healer | 38d451f6249a137350d89401351536b7bd0c90ceae1ad282a8d5d13215298a4f

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-11-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38d451f6249a137350d89401351536b7bd0c90ceae1ad282a8d5d13215298a4f.exe
Size

1.2MB
MD5

df13cfd2f32ca01823bdf2f2ce43c19a
SHA1

2e0b23e52ac2887cd8a5d485752a6af1f050e6ce
SHA256

38d451f6249a137350d89401351536b7bd0c90ceae1ad282a8d5d13215298a4f
SHA512

627d7b720b539ad811325c57934c8d94b7fff9b4e48222e9cc3f79e4aaba16a2884b5d56491190ac81083232858eb41e6fbcd3412a73de8afead11d9eda48e95
SSDEEP

24576:Yyf24YkjsJ8/JfUHLMmGotWUdT04AyiSAl6x5sBPKMiq9LeJ/:ffhYkYG/aL9A+k6DMD9yJ

Score

10^/10

healer redline doma discovery dropper infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

doma

185.161.248.75:4132

Attributes

auth_value
8be53af7f78567706928d0abef953ef4

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/1444-26-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b66-31.dat	family_redline
behavioral1/memory/4888-33-0x00000000002E0000-0x000000000030A000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 9 IoCs

pid	Process
3020	y3957804.exe
4536	y0967485.exe
4596	k0303218.exe
1256	k0303218.exe
2252	k0303218.exe
4900	k0303218.exe
4088	k0303218.exe
1444	k0303218.exe
4888	l9257088.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	38d451f6249a137350d89401351536b7bd0c90ceae1ad282a8d5d13215298a4f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3957804.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0967485.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4596 set thread context of 1444	4596	k0303218.exe	106

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y3957804.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y0967485.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k0303218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k0303218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l9257088.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	38d451f6249a137350d89401351536b7bd0c90ceae1ad282a8d5d13215298a4f.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1444	k0303218.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4596	k0303218.exe
Token: SeDebugPrivilege	1444	k0303218.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 3020	1596	38d451f6249a137350d89401351536b7bd0c90ceae1ad282a8d5d13215298a4f.exe	83
PID 1596 wrote to memory of 3020	1596	38d451f6249a137350d89401351536b7bd0c90ceae1ad282a8d5d13215298a4f.exe	83
PID 1596 wrote to memory of 3020	1596	38d451f6249a137350d89401351536b7bd0c90ceae1ad282a8d5d13215298a4f.exe	83
PID 3020 wrote to memory of 4536	3020	y3957804.exe	85
PID 3020 wrote to memory of 4536	3020	y3957804.exe	85
PID 3020 wrote to memory of 4536	3020	y3957804.exe	85
PID 4536 wrote to memory of 4596	4536	y0967485.exe	86
PID 4536 wrote to memory of 4596	4536	y0967485.exe	86
PID 4536 wrote to memory of 4596	4536	y0967485.exe	86
PID 4596 wrote to memory of 1256	4596	k0303218.exe	89
PID 4596 wrote to memory of 1256	4596	k0303218.exe	89
PID 4596 wrote to memory of 1256	4596	k0303218.exe	89
PID 4596 wrote to memory of 1256	4596	k0303218.exe	89
PID 4596 wrote to memory of 2252	4596	k0303218.exe	93
PID 4596 wrote to memory of 2252	4596	k0303218.exe	93
PID 4596 wrote to memory of 2252	4596	k0303218.exe	93
PID 4596 wrote to memory of 2252	4596	k0303218.exe	93
PID 4596 wrote to memory of 4900	4596	k0303218.exe	98
PID 4596 wrote to memory of 4900	4596	k0303218.exe	98
PID 4596 wrote to memory of 4900	4596	k0303218.exe	98
PID 4596 wrote to memory of 4900	4596	k0303218.exe	98
PID 4596 wrote to memory of 4088	4596	k0303218.exe	101
PID 4596 wrote to memory of 4088	4596	k0303218.exe	101
PID 4596 wrote to memory of 4088	4596	k0303218.exe	101
PID 4596 wrote to memory of 4088	4596	k0303218.exe	101
PID 4596 wrote to memory of 1444	4596	k0303218.exe	106
PID 4596 wrote to memory of 1444	4596	k0303218.exe	106
PID 4596 wrote to memory of 1444	4596	k0303218.exe	106
PID 4596 wrote to memory of 1444	4596	k0303218.exe	106
PID 4596 wrote to memory of 1444	4596	k0303218.exe	106
PID 4596 wrote to memory of 1444	4596	k0303218.exe	106
PID 4596 wrote to memory of 1444	4596	k0303218.exe	106
PID 4596 wrote to memory of 1444	4596	k0303218.exe	106
PID 4536 wrote to memory of 4888	4536	y0967485.exe	107
PID 4536 wrote to memory of 4888	4536	y0967485.exe	107
PID 4536 wrote to memory of 4888	4536	y0967485.exe	107

C:\Users\Admin\AppData\Local\Temp\38d451f6249a137350d89401351536b7bd0c90ceae1ad282a8d5d13215298a4f.exe
"C:\Users\Admin\AppData\Local\Temp\38d451f6249a137350d89401351536b7bd0c90ceae1ad282a8d5d13215298a4f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3957804.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3957804.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0967485.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0967485.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
        5⤵
        Executes dropped EXE
        
        PID:1256
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
        5⤵
        Executes dropped EXE
        
        PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
        5⤵
        Executes dropped EXE
        
        PID:4900
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
        5⤵
        Executes dropped EXE
        
        PID:4088
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9257088.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9257088.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\k0303218.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3957804.exe

Filesize
866KB

MD5
7f8d3980287cf2414309c4be2555dfce

SHA1
8c1406dcea4b7326195d275831b6a01085ac6434

SHA256
16281f08dd30e0780653734c29704df4c3cf95a0075749d5acee4baa5d2fbb73

SHA512
782958ad4efb842908991f87150bcc276954c1b5495825c524a030147db57b79568ea6425f789b7ecd65cb927c4abd548610243482ed022aaf9f66f5ac05470e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0967485.exe

Filesize
423KB

MD5
284102604570ba4e32f9ff3d9da920be

SHA1
e78ae82733c94f5b395283c83bdd2a9ae5cf537c

SHA256
27c95041dac99d4182f28c8cf4b81253fac7c74533b4f1976940d644edb5d99a

SHA512
67529935a236ee6d4abfb51d41142cf8e998d6f59f48bbbe5d703cc7341f10ab1ec9ea8f70953a3ede4fb6229dea8c423fe5238348f73c4ca2f9dc46a3bf1e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0303218.exe

Filesize
770KB

MD5
c54e9ea7c4f936e05e8fe41b80ab86a9

SHA1
9c8ce0af14f77ff73e1c701667b35069f223736b

SHA256
4962a311c13627eaaf8a82a3ac7cd3e8624f068a67d723d445bff3f31b2040cd

SHA512
4e7227a104f014580769b0ce98e9b4d8add72f57dca0c6ab421641488f34c0115f0dbaeac3cf003c43e97ea77f36c16081510610b0854e125c41a8dbb6bcb78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l9257088.exe

Filesize
145KB

MD5
c332275fa3af45118850ef6a981f33ba

SHA1
cbdaef9faa30293e5ba22de3d32c58e8cbe1333f

SHA256
08ef4442fdeb5f0c2af48854ba4b6938e03b4a8f04a92743563f80886af02723

SHA512
5c4cc9dcbbe685216f55927a9a8714239d36d708bf91aecb2ea2a6a5977be3daf166e55ce3f3cc0fe106dfebaa37cbded5ce6415c349a4409b59a6903760b548

Download Submit
memory/1444-26-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4596-21-0x0000000000090000-0x0000000000156000-memory.dmp

Filesize
792KB

Download
memory/4888-33-0x00000000002E0000-0x000000000030A000-memory.dmp

Filesize
168KB

Download
memory/4888-34-0x0000000005100000-0x0000000005718000-memory.dmp

Filesize
6.1MB

Download
memory/4888-35-0x0000000004C70000-0x0000000004D7A000-memory.dmp

Filesize
1.0MB

Download
memory/4888-36-0x0000000004BA0000-0x0000000004BB2000-memory.dmp

Filesize
72KB

Download
memory/4888-37-0x0000000004C00000-0x0000000004C3C000-memory.dmp

Filesize
240KB

Download
memory/4888-38-0x0000000004D80000-0x0000000004DCC000-memory.dmp

Filesize
304KB

Download