healer | 6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699

Analysis

max time kernel
166s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe
Size

930KB
MD5

734a023fa9fa82776fc53c2df87b7fdd
SHA1

eea9aa9fc02c97f13e0b68eedf1adb2e9f7242d9
SHA256

6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699
SHA512

ef751bb0db9e3ff69a182610fc52bcd50e14af354de8df0016ab8f42c82b55f21bfd1415059f975f347b930e90c149294ae30686167f02725bfda12407bbc58a
SSDEEP

12288:Mz//yfYb5BIQZVt9lEfjOyxoHuRd76fK4GNrdaOWHn5eBoytHxQk5E5SL9:WiuBtZENd76fwdabHn5WxQysSh

Score

10^/10

healer redline moner dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4512-25-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
936	x1552152.exe
4900	x1053078.exe
5116	g0114763.exe
968	i8240294.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x1552152.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x1053078.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4076 set thread context of 876	4076	6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe	93
PID 5116 set thread context of 4512	5116	g0114763.exe	99

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4512	AppLaunch.exe
4512	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4512	AppLaunch.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 876	4076	6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe	93
PID 4076 wrote to memory of 876	4076	6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe	93
PID 4076 wrote to memory of 876	4076	6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe	93
PID 4076 wrote to memory of 876	4076	6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe	93
PID 4076 wrote to memory of 876	4076	6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe	93
PID 4076 wrote to memory of 876	4076	6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe	93
PID 4076 wrote to memory of 876	4076	6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe	93
PID 4076 wrote to memory of 876	4076	6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe	93
PID 4076 wrote to memory of 876	4076	6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe	93
PID 4076 wrote to memory of 876	4076	6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe	93
PID 876 wrote to memory of 936	876	AppLaunch.exe	94
PID 876 wrote to memory of 936	876	AppLaunch.exe	94
PID 876 wrote to memory of 936	876	AppLaunch.exe	94
PID 936 wrote to memory of 4900	936	x1552152.exe	95
PID 936 wrote to memory of 4900	936	x1552152.exe	95
PID 936 wrote to memory of 4900	936	x1552152.exe	95
PID 4900 wrote to memory of 5116	4900	x1053078.exe	97
PID 4900 wrote to memory of 5116	4900	x1053078.exe	97
PID 4900 wrote to memory of 5116	4900	x1053078.exe	97
PID 5116 wrote to memory of 4512	5116	g0114763.exe	99
PID 5116 wrote to memory of 4512	5116	g0114763.exe	99
PID 5116 wrote to memory of 4512	5116	g0114763.exe	99
PID 5116 wrote to memory of 4512	5116	g0114763.exe	99
PID 5116 wrote to memory of 4512	5116	g0114763.exe	99
PID 5116 wrote to memory of 4512	5116	g0114763.exe	99
PID 5116 wrote to memory of 4512	5116	g0114763.exe	99
PID 5116 wrote to memory of 4512	5116	g0114763.exe	99
PID 4900 wrote to memory of 968	4900	x1053078.exe	100
PID 4900 wrote to memory of 968	4900	x1053078.exe	100
PID 4900 wrote to memory of 968	4900	x1053078.exe	100

C:\Users\Admin\AppData\Local\Temp\6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe
"C:\Users\Admin\AppData\Local\Temp\6872427be16ef40aa63fa4eda70686710de1031508a48644fdc131e4f2638699.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1552152.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1552152.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:936
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1053078.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1053078.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4900
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0114763.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0114763.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5116
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8240294.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8240294.exe
        5⤵
        Executes dropped EXE
        
        PID:968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1552152.exe

Filesize
472KB

MD5
d96a3653fe5b9fd9a212ff52da5ce306

SHA1
f57e2f4799740ca0738c90d33be6f077360d8658

SHA256
4ce0fd827745a565467d4048fb58873564b1bf02bf72e1e928bfecd59f40a59e

SHA512
faeae2d97facdeca9688a474edb037dd4374067ea59722a9161fe64290403cdfebf69683788cc283273cf011af8a182b92007e2c92942575d96decae33fa08ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x1552152.exe

Filesize
472KB

MD5
d96a3653fe5b9fd9a212ff52da5ce306

SHA1
f57e2f4799740ca0738c90d33be6f077360d8658

SHA256
4ce0fd827745a565467d4048fb58873564b1bf02bf72e1e928bfecd59f40a59e

SHA512
faeae2d97facdeca9688a474edb037dd4374067ea59722a9161fe64290403cdfebf69683788cc283273cf011af8a182b92007e2c92942575d96decae33fa08ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1053078.exe

Filesize
306KB

MD5
7853cc067f086e6b1d7f5b3f1b9ccb3c

SHA1
dcee6cdaa8bbd5a78fe8f224a90e81696d0e3eda

SHA256
7f1bbc1e0919c26d717547401fdf6471fa8b97478cb0ea31f79f8ed4b0a51dcc

SHA512
0d04d61e47372700c1d54cbcaa284aea52505c3129780a4fdc59df5b2e5b866b717b4284e1881a4140e5bd67eac258802841978ae2238f4dd1cc3acd3c10df4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1053078.exe

Filesize
306KB

MD5
7853cc067f086e6b1d7f5b3f1b9ccb3c

SHA1
dcee6cdaa8bbd5a78fe8f224a90e81696d0e3eda

SHA256
7f1bbc1e0919c26d717547401fdf6471fa8b97478cb0ea31f79f8ed4b0a51dcc

SHA512
0d04d61e47372700c1d54cbcaa284aea52505c3129780a4fdc59df5b2e5b866b717b4284e1881a4140e5bd67eac258802841978ae2238f4dd1cc3acd3c10df4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0114763.exe

Filesize
213KB

MD5
ad3025c3f8ffbd1ce3df572c44b0cd42

SHA1
77ba6d8804481fafffff8fdfa924f3290083df75

SHA256
84158f9a3de580ecde0f64994d13dea41bf7bf48c4729101f9daa05b705cacee

SHA512
c779584bdb54b7d0bb2173db24719e4f2066a4fefb3226ca804a1c4deb12ec66979ebbe598ecd5cf9bfae3eda62e9511a0cfdc97cac085b89b5a214b0de311ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0114763.exe

Filesize
213KB

MD5
ad3025c3f8ffbd1ce3df572c44b0cd42

SHA1
77ba6d8804481fafffff8fdfa924f3290083df75

SHA256
84158f9a3de580ecde0f64994d13dea41bf7bf48c4729101f9daa05b705cacee

SHA512
c779584bdb54b7d0bb2173db24719e4f2066a4fefb3226ca804a1c4deb12ec66979ebbe598ecd5cf9bfae3eda62e9511a0cfdc97cac085b89b5a214b0de311ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8240294.exe

Filesize
174KB

MD5
37e17fc9fcfb4834c6d2268ab640fbe8

SHA1
664c74b3b3d3f48c56df41a8a759448bfc73af42

SHA256
b662386f71511ede35a0b758cd76e6372fa166548065ba7d7a1ea02581b7b7d9

SHA512
3140c0b10cdb96307a4e75ca2d6ceb1c9c934969d8e2b10dae30b61b0528d4322803117b5b5a22e977b5b872b34b3c8fa8d6c2256b44404d00d113c8096375bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8240294.exe

Filesize
174KB

MD5
37e17fc9fcfb4834c6d2268ab640fbe8

SHA1
664c74b3b3d3f48c56df41a8a759448bfc73af42

SHA256
b662386f71511ede35a0b758cd76e6372fa166548065ba7d7a1ea02581b7b7d9

SHA512
3140c0b10cdb96307a4e75ca2d6ceb1c9c934969d8e2b10dae30b61b0528d4322803117b5b5a22e977b5b872b34b3c8fa8d6c2256b44404d00d113c8096375bf

Download Submit
memory/876-3-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/876-2-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/876-1-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/876-0-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/876-39-0x0000000000400000-0x00000000004BB000-memory.dmp

Filesize
748KB

Download
memory/968-37-0x0000000004DF0000-0x0000000004E2C000-memory.dmp

Filesize
240KB

Download
memory/968-35-0x0000000004D90000-0x0000000004DA2000-memory.dmp

Filesize
72KB

Download
memory/968-31-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/968-32-0x0000000004CE0000-0x0000000004CE6000-memory.dmp

Filesize
24KB

Download
memory/968-33-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/968-34-0x0000000004E60000-0x0000000004F6A000-memory.dmp

Filesize
1.0MB

Download
memory/968-36-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/968-42-0x0000000004D40000-0x0000000004D50000-memory.dmp

Filesize
64KB

Download
memory/968-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/968-38-0x0000000004F70000-0x0000000004FBC000-memory.dmp

Filesize
304KB

Download
memory/968-41-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/4512-40-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/4512-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4512-30-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/4512-44-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download