healer | e660be79de0932d6c5c0f1b65dc5d842ed790962625d5dd8731c30f46ae264a2

Analysis

max time kernel
133s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

636c6831e9337ae0be8ccc466e94bff1945dfb0b1bb8dad69a2978f68f48512d.exe
Size

493KB
MD5

a6b7191b24acf40a0f0b7db4b471b265
SHA1

3abf85119b6e3fa84b0372ebcb1d3a5dd0773664
SHA256

636c6831e9337ae0be8ccc466e94bff1945dfb0b1bb8dad69a2978f68f48512d
SHA512

e23a604bf582fc0c8e9b6fcbd54567dfc9e464c489fce9d8d0b3741fd9333ccced07f5e1d6fa6653d81424d7ef4112d6eb15f5380a7d2b4014deab5719f832d8
SSDEEP

12288:EMrsy90tdTf27By0GK1hLrnsv2NCBiBC:wy69wBy0GGhLUZiBC

Score

10^/10

healer redline virad dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral12/memory/3752-14-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i4873880.exe	family_redline
behavioral12/memory/3916-18-0x00000000004C0000-0x00000000004F0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x5320064.exeg6540956.exei4873880.exe

pid process

2924 x5320064.exe
5048 g6540956.exe
3916 i4873880.exe

pid	process
2924	x5320064.exe
5048	g6540956.exe
3916	i4873880.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

636c6831e9337ae0be8ccc466e94bff1945dfb0b1bb8dad69a2978f68f48512d.exex5320064.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	636c6831e9337ae0be8ccc466e94bff1945dfb0b1bb8dad69a2978f68f48512d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x5320064.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g6540956.exe

description pid process target process

PID 5048 set thread context of 3752 5048 g6540956.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

AppLaunch.exe

pid process

3752 AppLaunch.exe
3752 AppLaunch.exe
3752 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 3752 AppLaunch.exe

description	pid	process	target process
PID 5048 set thread context of 3752	5048	g6540956.exe	AppLaunch.exe

pid	process
3752	AppLaunch.exe
3752	AppLaunch.exe
3752	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3752	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

636c6831e9337ae0be8ccc466e94bff1945dfb0b1bb8dad69a2978f68f48512d.exex5320064.exeg6540956.exe

description	pid	process	target process
PID 3484 wrote to memory of 2924	3484	636c6831e9337ae0be8ccc466e94bff1945dfb0b1bb8dad69a2978f68f48512d.exe	x5320064.exe
PID 3484 wrote to memory of 2924	3484	636c6831e9337ae0be8ccc466e94bff1945dfb0b1bb8dad69a2978f68f48512d.exe	x5320064.exe
PID 3484 wrote to memory of 2924	3484	636c6831e9337ae0be8ccc466e94bff1945dfb0b1bb8dad69a2978f68f48512d.exe	x5320064.exe
PID 2924 wrote to memory of 5048	2924	x5320064.exe	g6540956.exe
PID 2924 wrote to memory of 5048	2924	x5320064.exe	g6540956.exe
PID 2924 wrote to memory of 5048	2924	x5320064.exe	g6540956.exe
PID 5048 wrote to memory of 2136	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 2136	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 2136	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 4740	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 4740	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 4740	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 3752	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 3752	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 3752	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 3752	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 3752	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 3752	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 3752	5048	g6540956.exe	AppLaunch.exe
PID 5048 wrote to memory of 3752	5048	g6540956.exe	AppLaunch.exe
PID 2924 wrote to memory of 3916	2924	x5320064.exe	i4873880.exe
PID 2924 wrote to memory of 3916	2924	x5320064.exe	i4873880.exe
PID 2924 wrote to memory of 3916	2924	x5320064.exe	i4873880.exe

C:\Users\Admin\AppData\Local\Temp\636c6831e9337ae0be8ccc466e94bff1945dfb0b1bb8dad69a2978f68f48512d.exe
"C:\Users\Admin\AppData\Local\Temp\636c6831e9337ae0be8ccc466e94bff1945dfb0b1bb8dad69a2978f68f48512d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5320064.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5320064.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6540956.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6540956.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:4740
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3752
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i4873880.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i4873880.exe
    3⤵
    - Executes dropped EXE
    PID:3916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1316,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4312 /prefetch:8
1⤵
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5320064.exe

Filesize
327KB

MD5
26a60138f082d2550e8c90e5c201ad42

SHA1
4b8224931f88ce84c3407bd44e623470881cdea3

SHA256
79f37fb7c462ecb14967c5c2242c309dce7197aed67a4042d4e273aac5835379

SHA512
48b000d3b7cd43511c64f10b0958ded84ed90088832d4f0e78e729620844b7148f7d9518bf7b959a424b7ea8393fa33bded2dcec75b98e3634eeef19e94be022

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g6540956.exe

Filesize
256KB

MD5
5c6d00b85fe1a881ec4d92fee7b42ccc

SHA1
cca36188c28f76c9afd4cd29673606280480ef71

SHA256
3876f5bd7205feaf32e869107c005fbf5e5d356fbb44e79d20a0e46bf338a161

SHA512
e5ef50cc0a3f79f0e2486f0d809a75fa8620e9ff8a33976aaca706989156831fa9776f1ac0d522d672dd7329a74946d6d8447e4d4e1a2eb741531c92038c9b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i4873880.exe

Filesize
175KB

MD5
43b98a520d7244c89f3ea359f077b2aa

SHA1
aa92a8538d8f7b52f989fcb8a74c67768e95a0fe

SHA256
8a8f47a15e9fd38692000976f60982f08d554bbd1540fa99ea4df50cf6f67f5e

SHA512
d29b6a41db821563203f5fdc953c6859c5045a9900fc26fb7cfbe1cbb876c3829b2807735a0ee63f3d4efc5a527f22acc3530810dede0347484a047ec35e6ad8

Download Submit
memory/3752-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3916-18-0x00000000004C0000-0x00000000004F0000-memory.dmp

Filesize
192KB

Download
memory/3916-19-0x0000000002640000-0x0000000002646000-memory.dmp

Filesize
24KB

Download
memory/3916-20-0x0000000005620000-0x0000000005C38000-memory.dmp

Filesize
6.1MB

Download
memory/3916-21-0x0000000005110000-0x000000000521A000-memory.dmp

Filesize
1.0MB

Download
memory/3916-22-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download
memory/3916-23-0x0000000002760000-0x000000000279C000-memory.dmp

Filesize
240KB

Download
memory/3916-24-0x00000000027A0000-0x00000000027EC000-memory.dmp

Filesize
304KB

Download