healer | 33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee

Analysis

max time kernel
146s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe
Size

929KB
MD5

ed964fee64055b4096166df6f5f3e22e
SHA1

dae6f41a12e9ee27d65d45978ba7a9d267f3836e
SHA256

33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee
SHA512

50be78d8536a464f93ab367fa6e8cd628b1ebfbedec3144e524a56da2c98c15298b4a853ff0a54f237ddd6cd198820f034ebdbcaa97a9913566cf60a358a21a0
SSDEEP

24576:niuBtZmtAY46Fr/gtgBpv7IzGyw5iwoRv/7VXn:iuBffY46FkgBdIzGyaaDV

Score

10^/10

healer redline moner dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/3092-25-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4580	x3811518.exe
1724	x7656850.exe
1576	g4421788.exe
4472	i2928556.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x3811518.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7656850.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3936 set thread context of 3444	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	92
PID 1576 set thread context of 3092	1576	g4421788.exe	103

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3092	AppLaunch.exe
3092	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 1664	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	90
PID 3936 wrote to memory of 1664	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	90
PID 3936 wrote to memory of 1664	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	90
PID 3936 wrote to memory of 3444	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	92
PID 3936 wrote to memory of 3444	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	92
PID 3936 wrote to memory of 3444	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	92
PID 3936 wrote to memory of 3444	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	92
PID 3936 wrote to memory of 3444	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	92
PID 3936 wrote to memory of 3444	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	92
PID 3936 wrote to memory of 3444	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	92
PID 3936 wrote to memory of 3444	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	92
PID 3936 wrote to memory of 3444	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	92
PID 3936 wrote to memory of 3444	3936	33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe	92
PID 3444 wrote to memory of 4580	3444	AppLaunch.exe	96
PID 3444 wrote to memory of 4580	3444	AppLaunch.exe	96
PID 3444 wrote to memory of 4580	3444	AppLaunch.exe	96
PID 4580 wrote to memory of 1724	4580	x3811518.exe	99
PID 4580 wrote to memory of 1724	4580	x3811518.exe	99
PID 4580 wrote to memory of 1724	4580	x3811518.exe	99
PID 1724 wrote to memory of 1576	1724	x7656850.exe	101
PID 1724 wrote to memory of 1576	1724	x7656850.exe	101
PID 1724 wrote to memory of 1576	1724	x7656850.exe	101
PID 1576 wrote to memory of 3092	1576	g4421788.exe	103
PID 1576 wrote to memory of 3092	1576	g4421788.exe	103
PID 1576 wrote to memory of 3092	1576	g4421788.exe	103
PID 1576 wrote to memory of 3092	1576	g4421788.exe	103
PID 1576 wrote to memory of 3092	1576	g4421788.exe	103
PID 1576 wrote to memory of 3092	1576	g4421788.exe	103
PID 1576 wrote to memory of 3092	1576	g4421788.exe	103
PID 1576 wrote to memory of 3092	1576	g4421788.exe	103
PID 1724 wrote to memory of 4472	1724	x7656850.exe	104
PID 1724 wrote to memory of 4472	1724	x7656850.exe	104
PID 1724 wrote to memory of 4472	1724	x7656850.exe	104

C:\Users\Admin\AppData\Local\Temp\33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe
"C:\Users\Admin\AppData\Local\Temp\33b9a28785a491f4f90579417bfac07baaa55e2033b854af7414f50f82b06bee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3811518.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3811518.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7656850.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7656850.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4421788.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4421788.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3092
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2928556.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2928556.exe
        5⤵
        Executes dropped EXE
        
        PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3811518.exe

Filesize
472KB

MD5
875dc96420f724de6c1ceef3dc77f5e4

SHA1
7630efd33be0d871a6a4330c9810bb40b5b3a866

SHA256
b476e55a6d48d7f5f8aef66214296d4f3c09c815b2eac6b0cf538dcacb9f71a4

SHA512
67acbf8a0b06f668c4f7d93c1764bb4fd9f30477e2f38706aed7b3a67b009da82c1b4b0869842efc26a267568b4788aebe613b40fccbc7725072ee741b4be3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3811518.exe

Filesize
472KB

MD5
875dc96420f724de6c1ceef3dc77f5e4

SHA1
7630efd33be0d871a6a4330c9810bb40b5b3a866

SHA256
b476e55a6d48d7f5f8aef66214296d4f3c09c815b2eac6b0cf538dcacb9f71a4

SHA512
67acbf8a0b06f668c4f7d93c1764bb4fd9f30477e2f38706aed7b3a67b009da82c1b4b0869842efc26a267568b4788aebe613b40fccbc7725072ee741b4be3a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7656850.exe

Filesize
306KB

MD5
c8db65cd7e253e254dde1947bdf260aa

SHA1
e64f49e49c496e3efe2c14d6af08b1da2969318e

SHA256
30c73a816d4f83e589601ec51d7883a9c889716bdf3b62b41ba23d304716390b

SHA512
96ae4b55a3bdb78a102b55f4a455670d8039c08d05b842d5ab3f870e7da85383c7fb9f0caaa5c62713ebefa403919f7871724591f92e2fc2c53d9a2f6cf3b833

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7656850.exe

Filesize
306KB

MD5
c8db65cd7e253e254dde1947bdf260aa

SHA1
e64f49e49c496e3efe2c14d6af08b1da2969318e

SHA256
30c73a816d4f83e589601ec51d7883a9c889716bdf3b62b41ba23d304716390b

SHA512
96ae4b55a3bdb78a102b55f4a455670d8039c08d05b842d5ab3f870e7da85383c7fb9f0caaa5c62713ebefa403919f7871724591f92e2fc2c53d9a2f6cf3b833

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4421788.exe

Filesize
213KB

MD5
c515b7fa2249fcfb15dd2a96445224b3

SHA1
946d0e047cd5721f296f6e2718648392b9e4bd0e

SHA256
16e3b3ab9474fe57ac2b7dd2bfeb1f14526bd8cb3d59ca68f33c08b86c73d7d2

SHA512
3ad7981c33ffd698434077dac602edfedb3fe50130851d0d61155974f9557bab71f6edfb7eb2675f59c84f48eeea744a33dd921207935afd1af75de029ac7e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4421788.exe

Filesize
213KB

MD5
c515b7fa2249fcfb15dd2a96445224b3

SHA1
946d0e047cd5721f296f6e2718648392b9e4bd0e

SHA256
16e3b3ab9474fe57ac2b7dd2bfeb1f14526bd8cb3d59ca68f33c08b86c73d7d2

SHA512
3ad7981c33ffd698434077dac602edfedb3fe50130851d0d61155974f9557bab71f6edfb7eb2675f59c84f48eeea744a33dd921207935afd1af75de029ac7e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2928556.exe

Filesize
175KB

MD5
0b7ebdada2313ccbe9425fdeac2e1e74

SHA1
06c529a5ca1ade4c41e3c4dc563d7834f616a905

SHA256
1e92b0999f14e071ff14f37c8bc8580c7a67b2919eb8ff06220438d6ec4e6020

SHA512
9bf4d73401fc0abe003b62c034ef33afdf90e392c78b3af3eb8725b6bdac43d7af8a730d8f54e0ceb852dc6f0b34900694c56f17d5c7368ca73fc2f74a9df9f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2928556.exe

Filesize
175KB

MD5
0b7ebdada2313ccbe9425fdeac2e1e74

SHA1
06c529a5ca1ade4c41e3c4dc563d7834f616a905

SHA256
1e92b0999f14e071ff14f37c8bc8580c7a67b2919eb8ff06220438d6ec4e6020

SHA512
9bf4d73401fc0abe003b62c034ef33afdf90e392c78b3af3eb8725b6bdac43d7af8a730d8f54e0ceb852dc6f0b34900694c56f17d5c7368ca73fc2f74a9df9f4

Download Submit
memory/3092-41-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/3092-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3092-44-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/3092-32-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/3444-3-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3444-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3444-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3444-29-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/3444-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4472-30-0x00000000000B0000-0x00000000000E0000-memory.dmp

Filesize
192KB

Download
memory/4472-34-0x00000000051B0000-0x00000000057C8000-memory.dmp

Filesize
6.1MB

Download
memory/4472-35-0x0000000004CA0000-0x0000000004DAA000-memory.dmp

Filesize
1.0MB

Download
memory/4472-36-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/4472-37-0x0000000004B90000-0x0000000004BA2000-memory.dmp

Filesize
72KB

Download
memory/4472-38-0x0000000004BF0000-0x0000000004C2C000-memory.dmp

Filesize
240KB

Download
memory/4472-39-0x0000000004C30000-0x0000000004C7C000-memory.dmp

Filesize
304KB

Download
memory/4472-40-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4472-33-0x0000000002480000-0x0000000002486000-memory.dmp

Filesize
24KB

Download
memory/4472-42-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/4472-31-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download