healer | 2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc

Analysis

max time kernel
150s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe
Size

930KB
MD5

3adaf24d1989bdf0316068a9d979b0f8
SHA1

ec573867a14b2d3cdcf22c9482ef33d88804a4ab
SHA256

2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc
SHA512

ce37e4994dc278d662add87a1b133d6bbfccfb43b569a01062f6a0f958095152f3a77adabb2bef3370446c57940a95b6df458232fce6738e70ac3b3c97f5acfb
SSDEEP

12288:dx//yfYb5BIQZVtMdSGfwAIFyNsO/f2hY2YSKRZVEnzJsWNww3yMpj0uIgRPAB+3:TiuBtZVCUUXxSMwJNmOyMpj0uJRI+7

Score

10^/10

healer redline moner dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/5044-25-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
2784	x6817165.exe
1852	x4337223.exe
3100	g7231068.exe
4612	i1006566.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6817165.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4337223.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3132 set thread context of 4740	3132	2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe	89
PID 3100 set thread context of 5044	3100	g7231068.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5044	AppLaunch.exe
5044	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	AppLaunch.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4740	3132	2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe	89
PID 3132 wrote to memory of 4740	3132	2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe	89
PID 3132 wrote to memory of 4740	3132	2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe	89
PID 3132 wrote to memory of 4740	3132	2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe	89
PID 3132 wrote to memory of 4740	3132	2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe	89
PID 3132 wrote to memory of 4740	3132	2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe	89
PID 3132 wrote to memory of 4740	3132	2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe	89
PID 3132 wrote to memory of 4740	3132	2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe	89
PID 3132 wrote to memory of 4740	3132	2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe	89
PID 3132 wrote to memory of 4740	3132	2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe	89
PID 4740 wrote to memory of 2784	4740	AppLaunch.exe	91
PID 4740 wrote to memory of 2784	4740	AppLaunch.exe	91
PID 4740 wrote to memory of 2784	4740	AppLaunch.exe	91
PID 2784 wrote to memory of 1852	2784	x6817165.exe	92
PID 2784 wrote to memory of 1852	2784	x6817165.exe	92
PID 2784 wrote to memory of 1852	2784	x6817165.exe	92
PID 1852 wrote to memory of 3100	1852	x4337223.exe	93
PID 1852 wrote to memory of 3100	1852	x4337223.exe	93
PID 1852 wrote to memory of 3100	1852	x4337223.exe	93
PID 3100 wrote to memory of 5048	3100	g7231068.exe	95
PID 3100 wrote to memory of 5048	3100	g7231068.exe	95
PID 3100 wrote to memory of 5048	3100	g7231068.exe	95
PID 3100 wrote to memory of 5044	3100	g7231068.exe	96
PID 3100 wrote to memory of 5044	3100	g7231068.exe	96
PID 3100 wrote to memory of 5044	3100	g7231068.exe	96
PID 3100 wrote to memory of 5044	3100	g7231068.exe	96
PID 3100 wrote to memory of 5044	3100	g7231068.exe	96
PID 3100 wrote to memory of 5044	3100	g7231068.exe	96
PID 3100 wrote to memory of 5044	3100	g7231068.exe	96
PID 3100 wrote to memory of 5044	3100	g7231068.exe	96
PID 1852 wrote to memory of 4612	1852	x4337223.exe	97
PID 1852 wrote to memory of 4612	1852	x4337223.exe	97
PID 1852 wrote to memory of 4612	1852	x4337223.exe	97

C:\Users\Admin\AppData\Local\Temp\2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe
"C:\Users\Admin\AppData\Local\Temp\2a892da211ca6c64e82deeee6ade8cecace7b89c8e534e05d47a2a8334b7c7cc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6817165.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6817165.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4337223.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4337223.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7231068.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7231068.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3100
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:5048
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1006566.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1006566.exe
        5⤵
        Executes dropped EXE
        
        PID:4612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6817165.exe

Filesize
472KB

MD5
9736c4d54f1d6b94fc80651d61a2779f

SHA1
6795dcffaf0cec5ec738c4f07346ef215ed51122

SHA256
5bbfcf4a968a7e89c82f3a0524db79ac28e8a80da75abdcda5c38df26126fcdf

SHA512
0eb47652035183d8867f8893dd22d07612917aa44528d9a20c7458ae02a81b7b1139216e6eb30c10f55cb71b26ff3ae03799bec8e5500512fa113912ecee18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6817165.exe

Filesize
472KB

MD5
9736c4d54f1d6b94fc80651d61a2779f

SHA1
6795dcffaf0cec5ec738c4f07346ef215ed51122

SHA256
5bbfcf4a968a7e89c82f3a0524db79ac28e8a80da75abdcda5c38df26126fcdf

SHA512
0eb47652035183d8867f8893dd22d07612917aa44528d9a20c7458ae02a81b7b1139216e6eb30c10f55cb71b26ff3ae03799bec8e5500512fa113912ecee18a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4337223.exe

Filesize
306KB

MD5
46324a1afca91fb1d12b99c0864b5a6f

SHA1
b28482b4f63a94b068f158125e654c8cc4f09da2

SHA256
429d2f1a956dc43eb2950680477be5d9e64d534c7a166f1209242ec6d631ab8e

SHA512
44fae54a59d2f78ac70221eadefe5ee1d0bb427a30b4fc198dc31f2c7f5e778baf0334dc9a4cb9fdd12589f2e601f051e8253455a79d17d8c917e4983ff97bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4337223.exe

Filesize
306KB

MD5
46324a1afca91fb1d12b99c0864b5a6f

SHA1
b28482b4f63a94b068f158125e654c8cc4f09da2

SHA256
429d2f1a956dc43eb2950680477be5d9e64d534c7a166f1209242ec6d631ab8e

SHA512
44fae54a59d2f78ac70221eadefe5ee1d0bb427a30b4fc198dc31f2c7f5e778baf0334dc9a4cb9fdd12589f2e601f051e8253455a79d17d8c917e4983ff97bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7231068.exe

Filesize
213KB

MD5
d1665d820d26bc7ec28d59bd8f76d3ad

SHA1
df7a7462d4d720d7e3ec99f75df60779f581cbc0

SHA256
db8975711e14780aedbe99e165182c1a75b4280fbc789c6c4eb0fd49507c8bb1

SHA512
aea70c0e64dbefb0ba854b3bc2832123e7d63a9f3d303d1161d9c3875657379afb4f795c961a365e9e6b64bc45aab10fd11c88b27fcd7b8556e1760cc94bdbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7231068.exe

Filesize
213KB

MD5
d1665d820d26bc7ec28d59bd8f76d3ad

SHA1
df7a7462d4d720d7e3ec99f75df60779f581cbc0

SHA256
db8975711e14780aedbe99e165182c1a75b4280fbc789c6c4eb0fd49507c8bb1

SHA512
aea70c0e64dbefb0ba854b3bc2832123e7d63a9f3d303d1161d9c3875657379afb4f795c961a365e9e6b64bc45aab10fd11c88b27fcd7b8556e1760cc94bdbfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1006566.exe

Filesize
174KB

MD5
7e09f77b587b7f7b80ad1d5da62cd6d5

SHA1
791cda8bd90d131860d525ec6bf38d55a4054684

SHA256
c2d8a63ef0b8bee96ff007c685827ce4d2fb55a06adaf04d98cefce4442d35d2

SHA512
fe883680a953619d52c29b86e653f652f855af320e1cc7e8f6445011be7ca84a3f2435aa4d8e6b4ef52671d36db9efac22c51bfaaff489603636b46bce93a488

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1006566.exe

Filesize
174KB

MD5
7e09f77b587b7f7b80ad1d5da62cd6d5

SHA1
791cda8bd90d131860d525ec6bf38d55a4054684

SHA256
c2d8a63ef0b8bee96ff007c685827ce4d2fb55a06adaf04d98cefce4442d35d2

SHA512
fe883680a953619d52c29b86e653f652f855af320e1cc7e8f6445011be7ca84a3f2435aa4d8e6b4ef52671d36db9efac22c51bfaaff489603636b46bce93a488

Download Submit
memory/4612-30-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/4612-33-0x0000000005F30000-0x0000000006548000-memory.dmp

Filesize
6.1MB

Download
memory/4612-44-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/4612-40-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/4612-38-0x0000000005910000-0x000000000595C000-memory.dmp

Filesize
304KB

Download
memory/4612-29-0x0000000000EA0000-0x0000000000ED0000-memory.dmp

Filesize
192KB

Download
memory/4612-37-0x0000000005790000-0x00000000057CC000-memory.dmp

Filesize
240KB

Download
memory/4612-31-0x0000000001960000-0x0000000001966000-memory.dmp

Filesize
24KB

Download
memory/4612-35-0x0000000005730000-0x0000000005742000-memory.dmp

Filesize
72KB

Download
memory/4612-36-0x0000000005800000-0x0000000005810000-memory.dmp

Filesize
64KB

Download
memory/4612-34-0x0000000005A20000-0x0000000005B2A000-memory.dmp

Filesize
1.0MB

Download
memory/4740-3-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4740-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4740-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4740-39-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4740-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/5044-32-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/5044-41-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/5044-43-0x0000000074460000-0x0000000074C10000-memory.dmp

Filesize
7.7MB

Download
memory/5044-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download