healer | 24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df

General

Target

24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe
Size

389KB
MD5

ad9be100cf69828b8e7a7a836154d5e4
SHA1

dbf0f2accdb22e674419d2c0abda7fbef534c3dd
SHA256

24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df
SHA512

0e13d0bc6bfffef4ee50fb62eb2168de8426761b4da0091c95eceb7cb1f461bf05f73677bc07ddf504e69e306a3848e148b22c9fc17eeb3a247647a96d7f0446
SSDEEP

6144:KKy+bnr+Rp0yN90QEnI11PokWcnZNbQR5nfyQPLaW5F/tyKYuNcUNQfMFkkhgVRn:WMrdy90uTPTcty+dqMS/VRi1nm

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afe0-129.dat	healer
behavioral1/files/0x000700000001afe0-130.dat	healer
behavioral1/memory/4328-131-0x0000000000750000-0x000000000075A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p5512939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p5512939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p5512939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p5512939.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p5512939.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
388	z6099417.exe
4328	p5512939.exe
384	r4877536.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p5512939.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6099417.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6099417.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4328	p5512939.exe
4328	p5512939.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4328	p5512939.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 388	1944	24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe	70
PID 1944 wrote to memory of 388	1944	24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe	70
PID 1944 wrote to memory of 388	1944	24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe	70
PID 388 wrote to memory of 4328	388	z6099417.exe	71
PID 388 wrote to memory of 4328	388	z6099417.exe	71
PID 388 wrote to memory of 384	388	z6099417.exe	72
PID 388 wrote to memory of 384	388	z6099417.exe	72
PID 388 wrote to memory of 384	388	z6099417.exe	72

C:\Users\Admin\AppData\Local\Temp\24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe
"C:\Users\Admin\AppData\Local\Temp\24b96bca469764debd638550bc2704add4701110cc7a691fae627e361d8188df.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6099417.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6099417.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4328
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4877536.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4877536.exe
    3⤵
    - Executes dropped EXE
    PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6099417.exe

Filesize
206KB

MD5
3654700f8e740d91fe6e3f398822bf25

SHA1
9e548f654107e2663e4c7074dd3e6abe9e25354a

SHA256
491316f9f88d72115dd9bd41efcbc31f974b030bf5d33e9308a3ce8b8589652a

SHA512
2aa4bef6904c28aadd04c4703f307d8e05547457717f826c7a8f201f086375a841530391ae79926c57954b3450a74cdd84e1524531cc48f226c824c8bd9a5387

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6099417.exe

Filesize
206KB

MD5
3654700f8e740d91fe6e3f398822bf25

SHA1
9e548f654107e2663e4c7074dd3e6abe9e25354a

SHA256
491316f9f88d72115dd9bd41efcbc31f974b030bf5d33e9308a3ce8b8589652a

SHA512
2aa4bef6904c28aadd04c4703f307d8e05547457717f826c7a8f201f086375a841530391ae79926c57954b3450a74cdd84e1524531cc48f226c824c8bd9a5387

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe

Filesize
14KB

MD5
378e73f5cda4a0c8ed0fc6f199af75b2

SHA1
875e88e459b5bc5a3e97c1661d17c641a5f34e6d

SHA256
e4b65082517250ce8b2813339e2a9853cb389c078b16ffd2ba6cd90c1e15801f

SHA512
83efb06439b4bd2504746b6acd9d9c091faacbf4fac92fa677ce91e6c4af59bc50597a37db1c58c1f1fe580ea0a27818bb38a398a1b1f65aca8d3a8f12bae79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5512939.exe

Filesize
14KB

MD5
378e73f5cda4a0c8ed0fc6f199af75b2

SHA1
875e88e459b5bc5a3e97c1661d17c641a5f34e6d

SHA256
e4b65082517250ce8b2813339e2a9853cb389c078b16ffd2ba6cd90c1e15801f

SHA512
83efb06439b4bd2504746b6acd9d9c091faacbf4fac92fa677ce91e6c4af59bc50597a37db1c58c1f1fe580ea0a27818bb38a398a1b1f65aca8d3a8f12bae79c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4877536.exe

Filesize
172KB

MD5
9346ca64a3826abee40ced926e76f48f

SHA1
3424ca079ff0f0575890924c48fec09e43488c6a

SHA256
ab5038a0ee6206486cb55a4dac5d0a4d209be90bd9395ebb37e31bfb654d3f87

SHA512
733f3fadf7cf3deeda90b046cca19ec47e103567628fcfb8c90e927244b5f0870c3b95d2d67e2d0f0825eed3cddafdf788c10c732e7a5fc7e03c25de27d64530

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4877536.exe

Filesize
172KB

MD5
9346ca64a3826abee40ced926e76f48f

SHA1
3424ca079ff0f0575890924c48fec09e43488c6a

SHA256
ab5038a0ee6206486cb55a4dac5d0a4d209be90bd9395ebb37e31bfb654d3f87

SHA512
733f3fadf7cf3deeda90b046cca19ec47e103567628fcfb8c90e927244b5f0870c3b95d2d67e2d0f0825eed3cddafdf788c10c732e7a5fc7e03c25de27d64530

Download Submit
memory/384-141-0x000000000A9E0000-0x000000000AFE6000-memory.dmp

Filesize
6.0MB

Download
memory/384-139-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/384-138-0x0000000000670000-0x00000000006A0000-memory.dmp

Filesize
192KB

Download
memory/384-140-0x0000000002850000-0x0000000002856000-memory.dmp

Filesize
24KB

Download
memory/384-142-0x000000000A4E0000-0x000000000A5EA000-memory.dmp

Filesize
1.0MB

Download
memory/384-143-0x0000000004F20000-0x0000000004F32000-memory.dmp

Filesize
72KB

Download
memory/384-144-0x000000000A410000-0x000000000A44E000-memory.dmp

Filesize
248KB

Download
memory/384-145-0x000000000A460000-0x000000000A4AB000-memory.dmp

Filesize
300KB

Download
memory/384-146-0x00000000736B0000-0x0000000073D9E000-memory.dmp

Filesize
6.9MB

Download
memory/4328-134-0x00007FF8EBA70000-0x00007FF8EC45C000-memory.dmp

Filesize
9.9MB

Download
memory/4328-132-0x00007FF8EBA70000-0x00007FF8EC45C000-memory.dmp

Filesize
9.9MB

Download
memory/4328-131-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads