healer | 205ae779babd66a06edef8f4549388af61dbb854e06c82a7f291317f4dbe780e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe
Size

828KB
MD5

2a32d9865596340119086b9e9d7407d7
SHA1

cd4daf419b213c6a34241bb7a791f2b59f4d80d8
SHA256

bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26
SHA512

2bcd417c9bc9e1cd1fb0a63dc62fa1599b78f7ea6b3205f2b6c9b5b9f805183b80318fd0f9ff4dd3ca8b55dfafab6cfd8300c638c97e22269904362434e001b8
SSDEEP

24576:9y4zSdEWEkPt03UTE04CiNCAFab9dmcZgf:Y4OEW2rCiUAYJn

Score

10^/10

healer redline crazy muha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

crazy

83.97.73.129:19068

Attributes

auth_value
66bc4d9682ea090eef64a299ece12fdd

Extracted

Family

redline

Botnet

muha

83.97.73.129:19068

Attributes

auth_value
3c237e5fecb41481b7af249e79828a46

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral17/memory/2508-42-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral17/memory/4396-28-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral17/files/0x000700000002344e-48.dat	family_redline
behavioral17/memory/4836-50-0x0000000000CE0000-0x0000000000D10000-memory.dmp	family_redline

Executes dropped EXE 6 IoCs

pid	Process
2872	v9136604.exe
2908	v7678896.exe
3400	v0633454.exe
4652	a9751033.exe
5100	b2585981.exe
4836	c2700905.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7678896.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0633454.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9136604.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4652 set thread context of 4396	4652	a9751033.exe	89
PID 5100 set thread context of 2508	5100	b2585981.exe	95

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2528	4652	WerFault.exe	87
4696	5100	WerFault.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2508	AppLaunch.exe
2508	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	AppLaunch.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 2872	5012	bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe	83
PID 5012 wrote to memory of 2872	5012	bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe	83
PID 5012 wrote to memory of 2872	5012	bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe	83
PID 2872 wrote to memory of 2908	2872	v9136604.exe	84
PID 2872 wrote to memory of 2908	2872	v9136604.exe	84
PID 2872 wrote to memory of 2908	2872	v9136604.exe	84
PID 2908 wrote to memory of 3400	2908	v7678896.exe	86
PID 2908 wrote to memory of 3400	2908	v7678896.exe	86
PID 2908 wrote to memory of 3400	2908	v7678896.exe	86
PID 3400 wrote to memory of 4652	3400	v0633454.exe	87
PID 3400 wrote to memory of 4652	3400	v0633454.exe	87
PID 3400 wrote to memory of 4652	3400	v0633454.exe	87
PID 4652 wrote to memory of 4396	4652	a9751033.exe	89
PID 4652 wrote to memory of 4396	4652	a9751033.exe	89
PID 4652 wrote to memory of 4396	4652	a9751033.exe	89
PID 4652 wrote to memory of 4396	4652	a9751033.exe	89
PID 4652 wrote to memory of 4396	4652	a9751033.exe	89
PID 3400 wrote to memory of 5100	3400	v0633454.exe	93
PID 3400 wrote to memory of 5100	3400	v0633454.exe	93
PID 3400 wrote to memory of 5100	3400	v0633454.exe	93
PID 5100 wrote to memory of 2508	5100	b2585981.exe	95
PID 5100 wrote to memory of 2508	5100	b2585981.exe	95
PID 5100 wrote to memory of 2508	5100	b2585981.exe	95
PID 5100 wrote to memory of 2508	5100	b2585981.exe	95
PID 5100 wrote to memory of 2508	5100	b2585981.exe	95
PID 2908 wrote to memory of 4836	2908	v7678896.exe	98
PID 2908 wrote to memory of 4836	2908	v7678896.exe	98
PID 2908 wrote to memory of 4836	2908	v7678896.exe	98

C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe
"C:\Users\Admin\AppData\Local\Temp\bd2cad400370a1839dedfee01ba51651868baedcef41cd34976bcfc1a2ccbf26.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3400
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        6⤵
        
        PID:4396
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 156
        6⤵
        Program crash
        
        PID:2528
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 148
        6⤵
        Program crash
        
        PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe
      4⤵
      Executes dropped EXE
      PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4652 -ip 4652
1⤵
PID:1568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5100 -ip 5100
1⤵
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9136604.exe

Filesize
607KB

MD5
33ff5c1b7ad2169df36e814a2d691161

SHA1
e80f0be76be35b9997ecfa24a8efc30748552cbe

SHA256
000643ece079f96ed416c42e9dec2e3a647599f99950c60349c52e36cb724e88

SHA512
216ceb4f2a265aae0b413964c91da9f4f4f45baabe4ed952da89dc8089932472aeecb7ae2fb42408dfcfc8ae575d3d0b99cd89f55620946b155a41dee6019bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7678896.exe

Filesize
435KB

MD5
a76aada563b5fff5cf81824d40e87c25

SHA1
b6c50c7d69b765a396e3995642cd3c82ed9eb370

SHA256
f25337a343c26cdecd99eb7f095938fd24fb233463a8af3fa69acc5201eed956

SHA512
093e3da142ee67a4da1c8f352460e5d90e9565ec60855285a19eb6e2c2f85d8b8ec22e0b5f46194222954ffeb19e1a8451f9d364c8869f1ef8050decc7154a56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2700905.exe

Filesize
172KB

MD5
3722a3e958832f918370e3491d62d642

SHA1
86d28aa415f98a3ffa95279b4ac521e96ab8131a

SHA256
fc953ae5ccb8716ad6fa4b015596e010272dc5095fb5cf36fc1fe1ac7ca39db9

SHA512
510caffa854da75b5cef2b52ef61dee6670fc684c090911b9bf51678c68144e3f83a2ca2b43364abd0619c6742c03b9f68f29f91d6bb6259c49fc2b8bbaeb791

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0633454.exe

Filesize
280KB

MD5
7df1e56d4c1a1612ee126463fcf8ceb4

SHA1
774ab26898cfa2ace41b0d5fa53538d318e0fa57

SHA256
a62a548ffb1dcb9166d2336968bea9011a44039f391a1a7ef70364f4a0e131a0

SHA512
a84427f66c991496b014e82a1e52a969da9b627d6dfebdb93b74acdda4907df02b7b7d17b25cb732999e4a01e7f6e327be630b93b6dd6c55ed78e3d920ccae15

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a9751033.exe

Filesize
302KB

MD5
c0e3f771bcbb789d734e7d3e1b1f4e65

SHA1
02e6e5e508188955181ac98bb1b9c414d2c1aa9e

SHA256
53b6f1fa7f2466210d99ea5bba427014f08b5656339d05d1dc0d120b7c6a3b02

SHA512
c983b76772a50aece42107a39c828abfa768fc33c8865df73de57e1beca2919e8cc7b8afe1d5ae3e7556273519e311d5e49ed6d52eaf895c3c3d7c34608d2118

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2585981.exe

Filesize
141KB

MD5
cd5a529d645436b72dc72ebc19950ef3

SHA1
5f571b5fce5b5e210e812e28dad02b80bb1f5d80

SHA256
887d08bb7735494fa22a46935055d0c2d612f70e97ecdd07bccf427d8e49efa3

SHA512
b314a9d61340e1cafd67aef45b5151721a6100ca0f7d6ec787e4fc4d83d1cdb571cfafcd1cc1cee681f3016bfb3fc8074681633607221711163e7da2c2e6b123

Download Submit
memory/2508-42-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4396-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4396-36-0x0000000009F30000-0x0000000009F42000-memory.dmp

Filesize
72KB

Download
memory/4396-35-0x0000000009FF0000-0x000000000A0FA000-memory.dmp

Filesize
1.0MB

Download
memory/4396-39-0x0000000009F90000-0x0000000009FCC000-memory.dmp

Filesize
240KB

Download
memory/4396-41-0x0000000002420000-0x000000000246C000-memory.dmp

Filesize
304KB

Download
memory/4396-34-0x000000000A4E0000-0x000000000AAF8000-memory.dmp

Filesize
6.1MB

Download
memory/4396-33-0x0000000000A20000-0x0000000000A26000-memory.dmp

Filesize
24KB

Download
memory/4836-50-0x0000000000CE0000-0x0000000000D10000-memory.dmp

Filesize
192KB

Download
memory/4836-51-0x0000000001460000-0x0000000001466000-memory.dmp

Filesize
24KB

Download