healer | b0707ded6960936877cf4a2a4a5a7191894ea5c19ee70296e7004b5431f5044e

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fedbb32d49ceadba3f4f54639ae2d48c963ae6599b439f9922f20fc96716e84c.exe
Size

1.2MB
MD5

76094730492ea88d8299d508bf86a603
SHA1

4f10b858908e81198486c5489cf4ba3c3ee6006f
SHA256

fedbb32d49ceadba3f4f54639ae2d48c963ae6599b439f9922f20fc96716e84c
SHA512

3aa8fca996bf4e116426e2cc961e19c26925a6c5546ab8f04b088939b6ee9992ebcebe7fa691cb75c5644de478a8fa78ca1191c8d33c5e7302cc02b4c3a8e46a
SSDEEP

24576:Dy31TXXKWNRn6cKMGelRndJzjO1O0k2WGtwSHo:WxnKWNR6jO61OT2WGt5H

Score

10^/10

healer mystic redline darts kendo dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

darts

77.91.124.82:19071

Attributes

auth_value
3c8818da7045365845f15ec0946ebf11

Extracted

Family

redline

Botnet

kendo

77.91.124.82:19071

Attributes

auth_value
5a22a881561d49941415902859b51f14

Signatures

Detect Mystic stealer payload 4 IoCs

resource	yara_rule
behavioral22/memory/4880-39-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral22/memory/4880-42-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral22/memory/4880-40-0x0000000000400000-0x0000000000428000-memory.dmp	mystic_family
behavioral22/files/0x0007000000023444-52.dat	mystic_family

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral22/memory/2084-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral22/memory/1104-46-0x0000000000400000-0x0000000000430000-memory.dmp	family_redline
behavioral22/files/0x0007000000023441-57.dat	family_redline
behavioral22/memory/2392-58-0x0000000000C30000-0x0000000000C60000-memory.dmp	family_redline

Executes dropped EXE 9 IoCs

pid	Process
4788	v5926827.exe
2992	v9785829.exe
872	v5694934.exe
3224	v2934414.exe
4920	a6393065.exe
1476	b9901341.exe
1820	c7252303.exe
388	d1833661.exe
2392	e4922868.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9785829.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5694934.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v2934414.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fedbb32d49ceadba3f4f54639ae2d48c963ae6599b439f9922f20fc96716e84c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5926827.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4920 set thread context of 2084	4920	a6393065.exe	88
PID 1476 set thread context of 4880	1476	b9901341.exe	96
PID 1820 set thread context of 1104	1820	c7252303.exe	100

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1008	4920	WerFault.exe	87
4068	1476	WerFault.exe	95
3252	1820	WerFault.exe	99

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2084	AppLaunch.exe
2084	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2084	AppLaunch.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4788	4148	fedbb32d49ceadba3f4f54639ae2d48c963ae6599b439f9922f20fc96716e84c.exe	83
PID 4148 wrote to memory of 4788	4148	fedbb32d49ceadba3f4f54639ae2d48c963ae6599b439f9922f20fc96716e84c.exe	83
PID 4148 wrote to memory of 4788	4148	fedbb32d49ceadba3f4f54639ae2d48c963ae6599b439f9922f20fc96716e84c.exe	83
PID 4788 wrote to memory of 2992	4788	v5926827.exe	84
PID 4788 wrote to memory of 2992	4788	v5926827.exe	84
PID 4788 wrote to memory of 2992	4788	v5926827.exe	84
PID 2992 wrote to memory of 872	2992	v9785829.exe	85
PID 2992 wrote to memory of 872	2992	v9785829.exe	85
PID 2992 wrote to memory of 872	2992	v9785829.exe	85
PID 872 wrote to memory of 3224	872	v5694934.exe	86
PID 872 wrote to memory of 3224	872	v5694934.exe	86
PID 872 wrote to memory of 3224	872	v5694934.exe	86
PID 3224 wrote to memory of 4920	3224	v2934414.exe	87
PID 3224 wrote to memory of 4920	3224	v2934414.exe	87
PID 3224 wrote to memory of 4920	3224	v2934414.exe	87
PID 4920 wrote to memory of 2084	4920	a6393065.exe	88
PID 4920 wrote to memory of 2084	4920	a6393065.exe	88
PID 4920 wrote to memory of 2084	4920	a6393065.exe	88
PID 4920 wrote to memory of 2084	4920	a6393065.exe	88
PID 4920 wrote to memory of 2084	4920	a6393065.exe	88
PID 4920 wrote to memory of 2084	4920	a6393065.exe	88
PID 4920 wrote to memory of 2084	4920	a6393065.exe	88
PID 4920 wrote to memory of 2084	4920	a6393065.exe	88
PID 3224 wrote to memory of 1476	3224	v2934414.exe	95
PID 3224 wrote to memory of 1476	3224	v2934414.exe	95
PID 3224 wrote to memory of 1476	3224	v2934414.exe	95
PID 1476 wrote to memory of 4880	1476	b9901341.exe	96
PID 1476 wrote to memory of 4880	1476	b9901341.exe	96
PID 1476 wrote to memory of 4880	1476	b9901341.exe	96
PID 1476 wrote to memory of 4880	1476	b9901341.exe	96
PID 1476 wrote to memory of 4880	1476	b9901341.exe	96
PID 1476 wrote to memory of 4880	1476	b9901341.exe	96
PID 1476 wrote to memory of 4880	1476	b9901341.exe	96
PID 1476 wrote to memory of 4880	1476	b9901341.exe	96
PID 1476 wrote to memory of 4880	1476	b9901341.exe	96
PID 1476 wrote to memory of 4880	1476	b9901341.exe	96
PID 872 wrote to memory of 1820	872	v5694934.exe	99
PID 872 wrote to memory of 1820	872	v5694934.exe	99
PID 872 wrote to memory of 1820	872	v5694934.exe	99
PID 1820 wrote to memory of 1104	1820	c7252303.exe	100
PID 1820 wrote to memory of 1104	1820	c7252303.exe	100
PID 1820 wrote to memory of 1104	1820	c7252303.exe	100
PID 1820 wrote to memory of 1104	1820	c7252303.exe	100
PID 1820 wrote to memory of 1104	1820	c7252303.exe	100
PID 1820 wrote to memory of 1104	1820	c7252303.exe	100
PID 1820 wrote to memory of 1104	1820	c7252303.exe	100
PID 1820 wrote to memory of 1104	1820	c7252303.exe	100
PID 2992 wrote to memory of 388	2992	v9785829.exe	103
PID 2992 wrote to memory of 388	2992	v9785829.exe	103
PID 2992 wrote to memory of 388	2992	v9785829.exe	103
PID 4788 wrote to memory of 2392	4788	v5926827.exe	104
PID 4788 wrote to memory of 2392	4788	v5926827.exe	104
PID 4788 wrote to memory of 2392	4788	v5926827.exe	104

C:\Users\Admin\AppData\Local\Temp\fedbb32d49ceadba3f4f54639ae2d48c963ae6599b439f9922f20fc96716e84c.exe
"C:\Users\Admin\AppData\Local\Temp\fedbb32d49ceadba3f4f54639ae2d48c963ae6599b439f9922f20fc96716e84c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5926827.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5926827.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9785829.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9785829.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5694934.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5694934.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2934414.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2934414.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3224
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6393065.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6393065.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 572
        7⤵
        Program crash
        
        PID:1008
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9901341.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9901341.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1476 -s 568
        7⤵
        Program crash
        
        PID:4068
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7252303.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7252303.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1820
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:1104
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 552
        6⤵
        Program crash
        
        PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1833661.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1833661.exe
      4⤵
      Executes dropped EXE
      PID:388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e4922868.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e4922868.exe
    3⤵
    - Executes dropped EXE
    PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4920 -ip 4920
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1476 -ip 1476
1⤵
PID:1740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1820 -ip 1820
1⤵
PID:716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5926827.exe

Filesize
941KB

MD5
757f53591d21f8078ccfa638b7e6d13a

SHA1
12fa1700e69a84e7b0a0216fbac762fdf26da3df

SHA256
4e25b879a161b0c06ee2bed9bf1e17166d00bfd242bd3bd0c350570c46b243d1

SHA512
5f85f8113adef7f59cb1942f00d014c64ddfe29db1f32cc4ca469a1d3499c14826ca62a1f822527d282c4f03ff57a4663f397b535b09c868c36225680d3c38ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\e4922868.exe

Filesize
174KB

MD5
928da8954a81284c9243f81f48acb635

SHA1
e4e948c01c732c2da3f3f9571231c0bdc331c4d8

SHA256
98e1a5644f27b85d45832d02261047bff004c2f8065de473aada2260dd8fa3a5

SHA512
d54c50b16b6b66b565ddb110d09031e4ea6ae551ac1a7bd42bf780a22151ea775931f027ab44a45e0ec888fbd3f7e7026161198d377e417783a73aced61e937d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9785829.exe

Filesize
784KB

MD5
eae0b4e50b1cd6c604ec58c3e469346a

SHA1
838eac55853b51e8ade2d65d8c1d6b38b85a1bcb

SHA256
b54ecf36055adb74ee555dd2ad9bd6658cff11549c7bb75a18b619985261572e

SHA512
9a2773fb1f8e415aeefcfde26275b4d2cc9ee2b8b3d74e74b11d7a73dd6a906e1a866425411bd8da1dc26df60ce13a7ace97b70a587c72924244a9316473c7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\d1833661.exe

Filesize
140KB

MD5
936bbbe7ac0e24701929c6bc31177844

SHA1
395d68b54301d45a95c9e599efdd9f07ab823ee9

SHA256
7d31931d5ba0d16a6b0dbbf94de724c77b8fe4080468e489635ba3a4702660a9

SHA512
d5e233718081bc1e52f7326e15f74e60a3e75ee92308223edb8b8089bf99c83822e9e54f1e018b934f9c1d75a84fcfaa39d07f5078640ff6c36d308f8374a36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5694934.exe

Filesize
618KB

MD5
aadab09495880afa09a5d4f79e904e10

SHA1
d2ddbec1dcb41ab8888aa7453cd15295b3f4505f

SHA256
9ca3fb9eb2d3a26c661394b6c12ca4096810f2ddf08e1eb42e297707508b9b12

SHA512
1a186656d45f972262ae286f0dfac5c62c83dc9fbf8cf73db09808f55da08b85e0635f81f896a08165915f60fe3bb0ce8ed0c863a3cd14c75577d8e1f6cd5360

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7252303.exe

Filesize
398KB

MD5
8ebccf922f42c0bd763ad236ae2d035e

SHA1
757e258207f365ae8b543cd20c32a5d4aa35ac5a

SHA256
f5bbfa580ef9bb7ff9917dec5b2a62f70b634aad8bb8c564a29910f44bbabff5

SHA512
7ac931fe104a38c6ec18fd3afa7519571e2aa770a37ba0d822597645356738938e5d040e3c652510b2dc30b2ab26bb58a273216f9b92e2aad884f15cf5a82961

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v2934414.exe

Filesize
347KB

MD5
baa58527384d111c03c1921ae88a5ada

SHA1
37bcb9d8aaeea088b1f3a97b91262e3dc4720426

SHA256
19c84c1cb56849eb6c58d661a9df146223e5679dc423c0174fc00184609e7563

SHA512
6a89ec47f13fb2de64f0c989a245266e367f5f68c7301f7abf9691055e1772d43536a118e8c7014f0159b78a48876ed5bd0ba94f3dd5653770dac8e147ba12b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6393065.exe

Filesize
235KB

MD5
f1eeb4bb31e5b1854808584550382b04

SHA1
7853e673725639dc2e01aea62ddfa1e958a4fb04

SHA256
fc12ea2abb7fe8af5c3d43c6b020197f43fa9dca0affb2b41f707e207b720e80

SHA512
48988e90814f4683e9058110ea940f50b8c23fc46c01000d05360b25989d9b7459a39d6e503f405b8c09ed5673ca4c94eca6b55ec5945e041fd3a3bd50c72ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9901341.exe

Filesize
364KB

MD5
4344fc4d2c29cada24fb0859fe4d8fc3

SHA1
c26dce0add9f4fe379b585b2d5ce7649b42163ab

SHA256
5dd117d9f0e82f324ebb678fcf8cd33408d2de119c129c868d71695927609ffb

SHA512
dd94218a68c5bf539fa1294be961cc49d62bc8c3966bcc589cd4db48032d458db9465d2317196a1f894db3016a0d5485d12b7be28aeabc94c8d143c6d589467c

Download Submit
memory/1104-50-0x00000000054C0000-0x00000000054D2000-memory.dmp

Filesize
72KB

Download
memory/1104-46-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1104-47-0x0000000001430000-0x0000000001436000-memory.dmp

Filesize
24KB

Download
memory/1104-48-0x000000000AEA0000-0x000000000B4B8000-memory.dmp

Filesize
6.1MB

Download
memory/1104-49-0x000000000A990000-0x000000000AA9A000-memory.dmp

Filesize
1.0MB

Download
memory/1104-54-0x000000000A8C0000-0x000000000A8FC000-memory.dmp

Filesize
240KB

Download
memory/1104-59-0x0000000001390000-0x00000000013DC000-memory.dmp

Filesize
304KB

Download
memory/2084-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2392-58-0x0000000000C30000-0x0000000000C60000-memory.dmp

Filesize
192KB

Download
memory/2392-60-0x0000000005450000-0x0000000005456000-memory.dmp

Filesize
24KB

Download
memory/4880-40-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4880-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4880-39-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download