healer | 397e75374b14eb2672801d3c76354d62225ebd35fa9a20a3e6b42604c2a1f380

General

Target

397e75374b14eb2672801d3c76354d62225ebd35fa9a20a3e6b42604c2a1f380.exe
Size

389KB
MD5

8fe751efdc0967277c229ef2d19fcac5
SHA1

cea8b541adafaf1034d08edc073aec7c143c73ba
SHA256

397e75374b14eb2672801d3c76354d62225ebd35fa9a20a3e6b42604c2a1f380
SHA512

f2e6973011feaf91da46c1fe84a4fcc2f69f78b5b5c291f8803de3af217038eacade69a268549ceeaf47176c28235b671319fafbb888ec3135ad140bfafea07a
SSDEEP

6144:Kgy+bnr+Rp0yN90QEGjPlnS3y0tRYk8XPI3Syh4kn5QryH:QMrBy90cDlS3JoA3S+4g5QW

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afb0-132.dat	healer
behavioral1/files/0x000700000001afb0-133.dat	healer
behavioral1/memory/4160-134-0x00000000007A0000-0x00000000007AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p3697221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p3697221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p3697221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p3697221.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p3697221.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2336	z5433238.exe
4160	p3697221.exe
4088	r2012429.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p3697221.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5433238.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5433238.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	397e75374b14eb2672801d3c76354d62225ebd35fa9a20a3e6b42604c2a1f380.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	397e75374b14eb2672801d3c76354d62225ebd35fa9a20a3e6b42604c2a1f380.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4160	p3697221.exe
4160	p3697221.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4160	p3697221.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 2336	604	397e75374b14eb2672801d3c76354d62225ebd35fa9a20a3e6b42604c2a1f380.exe	70
PID 604 wrote to memory of 2336	604	397e75374b14eb2672801d3c76354d62225ebd35fa9a20a3e6b42604c2a1f380.exe	70
PID 604 wrote to memory of 2336	604	397e75374b14eb2672801d3c76354d62225ebd35fa9a20a3e6b42604c2a1f380.exe	70
PID 2336 wrote to memory of 4160	2336	z5433238.exe	71
PID 2336 wrote to memory of 4160	2336	z5433238.exe	71
PID 2336 wrote to memory of 4088	2336	z5433238.exe	72
PID 2336 wrote to memory of 4088	2336	z5433238.exe	72
PID 2336 wrote to memory of 4088	2336	z5433238.exe	72

C:\Users\Admin\AppData\Local\Temp\397e75374b14eb2672801d3c76354d62225ebd35fa9a20a3e6b42604c2a1f380.exe
"C:\Users\Admin\AppData\Local\Temp\397e75374b14eb2672801d3c76354d62225ebd35fa9a20a3e6b42604c2a1f380.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5433238.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5433238.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3697221.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3697221.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4160
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2012429.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2012429.exe
    3⤵
    - Executes dropped EXE
    PID:4088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5433238.exe

Filesize
206KB

MD5
a25d8ba955bf14b15d5fde62c99c2d67

SHA1
8341024b3df54301fe269e0a70fe17b79c3a7ef4

SHA256
e178d713b1551c5be5c269091eae7dc197dba5c4ea53bd17fa16fcfb473ace11

SHA512
c2356098e9fe0db8fd6607bb8d952ac8d5d9467c116a47e8a2ac34c23150e9080c7cb668578150f216192419161c9e4fc22931d5aa0cc92b79211c105b4531af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5433238.exe

Filesize
206KB

MD5
a25d8ba955bf14b15d5fde62c99c2d67

SHA1
8341024b3df54301fe269e0a70fe17b79c3a7ef4

SHA256
e178d713b1551c5be5c269091eae7dc197dba5c4ea53bd17fa16fcfb473ace11

SHA512
c2356098e9fe0db8fd6607bb8d952ac8d5d9467c116a47e8a2ac34c23150e9080c7cb668578150f216192419161c9e4fc22931d5aa0cc92b79211c105b4531af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3697221.exe

Filesize
14KB

MD5
b2045385b6aebb06dd572ddf5e4ec150

SHA1
64426ca314ec48a40ad051f110693313c546f048

SHA256
7b9924beb56addf5f2ff997e29b4d3d4916ba8998e3737bb1976d72369702407

SHA512
a2d9f36e794999355d663c7b97c3b136cfe485ae0f7acd5cb4adfae37d6dc62be8600071aae78ec5d3c2350597ea431efb07f8ebfd5a5bc368042b823f64a503

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3697221.exe

Filesize
14KB

MD5
b2045385b6aebb06dd572ddf5e4ec150

SHA1
64426ca314ec48a40ad051f110693313c546f048

SHA256
7b9924beb56addf5f2ff997e29b4d3d4916ba8998e3737bb1976d72369702407

SHA512
a2d9f36e794999355d663c7b97c3b136cfe485ae0f7acd5cb4adfae37d6dc62be8600071aae78ec5d3c2350597ea431efb07f8ebfd5a5bc368042b823f64a503

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2012429.exe

Filesize
173KB

MD5
f507e436215c6306404f5ba9fb1d5f59

SHA1
6e0c30f70162e62d382f00529825b7d051ae5a06

SHA256
b527a0f48c3db24591083c933f92a01f11c9966cc66c1cbeca2492a8be60e994

SHA512
e132970adfb583adbe9bcc7da412eae3e1eb423e18e592be36f99911773fca317c67a884a38fcb5bba088b8c76610d586f00ee22c09e6a4899dd4184fb8722e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2012429.exe

Filesize
173KB

MD5
f507e436215c6306404f5ba9fb1d5f59

SHA1
6e0c30f70162e62d382f00529825b7d051ae5a06

SHA256
b527a0f48c3db24591083c933f92a01f11c9966cc66c1cbeca2492a8be60e994

SHA512
e132970adfb583adbe9bcc7da412eae3e1eb423e18e592be36f99911773fca317c67a884a38fcb5bba088b8c76610d586f00ee22c09e6a4899dd4184fb8722e4

Download Submit
memory/4088-144-0x00000000054A0000-0x0000000005AA6000-memory.dmp

Filesize
6.0MB

Download
memory/4088-141-0x0000000000500000-0x0000000000530000-memory.dmp

Filesize
192KB

Download
memory/4088-142-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/4088-143-0x0000000004DC0000-0x0000000004DC6000-memory.dmp

Filesize
24KB

Download
memory/4088-145-0x0000000004FA0000-0x00000000050AA000-memory.dmp

Filesize
1.0MB

Download
memory/4088-146-0x0000000004E10000-0x0000000004E22000-memory.dmp

Filesize
72KB

Download
memory/4088-147-0x0000000004E90000-0x0000000004ECE000-memory.dmp

Filesize
248KB

Download
memory/4088-148-0x0000000004ED0000-0x0000000004F1B000-memory.dmp

Filesize
300KB

Download
memory/4088-149-0x0000000073650000-0x0000000073D3E000-memory.dmp

Filesize
6.9MB

Download
memory/4160-137-0x00007FFCC20B0000-0x00007FFCC2A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4160-135-0x00007FFCC20B0000-0x00007FFCC2A9C000-memory.dmp

Filesize
9.9MB

Download
memory/4160-134-0x00000000007A0000-0x00000000007AA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads