healer | 145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 01:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe
Size

3.1MB
MD5

5b9ec3fae99bb92e75e9a1f015b3243e
SHA1

3c5e818c028c64749214c759ff770ddfb29520ae
SHA256

145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b
SHA512

a46bd9129c8bc108bc3af261e3318849c60fe38ea3713b9a1ebfdf7f62a82d9217a21a9f4864236961a6b3dc09e3c2678aa2b78eac5d618d1e356dc42091f5bc
SSDEEP

49152:L0G61NSHhsXL1pxR1d6a3vMUMduYJIWk1KvYY+rClyuqsTgj2mM/7:L0GoL1AAMwYJIWkQvYDrZVsE6

Score

10^/10

healer redline ramon dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ramon

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/3232-25-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1216	x1205865.exe
3680	x7739434.exe
1664	g7978098.exe
4676	i4297917.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1205865.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7739434.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 4396	2740	145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe	93
PID 1664 set thread context of 3232	1664	g7978098.exe	99

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3232	AppLaunch.exe
3232	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3232	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 4396	2740	145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe	93
PID 2740 wrote to memory of 4396	2740	145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe	93
PID 2740 wrote to memory of 4396	2740	145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe	93
PID 2740 wrote to memory of 4396	2740	145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe	93
PID 2740 wrote to memory of 4396	2740	145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe	93
PID 2740 wrote to memory of 4396	2740	145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe	93
PID 2740 wrote to memory of 4396	2740	145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe	93
PID 2740 wrote to memory of 4396	2740	145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe	93
PID 2740 wrote to memory of 4396	2740	145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe	93
PID 2740 wrote to memory of 4396	2740	145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe	93
PID 4396 wrote to memory of 1216	4396	AppLaunch.exe	95
PID 4396 wrote to memory of 1216	4396	AppLaunch.exe	95
PID 4396 wrote to memory of 1216	4396	AppLaunch.exe	95
PID 1216 wrote to memory of 3680	1216	x1205865.exe	96
PID 1216 wrote to memory of 3680	1216	x1205865.exe	96
PID 1216 wrote to memory of 3680	1216	x1205865.exe	96
PID 3680 wrote to memory of 1664	3680	x7739434.exe	97
PID 3680 wrote to memory of 1664	3680	x7739434.exe	97
PID 3680 wrote to memory of 1664	3680	x7739434.exe	97
PID 1664 wrote to memory of 3232	1664	g7978098.exe	99
PID 1664 wrote to memory of 3232	1664	g7978098.exe	99
PID 1664 wrote to memory of 3232	1664	g7978098.exe	99
PID 1664 wrote to memory of 3232	1664	g7978098.exe	99
PID 1664 wrote to memory of 3232	1664	g7978098.exe	99
PID 1664 wrote to memory of 3232	1664	g7978098.exe	99
PID 1664 wrote to memory of 3232	1664	g7978098.exe	99
PID 1664 wrote to memory of 3232	1664	g7978098.exe	99
PID 3680 wrote to memory of 4676	3680	x7739434.exe	100
PID 3680 wrote to memory of 4676	3680	x7739434.exe	100
PID 3680 wrote to memory of 4676	3680	x7739434.exe	100

C:\Users\Admin\AppData\Local\Temp\145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe
"C:\Users\Admin\AppData\Local\Temp\145089eac4eee464f440bc6df141bb1eb04a043aa92673f4e0b30632d63f7f0b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1205865.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1205865.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1216
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7739434.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7739434.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7978098.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7978098.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4297917.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4297917.exe
        5⤵
        Executes dropped EXE
        
        PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1205865.exe

Filesize
731KB

MD5
ec84d3a0ac276692af8d455b3a69185e

SHA1
812e84e385245783e28c367c27802149f6d0da4d

SHA256
cf010d3fe624bf1d7e3758d5c6789205f72e68e5a615d0fe6e413abf10bd0ac9

SHA512
57c7c92a8beae2033924f939637378648142b5e0cbbd3905b3958cd899002c346a79b2c3cf6cc860c6a67017391b94b28a369a2636355f2e7515dacb852ca071

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1205865.exe

Filesize
731KB

MD5
ec84d3a0ac276692af8d455b3a69185e

SHA1
812e84e385245783e28c367c27802149f6d0da4d

SHA256
cf010d3fe624bf1d7e3758d5c6789205f72e68e5a615d0fe6e413abf10bd0ac9

SHA512
57c7c92a8beae2033924f939637378648142b5e0cbbd3905b3958cd899002c346a79b2c3cf6cc860c6a67017391b94b28a369a2636355f2e7515dacb852ca071

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7739434.exe

Filesize
565KB

MD5
dd731d1f75eaa51f12b9400c5a1995d7

SHA1
bfb9c68d91964d0417f859f5401b6ea76a14ce17

SHA256
1ed8fe1ba149ce35f13f2c23a0deba29b29b40c72a0a2ed39aa4cba4a3e9edbe

SHA512
b31addf38a3498f8c3ea2ee522221cad008dcec1e211492ab6bb4d544d31a45c5713babd87f9298717e7b5aa56c84c170ee4483f441e1d9d94160fdac8f62acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7739434.exe

Filesize
565KB

MD5
dd731d1f75eaa51f12b9400c5a1995d7

SHA1
bfb9c68d91964d0417f859f5401b6ea76a14ce17

SHA256
1ed8fe1ba149ce35f13f2c23a0deba29b29b40c72a0a2ed39aa4cba4a3e9edbe

SHA512
b31addf38a3498f8c3ea2ee522221cad008dcec1e211492ab6bb4d544d31a45c5713babd87f9298717e7b5aa56c84c170ee4483f441e1d9d94160fdac8f62acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7978098.exe

Filesize
1.6MB

MD5
2ea1833b63d5420a03f96ecb56c6f8d8

SHA1
90462279987b5288bb8de60491dc001f969e581b

SHA256
cd693729981bd527e0af2d1a70f6605d54418a24d3f3068535862353a3ea2522

SHA512
2adddb9303d1124f65f74cd9daf740566e345025c90bcf4afdd68db81e6ea29d8a12d5a3bd264669d0104b4341c3053eb6bc962cb7e98c76962f7122a2f0b042

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7978098.exe

Filesize
1.6MB

MD5
2ea1833b63d5420a03f96ecb56c6f8d8

SHA1
90462279987b5288bb8de60491dc001f969e581b

SHA256
cd693729981bd527e0af2d1a70f6605d54418a24d3f3068535862353a3ea2522

SHA512
2adddb9303d1124f65f74cd9daf740566e345025c90bcf4afdd68db81e6ea29d8a12d5a3bd264669d0104b4341c3053eb6bc962cb7e98c76962f7122a2f0b042

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4297917.exe

Filesize
174KB

MD5
1757158187d4347b298a36cb19e29ac3

SHA1
43ad875fa3936ed72d4f7d335081a683a3b6692e

SHA256
d5bf1fb412f16d881ccb9dc8644dd5f1bdadac2ed774e2a88a3f6da6069198ed

SHA512
a697d5d8a0ad5ab81d1f081e759d17a091840501055b96af499186ef2ccdd16844c2ea976178be61001f25dd60cb2876009a72ed155719197108375897b90d16

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i4297917.exe

Filesize
174KB

MD5
1757158187d4347b298a36cb19e29ac3

SHA1
43ad875fa3936ed72d4f7d335081a683a3b6692e

SHA256
d5bf1fb412f16d881ccb9dc8644dd5f1bdadac2ed774e2a88a3f6da6069198ed

SHA512
a697d5d8a0ad5ab81d1f081e759d17a091840501055b96af499186ef2ccdd16844c2ea976178be61001f25dd60cb2876009a72ed155719197108375897b90d16

Download Submit
memory/3232-40-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3232-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3232-31-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3232-43-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4396-3-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4396-2-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4396-1-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4396-29-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4396-0-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4676-30-0x00000000008D0000-0x0000000000900000-memory.dmp

Filesize
192KB

Download
memory/4676-34-0x0000000005810000-0x0000000005E28000-memory.dmp

Filesize
6.1MB

Download
memory/4676-35-0x0000000005320000-0x000000000542A000-memory.dmp

Filesize
1.0MB

Download
memory/4676-36-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download
memory/4676-37-0x0000000005260000-0x0000000005272000-memory.dmp

Filesize
72KB

Download
memory/4676-38-0x00000000052C0000-0x00000000052FC000-memory.dmp

Filesize
240KB

Download
memory/4676-39-0x0000000005430000-0x000000000547C000-memory.dmp

Filesize
304KB

Download
memory/4676-33-0x0000000001040000-0x0000000001046000-memory.dmp

Filesize
24KB

Download
memory/4676-41-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4676-32-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/4676-44-0x00000000050A0000-0x00000000050B0000-memory.dmp

Filesize
64KB

Download