healer | baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53

Analysis

max time kernel
156s
max time network
177s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe
Size

930KB
MD5

907487b7057497aab62507295465de86
SHA1

4f0e4d83e5d2f6e4ec59be862ff25b82c1c98cc7
SHA256

baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53
SHA512

a19c06b1a0d6a7b5ce0fd0e303021f794abff8009bb075b119b8a1331a4b7f2945ad5fa0a94a922369b6c1abca5d0cc5f06d3c53327545aa882e0a4b983038c6
SSDEEP

24576:miuBtZ0D50ho7HOzxmr0RTESFMltWSbBJpc+rsqU:1uBf0lzHOUoRtFMlpBJG+rsqU

Score

10^/10

healer redline moner dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4276-25-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4424	x9378723.exe
2668	x5028224.exe
4464	g7655978.exe
5044	i1051609.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x9378723.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x5028224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4524 set thread context of 4728	4524	baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe	88
PID 4464 set thread context of 4276	4464	g7655978.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4276	AppLaunch.exe
4276	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4276	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4728	4524	baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe	88
PID 4524 wrote to memory of 4728	4524	baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe	88
PID 4524 wrote to memory of 4728	4524	baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe	88
PID 4524 wrote to memory of 4728	4524	baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe	88
PID 4524 wrote to memory of 4728	4524	baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe	88
PID 4524 wrote to memory of 4728	4524	baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe	88
PID 4524 wrote to memory of 4728	4524	baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe	88
PID 4524 wrote to memory of 4728	4524	baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe	88
PID 4524 wrote to memory of 4728	4524	baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe	88
PID 4524 wrote to memory of 4728	4524	baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe	88
PID 4728 wrote to memory of 4424	4728	AppLaunch.exe	90
PID 4728 wrote to memory of 4424	4728	AppLaunch.exe	90
PID 4728 wrote to memory of 4424	4728	AppLaunch.exe	90
PID 4424 wrote to memory of 2668	4424	x9378723.exe	93
PID 4424 wrote to memory of 2668	4424	x9378723.exe	93
PID 4424 wrote to memory of 2668	4424	x9378723.exe	93
PID 2668 wrote to memory of 4464	2668	x5028224.exe	94
PID 2668 wrote to memory of 4464	2668	x5028224.exe	94
PID 2668 wrote to memory of 4464	2668	x5028224.exe	94
PID 4464 wrote to memory of 4276	4464	g7655978.exe	96
PID 4464 wrote to memory of 4276	4464	g7655978.exe	96
PID 4464 wrote to memory of 4276	4464	g7655978.exe	96
PID 4464 wrote to memory of 4276	4464	g7655978.exe	96
PID 4464 wrote to memory of 4276	4464	g7655978.exe	96
PID 4464 wrote to memory of 4276	4464	g7655978.exe	96
PID 4464 wrote to memory of 4276	4464	g7655978.exe	96
PID 4464 wrote to memory of 4276	4464	g7655978.exe	96
PID 2668 wrote to memory of 5044	2668	x5028224.exe	98
PID 2668 wrote to memory of 5044	2668	x5028224.exe	98
PID 2668 wrote to memory of 5044	2668	x5028224.exe	98

C:\Users\Admin\AppData\Local\Temp\baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe
"C:\Users\Admin\AppData\Local\Temp\baa37e9da77190eb942ace4948bb1f3c72a6d16b967da7d446799fd521f42b53.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9378723.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9378723.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5028224.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5028224.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7655978.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7655978.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4276
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1051609.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1051609.exe
        5⤵
        Executes dropped EXE
        
        PID:5044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9378723.exe

Filesize
472KB

MD5
f8b76c5d3180f1ef08d529a38e1934c8

SHA1
570f26257c607f200de390414a9d463514222b17

SHA256
172ad43bce84c7054681cdf0d751753f0a86513b56ea2efa14f35c8b801ce6ad

SHA512
cec8c93445795ba68468410f7973f22a8515f37cf34c5ff9598b16ce32fca3a0da799e07063a08473ed254b1de5d192e2a3d4bb128964b0b6db768b2b06663d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9378723.exe

Filesize
472KB

MD5
f8b76c5d3180f1ef08d529a38e1934c8

SHA1
570f26257c607f200de390414a9d463514222b17

SHA256
172ad43bce84c7054681cdf0d751753f0a86513b56ea2efa14f35c8b801ce6ad

SHA512
cec8c93445795ba68468410f7973f22a8515f37cf34c5ff9598b16ce32fca3a0da799e07063a08473ed254b1de5d192e2a3d4bb128964b0b6db768b2b06663d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5028224.exe

Filesize
306KB

MD5
67637bf1ac54b3d8add55d17e35b4a1b

SHA1
16d051f7b1e560fe3292b3d70a48b86aabca4ab3

SHA256
2e7b39728a45aa8e313ac0c2a5e727b95a9fd4a5d4f07ebd0e88aaad294d0ac0

SHA512
3a274586104148276b307824e95ed821cbdd19d505303712665e40e94ffe039c50c05eff2201c1dd83ab9fa2005010904677412ecb6a8f319882781056fc8048

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5028224.exe

Filesize
306KB

MD5
67637bf1ac54b3d8add55d17e35b4a1b

SHA1
16d051f7b1e560fe3292b3d70a48b86aabca4ab3

SHA256
2e7b39728a45aa8e313ac0c2a5e727b95a9fd4a5d4f07ebd0e88aaad294d0ac0

SHA512
3a274586104148276b307824e95ed821cbdd19d505303712665e40e94ffe039c50c05eff2201c1dd83ab9fa2005010904677412ecb6a8f319882781056fc8048

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7655978.exe

Filesize
213KB

MD5
aa64f1e4848ef0a2b475794fe096ca47

SHA1
6753608e67d7e53547a6f0643f6d20117b600a86

SHA256
021aba955ea11407f42ed4e5608aab9f7fa8732832aae44782d2f0cba000b535

SHA512
4bb111194263973d39eea6b5c16bd9a8a2a72df2124d3047abc20488f613b6d0c56e8b55c208d0510a45ad2e7f86c274258147d9c357673071c67e5ff51be5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7655978.exe

Filesize
213KB

MD5
aa64f1e4848ef0a2b475794fe096ca47

SHA1
6753608e67d7e53547a6f0643f6d20117b600a86

SHA256
021aba955ea11407f42ed4e5608aab9f7fa8732832aae44782d2f0cba000b535

SHA512
4bb111194263973d39eea6b5c16bd9a8a2a72df2124d3047abc20488f613b6d0c56e8b55c208d0510a45ad2e7f86c274258147d9c357673071c67e5ff51be5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1051609.exe

Filesize
174KB

MD5
0b6d9df517eefeb03b8d07bfdce32245

SHA1
a9988ae9164ff888326d49ba0c39544f91e8753f

SHA256
3107c2db3e218c2f539d571e7fee6183f936520d0e0f150677e2ef7473f9edd4

SHA512
3eb312a0c15d0a1a42fd7619acc76aceb21749229c537a0444eaf7c5dfe18b2f052d93c29895d8198e8f203ec973b2e344d863fa93d8ac4db4f5889d324574dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1051609.exe

Filesize
174KB

MD5
0b6d9df517eefeb03b8d07bfdce32245

SHA1
a9988ae9164ff888326d49ba0c39544f91e8753f

SHA256
3107c2db3e218c2f539d571e7fee6183f936520d0e0f150677e2ef7473f9edd4

SHA512
3eb312a0c15d0a1a42fd7619acc76aceb21749229c537a0444eaf7c5dfe18b2f052d93c29895d8198e8f203ec973b2e344d863fa93d8ac4db4f5889d324574dc

Download Submit
memory/4276-40-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4276-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4276-31-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4276-43-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/4728-3-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4728-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4728-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4728-29-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4728-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/5044-30-0x00000000003F0000-0x0000000000420000-memory.dmp

Filesize
192KB

Download
memory/5044-34-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/5044-36-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download
memory/5044-37-0x0000000004D80000-0x0000000004D92000-memory.dmp

Filesize
72KB

Download
memory/5044-35-0x0000000004E60000-0x0000000004F6A000-memory.dmp

Filesize
1.0MB

Download
memory/5044-38-0x0000000004DE0000-0x0000000004E1C000-memory.dmp

Filesize
240KB

Download
memory/5044-39-0x0000000004F70000-0x0000000004FBC000-memory.dmp

Filesize
304KB

Download
memory/5044-33-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5044-41-0x0000000074870000-0x0000000075020000-memory.dmp

Filesize
7.7MB

Download
memory/5044-32-0x0000000002630000-0x0000000002636000-memory.dmp

Filesize
24KB

Download
memory/5044-44-0x0000000002780000-0x0000000002790000-memory.dmp

Filesize
64KB

Download