healer | e660be79de0932d6c5c0f1b65dc5d842ed790962625d5dd8731c30f46ae264a2

Analysis

max time kernel
141s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc0a361a973318fa776eb3e7f9c88901ca8d1d588434f1df0348b63576b6412b.exe
Size

326KB
MD5

7cb0300735975423f301d6388b45f117
SHA1

6f080e78bf293f5611c51f21a8675155132ef1b7
SHA256

bc0a361a973318fa776eb3e7f9c88901ca8d1d588434f1df0348b63576b6412b
SHA512

496b09eb6d739e7a701fcd31695661a28063f14071b683d01508d756621d626420c4a279abf44d96f9496307e5f84a6f756f070cdf1240cb88fe0bc8118b8379
SSDEEP

6144:K8y+bnr+Jp0yN90QE2IwCaiWsHRcVGPGEAChBeMymVtQ:kMrVy90xIsHRcVuG3ItQ

Score

10^/10

healer redline moner dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

moner

77.91.124.82:19071

Attributes

auth_value
a94cd9e01643e1945b296c28a2f28707

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral25/memory/3212-7-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral25/files/0x000800000002325e-9.dat	family_redline
behavioral25/memory/4384-13-0x00000000002D0000-0x0000000000300000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
3752	g4865397.exe
4384	i4385614.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bc0a361a973318fa776eb3e7f9c88901ca8d1d588434f1df0348b63576b6412b.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3752 set thread context of 3212	3752	g4865397.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3212	AppLaunch.exe
3212	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3212	AppLaunch.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3752	2112	bc0a361a973318fa776eb3e7f9c88901ca8d1d588434f1df0348b63576b6412b.exe	91
PID 2112 wrote to memory of 3752	2112	bc0a361a973318fa776eb3e7f9c88901ca8d1d588434f1df0348b63576b6412b.exe	91
PID 2112 wrote to memory of 3752	2112	bc0a361a973318fa776eb3e7f9c88901ca8d1d588434f1df0348b63576b6412b.exe	91
PID 3752 wrote to memory of 3212	3752	g4865397.exe	93
PID 3752 wrote to memory of 3212	3752	g4865397.exe	93
PID 3752 wrote to memory of 3212	3752	g4865397.exe	93
PID 3752 wrote to memory of 3212	3752	g4865397.exe	93
PID 3752 wrote to memory of 3212	3752	g4865397.exe	93
PID 3752 wrote to memory of 3212	3752	g4865397.exe	93
PID 3752 wrote to memory of 3212	3752	g4865397.exe	93
PID 3752 wrote to memory of 3212	3752	g4865397.exe	93
PID 2112 wrote to memory of 4384	2112	bc0a361a973318fa776eb3e7f9c88901ca8d1d588434f1df0348b63576b6412b.exe	94
PID 2112 wrote to memory of 4384	2112	bc0a361a973318fa776eb3e7f9c88901ca8d1d588434f1df0348b63576b6412b.exe	94
PID 2112 wrote to memory of 4384	2112	bc0a361a973318fa776eb3e7f9c88901ca8d1d588434f1df0348b63576b6412b.exe	94

C:\Users\Admin\AppData\Local\Temp\bc0a361a973318fa776eb3e7f9c88901ca8d1d588434f1df0348b63576b6412b.exe
"C:\Users\Admin\AppData\Local\Temp\bc0a361a973318fa776eb3e7f9c88901ca8d1d588434f1df0348b63576b6412b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4865397.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4865397.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4385614.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4385614.exe
  2⤵
  - Executes dropped EXE
  PID:4384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
1⤵
PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g4865397.exe

Filesize
257KB

MD5
dfbe4e5c15472af9a3006aeca09a9963

SHA1
d2bbd57abcfd54b8445235804dfaab7fb12dad5e

SHA256
5e74060c4c441db7e0a218c8af28bced2338ddd97a30e2d6d155f1ddddfd9ca8

SHA512
d56f6505a80ad4e5394a49960f1507b368c68acdc324ec9a20085683245dd2a9673cb33d5d6de9aac5dd998e09ed2e3224df3997577551956fba95c8f3a43180

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i4385614.exe

Filesize
174KB

MD5
caf130415d451b88c00552dbe72956be

SHA1
78a8c237386c883ef202b322d4e9a836fba74443

SHA256
2bad2cc00480dd05d6657e66004e850b4769ce20190fc25cab485e0984c56d07

SHA512
49aa1054dc507f1eb856fdab33c2f86a59bc5a70682a4750be9de16921b533e30c327b6627052fe525c0becd9bec9a3f26286e249c3f2f03ac77a919bda74d2f

Download Submit
memory/3212-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3212-11-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

Filesize
4KB

Download
memory/4384-14-0x00000000009D0000-0x00000000009D6000-memory.dmp

Filesize
24KB

Download
memory/4384-13-0x00000000002D0000-0x0000000000300000-memory.dmp

Filesize
192KB

Download
memory/4384-12-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download
memory/4384-15-0x000000000A600000-0x000000000AC18000-memory.dmp

Filesize
6.1MB

Download
memory/4384-16-0x000000000A140000-0x000000000A24A000-memory.dmp

Filesize
1.0MB

Download
memory/4384-17-0x000000000A080000-0x000000000A092000-memory.dmp

Filesize
72KB

Download
memory/4384-18-0x000000000A0E0000-0x000000000A11C000-memory.dmp

Filesize
240KB

Download
memory/4384-19-0x000000000A250000-0x000000000A29C000-memory.dmp

Filesize
304KB

Download
memory/4384-21-0x0000000074B30000-0x00000000752E0000-memory.dmp

Filesize
7.7MB

Download