healer | ffe8fa0cf1ed446eeb9dc6eef440d6e2121396f13b66e26a431adcd9f2d605e3

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77dcf409276e0e91ce08daea19f8477d18c5dba52a0ecbb55c40bc98744973b4.exe
Size

628KB
MD5

1466afcf9212b6b9064360ff405de2ae
SHA1

a124963faff7312f1ebda5edfb99a63d48a8fa78
SHA256

77dcf409276e0e91ce08daea19f8477d18c5dba52a0ecbb55c40bc98744973b4
SHA512

cd35527c01c944ffd9eb477d4ab62ca3c6dc8e5e7e4bbb39ecad997867cddb132e820e26aed9b87c54720d3d917374912034fab473bf10b1b25db494e4bf79ec
SSDEEP

12288:6Mrvy90Ia7VfVNeSa+kGuYsCwuqnRGddMTTzP814D8QO9Hk:NyZQFVBwYsCGIddMD81oAk

Score

10^/10

healer redline buben dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

buben

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral16/memory/2008-14-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral16/files/0x0007000000023428-17.dat	family_redline
behavioral16/memory/5024-19-0x0000000000B70000-0x0000000000BA0000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
3680	x2351329.exe
4148	g0829273.exe
5024	h7713098.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x2351329.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	77dcf409276e0e91ce08daea19f8477d18c5dba52a0ecbb55c40bc98744973b4.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4148 set thread context of 2008	4148	g0829273.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
904	4148	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2008	AppLaunch.exe
2008	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	AppLaunch.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 3680	4864	77dcf409276e0e91ce08daea19f8477d18c5dba52a0ecbb55c40bc98744973b4.exe	83
PID 4864 wrote to memory of 3680	4864	77dcf409276e0e91ce08daea19f8477d18c5dba52a0ecbb55c40bc98744973b4.exe	83
PID 4864 wrote to memory of 3680	4864	77dcf409276e0e91ce08daea19f8477d18c5dba52a0ecbb55c40bc98744973b4.exe	83
PID 3680 wrote to memory of 4148	3680	x2351329.exe	84
PID 3680 wrote to memory of 4148	3680	x2351329.exe	84
PID 3680 wrote to memory of 4148	3680	x2351329.exe	84
PID 4148 wrote to memory of 3160	4148	g0829273.exe	87
PID 4148 wrote to memory of 3160	4148	g0829273.exe	87
PID 4148 wrote to memory of 3160	4148	g0829273.exe	87
PID 4148 wrote to memory of 2220	4148	g0829273.exe	88
PID 4148 wrote to memory of 2220	4148	g0829273.exe	88
PID 4148 wrote to memory of 2220	4148	g0829273.exe	88
PID 4148 wrote to memory of 2008	4148	g0829273.exe	89
PID 4148 wrote to memory of 2008	4148	g0829273.exe	89
PID 4148 wrote to memory of 2008	4148	g0829273.exe	89
PID 4148 wrote to memory of 2008	4148	g0829273.exe	89
PID 4148 wrote to memory of 2008	4148	g0829273.exe	89
PID 4148 wrote to memory of 2008	4148	g0829273.exe	89
PID 4148 wrote to memory of 2008	4148	g0829273.exe	89
PID 4148 wrote to memory of 2008	4148	g0829273.exe	89
PID 3680 wrote to memory of 5024	3680	x2351329.exe	95
PID 3680 wrote to memory of 5024	3680	x2351329.exe	95
PID 3680 wrote to memory of 5024	3680	x2351329.exe	95

C:\Users\Admin\AppData\Local\Temp\77dcf409276e0e91ce08daea19f8477d18c5dba52a0ecbb55c40bc98744973b4.exe
"C:\Users\Admin\AppData\Local\Temp\77dcf409276e0e91ce08daea19f8477d18c5dba52a0ecbb55c40bc98744973b4.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2351329.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2351329.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0829273.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0829273.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4148
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:3160
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      PID:2220
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 556
      4⤵
      Program crash
      PID:904
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7713098.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7713098.exe
    3⤵
    - Executes dropped EXE
    PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4148 -ip 4148
1⤵
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2351329.exe

Filesize
442KB

MD5
9855f38a8a8ea7c646ff92c5235706fc

SHA1
ae105a50947d519d8519107c806e5801c6223c99

SHA256
a721604405568c4e04724997888e6b99e6a233a1c371c633aa4614fe4eb66cb7

SHA512
64e3b8920e68ac2040c023cd8eb0cba32e24bacc24a4f4993d9337242904bf4904e590a187cdbd5711d30ff491da1a5326ad4aa408310271831b62910061776c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\g0829273.exe

Filesize
861KB

MD5
75ca77df618ffa9831f98514a973ef1d

SHA1
3a7b794b96a45474c7076f7f8fc09bd0862ca2b1

SHA256
b37ca92466455c6a75fdccd9befd17841b36366c81391f667406861ff5d26cb8

SHA512
bb13e2a9fcf123880d7de753d3ea1986e628ead3ccf5435691d76db08ed6e6ea181deb1cae544a424ec8d52dc0e424728db95859addaa36e90a069210398c401

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\h7713098.exe

Filesize
174KB

MD5
450b027858d0838381dbfa3ac451f5ee

SHA1
f7dd7eaa0d8c2ed0086dae1df74aad58fd189b77

SHA256
085aadd16d76967c97897de1eed88532ef778627d8730f33866e2c4a185243ff

SHA512
268d865f7aa6e5af246129cdc5dd8c4bae062220a31773f1ae41e434bc9986be84d55aa750f2da305d67e6e5d9724a943e5789276ef35e604fcd34f7c2977462

Download Submit
memory/2008-14-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2008-15-0x0000000074AEE000-0x0000000074AEF000-memory.dmp

Filesize
4KB

Download
memory/5024-19-0x0000000000B70000-0x0000000000BA0000-memory.dmp

Filesize
192KB

Download
memory/5024-20-0x00000000012E0000-0x00000000012E6000-memory.dmp

Filesize
24KB

Download
memory/5024-21-0x0000000005B10000-0x0000000006128000-memory.dmp

Filesize
6.1MB

Download
memory/5024-22-0x0000000005600000-0x000000000570A000-memory.dmp

Filesize
1.0MB

Download
memory/5024-23-0x0000000005510000-0x0000000005522000-memory.dmp

Filesize
72KB

Download
memory/5024-24-0x0000000005570000-0x00000000055AC000-memory.dmp

Filesize
240KB

Download
memory/5024-25-0x00000000055B0000-0x00000000055FC000-memory.dmp

Filesize
304KB

Download