healer | 8ee265740e734e664a806025412118c1398e5fd5de8de7844c913c144f497faa

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905a82b6666de3b294cd219ea3915e2e4b0952c88e92f3c21b67df4b93990103.exe
Size

661KB
MD5

18d7fd980598cc8e0a453d540624bb38
SHA1

9d7b7e90c579473861abed6203bb022416b124bd
SHA256

905a82b6666de3b294cd219ea3915e2e4b0952c88e92f3c21b67df4b93990103
SHA512

05f04f5b18d30a8ac8fa39b0547bf828e4e1e31f07b791e8f0269d351d7951cae9ce06ecee597d2c694cc5a9822f27429096707cd976c3e807c9f0046bf62dcb
SSDEEP

12288:LMrvy90ZikgBzlsz1BvNreTx80Nc8WIzhl5rJlSPUi51saqHl80mc:sy47Wq1BFCBNcvIzhLJlRFT

Score

10^/10

healer redline mrak dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mrak

77.91.124.82:19071

Attributes

auth_value
7d9a335ab5dfd42d374867c96fe25302

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral10/memory/2432-21-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral10/files/0x0007000000023457-24.dat	family_redline
behavioral10/memory/1616-25-0x0000000000130000-0x0000000000160000-memory.dmp	family_redline

Executes dropped EXE 4 IoCs

pid	Process
4764	x2541029.exe
1200	x2591871.exe
1320	g1323073.exe
1616	i1635147.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	905a82b6666de3b294cd219ea3915e2e4b0952c88e92f3c21b67df4b93990103.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2541029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x2591871.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1320 set thread context of 2432	1320	g1323073.exe	86

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3484	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
756	1320	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2432	AppLaunch.exe
2432	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	AppLaunch.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 4764	1760	905a82b6666de3b294cd219ea3915e2e4b0952c88e92f3c21b67df4b93990103.exe	82
PID 1760 wrote to memory of 4764	1760	905a82b6666de3b294cd219ea3915e2e4b0952c88e92f3c21b67df4b93990103.exe	82
PID 1760 wrote to memory of 4764	1760	905a82b6666de3b294cd219ea3915e2e4b0952c88e92f3c21b67df4b93990103.exe	82
PID 4764 wrote to memory of 1200	4764	x2541029.exe	83
PID 4764 wrote to memory of 1200	4764	x2541029.exe	83
PID 4764 wrote to memory of 1200	4764	x2541029.exe	83
PID 1200 wrote to memory of 1320	1200	x2591871.exe	84
PID 1200 wrote to memory of 1320	1200	x2591871.exe	84
PID 1200 wrote to memory of 1320	1200	x2591871.exe	84
PID 1320 wrote to memory of 2432	1320	g1323073.exe	86
PID 1320 wrote to memory of 2432	1320	g1323073.exe	86
PID 1320 wrote to memory of 2432	1320	g1323073.exe	86
PID 1320 wrote to memory of 2432	1320	g1323073.exe	86
PID 1320 wrote to memory of 2432	1320	g1323073.exe	86
PID 1320 wrote to memory of 2432	1320	g1323073.exe	86
PID 1320 wrote to memory of 2432	1320	g1323073.exe	86
PID 1320 wrote to memory of 2432	1320	g1323073.exe	86
PID 1200 wrote to memory of 1616	1200	x2591871.exe	92
PID 1200 wrote to memory of 1616	1200	x2591871.exe	92
PID 1200 wrote to memory of 1616	1200	x2591871.exe	92

C:\Users\Admin\AppData\Local\Temp\905a82b6666de3b294cd219ea3915e2e4b0952c88e92f3c21b67df4b93990103.exe
"C:\Users\Admin\AppData\Local\Temp\905a82b6666de3b294cd219ea3915e2e4b0952c88e92f3c21b67df4b93990103.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2541029.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2541029.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2591871.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2591871.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1323073.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1323073.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 584
        5⤵
        Program crash
        
        PID:756
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1635147.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1635147.exe
      4⤵
      Executes dropped EXE
      PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1320 -ip 1320
1⤵
PID:1020

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2541029.exe

Filesize
439KB

MD5
92397294e10285ad5c2df30ae562d828

SHA1
e74755601cec958ccc1fa4fe2d76357a9d45272c

SHA256
f74864e624cb1641404f3280de45762c6ec7b94e08c02e13fb812a20bc4a02aa

SHA512
a4ded9b84e85ef677961c9c2e1b85c35f9326132092d9ccabf213724d25e8a36aec2db9ebf63af1d1d5e5cf6c95c1811b2ee525c2876db5e1a2d9d43259f2b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2591871.exe

Filesize
273KB

MD5
588a564fff4342e2a66003b86828c725

SHA1
daa98184e5ad032a271fd03946b8b3b0820a1dbd

SHA256
ebbb6cc79b850c37f7385e2407520cdef0c96f085a8bfb06b3093073cf602f5c

SHA512
937787388d504c547f0b484a3e29a698c82a5dc4d135099a5e88ee36b1e6b92cf8290b76195a791b171e3d6ffc913227a84144cd379a255914cbdb24dc3845dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1323073.exe

Filesize
135KB

MD5
da139a890120e0e4f6d493c5ece00a53

SHA1
738c86be3e213ee020b909b99ed2500babeb4173

SHA256
14604e244f376b1d97bb4e3650826b4245a7cbf565a98ce992acb9d9cea237a6

SHA512
347064cff4715ecc76a93cbef477d24443c86458677adf85ad23a992d0d9f0120051e77947b315e57cd93fae0666182d850dafcc868d31f1aaa0747f45fcb512

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i1635147.exe

Filesize
176KB

MD5
7672f8389923ff6b62b4de76b120a2d4

SHA1
4eeb65cf36b0ed206ba9293e4310bedbab0acabb

SHA256
0ce98a97464e50a3314a4472fd3f3f3e8ad345b96dcb9a5c0033824456757051

SHA512
caa41c8109140b007bc0ec3883998569e85c382a6e32e5ef436c1772a1663a6a885a064be5e7b69e5b02e43700651768eb9ccfc31d2f9e0874fccb99d6b004ea

Download Submit
memory/1616-25-0x0000000000130000-0x0000000000160000-memory.dmp

Filesize
192KB

Download
memory/1616-26-0x0000000004A50000-0x0000000004A56000-memory.dmp

Filesize
24KB

Download
memory/1616-27-0x0000000005120000-0x0000000005738000-memory.dmp

Filesize
6.1MB

Download
memory/1616-28-0x0000000004C10000-0x0000000004D1A000-memory.dmp

Filesize
1.0MB

Download
memory/1616-29-0x0000000004AA0000-0x0000000004AB2000-memory.dmp

Filesize
72KB

Download
memory/1616-30-0x0000000004B40000-0x0000000004B7C000-memory.dmp

Filesize
240KB

Download
memory/1616-31-0x0000000004B80000-0x0000000004BCC000-memory.dmp

Filesize
304KB

Download
memory/2432-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download