healer | 428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe
Size

1.2MB
MD5

1b770e134595e88e7bfe52bd21910268
SHA1

cddfeff7348a043e63409c5152cba012c4bb447e
SHA256

428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4
SHA512

0a84caa7276dfdbecdd5e34269a5bc19462bf471d153cd23c7ea972194329612fa60fc9a0076610ace8389b6f3d7c09dc8325e778a46b26de3437584d8483745
SSDEEP

24576:o74cr0oaB4zPAqgNC6m38vyLFYlwnlEjhfUiLe6eWyFQG:m4crJyzqgN23gqF+G1h6ebQG

Score

10^/10

healer redline petin discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

petin

77.91.124.82:19071

Attributes

auth_value
f6cf7a48c0291d1ef5a3440429827d6d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4676-32-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002342b-34.dat	family_redline
behavioral2/memory/4572-36-0x0000000000650000-0x0000000000680000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
1688	x8890438.exe
1204	x4497520.exe
5100	x1540382.exe
3180	g1228229.exe
4572	h7447906.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	x1540382.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AppLaunch.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8890438.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x4497520.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2600 set thread context of 3140	2600	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe	93
PID 3180 set thread context of 4676	3180	g1228229.exe	101

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x8890438.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x4497520.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x1540382.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	g1228229.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AppLaunch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	h7447906.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4676	AppLaunch.exe
4676	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4676	AppLaunch.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 3140	2600	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe	93
PID 2600 wrote to memory of 3140	2600	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe	93
PID 2600 wrote to memory of 3140	2600	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe	93
PID 2600 wrote to memory of 3140	2600	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe	93
PID 2600 wrote to memory of 3140	2600	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe	93
PID 2600 wrote to memory of 3140	2600	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe	93
PID 2600 wrote to memory of 3140	2600	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe	93
PID 2600 wrote to memory of 3140	2600	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe	93
PID 2600 wrote to memory of 3140	2600	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe	93
PID 2600 wrote to memory of 3140	2600	428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe	93
PID 3140 wrote to memory of 1688	3140	AppLaunch.exe	94
PID 3140 wrote to memory of 1688	3140	AppLaunch.exe	94
PID 3140 wrote to memory of 1688	3140	AppLaunch.exe	94
PID 1688 wrote to memory of 1204	1688	x8890438.exe	95
PID 1688 wrote to memory of 1204	1688	x8890438.exe	95
PID 1688 wrote to memory of 1204	1688	x8890438.exe	95
PID 1204 wrote to memory of 5100	1204	x4497520.exe	96
PID 1204 wrote to memory of 5100	1204	x4497520.exe	96
PID 1204 wrote to memory of 5100	1204	x4497520.exe	96
PID 5100 wrote to memory of 3180	5100	x1540382.exe	97
PID 5100 wrote to memory of 3180	5100	x1540382.exe	97
PID 5100 wrote to memory of 3180	5100	x1540382.exe	97
PID 3180 wrote to memory of 1184	3180	g1228229.exe	99
PID 3180 wrote to memory of 1184	3180	g1228229.exe	99
PID 3180 wrote to memory of 1184	3180	g1228229.exe	99
PID 3180 wrote to memory of 1292	3180	g1228229.exe	100
PID 3180 wrote to memory of 1292	3180	g1228229.exe	100
PID 3180 wrote to memory of 1292	3180	g1228229.exe	100
PID 3180 wrote to memory of 4676	3180	g1228229.exe	101
PID 3180 wrote to memory of 4676	3180	g1228229.exe	101
PID 3180 wrote to memory of 4676	3180	g1228229.exe	101
PID 3180 wrote to memory of 4676	3180	g1228229.exe	101
PID 3180 wrote to memory of 4676	3180	g1228229.exe	101
PID 3180 wrote to memory of 4676	3180	g1228229.exe	101
PID 3180 wrote to memory of 4676	3180	g1228229.exe	101
PID 3180 wrote to memory of 4676	3180	g1228229.exe	101
PID 5100 wrote to memory of 4572	5100	x1540382.exe	102
PID 5100 wrote to memory of 4572	5100	x1540382.exe	102
PID 5100 wrote to memory of 4572	5100	x1540382.exe	102

C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe
"C:\Users\Admin\AppData\Local\Temp\428a17a655ad7a333354512adf488c9d939ec2cbd0ebefe3016c0a7a9b602ce4.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5100
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        
        PID:1292
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        7⤵
        Modifies Windows Defender Real-time Protection settings
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
      - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7447906.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7447906.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8890438.exe

Filesize
744KB

MD5
88d5fd113c09668f3838eef2ab65b905

SHA1
30f05b24630d929558f3974adfee993fef8bd36b

SHA256
e3c1e438cd356f996a754365db5dc415567006bffe35f93d85919b6f88179eef

SHA512
3111772f9af5b7bfe37bbb8faf52e189db3333f9d4909000de8caf90a514b06cb4a48fd58c39c321493e8f7f6c6b8db093827efa5c135eb60643fe5f5de2980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x4497520.exe

Filesize
480KB

MD5
f4dcf0031561539adcb557adf8b97985

SHA1
1d6c780c0fc7a3a4f24396ec65e92e3702fd0af0

SHA256
cf0d8739cdbe376e1a8b8a3952adc99d47bcd3116b1dd86035724f803ec43dde

SHA512
261da04b6be2e0e43dd11fbd7a53151d9c11d441c584b6e5b45184508ebbad259cdc1f0689f12ef7fd6d9c25e9c2b446742d1995e6a4b8dde933ffbfbc77d0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\x1540382.exe

Filesize
314KB

MD5
9ea3ea99bb86b9d68aee43047d6db7cb

SHA1
e0908f8a9335ca8cf1c13207b97e4785f5f21e98

SHA256
4caecef34efb1cec16aa421840ece7a0119148ef06316d86f32214302baee5ba

SHA512
9d43cf7e1e4da4cc7a66dd5d054dec32460c08751cc3292cb10636fc2ebebd3c629805ed7f06cd4767b25156b1a79be8dc7c07f053b3b0130e466200e76ab988

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\g1228229.exe

Filesize
229KB

MD5
d46c32d6c3de62189b821e9d38959c3a

SHA1
9d91af0c4ac196df3bce8b5ad5ebde458405a1ac

SHA256
6170f39ac92cf7d6416b228963cd414e159c986bce346059953c95c7763e0285

SHA512
2c5aac5425f64ebf426033bef32d35304caf000345f977767f605586dfe7729caf1bfd937e65f37f0eba896ef7836f817c8899b7827ef4a60d7f6b4e74eabcc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\h7447906.exe

Filesize
174KB

MD5
18bde8c4099d21e05eeeb1ad55d7477e

SHA1
cf08147f849b66af7caed2e8a86dbf37963aa980

SHA256
6d1ba25a80f57f73a0ada041ec135321bdd73503b8adee6aea9616106af18da9

SHA512
f764cfa1e6360cc02dae11408190820b454409eba565ff63d7a6061daffc5ce658399dd929a96acb941e4d8dc102e6f905314708647eabcb115610b694b4a267

Download Submit
memory/3140-0-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3140-1-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3140-2-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3140-3-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/3140-43-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/4572-38-0x000000000AAA0000-0x000000000B0B8000-memory.dmp

Filesize
6.1MB

Download
memory/4572-37-0x00000000029F0000-0x00000000029F6000-memory.dmp

Filesize
24KB

Download
memory/4572-36-0x0000000000650000-0x0000000000680000-memory.dmp

Filesize
192KB

Download
memory/4572-39-0x000000000A600000-0x000000000A70A000-memory.dmp

Filesize
1.0MB

Download
memory/4572-40-0x000000000A540000-0x000000000A552000-memory.dmp

Filesize
72KB

Download
memory/4572-41-0x000000000A5A0000-0x000000000A5DC000-memory.dmp

Filesize
240KB

Download
memory/4572-42-0x00000000028D0000-0x000000000291C000-memory.dmp

Filesize
304KB

Download
memory/4676-32-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download