healer | e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30

Analysis

max time kernel
27s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe
Size

1.2MB
MD5

d73611ca509e3df6f539fa1402951811
SHA1

b1d3094add29bc7325a7f7eeed0d723bf2e7ae36
SHA256

e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30
SHA512

7040168b6936202dbd81fa807a666120cbed09144c8e20be3950750dde505c71a33b790c48ab24be965af8299451c3c4fac4f4ead36cab53d6710ec452ff2126
SSDEEP

24576:T74crraN9vX/M4w0C6syOXn6n1kAl+z9DZ6FhRnaS6zG:34crrcvX06OX6nei+DZSRnapG

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/2632-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3064	x9109758.exe
2072	x6589173.exe
3796	x2084573.exe
4744	g0382885.exe
1076	h7672877.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9109758.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x6589173.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x2084573.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3388 set thread context of 2076	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	92
PID 4744 set thread context of 2632	4744	g0382885.exe	99

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2632	AppLaunch.exe
2632	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 3256	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	91
PID 3388 wrote to memory of 3256	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	91
PID 3388 wrote to memory of 3256	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	91
PID 3388 wrote to memory of 2076	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	92
PID 3388 wrote to memory of 2076	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	92
PID 3388 wrote to memory of 2076	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	92
PID 3388 wrote to memory of 2076	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	92
PID 3388 wrote to memory of 2076	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	92
PID 3388 wrote to memory of 2076	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	92
PID 3388 wrote to memory of 2076	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	92
PID 3388 wrote to memory of 2076	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	92
PID 3388 wrote to memory of 2076	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	92
PID 3388 wrote to memory of 2076	3388	e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe	92
PID 2076 wrote to memory of 3064	2076	AppLaunch.exe	93
PID 2076 wrote to memory of 3064	2076	AppLaunch.exe	93
PID 2076 wrote to memory of 3064	2076	AppLaunch.exe	93
PID 3064 wrote to memory of 2072	3064	x9109758.exe	94
PID 3064 wrote to memory of 2072	3064	x9109758.exe	94
PID 3064 wrote to memory of 2072	3064	x9109758.exe	94
PID 2072 wrote to memory of 3796	2072	x6589173.exe	95
PID 2072 wrote to memory of 3796	2072	x6589173.exe	95
PID 2072 wrote to memory of 3796	2072	x6589173.exe	95
PID 3796 wrote to memory of 4744	3796	x2084573.exe	97
PID 3796 wrote to memory of 4744	3796	x2084573.exe	97
PID 3796 wrote to memory of 4744	3796	x2084573.exe	97
PID 4744 wrote to memory of 4980	4744	g0382885.exe	98
PID 4744 wrote to memory of 4980	4744	g0382885.exe	98
PID 4744 wrote to memory of 4980	4744	g0382885.exe	98
PID 4744 wrote to memory of 2632	4744	g0382885.exe	99
PID 4744 wrote to memory of 2632	4744	g0382885.exe	99
PID 4744 wrote to memory of 2632	4744	g0382885.exe	99
PID 4744 wrote to memory of 2632	4744	g0382885.exe	99
PID 4744 wrote to memory of 2632	4744	g0382885.exe	99
PID 4744 wrote to memory of 2632	4744	g0382885.exe	99
PID 4744 wrote to memory of 2632	4744	g0382885.exe	99
PID 4744 wrote to memory of 2632	4744	g0382885.exe	99
PID 3796 wrote to memory of 1076	3796	x2084573.exe	100
PID 3796 wrote to memory of 1076	3796	x2084573.exe	100
PID 3796 wrote to memory of 1076	3796	x2084573.exe	100

C:\Users\Admin\AppData\Local\Temp\e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe
"C:\Users\Admin\AppData\Local\Temp\e87946fe7e0d900c39212c13c6adb1b4d7df1cddc6dbf47df24ef91ba832cb30.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3256
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9109758.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9109758.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6589173.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6589173.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2084573.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2084573.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3796
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0382885.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0382885.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4980
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7672877.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7672877.exe
        6⤵
        Executes dropped EXE
        
        PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9109758.exe

Filesize
744KB

MD5
573dd700134b279da25855071b8eea8c

SHA1
868413a7cc1e9d0597df0d0b9776d431a46f1c92

SHA256
265b6315148d8aa53d23ad9018eea80a7ee92fcf34310b01913f2fd9e508c16f

SHA512
0ffd72b65996efeef5106151ad9def27b46d38e70b8d6428b1f938f987a23de884154479d65a4907052e25d745362519adb0f74f90c1c5ecd42c7ed4c247b58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9109758.exe

Filesize
744KB

MD5
573dd700134b279da25855071b8eea8c

SHA1
868413a7cc1e9d0597df0d0b9776d431a46f1c92

SHA256
265b6315148d8aa53d23ad9018eea80a7ee92fcf34310b01913f2fd9e508c16f

SHA512
0ffd72b65996efeef5106151ad9def27b46d38e70b8d6428b1f938f987a23de884154479d65a4907052e25d745362519adb0f74f90c1c5ecd42c7ed4c247b58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6589173.exe

Filesize
480KB

MD5
c0b2452f7c097d99ad9ccf3c0b6c131a

SHA1
54c45c5eedab44619e1136d37bcf1caaac73640d

SHA256
3d897dc4ef75f670c47c15d30c0e864571047ab332534422f2d563d8d6aa4131

SHA512
cc970ca5b991b92cee3a7f67c36a68bd4e8eece8c245d1b0673a3484f6fc7e449ac22fcf2158c7c39a935b2834cc11cae021271caad803f98ff4e8be4944544b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6589173.exe

Filesize
480KB

MD5
c0b2452f7c097d99ad9ccf3c0b6c131a

SHA1
54c45c5eedab44619e1136d37bcf1caaac73640d

SHA256
3d897dc4ef75f670c47c15d30c0e864571047ab332534422f2d563d8d6aa4131

SHA512
cc970ca5b991b92cee3a7f67c36a68bd4e8eece8c245d1b0673a3484f6fc7e449ac22fcf2158c7c39a935b2834cc11cae021271caad803f98ff4e8be4944544b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2084573.exe

Filesize
314KB

MD5
65d79fa9de2e4d42ad0aee2b5b7cb675

SHA1
8426cfb1e80c099c14f1062b2e02dd42487e38dd

SHA256
ac2b8b23dd1274a0bb9073179eaf15ba2093ac4cb1dece85e3663faf2251876d

SHA512
3d1e9377966c6184604b26ba9cfd60b8f50fab2f0256cc57fc241e4c2099dd8dca314fbb0f60a380edc5c4c3b78e39d30882e1a7ced447a558934348adb0ace0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x2084573.exe

Filesize
314KB

MD5
65d79fa9de2e4d42ad0aee2b5b7cb675

SHA1
8426cfb1e80c099c14f1062b2e02dd42487e38dd

SHA256
ac2b8b23dd1274a0bb9073179eaf15ba2093ac4cb1dece85e3663faf2251876d

SHA512
3d1e9377966c6184604b26ba9cfd60b8f50fab2f0256cc57fc241e4c2099dd8dca314fbb0f60a380edc5c4c3b78e39d30882e1a7ced447a558934348adb0ace0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0382885.exe

Filesize
229KB

MD5
60e1489752e5928aaed0c823d32f2e01

SHA1
e2e08000d466e9b66c36151f8fe3f722936e4a83

SHA256
072c79223e282745ec8307398ed4a7f2248e79e579f9501c4a194959b3566ccf

SHA512
f92158ad9a24428d387a3d7f9ce9d2e1a273b2348ff1879907d483954d857bf3ee16b8d9fe797eca7cbef7d47051e2c52a3edd3f8035b96f39836e762c111d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0382885.exe

Filesize
229KB

MD5
60e1489752e5928aaed0c823d32f2e01

SHA1
e2e08000d466e9b66c36151f8fe3f722936e4a83

SHA256
072c79223e282745ec8307398ed4a7f2248e79e579f9501c4a194959b3566ccf

SHA512
f92158ad9a24428d387a3d7f9ce9d2e1a273b2348ff1879907d483954d857bf3ee16b8d9fe797eca7cbef7d47051e2c52a3edd3f8035b96f39836e762c111d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7672877.exe

Filesize
174KB

MD5
e879e858bbcf4dbc95ab76c646c63520

SHA1
482a81ca5213b0dbd29445da464b84fd81b6bf99

SHA256
1311861cf26b4cffd2db884ea997619cd02579ea5233c9758007b854812fdb07

SHA512
0d0ef5074099bd0f98d86bd7f7de7fa8bccda032938be80f2a44c5544e950fd883dd67700dc268d84d9c37fe0dba58c39a493bf07e844827e4841a3c9dbfcf9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7672877.exe

Filesize
174KB

MD5
e879e858bbcf4dbc95ab76c646c63520

SHA1
482a81ca5213b0dbd29445da464b84fd81b6bf99

SHA256
1311861cf26b4cffd2db884ea997619cd02579ea5233c9758007b854812fdb07

SHA512
0d0ef5074099bd0f98d86bd7f7de7fa8bccda032938be80f2a44c5544e950fd883dd67700dc268d84d9c37fe0dba58c39a493bf07e844827e4841a3c9dbfcf9b

Download Submit
memory/1076-41-0x0000000004BC0000-0x0000000004CCA000-memory.dmp

Filesize
1.0MB

Download
memory/1076-44-0x0000000004AB0000-0x0000000004AEC000-memory.dmp

Filesize
240KB

Download
memory/1076-51-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/1076-48-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/1076-45-0x0000000004AF0000-0x0000000004B3C000-memory.dmp

Filesize
304KB

Download
memory/1076-36-0x00000000000A0000-0x00000000000D0000-memory.dmp

Filesize
192KB

Download
memory/1076-39-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/1076-38-0x00000000022E0000-0x00000000022E6000-memory.dmp

Filesize
24KB

Download
memory/1076-40-0x00000000050D0000-0x00000000056E8000-memory.dmp

Filesize
6.1MB

Download
memory/1076-43-0x0000000004920000-0x0000000004932000-memory.dmp

Filesize
72KB

Download
memory/1076-42-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/2076-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2076-3-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2076-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2076-46-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2076-1-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2632-37-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/2632-47-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/2632-50-0x0000000073D90000-0x0000000074540000-memory.dmp

Filesize
7.7MB

Download
memory/2632-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download