healer | 291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2023, 03:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe
Size

929KB
MD5

d6dc032aaf1b9960207e19a67aa11a8f
SHA1

bd6728c247061dba9bb1a39ee80f635bdb7d6ad1
SHA256

291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec
SHA512

d5ee33f59ae5d164c072285f85c50a7e67ae8dfb5528431806b605e0b84d6cb0c4a2f5a0f2fded9e89c0bc279e80c4f2aeb88fc9edb564ec7a972ad5f9916682
SSDEEP

24576:KiuBtZKnzlIEuWq4j8ou7wH1q+ZDcI7G:BuBfKzKWq4aq1HtG

Score

10^/10

healer redline moner dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/2232-25-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
4660	x4359031.exe
4752	x7906112.exe
2764	g5100492.exe
5040	i2970496.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x7906112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x4359031.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4120 set thread context of 4936	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	95
PID 2764 set thread context of 2232	2764	g5100492.exe	101

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2232	AppLaunch.exe
2232	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	AppLaunch.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4120 wrote to memory of 4300	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	94
PID 4120 wrote to memory of 4300	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	94
PID 4120 wrote to memory of 4300	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	94
PID 4120 wrote to memory of 4936	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	95
PID 4120 wrote to memory of 4936	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	95
PID 4120 wrote to memory of 4936	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	95
PID 4120 wrote to memory of 4936	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	95
PID 4120 wrote to memory of 4936	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	95
PID 4120 wrote to memory of 4936	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	95
PID 4120 wrote to memory of 4936	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	95
PID 4120 wrote to memory of 4936	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	95
PID 4120 wrote to memory of 4936	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	95
PID 4120 wrote to memory of 4936	4120	291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe	95
PID 4936 wrote to memory of 4660	4936	AppLaunch.exe	96
PID 4936 wrote to memory of 4660	4936	AppLaunch.exe	96
PID 4936 wrote to memory of 4660	4936	AppLaunch.exe	96
PID 4660 wrote to memory of 4752	4660	x4359031.exe	97
PID 4660 wrote to memory of 4752	4660	x4359031.exe	97
PID 4660 wrote to memory of 4752	4660	x4359031.exe	97
PID 4752 wrote to memory of 2764	4752	x7906112.exe	98
PID 4752 wrote to memory of 2764	4752	x7906112.exe	98
PID 4752 wrote to memory of 2764	4752	x7906112.exe	98
PID 2764 wrote to memory of 4264	2764	g5100492.exe	100
PID 2764 wrote to memory of 4264	2764	g5100492.exe	100
PID 2764 wrote to memory of 4264	2764	g5100492.exe	100
PID 2764 wrote to memory of 2232	2764	g5100492.exe	101
PID 2764 wrote to memory of 2232	2764	g5100492.exe	101
PID 2764 wrote to memory of 2232	2764	g5100492.exe	101
PID 2764 wrote to memory of 2232	2764	g5100492.exe	101
PID 2764 wrote to memory of 2232	2764	g5100492.exe	101
PID 2764 wrote to memory of 2232	2764	g5100492.exe	101
PID 2764 wrote to memory of 2232	2764	g5100492.exe	101
PID 2764 wrote to memory of 2232	2764	g5100492.exe	101
PID 4752 wrote to memory of 5040	4752	x7906112.exe	102
PID 4752 wrote to memory of 5040	4752	x7906112.exe	102
PID 4752 wrote to memory of 5040	4752	x7906112.exe	102

C:\Users\Admin\AppData\Local\Temp\291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe
"C:\Users\Admin\AppData\Local\Temp\291a879997f29105dc599878aa6bf635eabcfaf97646413f2a4110614234d8ec.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4359031.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4359031.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7906112.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7906112.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4752
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5100492.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5100492.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4264
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2970496.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2970496.exe
        5⤵
        Executes dropped EXE
        
        PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4359031.exe

Filesize
472KB

MD5
2ac3f714f44184a16a9cf2b599dd83cc

SHA1
ceb5baedd82d145d7f06a849350eecc197a71b16

SHA256
2911a68e05ce3885255d3e1c0ff57c1eacf4fcbaab6035b45222b2cb828abe25

SHA512
3e7bbd8031c3752959cbcee256daff892c46a1923f68a24d07c56c562e0df86938deb545e44fc16cbd1d776bdd2b2617cde247c75a13aed54a6c9978761f9e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4359031.exe

Filesize
472KB

MD5
2ac3f714f44184a16a9cf2b599dd83cc

SHA1
ceb5baedd82d145d7f06a849350eecc197a71b16

SHA256
2911a68e05ce3885255d3e1c0ff57c1eacf4fcbaab6035b45222b2cb828abe25

SHA512
3e7bbd8031c3752959cbcee256daff892c46a1923f68a24d07c56c562e0df86938deb545e44fc16cbd1d776bdd2b2617cde247c75a13aed54a6c9978761f9e7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7906112.exe

Filesize
306KB

MD5
1823e5a5d6cc5e9ab36f51105aa32239

SHA1
19239809d8171bee342d778c242106c8dcd7f44f

SHA256
9cccd2cdf54184dc031da0cad255be118ee6d1fcef48fafe33476be24f628da4

SHA512
0ca579af597df4eb1b4a33538b8c041b479aca86ca6b168eade6e5c0395a2c8b635911c84a9c73ab49305897ac2fa84453a5c0f505ff58e9be95d89144e31bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7906112.exe

Filesize
306KB

MD5
1823e5a5d6cc5e9ab36f51105aa32239

SHA1
19239809d8171bee342d778c242106c8dcd7f44f

SHA256
9cccd2cdf54184dc031da0cad255be118ee6d1fcef48fafe33476be24f628da4

SHA512
0ca579af597df4eb1b4a33538b8c041b479aca86ca6b168eade6e5c0395a2c8b635911c84a9c73ab49305897ac2fa84453a5c0f505ff58e9be95d89144e31bbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5100492.exe

Filesize
213KB

MD5
4d999ebadf91845716694cb2930b4764

SHA1
6944b01facecb5fbc9a705c0096b0af8bd22442f

SHA256
06dbd7b214e0f3e595596ee7db3a3d7cd9a3821cbc76fd2a950b07d81f744d00

SHA512
f163973e7c957fd9f329ac909a2332f8fb7995c48f5929f3f11594c5145d6b633f3f4cafdbb1408b9e56453b69c8969443c5896cdffabb6a18d572087c97620d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5100492.exe

Filesize
213KB

MD5
4d999ebadf91845716694cb2930b4764

SHA1
6944b01facecb5fbc9a705c0096b0af8bd22442f

SHA256
06dbd7b214e0f3e595596ee7db3a3d7cd9a3821cbc76fd2a950b07d81f744d00

SHA512
f163973e7c957fd9f329ac909a2332f8fb7995c48f5929f3f11594c5145d6b633f3f4cafdbb1408b9e56453b69c8969443c5896cdffabb6a18d572087c97620d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2970496.exe

Filesize
174KB

MD5
2d3ee851cc389c1a6d45ae5672b33fe6

SHA1
f1f78fde6c6756b4111338e043eae880727e1e85

SHA256
f72a91f0170fb665826b1c88d6968231af88d1424ee5fb25838988bb61b3cf06

SHA512
238caff461221bdbc95d7f47cd0c255e68a01e33246d9eff3ae90c0602ddad7bd392e3639a1c072ecc6e5acbd4aa3c48a7526be0ad1dcc77a43ecee33c0ed572

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i2970496.exe

Filesize
174KB

MD5
2d3ee851cc389c1a6d45ae5672b33fe6

SHA1
f1f78fde6c6756b4111338e043eae880727e1e85

SHA256
f72a91f0170fb665826b1c88d6968231af88d1424ee5fb25838988bb61b3cf06

SHA512
238caff461221bdbc95d7f47cd0c255e68a01e33246d9eff3ae90c0602ddad7bd392e3639a1c072ecc6e5acbd4aa3c48a7526be0ad1dcc77a43ecee33c0ed572

Download Submit
memory/2232-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2232-44-0x0000000073C10000-0x00000000743C0000-memory.dmp

Filesize
7.7MB

Download
memory/2232-31-0x0000000073C10000-0x00000000743C0000-memory.dmp

Filesize
7.7MB

Download
memory/2232-41-0x0000000073C10000-0x00000000743C0000-memory.dmp

Filesize
7.7MB

Download
memory/4936-3-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4936-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4936-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4936-39-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/4936-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/5040-30-0x0000000073C10000-0x00000000743C0000-memory.dmp

Filesize
7.7MB

Download
memory/5040-34-0x0000000005BB0000-0x0000000005CBA000-memory.dmp

Filesize
1.0MB

Download
memory/5040-35-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/5040-36-0x0000000005910000-0x0000000005922000-memory.dmp

Filesize
72KB

Download
memory/5040-37-0x0000000005AA0000-0x0000000005ADC000-memory.dmp

Filesize
240KB

Download
memory/5040-38-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

Filesize
304KB

Download
memory/5040-33-0x00000000060C0000-0x00000000066D8000-memory.dmp

Filesize
6.1MB

Download
memory/5040-40-0x0000000073C10000-0x00000000743C0000-memory.dmp

Filesize
7.7MB

Download
memory/5040-32-0x0000000003420000-0x0000000003426000-memory.dmp

Filesize
24KB

Download
memory/5040-42-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/5040-29-0x0000000000F50000-0x0000000000F80000-memory.dmp

Filesize
192KB

Download