healer | fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a

Analysis

max time kernel
174s
max time network
190s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe
Size

1.2MB
MD5

d1fe87b968d82a18079d364fbacd925c
SHA1

1c0a756cd3aeb46dd9cc68b27ce5d8e14895d635
SHA256

fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a
SHA512

36b268b08cf3ec4897faf21fe0974aa2208ef144a7f8235248bc0e197dc01f3dc758ac23f9e3d25a02889c7a7d178fa5ea9eecda61dcfd22ae8b4cfaa08358a2
SSDEEP

24576:k/84HcyCYwmdpQHAZ6MEf/k19o0HxSFsNQe4XdB7xxX16G:e84HZ+OuHAZI8LrckQe4XdB7/X8G

Score

10^/10

healer redline petin dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4420-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
1532	x2299979.exe
3188	x9421471.exe
1584	x3651099.exe
3640	g0053253.exe
4868	h0416700.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2299979.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x9421471.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x3651099.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 1028	2588	fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe	89
PID 3640 set thread context of 4420	3640	g0053253.exe	95

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4420	AppLaunch.exe
4420	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1028	2588	fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe	89
PID 2588 wrote to memory of 1028	2588	fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe	89
PID 2588 wrote to memory of 1028	2588	fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe	89
PID 2588 wrote to memory of 1028	2588	fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe	89
PID 2588 wrote to memory of 1028	2588	fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe	89
PID 2588 wrote to memory of 1028	2588	fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe	89
PID 2588 wrote to memory of 1028	2588	fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe	89
PID 2588 wrote to memory of 1028	2588	fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe	89
PID 2588 wrote to memory of 1028	2588	fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe	89
PID 2588 wrote to memory of 1028	2588	fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe	89
PID 1028 wrote to memory of 1532	1028	AppLaunch.exe	90
PID 1028 wrote to memory of 1532	1028	AppLaunch.exe	90
PID 1028 wrote to memory of 1532	1028	AppLaunch.exe	90
PID 1532 wrote to memory of 3188	1532	x2299979.exe	91
PID 1532 wrote to memory of 3188	1532	x2299979.exe	91
PID 1532 wrote to memory of 3188	1532	x2299979.exe	91
PID 3188 wrote to memory of 1584	3188	x9421471.exe	92
PID 3188 wrote to memory of 1584	3188	x9421471.exe	92
PID 3188 wrote to memory of 1584	3188	x9421471.exe	92
PID 1584 wrote to memory of 3640	1584	x3651099.exe	93
PID 1584 wrote to memory of 3640	1584	x3651099.exe	93
PID 1584 wrote to memory of 3640	1584	x3651099.exe	93
PID 3640 wrote to memory of 4420	3640	g0053253.exe	95
PID 3640 wrote to memory of 4420	3640	g0053253.exe	95
PID 3640 wrote to memory of 4420	3640	g0053253.exe	95
PID 3640 wrote to memory of 4420	3640	g0053253.exe	95
PID 3640 wrote to memory of 4420	3640	g0053253.exe	95
PID 3640 wrote to memory of 4420	3640	g0053253.exe	95
PID 3640 wrote to memory of 4420	3640	g0053253.exe	95
PID 3640 wrote to memory of 4420	3640	g0053253.exe	95
PID 1584 wrote to memory of 4868	1584	x3651099.exe	96
PID 1584 wrote to memory of 4868	1584	x3651099.exe	96
PID 1584 wrote to memory of 4868	1584	x3651099.exe	96

C:\Users\Admin\AppData\Local\Temp\fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe
"C:\Users\Admin\AppData\Local\Temp\fc9fe514f85f4c49194475bba840d353d153d3d9f73f44e8441e7619445bf58a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2299979.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2299979.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9421471.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9421471.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3651099.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3651099.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0053253.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0053253.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0416700.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0416700.exe
        6⤵
        Executes dropped EXE
        
        PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2299979.exe

Filesize
745KB

MD5
72a775910662a0757ae2c6753af0710f

SHA1
e1f209cbe70cad5dcdb5c8df7bc61a9b3b3bb9eb

SHA256
519d6f9773c0d79c43438fe765964eda90d418b9f4890bce29e657e65961d925

SHA512
bf396e4b20cde3a0d759895e725324f2bbbd26df2131be02554e0268ef4e2d104881be8fa59070569950e74a6210cf4cabaafaa75f1a866d40369570875ba31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2299979.exe

Filesize
745KB

MD5
72a775910662a0757ae2c6753af0710f

SHA1
e1f209cbe70cad5dcdb5c8df7bc61a9b3b3bb9eb

SHA256
519d6f9773c0d79c43438fe765964eda90d418b9f4890bce29e657e65961d925

SHA512
bf396e4b20cde3a0d759895e725324f2bbbd26df2131be02554e0268ef4e2d104881be8fa59070569950e74a6210cf4cabaafaa75f1a866d40369570875ba31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9421471.exe

Filesize
481KB

MD5
eb6254f0fb1aec17b7fe6fd19428868f

SHA1
e2a3e1bed84ca35d0be47c3c775342eaa4e0ab72

SHA256
f8c48266517d8fde55ac7db0d7c7d108699c3298eed7a4c41cc5101847ceeaef

SHA512
fa052553a4b488949ecea8d7586dfa53c6c9ff3bd610c30c303dccca49e2fd15844af7a8fa9c0a9ea1d4ad6de29b18191ad3dcd74da43f4be21ba3b015b4876c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x9421471.exe

Filesize
481KB

MD5
eb6254f0fb1aec17b7fe6fd19428868f

SHA1
e2a3e1bed84ca35d0be47c3c775342eaa4e0ab72

SHA256
f8c48266517d8fde55ac7db0d7c7d108699c3298eed7a4c41cc5101847ceeaef

SHA512
fa052553a4b488949ecea8d7586dfa53c6c9ff3bd610c30c303dccca49e2fd15844af7a8fa9c0a9ea1d4ad6de29b18191ad3dcd74da43f4be21ba3b015b4876c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3651099.exe

Filesize
315KB

MD5
9b6af45161acd5035c4210e3f199221e

SHA1
d6edf16f85a6cd0f1b54d7dffb595fe32ea2f997

SHA256
b51a9c89e85b8db1e782ce8dd7950a6997f321055074da694e0976b26f20b920

SHA512
4040bf5f22770326ae9b2cf040b649696af428d2cbcc8f786787152bd45322c3979d5806d21fa583ed641fb08beaa71851c6e161aa6dee280ce062af7f529bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x3651099.exe

Filesize
315KB

MD5
9b6af45161acd5035c4210e3f199221e

SHA1
d6edf16f85a6cd0f1b54d7dffb595fe32ea2f997

SHA256
b51a9c89e85b8db1e782ce8dd7950a6997f321055074da694e0976b26f20b920

SHA512
4040bf5f22770326ae9b2cf040b649696af428d2cbcc8f786787152bd45322c3979d5806d21fa583ed641fb08beaa71851c6e161aa6dee280ce062af7f529bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0053253.exe

Filesize
229KB

MD5
f465933428d63d7ec7ba8e477c9d22ae

SHA1
f6b571a13d36639660611a0511e39a1d10a7003b

SHA256
302373241e051e620e0b6b58d41a1fde04710c32d659da72d6f0f8767bd3b6aa

SHA512
1a5291569da3a7d6c4986d22b2b84e2dd62263bf4f01fca26bc40e18aee74d991197b33ca05ba7ffe5029256b3be7ffec3040fa0310ff148c62bebcb65d09e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g0053253.exe

Filesize
229KB

MD5
f465933428d63d7ec7ba8e477c9d22ae

SHA1
f6b571a13d36639660611a0511e39a1d10a7003b

SHA256
302373241e051e620e0b6b58d41a1fde04710c32d659da72d6f0f8767bd3b6aa

SHA512
1a5291569da3a7d6c4986d22b2b84e2dd62263bf4f01fca26bc40e18aee74d991197b33ca05ba7ffe5029256b3be7ffec3040fa0310ff148c62bebcb65d09e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0416700.exe

Filesize
174KB

MD5
f4c23bfe82fcd2315712ba5e0c3f7210

SHA1
341dceb6e8fde24e8ced0d4e90b28acd379e6fcf

SHA256
a947d2aa5240068ca75238c733e9e9f69a8cd48c013db0d78c6fc27bdd2d7706

SHA512
0d1775b7017982f30595fae3bd57e6e51b42d333364bafb2f0e71dbc17ca4f6c661b9db56c88702d73a44aba9984a85827f8cd62bd921b228b3a46ec6bebe88d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h0416700.exe

Filesize
174KB

MD5
f4c23bfe82fcd2315712ba5e0c3f7210

SHA1
341dceb6e8fde24e8ced0d4e90b28acd379e6fcf

SHA256
a947d2aa5240068ca75238c733e9e9f69a8cd48c013db0d78c6fc27bdd2d7706

SHA512
0d1775b7017982f30595fae3bd57e6e51b42d333364bafb2f0e71dbc17ca4f6c661b9db56c88702d73a44aba9984a85827f8cd62bd921b228b3a46ec6bebe88d

Download Submit
memory/1028-3-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1028-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1028-1-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1028-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1028-36-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4420-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4420-49-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4420-38-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4420-42-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4868-41-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4868-40-0x0000000003210000-0x0000000003216000-memory.dmp

Filesize
24KB

Download
memory/4868-39-0x0000000000EE0000-0x0000000000F10000-memory.dmp

Filesize
192KB

Download
memory/4868-43-0x000000000B310000-0x000000000B928000-memory.dmp

Filesize
6.1MB

Download
memory/4868-44-0x000000000AE90000-0x000000000AF9A000-memory.dmp

Filesize
1.0MB

Download
memory/4868-45-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/4868-46-0x000000000ADD0000-0x000000000ADE2000-memory.dmp

Filesize
72KB

Download
memory/4868-47-0x000000000AE30000-0x000000000AE6C000-memory.dmp

Filesize
240KB

Download
memory/4868-37-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/4868-50-0x000000000AFA0000-0x000000000AFEC000-memory.dmp

Filesize
304KB

Download
memory/4868-51-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download