healer | 176abc5d4c53fc1397a77e15c4028591fc335ce9464a700eddd56742d55dd10d

Analysis

max time kernel
133s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe
Size

1.1MB
MD5

7cd7a01c2f80541e608d5d23296eb636
SHA1

b37ab77e3fabfa5c6b2ae1da51e4a8b9b109a667
SHA256

0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d
SHA512

9a3a3020ca964ba97cbe51c3fed6f7e20db50279b065d38969044fdf7b1ea211cd666704f02d93cd5759e64c024422a021207006c887d9b965f8f33314098c22
SSDEEP

24576:7y5At6OE2X7xTSNsnb7OAoSLsjhCNHOen5QG7J0PvZftv:u5vOECWNaboE0E5QG7J0PD

Score

10^/10

healer redline buben dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/2500-28-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023484-30.dat	family_redline
behavioral1/memory/3268-32-0x0000000000660000-0x0000000000690000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4884	x6295458.exe
4072	x0207371.exe
4824	x9212893.exe
3096	g9517128.exe
3268	h7143551.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x6295458.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0207371.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x9212893.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3096 set thread context of 2500	3096	g9517128.exe	90

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1640	3096	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	AppLaunch.exe
2500	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	AppLaunch.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 4884	2428	0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe	83
PID 2428 wrote to memory of 4884	2428	0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe	83
PID 2428 wrote to memory of 4884	2428	0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe	83
PID 4884 wrote to memory of 4072	4884	x6295458.exe	84
PID 4884 wrote to memory of 4072	4884	x6295458.exe	84
PID 4884 wrote to memory of 4072	4884	x6295458.exe	84
PID 4072 wrote to memory of 4824	4072	x0207371.exe	85
PID 4072 wrote to memory of 4824	4072	x0207371.exe	85
PID 4072 wrote to memory of 4824	4072	x0207371.exe	85
PID 4824 wrote to memory of 3096	4824	x9212893.exe	86
PID 4824 wrote to memory of 3096	4824	x9212893.exe	86
PID 4824 wrote to memory of 3096	4824	x9212893.exe	86
PID 3096 wrote to memory of 2812	3096	g9517128.exe	89
PID 3096 wrote to memory of 2812	3096	g9517128.exe	89
PID 3096 wrote to memory of 2812	3096	g9517128.exe	89
PID 3096 wrote to memory of 2500	3096	g9517128.exe	90
PID 3096 wrote to memory of 2500	3096	g9517128.exe	90
PID 3096 wrote to memory of 2500	3096	g9517128.exe	90
PID 3096 wrote to memory of 2500	3096	g9517128.exe	90
PID 3096 wrote to memory of 2500	3096	g9517128.exe	90
PID 3096 wrote to memory of 2500	3096	g9517128.exe	90
PID 3096 wrote to memory of 2500	3096	g9517128.exe	90
PID 3096 wrote to memory of 2500	3096	g9517128.exe	90
PID 4824 wrote to memory of 3268	4824	x9212893.exe	96
PID 4824 wrote to memory of 3268	4824	x9212893.exe	96
PID 4824 wrote to memory of 3268	4824	x9212893.exe	96

C:\Users\Admin\AppData\Local\Temp\0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe
"C:\Users\Admin\AppData\Local\Temp\0a7a53ccfce8285cb27448942f3d9d7ebbb0f13842117794de0c0f0400ce0e4d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6295458.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6295458.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0207371.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0207371.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9212893.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9212893.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9517128.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9517128.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2812
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3096 -s 140
        6⤵
        Program crash
        
        PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7143551.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7143551.exe
        5⤵
        Executes dropped EXE
        
        PID:3268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3096 -ip 3096
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6295458.exe

Filesize
1020KB

MD5
c732444b1a4b6342cd32fe983744dc11

SHA1
4dbfaad3b0b6bbaafa3ca8a4591deef16cd1c656

SHA256
dc1f709edc0b02aae429e065036e9052183f1b2db3aa11152238df7f6ce36898

SHA512
640cc9e61501399f4b8594a1a12cc39d7b7081bad916c72f623968520a2fd825e51f314924b9f10e0d453b00853a04fc98ae7edd39a8d69d2419c0ccf3d2498f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0207371.exe

Filesize
628KB

MD5
ec5d3174d1e156a7c5e44bcb4dca767b

SHA1
d62f698a93eec7f720b4881c93a2dade7a039768

SHA256
e15387bd2b9cd563ab53c15dd9f0a30f3bf2ade0746ebf7bbf14ab503e0e7e96

SHA512
509f7dd06e17b8eb75f91bcd2ba7894010216c72e9ab67eb7ac554f92a35dee671a645677b8a6e919de136a70e5962f16d4e4edb38ed6deeedf45fac28ce45f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x9212893.exe

Filesize
443KB

MD5
a841924ba81d0edf6b2bf18f9d9ee88c

SHA1
82f725085c8cd7b8c9af9c179c5474c8093979f7

SHA256
ca83228a0ff1a05d928e0ac0862a446eb07850dbe41902d91b95eb0b827413e0

SHA512
7cd7b0693e4e2e2585fe139b36dffc1dfe318b39a7fbb2ab715141df5bf18a935d6a3033ea0938816cf84d46eeee73122e8b468451d5b54eee538df06f95d50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g9517128.exe

Filesize
861KB

MD5
c8e6b5a0dcbfea40d9258abc35f44d62

SHA1
04a23d2e6d95167eab063395efdfc0587f93982f

SHA256
81a1a268668faf4d41746eca6fef423e405402d66f7d274a87ec3f9fd2ed5fbd

SHA512
374aea9bf311f66279ad0e3b34e8bd8ce55873d98b6edca5af5063930746758ae1cff42b6e383edfb0059c725a075c7c74ce19bd0cd937555d0c1d5812c8feef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7143551.exe

Filesize
174KB

MD5
6d6f11e15dcc95716394a624f19bd912

SHA1
b21bfb5435495745689f57bc8414c93ef19bb417

SHA256
b71ae2e2ae8aef48a34f10f01d767ab7baf5ce0a6523d7efa98a28fd6cd2fe11

SHA512
ed7ada9b4850302757366555afc7a3242d5fc71fcb6304afbcb6d725693696a2c39c2c33b11ef2eb96499c36d1bfbd874e953959a8e536f9674c39896ccc310d

Download Submit
memory/2500-28-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3268-32-0x0000000000660000-0x0000000000690000-memory.dmp

Filesize
192KB

Download
memory/3268-33-0x0000000000D10000-0x0000000000D16000-memory.dmp

Filesize
24KB

Download
memory/3268-34-0x0000000005650000-0x0000000005C68000-memory.dmp

Filesize
6.1MB

Download
memory/3268-36-0x0000000004EF0000-0x0000000004F02000-memory.dmp

Filesize
72KB

Download
memory/3268-35-0x0000000005140000-0x000000000524A000-memory.dmp

Filesize
1.0MB

Download
memory/3268-37-0x0000000005070000-0x00000000050AC000-memory.dmp

Filesize
240KB

Download
memory/3268-38-0x00000000050B0000-0x00000000050FC000-memory.dmp

Filesize
304KB

Download