healer | 1aa612c673e0e8506776c3b8740894f0947bb33bd7b5f22dc14212289801a024

Analysis

max time kernel
141s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac.exe
Size

313KB
MD5

e89494e3d4ef96cd08fcbe2993ca8af8
SHA1

31605254987bc7afbba573536c1792129c29d33e
SHA256

3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac
SHA512

68d689b9343292fe90a4a8481cbc5b667b38d2a8866dd5fd0bcd8ba229839a29cfd88a491eae8a1f7a4139d08ed661310c4759f929faa7cb703eb40a0cc9ecfa
SSDEEP

6144:KEy+bnr+Zp0yN90QE+H5qdPcf3zdighcv6YSt9IfM5+P:EMrFy90y58GtS0rYP

Score

10^/10

healer redline virad dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

virad

77.91.124.82:19071

Attributes

auth_value
434dd63619ca8bbf10125913fb40ca28

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral8/memory/4620-7-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral8/files/0x000700000002349a-10.dat	family_redline
behavioral8/memory/4376-12-0x0000000000D80000-0x0000000000DB0000-memory.dmp	family_redline

Executes dropped EXE 2 IoCs

pid	Process
2444	g8684046.exe
4376	i6696789.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2444 set thread context of 4620	2444	g8684046.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2420	2444	WerFault.exe	83

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4620	AppLaunch.exe
4620	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4620	AppLaunch.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2444	116	3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac.exe	83
PID 116 wrote to memory of 2444	116	3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac.exe	83
PID 116 wrote to memory of 2444	116	3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac.exe	83
PID 2444 wrote to memory of 4572	2444	g8684046.exe	84
PID 2444 wrote to memory of 4572	2444	g8684046.exe	84
PID 2444 wrote to memory of 4572	2444	g8684046.exe	84
PID 2444 wrote to memory of 4620	2444	g8684046.exe	85
PID 2444 wrote to memory of 4620	2444	g8684046.exe	85
PID 2444 wrote to memory of 4620	2444	g8684046.exe	85
PID 2444 wrote to memory of 4620	2444	g8684046.exe	85
PID 2444 wrote to memory of 4620	2444	g8684046.exe	85
PID 2444 wrote to memory of 4620	2444	g8684046.exe	85
PID 2444 wrote to memory of 4620	2444	g8684046.exe	85
PID 2444 wrote to memory of 4620	2444	g8684046.exe	85
PID 116 wrote to memory of 4376	116	3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac.exe	90
PID 116 wrote to memory of 4376	116	3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac.exe	90
PID 116 wrote to memory of 4376	116	3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac.exe	90

C:\Users\Admin\AppData\Local\Temp\3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac.exe
"C:\Users\Admin\AppData\Local\Temp\3d524b1122044bd6d028d191fe5fdb789d1a25e2c110fa4da0fc49ae0f970cac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8684046.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8684046.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    PID:4572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 584
    3⤵
    - Program crash
    PID:2420
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i6696789.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i6696789.exe
  2⤵
  - Executes dropped EXE
  PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2444 -ip 2444
1⤵
PID:1224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\g8684046.exe

Filesize
218KB

MD5
2ee5505dff640fe55fab76d2a4d040d7

SHA1
852883272454216ab2e79f9f3f388b300fe79f5a

SHA256
724e51bcd809af1fa58a53e097b8532f5305f92e5fcd49b1a39713d4c4242041

SHA512
2f09cc56cc9b73bc52c8ff79c026cf1374be3502021aa980b083dc04e3dca1660d40fd6b62d512513fb9098a3a2c83af65367c296ba896124776acacabd68b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i6696789.exe

Filesize
174KB

MD5
b9955f17f2e8954ad70cb41f46322f31

SHA1
4be92b19187d51867e8e9bb035fffc2d19f5a0e9

SHA256
d64a15a53ff59fb9fb6d2b5b64d9e177b60bf69531a326abfaceb5662d53593a

SHA512
77ea4676fc272690ccfcfbfe20932b97b68fa39929e65d07f246e30e58b5cbc79235174a9ca6639d3090ee1f0764264d691fb8d2e0b33fc2da98eec9d0736bca

Download Submit
memory/4376-14-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/4376-12-0x0000000000D80000-0x0000000000DB0000-memory.dmp

Filesize
192KB

Download
memory/4376-13-0x0000000002F30000-0x0000000002F36000-memory.dmp

Filesize
24KB

Download
memory/4376-15-0x0000000005E80000-0x0000000006498000-memory.dmp

Filesize
6.1MB

Download
memory/4376-16-0x0000000005970000-0x0000000005A7A000-memory.dmp

Filesize
1.0MB

Download
memory/4376-17-0x0000000005860000-0x0000000005872000-memory.dmp

Filesize
72KB

Download
memory/4376-18-0x00000000058C0000-0x00000000058FC000-memory.dmp

Filesize
240KB

Download
memory/4376-19-0x0000000005900000-0x000000000594C000-memory.dmp

Filesize
304KB

Download
memory/4376-21-0x0000000073D50000-0x0000000074500000-memory.dmp

Filesize
7.7MB

Download
memory/4620-8-0x0000000073D5E000-0x0000000073D5F000-memory.dmp

Filesize
4KB

Download
memory/4620-7-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download