healer | a9a7ea8829bb602286fd74fa713e8631a592ace5257c53f4b2ca46af328d4929

General

Target

a9a7ea8829bb602286fd74fa713e8631a592ace5257c53f4b2ca46af328d4929.exe
Size

389KB
MD5

1b5969476c005e742bc7e7221b056e4b
SHA1

6d5bd634489cf6b8d9f4bb1ab0dbfdd9b4c73876
SHA256

a9a7ea8829bb602286fd74fa713e8631a592ace5257c53f4b2ca46af328d4929
SHA512

fabfca67f2b3153aa6353f93d5c783ee5ecf84c12a8ede3340e01458e23a6fe4bc88c11600efec46c8cc720bf80e87948c5a5837c24f86d395d7a590969c7940
SSDEEP

12288:IMrxy90gRdPn9wrloru03BM/YqQUMvsF+mRGlHW:ZyTPvOZorhz0Mvdm4lHW

Score

10^/10

healer redline roma dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

roma

C2

77.91.68.56:19071

Attributes

auth_value
f099c2cf92834dbc554a94e1456cf576

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023098-148.dat	healer
behavioral1/files/0x0007000000023098-149.dat	healer
behavioral1/memory/404-150-0x0000000000AD0000-0x0000000000ADA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p3214579.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p3214579.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p3214579.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p3214579.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p3214579.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p3214579.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4492	z5429913.exe
404	p3214579.exe
1964	r7115260.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p3214579.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a9a7ea8829bb602286fd74fa713e8631a592ace5257c53f4b2ca46af328d4929.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a9a7ea8829bb602286fd74fa713e8631a592ace5257c53f4b2ca46af328d4929.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5429913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5429913.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
404	p3214579.exe
404	p3214579.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	p3214579.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4492	4588	a9a7ea8829bb602286fd74fa713e8631a592ace5257c53f4b2ca46af328d4929.exe	85
PID 4588 wrote to memory of 4492	4588	a9a7ea8829bb602286fd74fa713e8631a592ace5257c53f4b2ca46af328d4929.exe	85
PID 4588 wrote to memory of 4492	4588	a9a7ea8829bb602286fd74fa713e8631a592ace5257c53f4b2ca46af328d4929.exe	85
PID 4492 wrote to memory of 404	4492	z5429913.exe	86
PID 4492 wrote to memory of 404	4492	z5429913.exe	86
PID 4492 wrote to memory of 1964	4492	z5429913.exe	92
PID 4492 wrote to memory of 1964	4492	z5429913.exe	92
PID 4492 wrote to memory of 1964	4492	z5429913.exe	92

C:\Users\Admin\AppData\Local\Temp\a9a7ea8829bb602286fd74fa713e8631a592ace5257c53f4b2ca46af328d4929.exe
"C:\Users\Admin\AppData\Local\Temp\a9a7ea8829bb602286fd74fa713e8631a592ace5257c53f4b2ca46af328d4929.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5429913.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5429913.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3214579.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3214579.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7115260.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7115260.exe
    3⤵
    - Executes dropped EXE
    PID:1964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5429913.exe

Filesize
206KB

MD5
5234abdefddf08b25ef95edc0c8ce3ca

SHA1
bc513391f6762bfd88a4ffac58d6a41203681848

SHA256
dbeb6c63f55f2f638c4db5e3e664b64470a15641f2c2e0fdbbff6807756af00d

SHA512
3dd99d54231f47daa9229df973b40fe138a67c63c353af78b72117a8f4acbc0e044333a1d9b11d1ff2abf75eb907d084cf91fbd039918392ee11263e6a9ca1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5429913.exe

Filesize
206KB

MD5
5234abdefddf08b25ef95edc0c8ce3ca

SHA1
bc513391f6762bfd88a4ffac58d6a41203681848

SHA256
dbeb6c63f55f2f638c4db5e3e664b64470a15641f2c2e0fdbbff6807756af00d

SHA512
3dd99d54231f47daa9229df973b40fe138a67c63c353af78b72117a8f4acbc0e044333a1d9b11d1ff2abf75eb907d084cf91fbd039918392ee11263e6a9ca1e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3214579.exe

Filesize
13KB

MD5
ca1b84b9fe8b235b28f44956f3ac93d1

SHA1
2bf4547b4997a1ba903102dd850fe958ff3ddf7b

SHA256
9f924f6db9ce659ca230c4c60a2aabf448f13fa5de5284e6dadfafebcc5bd1d7

SHA512
c93ff39b832294b8985756101e5aed1cb00be2c8af5538a7e486197f1d24bb378865673267eaeab000c8410daf379fd878c2749f57c3cab87521db619243118d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3214579.exe

Filesize
13KB

MD5
ca1b84b9fe8b235b28f44956f3ac93d1

SHA1
2bf4547b4997a1ba903102dd850fe958ff3ddf7b

SHA256
9f924f6db9ce659ca230c4c60a2aabf448f13fa5de5284e6dadfafebcc5bd1d7

SHA512
c93ff39b832294b8985756101e5aed1cb00be2c8af5538a7e486197f1d24bb378865673267eaeab000c8410daf379fd878c2749f57c3cab87521db619243118d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7115260.exe

Filesize
174KB

MD5
df1507186a9b2628c6906ba160418ccc

SHA1
6f6d9a50a7b952533c96be01e2d9e153a227c81c

SHA256
c71dcb679d7b3b81ef51940842cb9de808860193e7e16ca0bfe65dd90ccfd3d3

SHA512
6885f60e3358d8e62684e41e832c4e27f067a683ecbb2ddf200818e78e2726041eb6743c27925d525bed0c6dcfd849f35a53420b7105249b03db8cb4a8fe3e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r7115260.exe

Filesize
174KB

MD5
df1507186a9b2628c6906ba160418ccc

SHA1
6f6d9a50a7b952533c96be01e2d9e153a227c81c

SHA256
c71dcb679d7b3b81ef51940842cb9de808860193e7e16ca0bfe65dd90ccfd3d3

SHA512
6885f60e3358d8e62684e41e832c4e27f067a683ecbb2ddf200818e78e2726041eb6743c27925d525bed0c6dcfd849f35a53420b7105249b03db8cb4a8fe3e2a

Download Submit
memory/404-150-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/404-154-0x00007FF9ECF50000-0x00007FF9EDA11000-memory.dmp

Filesize
10.8MB

Download
memory/404-152-0x00007FF9ECF50000-0x00007FF9EDA11000-memory.dmp

Filesize
10.8MB

Download
memory/404-151-0x00007FF9ECF50000-0x00007FF9EDA11000-memory.dmp

Filesize
10.8MB

Download
memory/1964-158-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1964-159-0x0000000000830000-0x0000000000860000-memory.dmp

Filesize
192KB

Download
memory/1964-160-0x00000000058B0000-0x0000000005EC8000-memory.dmp

Filesize
6.1MB

Download
memory/1964-161-0x00000000053E0000-0x00000000054EA000-memory.dmp

Filesize
1.0MB

Download
memory/1964-162-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/1964-163-0x0000000005300000-0x0000000005312000-memory.dmp

Filesize
72KB

Download
memory/1964-164-0x0000000005360000-0x000000000539C000-memory.dmp

Filesize
240KB

Download
memory/1964-165-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/1964-166-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads