healer | 4f766c017bfbad361b1174b5601e7edf24edc63fdfa256466c5f287bab432e92

General

Target

e38dbf16156701d495ce045e1.exe
Size

523KB
MD5

e38dbf16156701d495ce045e1ba088bd
SHA1

15df0c391ca0f8ee8c3ce1f0a401c9ddad785844
SHA256

4f766c017bfbad361b1174b5601e7edf24edc63fdfa256466c5f287bab432e92
SHA512

e7922fccf35d627bdb0c2d43e39cf3ec5e539e10a4a5c1548fd69a1f9e62ecea681dfd99e0d45817cfc023c58e70ae2505befa2c5133fd58b8d74c5c6710a7ca
SSDEEP

12288:ps1xBfvmaRdnQgUReeDP27a/QlbHw0dbm94pFWpQ/8lXAYbdiDC:pMxtvm82g7eMUr4pFiQ/anbb

Score

10^/10

healer redline furod dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

furod

C2

77.91.68.70:19073

Attributes

auth_value
d2386245fe11799b28b4521492a5879d

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/4004-153-0x00000000001F0000-0x00000000001FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2564633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2564633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2564633.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k2564633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2564633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2564633.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2336	y6299837.exe
4004	k2564633.exe
632	l0316585.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k2564633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2564633.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y6299837.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e38dbf16156701d495ce045e1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e38dbf16156701d495ce045e1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6299837.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4004	k2564633.exe
4004	k2564633.exe
4004	k2564633.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4004	k2564633.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2336	1740	e38dbf16156701d495ce045e1.exe	87
PID 1740 wrote to memory of 2336	1740	e38dbf16156701d495ce045e1.exe	87
PID 1740 wrote to memory of 2336	1740	e38dbf16156701d495ce045e1.exe	87
PID 2336 wrote to memory of 4004	2336	y6299837.exe	88
PID 2336 wrote to memory of 4004	2336	y6299837.exe	88
PID 2336 wrote to memory of 4004	2336	y6299837.exe	88
PID 2336 wrote to memory of 632	2336	y6299837.exe	100
PID 2336 wrote to memory of 632	2336	y6299837.exe	100
PID 2336 wrote to memory of 632	2336	y6299837.exe	100

C:\Users\Admin\AppData\Local\Temp\e38dbf16156701d495ce045e1.exe
"C:\Users\Admin\AppData\Local\Temp\e38dbf16156701d495ce045e1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6299837.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6299837.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2564633.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2564633.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0316585.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0316585.exe
    3⤵
    - Executes dropped EXE
    PID:632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\System.dll.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6299837.exe

Filesize
257KB

MD5
74374eb5d506d28a8d52f9aa1e84370b

SHA1
76170dd53cedde4b9d24e8d003644983c9632afb

SHA256
5883f1c1bdcc086dd9e7b37d40e102aa2cd43a67dc966aaf435595781779e0de

SHA512
55b4bf9c70cb7559144f47eb5e78c8d601cb0555cf4113c25fe5cb7206e7219638db6fad9137409371ee2d17d75a4f243b90ba3c64a1b10083cb0645b83299a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y6299837.exe

Filesize
257KB

MD5
74374eb5d506d28a8d52f9aa1e84370b

SHA1
76170dd53cedde4b9d24e8d003644983c9632afb

SHA256
5883f1c1bdcc086dd9e7b37d40e102aa2cd43a67dc966aaf435595781779e0de

SHA512
55b4bf9c70cb7559144f47eb5e78c8d601cb0555cf4113c25fe5cb7206e7219638db6fad9137409371ee2d17d75a4f243b90ba3c64a1b10083cb0645b83299a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2564633.exe

Filesize
94KB

MD5
e8cf8082b8526d01388fb7aae3208f6b

SHA1
86a7e92aeed9d99619ccbff4ac9af3a4146a5c03

SHA256
1672be3d51d41f13f300ab8a23d4978a8b9a946869967037b26a6c4925edce41

SHA512
de19d1b9fd89015cd2463eff686291ecb0cfa163745ab676d00ab4cf02f1eca2a657f63ec3bdb7039dea1fda708575b9d3ca067ed49e6223135a8d6642ca82a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k2564633.exe

Filesize
94KB

MD5
e8cf8082b8526d01388fb7aae3208f6b

SHA1
86a7e92aeed9d99619ccbff4ac9af3a4146a5c03

SHA256
1672be3d51d41f13f300ab8a23d4978a8b9a946869967037b26a6c4925edce41

SHA512
de19d1b9fd89015cd2463eff686291ecb0cfa163745ab676d00ab4cf02f1eca2a657f63ec3bdb7039dea1fda708575b9d3ca067ed49e6223135a8d6642ca82a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0316585.exe

Filesize
254KB

MD5
63935f952ae2c90bb0478b0f92ce490e

SHA1
339d68e6c0c7b96fab21c8df4aacf7b97450b37b

SHA256
32a1c77052b8d890f1e28d1b9d3c29456a8de09e41c8f7280fec94972bc445a8

SHA512
200649e780dd86d12e293f931b489a1df52c7687d13f3254d240c7ff6ef22d850123c456434a808c299eeac801dba760d8fb72a1eae71e1ded54a47e20e2548a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0316585.exe

Filesize
254KB

MD5
63935f952ae2c90bb0478b0f92ce490e

SHA1
339d68e6c0c7b96fab21c8df4aacf7b97450b37b

SHA256
32a1c77052b8d890f1e28d1b9d3c29456a8de09e41c8f7280fec94972bc445a8

SHA512
200649e780dd86d12e293f931b489a1df52c7687d13f3254d240c7ff6ef22d850123c456434a808c299eeac801dba760d8fb72a1eae71e1ded54a47e20e2548a

Download Submit
memory/632-162-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/632-167-0x0000000009F70000-0x000000000A588000-memory.dmp

Filesize
6.1MB

Download
memory/632-168-0x000000000A720000-0x000000000A82A000-memory.dmp

Filesize
1.0MB

Download
memory/632-169-0x000000000A640000-0x000000000A652000-memory.dmp

Filesize
72KB

Download
memory/632-170-0x000000000A660000-0x000000000A69C000-memory.dmp

Filesize
240KB

Download
memory/632-171-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/632-172-0x0000000001FF0000-0x0000000002000000-memory.dmp

Filesize
64KB

Download
memory/1740-133-0x00000000005C0000-0x0000000000633000-memory.dmp

Filesize
460KB

Download
memory/4004-153-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads