617e4b61f5f280fb7dc73e211c29ce9e81790f118f72ddd5c522d4f768b40127364104505ea5f153cc7ccd458341011ab3e3a075af992d0ffcbd6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g6381809.exe

Filesize
229KB

MD5
35ac06f35158af032949712601dbbf7f

SHA1
8cfd1716c9e3712ff0088473a52333f1cdf54bd9

SHA256
b2717d1bf90db18a3e24c47899b1da4246c0ec64a3eed774edb8785dfd5a9d9d

SHA512
efc1cc07e617e4b61f5f280fb7dc73e211c29ce9e81790f118f72ddd5c522d4f768b40127364104505ea5f153cc7ccd458341011ab3e3a075af992d0ffcbd6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3829564.exe

Filesize
174KB

MD5
153f2229bba6ffa42dddd8844bb6e859

SHA1
0070f1d0e2a600dba9efe3777a285d204b8f8d36

SHA256
dbac3a72f8cee676089b00f8dc20f53799f6f47e569c91579af5c414f2bd2ddb

SHA512
c4b195816dfd958e5106d56722045c0f1a8ecd2c4fdc804d11268a3634a0ea51de706e36eb41ecb8e24fd525942075c661df0f7f80ff9c04d6594277f12667cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h3829564.exe

Filesize
174KB

MD5
153f2229bba6ffa42dddd8844bb6e859

SHA1
0070f1d0e2a600dba9efe3777a285d204b8f8d36

SHA256
dbac3a72f8cee676089b00f8dc20f53799f6f47e569c91579af5c414f2bd2ddb

SHA512
c4b195816dfd958e5106d56722045c0f1a8ecd2c4fdc804d11268a3634a0ea51de706e36eb41ecb8e24fd525942075c661df0f7f80ff9c04d6594277f12667cb

Download Submit
memory/3204-45-0x00000000059D0000-0x0000000005A1C000-memory.dmp

Filesize
304KB

Download
memory/3204-44-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/3204-51-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/3204-47-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/3204-39-0x0000000003290000-0x0000000003296000-memory.dmp

Filesize
24KB

Download
memory/3204-36-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/3204-37-0x0000000000E70000-0x0000000000EA0000-memory.dmp

Filesize
192KB

Download
memory/3204-41-0x0000000005B50000-0x0000000005C5A000-memory.dmp

Filesize
1.0MB

Download
memory/3204-40-0x0000000006060000-0x0000000006678000-memory.dmp

Filesize
6.1MB

Download
memory/3204-43-0x0000000005A30000-0x0000000005A40000-memory.dmp

Filesize
64KB

Download
memory/3204-42-0x00000000033E0000-0x00000000033F2000-memory.dmp

Filesize
72KB

Download
memory/4496-1-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4496-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4496-3-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4496-46-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4496-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4600-38-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4600-48-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4600-50-0x0000000074590000-0x0000000074D40000-memory.dmp

Filesize
7.7MB

Download
memory/4600-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download