healer | 0f145eac0eced7d496fb9b2b599690f80d961655c5fda5c7569e162d2e54c5e5

General

Target

0f145eac0eced7d496fb9b2b599690f80d961655c5fda5c7569e162d2e54c5e5.exe
Size

389KB
MD5

e9644d116664bb35aa9049dbc7c3e4f2
SHA1

44d39516a8bec806628a29f65db51ba758d3eda8
SHA256

0f145eac0eced7d496fb9b2b599690f80d961655c5fda5c7569e162d2e54c5e5
SHA512

47d7ace4548359798649d8da2550a610de918321c900a176c64b5b6ef922f1d72737677d07bff202f9b0ea7f2e501729f2b2a8e6b0c790d6f1f3537b882be494
SSDEEP

12288:9MrXy90SVk4xDj87L07UWWQ/vgcl435mg:Wyk4G7HW0cmgg

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023269-146.dat	healer
behavioral1/files/0x0007000000023269-145.dat	healer
behavioral1/memory/3348-147-0x0000000000300000-0x000000000030A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p5454522.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p5454522.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p5454522.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p5454522.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p5454522.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p5454522.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
116	z6433380.exe
3348	p5454522.exe
1932	r1459663.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p5454522.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0f145eac0eced7d496fb9b2b599690f80d961655c5fda5c7569e162d2e54c5e5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6433380.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6433380.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	0f145eac0eced7d496fb9b2b599690f80d961655c5fda5c7569e162d2e54c5e5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3348	p5454522.exe
3348	p5454522.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	p5454522.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 116	3020	0f145eac0eced7d496fb9b2b599690f80d961655c5fda5c7569e162d2e54c5e5.exe	85
PID 3020 wrote to memory of 116	3020	0f145eac0eced7d496fb9b2b599690f80d961655c5fda5c7569e162d2e54c5e5.exe	85
PID 3020 wrote to memory of 116	3020	0f145eac0eced7d496fb9b2b599690f80d961655c5fda5c7569e162d2e54c5e5.exe	85
PID 116 wrote to memory of 3348	116	z6433380.exe	87
PID 116 wrote to memory of 3348	116	z6433380.exe	87
PID 116 wrote to memory of 1932	116	z6433380.exe	94
PID 116 wrote to memory of 1932	116	z6433380.exe	94
PID 116 wrote to memory of 1932	116	z6433380.exe	94

C:\Users\Admin\AppData\Local\Temp\0f145eac0eced7d496fb9b2b599690f80d961655c5fda5c7569e162d2e54c5e5.exe
"C:\Users\Admin\AppData\Local\Temp\0f145eac0eced7d496fb9b2b599690f80d961655c5fda5c7569e162d2e54c5e5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6433380.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6433380.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5454522.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5454522.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1459663.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1459663.exe
    3⤵
    - Executes dropped EXE
    PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6433380.exe

Filesize
206KB

MD5
f8fcbedfeea11c10c3865452f5ac666d

SHA1
ecd3396713ac8d36b3d7a9e4f072b0fbb1a776bd

SHA256
7fed9f50c94fb9d64a9d6a39a0e26c6a73ae0963af20247ed470172d4c5de34f

SHA512
6ede08ef344bcdaf54baa8c70842e5dadf9d531286c92787331d80f0d7c8eafdca73eba55425cd581caf47d81171a309263d988d8dc28196ac2fe0c422f3b6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6433380.exe

Filesize
206KB

MD5
f8fcbedfeea11c10c3865452f5ac666d

SHA1
ecd3396713ac8d36b3d7a9e4f072b0fbb1a776bd

SHA256
7fed9f50c94fb9d64a9d6a39a0e26c6a73ae0963af20247ed470172d4c5de34f

SHA512
6ede08ef344bcdaf54baa8c70842e5dadf9d531286c92787331d80f0d7c8eafdca73eba55425cd581caf47d81171a309263d988d8dc28196ac2fe0c422f3b6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5454522.exe

Filesize
14KB

MD5
9510036458b23bb9ccfcbf0458635daa

SHA1
237c5e8d951ca75418f2d05d8d07b6d0afcff4f5

SHA256
1c44afb8a252e23fac36b3a71fc7737381cccd65bb137a5bc96294e28bbeef25

SHA512
8a6a708cd062b71d06b5db145d06c83d8dc62bd7a0a55d7f03ac75bbb1c19efa556a6f11e8b3f5931d6fdaab8efbcc18fc3dd84a57d185126ee97e58b09a0d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5454522.exe

Filesize
14KB

MD5
9510036458b23bb9ccfcbf0458635daa

SHA1
237c5e8d951ca75418f2d05d8d07b6d0afcff4f5

SHA256
1c44afb8a252e23fac36b3a71fc7737381cccd65bb137a5bc96294e28bbeef25

SHA512
8a6a708cd062b71d06b5db145d06c83d8dc62bd7a0a55d7f03ac75bbb1c19efa556a6f11e8b3f5931d6fdaab8efbcc18fc3dd84a57d185126ee97e58b09a0d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1459663.exe

Filesize
173KB

MD5
5925669de99b196f95ee5f33e6666d78

SHA1
3e275bffac890cd24ff681ec9d43c476e5072c7e

SHA256
eee502d61b5c87288ec040925e71d470946449c97bc4e5104bfa2a6bada7a04d

SHA512
d7cfc3b71091a9db9937be29bbd2c9a74a61f03ef03cdefd5491a0df7299523b1bb4bf24d6841528e6a494302c7dc54097383473296659b0b0237f62a0c4e162

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1459663.exe

Filesize
173KB

MD5
5925669de99b196f95ee5f33e6666d78

SHA1
3e275bffac890cd24ff681ec9d43c476e5072c7e

SHA256
eee502d61b5c87288ec040925e71d470946449c97bc4e5104bfa2a6bada7a04d

SHA512
d7cfc3b71091a9db9937be29bbd2c9a74a61f03ef03cdefd5491a0df7299523b1bb4bf24d6841528e6a494302c7dc54097383473296659b0b0237f62a0c4e162

Download Submit
memory/1932-157-0x000000000A620000-0x000000000A72A000-memory.dmp

Filesize
1.0MB

Download
memory/1932-154-0x0000000000670000-0x00000000006A0000-memory.dmp

Filesize
192KB

Download
memory/1932-155-0x00000000742D0000-0x0000000074A80000-memory.dmp

Filesize
7.7MB

Download
memory/1932-156-0x000000000AB30000-0x000000000B148000-memory.dmp

Filesize
6.1MB

Download
memory/1932-159-0x0000000002C40000-0x0000000002C52000-memory.dmp

Filesize
72KB

Download
memory/1932-158-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/1932-160-0x0000000005110000-0x000000000514C000-memory.dmp

Filesize
240KB

Download
memory/1932-161-0x00000000742D0000-0x0000000074A80000-memory.dmp

Filesize
7.7MB

Download
memory/1932-162-0x0000000005180000-0x0000000005190000-memory.dmp

Filesize
64KB

Download
memory/3348-150-0x00007FFAD3F50000-0x00007FFAD4A11000-memory.dmp

Filesize
10.8MB

Download
memory/3348-148-0x00007FFAD3F50000-0x00007FFAD4A11000-memory.dmp

Filesize
10.8MB

Download
memory/3348-147-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads