healer | a44d7397ca2486a37cfbc6cd473037b204a5fe4678303dd2f187c814c85f25db

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exe
Size

731KB
MD5

77d27efd5c42bfed4fbc15af6461b04f
SHA1

1d8e3d0bb2e1560257ddfca9cbf1d92de7722c2c
SHA256

2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe
SHA512

68a474f4021be855e74d8bf6c8e45b3d64480964a7ae2f3a559fd859988ccfd6f322cb94e7a0f9a4f8e49faa0bbc8a9c79fb774562b585e5cf010127f3fc42d9
SSDEEP

12288:VMrRy909oJomjcs/4c7SDjZCjqEP9ylQSbY5dJJ9Hd+FwPCHMnY:8yhbcsgc744q+QlMdJJ9db2

Score

10^/10

healer redline ramon dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ramon

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1712-14-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i1863921.exe	family_redline
behavioral2/memory/3704-18-0x0000000000AC0000-0x0000000000AF0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

Processes:

x8647530.exeg4667930.exei1863921.exe

pid process

640 x8647530.exe
216 g4667930.exe
3704 i1863921.exe

pid	process
640	x8647530.exe
216	g4667930.exe
3704	i1863921.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exex8647530.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8647530.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

g4667930.exe

description pid process target process

PID 216 set thread context of 1712 216 g4667930.exe AppLaunch.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

1712 AppLaunch.exe
1712 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

AppLaunch.exe

description pid process

Token: SeDebugPrivilege 1712 AppLaunch.exe

description	pid	process	target process
PID 216 set thread context of 1712	216	g4667930.exe	AppLaunch.exe

pid	process
1712	AppLaunch.exe
1712	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1712	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exex8647530.exeg4667930.exe

description	pid	process	target process
PID 1448 wrote to memory of 640	1448	2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exe	x8647530.exe
PID 1448 wrote to memory of 640	1448	2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exe	x8647530.exe
PID 1448 wrote to memory of 640	1448	2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exe	x8647530.exe
PID 640 wrote to memory of 216	640	x8647530.exe	g4667930.exe
PID 640 wrote to memory of 216	640	x8647530.exe	g4667930.exe
PID 640 wrote to memory of 216	640	x8647530.exe	g4667930.exe
PID 216 wrote to memory of 1268	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 1268	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 1268	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 2948	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 2948	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 2948	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 1712	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 1712	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 1712	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 1712	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 1712	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 1712	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 1712	216	g4667930.exe	AppLaunch.exe
PID 216 wrote to memory of 1712	216	g4667930.exe	AppLaunch.exe
PID 640 wrote to memory of 3704	640	x8647530.exe	i1863921.exe
PID 640 wrote to memory of 3704	640	x8647530.exe	i1863921.exe
PID 640 wrote to memory of 3704	640	x8647530.exe	i1863921.exe

C:\Users\Admin\AppData\Local\Temp\2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exe
"C:\Users\Admin\AppData\Local\Temp\2d225565e090ae7f3ebf2de337fac7a1658473382e87c3cef7cac8a13b7f5ebe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1448

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8647530.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8647530.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:640

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4667930.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4667930.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i1863921.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i1863921.exe
3⤵
- Executes dropped EXE
PID:3704

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8647530.exe
Filesize
565KB

MD5
60dc0bc6e0cba3fc8dc243eb9e1cd44c

SHA1
11fcec600038029f6aa1791553a0dc8b0de031d1

SHA256
46c926cc3cb91068b8b7b0c92f78d7a74dc558a47cefd42f460bd8a16c4dfc89

SHA512
dffe480393d89d5efb7b810417ab8380187c622476e8789792ee095fe64bd812a8e331e8d61c2ed98701b7e65c4c7d95c923ef12f246a93e08e65ec3a120cf78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g4667930.exe
Filesize
1.6MB

MD5
8cbfad69ee18aea6b9e07fc64be58559

SHA1
2f347e9b92f509e9d0e6faac736bf11b2b137bb4

SHA256
3cb5937c03f0a2d43ef08066527577b93afc03bb68da7f73e1d798434b8ab566

SHA512
b2cce7fdfacd8fc8d1d8b791aec1c8d08dce58fd19079b928dc76751828e6164ea6d26c742c78499532dcc86d9e0b91b657f04c0d71e2408ebd5813d9f3c175f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i1863921.exe
Filesize
174KB

MD5
8c1b51d7584ff1bf439fb04df414add0

SHA1
e2f8ef595b52fb830eaed8b0643d1ad9c3722061

SHA256
eb4c98f436b15c51b747c27f7fe7d5b90f6a7d9e94d578faa32d5a47e32e7a94

SHA512
582a6142e272b13722f608389e7cd7b1dd9e93a263ff34ea6fd4a5c53f69ea279aff5ccf1b9beb69089d0d11864e79ab719afb7686c833d1059c0d6e57e9a5da

Download Submit
memory/1712-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3704-18-0x0000000000AC0000-0x0000000000AF0000-memory.dmp

Filesize
192KB

Download
memory/3704-19-0x0000000002D70000-0x0000000002D76000-memory.dmp

Filesize
24KB

Download
memory/3704-20-0x000000000AF40000-0x000000000B558000-memory.dmp

Filesize
6.1MB

Download
memory/3704-21-0x000000000AA70000-0x000000000AB7A000-memory.dmp

Filesize
1.0MB

Download
memory/3704-22-0x000000000A9B0000-0x000000000A9C2000-memory.dmp

Filesize
72KB

Download
memory/3704-23-0x000000000AA10000-0x000000000AA4C000-memory.dmp

Filesize
240KB

Download
memory/3704-24-0x0000000004EB0000-0x0000000004EFC000-memory.dmp

Filesize
304KB

Download