healer | 156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb

Analysis

max time kernel
160s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe
Size

1.2MB
MD5

057a0f1fbedc775aacf74f713f7fd426
SHA1

6e58f222f68fe7ef3b2f6bb355e0799137fedced
SHA256

156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb
SHA512

2970bd0353388e0f3ec6de955fb8c5a2d47f753041e0234730dfc210758d9e46b7691555292b366bff740cfdb7bb4b7ed0d686e1ce519af15b62f066c9f6bc42
SSDEEP

24576:731rUbB61caZU1YezvhG2gT1jYvqfmBEPC/i:b1r+Icags281jWEPC/i

Score

10^/10

healer redline ramon dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ramon

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/1868-33-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
3624	x7368988.exe
3996	x5724934.exe
3756	x4029619.exe
4296	g1052984.exe
2088	h7885793.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x4029619.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x7368988.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5724934.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1044 set thread context of 628	1044	156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe	89
PID 4296 set thread context of 1868	4296	g1052984.exe	99

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1868	AppLaunch.exe
1868	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	AppLaunch.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 628	1044	156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe	89
PID 1044 wrote to memory of 628	1044	156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe	89
PID 1044 wrote to memory of 628	1044	156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe	89
PID 1044 wrote to memory of 628	1044	156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe	89
PID 1044 wrote to memory of 628	1044	156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe	89
PID 1044 wrote to memory of 628	1044	156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe	89
PID 1044 wrote to memory of 628	1044	156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe	89
PID 1044 wrote to memory of 628	1044	156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe	89
PID 1044 wrote to memory of 628	1044	156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe	89
PID 1044 wrote to memory of 628	1044	156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe	89
PID 628 wrote to memory of 3624	628	AppLaunch.exe	91
PID 628 wrote to memory of 3624	628	AppLaunch.exe	91
PID 628 wrote to memory of 3624	628	AppLaunch.exe	91
PID 3624 wrote to memory of 3996	3624	x7368988.exe	92
PID 3624 wrote to memory of 3996	3624	x7368988.exe	92
PID 3624 wrote to memory of 3996	3624	x7368988.exe	92
PID 3996 wrote to memory of 3756	3996	x5724934.exe	93
PID 3996 wrote to memory of 3756	3996	x5724934.exe	93
PID 3996 wrote to memory of 3756	3996	x5724934.exe	93
PID 3756 wrote to memory of 4296	3756	x4029619.exe	94
PID 3756 wrote to memory of 4296	3756	x4029619.exe	94
PID 3756 wrote to memory of 4296	3756	x4029619.exe	94
PID 4296 wrote to memory of 2352	4296	g1052984.exe	96
PID 4296 wrote to memory of 2352	4296	g1052984.exe	96
PID 4296 wrote to memory of 2352	4296	g1052984.exe	96
PID 4296 wrote to memory of 1632	4296	g1052984.exe	97
PID 4296 wrote to memory of 1632	4296	g1052984.exe	97
PID 4296 wrote to memory of 1632	4296	g1052984.exe	97
PID 4296 wrote to memory of 3840	4296	g1052984.exe	98
PID 4296 wrote to memory of 3840	4296	g1052984.exe	98
PID 4296 wrote to memory of 3840	4296	g1052984.exe	98
PID 4296 wrote to memory of 1868	4296	g1052984.exe	99
PID 4296 wrote to memory of 1868	4296	g1052984.exe	99
PID 4296 wrote to memory of 1868	4296	g1052984.exe	99
PID 4296 wrote to memory of 1868	4296	g1052984.exe	99
PID 4296 wrote to memory of 1868	4296	g1052984.exe	99
PID 4296 wrote to memory of 1868	4296	g1052984.exe	99
PID 4296 wrote to memory of 1868	4296	g1052984.exe	99
PID 4296 wrote to memory of 1868	4296	g1052984.exe	99
PID 3756 wrote to memory of 2088	3756	x4029619.exe	100
PID 3756 wrote to memory of 2088	3756	x4029619.exe	100
PID 3756 wrote to memory of 2088	3756	x4029619.exe	100

C:\Users\Admin\AppData\Local\Temp\156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe
"C:\Users\Admin\AppData\Local\Temp\156f81e6d48e16ee1ee49abd80e98a723c860a403f2d1faa60e435ffeaec4abb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7368988.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7368988.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3624
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5724934.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5724934.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4029619.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4029619.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3756
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1052984.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1052984.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:2352
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:3840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7885793.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7885793.exe
        6⤵
        Executes dropped EXE
        
        PID:2088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7368988.exe

Filesize
757KB

MD5
87672fedd21766deb026b4897b077a38

SHA1
e9e1ef933f9a5cc11e0ee5aa92d638e4097345be

SHA256
7b47f051db4324761dd065162565f89c42376bc5266e2d85c3010bbeccf9117d

SHA512
dd99a71a41375ee5b355fc5283cb0806a20a4fc85e995fd00cce3aa85fdc9e651d7e3c34aa6d2a1430a7858340d7a04769a2a905a83307443a7ee4044dcbe4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7368988.exe

Filesize
757KB

MD5
87672fedd21766deb026b4897b077a38

SHA1
e9e1ef933f9a5cc11e0ee5aa92d638e4097345be

SHA256
7b47f051db4324761dd065162565f89c42376bc5266e2d85c3010bbeccf9117d

SHA512
dd99a71a41375ee5b355fc5283cb0806a20a4fc85e995fd00cce3aa85fdc9e651d7e3c34aa6d2a1430a7858340d7a04769a2a905a83307443a7ee4044dcbe4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5724934.exe

Filesize
487KB

MD5
6e79735daab64f6d33c0cea2b1616759

SHA1
0e4d00ee2efa86b2e23651997526d58a22b6a259

SHA256
a1419ad873c8f7ffa617752d258d264b39f3d99b5c36a92feee30eba1c85514a

SHA512
f157d7eb383a861d800603372cf6946fa0ee35044f94920688bbd18fc3759fee62e185958ddcebabc65adb1ea133e360d679c68ca430a7e3cd93359270ab901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5724934.exe

Filesize
487KB

MD5
6e79735daab64f6d33c0cea2b1616759

SHA1
0e4d00ee2efa86b2e23651997526d58a22b6a259

SHA256
a1419ad873c8f7ffa617752d258d264b39f3d99b5c36a92feee30eba1c85514a

SHA512
f157d7eb383a861d800603372cf6946fa0ee35044f94920688bbd18fc3759fee62e185958ddcebabc65adb1ea133e360d679c68ca430a7e3cd93359270ab901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4029619.exe

Filesize
321KB

MD5
610473f90224fa23d6d3587596396aa9

SHA1
bf4182a6f4058b95789dc5394cc1d87a0ce532f8

SHA256
52ba4310f3c515237bc92ad8202322a2f8d7ffaae3e604537a27a73e006c8630

SHA512
38c9592c556ba6b8a9b449edc2f430b015c2b99d6d42d68496e702860b407a0374698a7b568feb58a262a0a5b9683d1d0b37e8a16b9300d49f780f3cf00fb17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x4029619.exe

Filesize
321KB

MD5
610473f90224fa23d6d3587596396aa9

SHA1
bf4182a6f4058b95789dc5394cc1d87a0ce532f8

SHA256
52ba4310f3c515237bc92ad8202322a2f8d7ffaae3e604537a27a73e006c8630

SHA512
38c9592c556ba6b8a9b449edc2f430b015c2b99d6d42d68496e702860b407a0374698a7b568feb58a262a0a5b9683d1d0b37e8a16b9300d49f780f3cf00fb17a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1052984.exe

Filesize
243KB

MD5
2fa3249778b9238045410b448caf578a

SHA1
fa3110cadb8723fd54a09078eda813a9175281de

SHA256
c0b6a06752d45d47bf7c6737d69a88896fadc34b515d09fd3ae4472848044f96

SHA512
98a1de84e17c7bdddbc417371cd78f0555cf44c131f110b196acd78ad583b58c2ae646d089ecc8b841f34a24fbab8d84e99532c66dd67bf42d90b26f967a89c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1052984.exe

Filesize
243KB

MD5
2fa3249778b9238045410b448caf578a

SHA1
fa3110cadb8723fd54a09078eda813a9175281de

SHA256
c0b6a06752d45d47bf7c6737d69a88896fadc34b515d09fd3ae4472848044f96

SHA512
98a1de84e17c7bdddbc417371cd78f0555cf44c131f110b196acd78ad583b58c2ae646d089ecc8b841f34a24fbab8d84e99532c66dd67bf42d90b26f967a89c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7885793.exe

Filesize
174KB

MD5
89432741e7e15d007ae30553122b044b

SHA1
b36242478f05d4b405f96361f41093f32e6d2f80

SHA256
42cf1bef4aa04d4ff59669e2f909040bf277d6fc4fd14e9c6568c9e19fe781bf

SHA512
e4293982f1d5367001c792bd1c16f4a61d1e6f0cddd33106d83d2c066d4d27328d1bcc9e9bb8071fe43b16d5ceba31cb5a79072b7b009c8313d7dccdbeeb3936

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7885793.exe

Filesize
174KB

MD5
89432741e7e15d007ae30553122b044b

SHA1
b36242478f05d4b405f96361f41093f32e6d2f80

SHA256
42cf1bef4aa04d4ff59669e2f909040bf277d6fc4fd14e9c6568c9e19fe781bf

SHA512
e4293982f1d5367001c792bd1c16f4a61d1e6f0cddd33106d83d2c066d4d27328d1bcc9e9bb8071fe43b16d5ceba31cb5a79072b7b009c8313d7dccdbeeb3936

Download Submit
memory/628-8-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/628-3-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/628-2-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/628-1-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/628-0-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/1868-33-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1868-44-0x0000000073FD0000-0x0000000074780000-memory.dmp

Filesize
7.7MB

Download
memory/1868-38-0x0000000073FD0000-0x0000000074780000-memory.dmp

Filesize
7.7MB

Download
memory/1868-42-0x0000000073FD0000-0x0000000074780000-memory.dmp

Filesize
7.7MB

Download
memory/2088-40-0x0000000002730000-0x0000000002736000-memory.dmp

Filesize
24KB

Download
memory/2088-41-0x0000000073FD0000-0x0000000074780000-memory.dmp

Filesize
7.7MB

Download
memory/2088-39-0x0000000000530000-0x0000000000560000-memory.dmp

Filesize
192KB

Download
memory/2088-37-0x0000000073FD0000-0x0000000074780000-memory.dmp

Filesize
7.7MB

Download
memory/2088-45-0x000000000A8B0000-0x000000000AEC8000-memory.dmp

Filesize
6.1MB

Download
memory/2088-46-0x000000000A3A0000-0x000000000A4AA000-memory.dmp

Filesize
1.0MB

Download
memory/2088-47-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2088-48-0x000000000A360000-0x000000000A372000-memory.dmp

Filesize
72KB

Download
memory/2088-49-0x000000000A6F0000-0x000000000A72C000-memory.dmp

Filesize
240KB

Download
memory/2088-50-0x000000000A730000-0x000000000A77C000-memory.dmp

Filesize
304KB

Download
memory/2088-51-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download