healer | 31969f0a5dbca92dd2739cfdb7651a0ceb4af5b7d20ce617bee30479d1424fff

General

Target

31969f0a5dbca92dd2739cfdb7651a0ceb4af5b7d20ce617bee30479d1424fff.exe
Size

389KB
MD5

1df37ffd68e024a5b20554e7ecf8f01c
SHA1

ce893db0e5882090dfe9755d9f49f5d40348d0e1
SHA256

31969f0a5dbca92dd2739cfdb7651a0ceb4af5b7d20ce617bee30479d1424fff
SHA512

3a23e1dccf286d380b2474948134273397edf703de553c9f663a4c13f7f938176e9f86271973f8996fe19dff9cf070962c964949fec320f85194515735fd993d
SSDEEP

6144:Koy+bnr+np0yN90QEDvwHiW0FKFA8/6CCmRnn4JZHVxHY0NSSWj6xwp5/:0MrHy90BYHi7FPzrU47HHY0NSf6xo5/

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000600000001b00a-129.dat	healer
behavioral1/files/0x000600000001b00a-130.dat	healer
behavioral1/memory/4936-131-0x00000000008E0000-0x00000000008EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p2923306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p2923306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p2923306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p2923306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p2923306.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
5048	z6281494.exe
4936	p2923306.exe
2156	r6312869.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p2923306.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	31969f0a5dbca92dd2739cfdb7651a0ceb4af5b7d20ce617bee30479d1424fff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	31969f0a5dbca92dd2739cfdb7651a0ceb4af5b7d20ce617bee30479d1424fff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6281494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6281494.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4936	p2923306.exe
4936	p2923306.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4936	p2923306.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 5048	2540	31969f0a5dbca92dd2739cfdb7651a0ceb4af5b7d20ce617bee30479d1424fff.exe	70
PID 2540 wrote to memory of 5048	2540	31969f0a5dbca92dd2739cfdb7651a0ceb4af5b7d20ce617bee30479d1424fff.exe	70
PID 2540 wrote to memory of 5048	2540	31969f0a5dbca92dd2739cfdb7651a0ceb4af5b7d20ce617bee30479d1424fff.exe	70
PID 5048 wrote to memory of 4936	5048	z6281494.exe	71
PID 5048 wrote to memory of 4936	5048	z6281494.exe	71
PID 5048 wrote to memory of 2156	5048	z6281494.exe	72
PID 5048 wrote to memory of 2156	5048	z6281494.exe	72
PID 5048 wrote to memory of 2156	5048	z6281494.exe	72

C:\Users\Admin\AppData\Local\Temp\31969f0a5dbca92dd2739cfdb7651a0ceb4af5b7d20ce617bee30479d1424fff.exe
"C:\Users\Admin\AppData\Local\Temp\31969f0a5dbca92dd2739cfdb7651a0ceb4af5b7d20ce617bee30479d1424fff.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6281494.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6281494.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2923306.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2923306.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6312869.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6312869.exe
    3⤵
    - Executes dropped EXE
    PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6281494.exe

Filesize
206KB

MD5
8d96ad1f7fa49d8633862c67c1d27f79

SHA1
a9bfe69c3423b87342338af1a7fd772ded69ecaf

SHA256
3b53cb9c3da05503476d1ab26e61e2a120bc5316542c0feafe5547ff0edc274b

SHA512
7c12caa96a7eeeb5644573ad978686857facb70986cadc94c4231923d4c94a28a64615a9e2d7cfb6974b3d0c813a79ecd91bc249044b492cfec481db74778a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6281494.exe

Filesize
206KB

MD5
8d96ad1f7fa49d8633862c67c1d27f79

SHA1
a9bfe69c3423b87342338af1a7fd772ded69ecaf

SHA256
3b53cb9c3da05503476d1ab26e61e2a120bc5316542c0feafe5547ff0edc274b

SHA512
7c12caa96a7eeeb5644573ad978686857facb70986cadc94c4231923d4c94a28a64615a9e2d7cfb6974b3d0c813a79ecd91bc249044b492cfec481db74778a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2923306.exe

Filesize
14KB

MD5
0a150139bc07a4465b0111d616ac5b0f

SHA1
9a3183beba4a48162702c3346aa54108407f5bf0

SHA256
50b3cee09834d4a2900eb1808cf7bf47f670381ef1f9769c3f1cd5bffd89067a

SHA512
1fe04b1d233be86fea4b10432ed50ad48dcf451c597ff2eb7e9b5566a8002eb2079d0e79df02adfd5780cad6c7a107101aa963e0f8805fda0f932ecb8c7aebcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2923306.exe

Filesize
14KB

MD5
0a150139bc07a4465b0111d616ac5b0f

SHA1
9a3183beba4a48162702c3346aa54108407f5bf0

SHA256
50b3cee09834d4a2900eb1808cf7bf47f670381ef1f9769c3f1cd5bffd89067a

SHA512
1fe04b1d233be86fea4b10432ed50ad48dcf451c597ff2eb7e9b5566a8002eb2079d0e79df02adfd5780cad6c7a107101aa963e0f8805fda0f932ecb8c7aebcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6312869.exe

Filesize
173KB

MD5
f794af4c81107accee845f34044fec6f

SHA1
f8066eb6879fda06246d2214cf767c4e86bb3e94

SHA256
a71342545d2e6d42c7677f3ab2620e340ca5198bae4e6da96737b5b84683d86d

SHA512
cd7b8aff3bf2f0162d5de60772ba0eb3405409860997173724cdb3caa2e84ad7103c46de2bb41ec4e97d775fa55b0d36694b42b90bbebf9b06d8c6e2c57f07ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6312869.exe

Filesize
173KB

MD5
f794af4c81107accee845f34044fec6f

SHA1
f8066eb6879fda06246d2214cf767c4e86bb3e94

SHA256
a71342545d2e6d42c7677f3ab2620e340ca5198bae4e6da96737b5b84683d86d

SHA512
cd7b8aff3bf2f0162d5de60772ba0eb3405409860997173724cdb3caa2e84ad7103c46de2bb41ec4e97d775fa55b0d36694b42b90bbebf9b06d8c6e2c57f07ca

Download Submit
memory/2156-141-0x000000000AF50000-0x000000000B556000-memory.dmp

Filesize
6.0MB

Download
memory/2156-139-0x0000000072FC0000-0x00000000736AE000-memory.dmp

Filesize
6.9MB

Download
memory/2156-138-0x0000000000CD0000-0x0000000000D00000-memory.dmp

Filesize
192KB

Download
memory/2156-140-0x0000000002D20000-0x0000000002D26000-memory.dmp

Filesize
24KB

Download
memory/2156-142-0x000000000AAE0000-0x000000000ABEA000-memory.dmp

Filesize
1.0MB

Download
memory/2156-143-0x000000000AA10000-0x000000000AA22000-memory.dmp

Filesize
72KB

Download
memory/2156-144-0x000000000AA70000-0x000000000AAAE000-memory.dmp

Filesize
248KB

Download
memory/2156-145-0x000000000ABF0000-0x000000000AC3B000-memory.dmp

Filesize
300KB

Download
memory/2156-146-0x0000000072FC0000-0x00000000736AE000-memory.dmp

Filesize
6.9MB

Download
memory/4936-134-0x00007FF9B5E30000-0x00007FF9B681C000-memory.dmp

Filesize
9.9MB

Download
memory/4936-132-0x00007FF9B5E30000-0x00007FF9B681C000-memory.dmp

Filesize
9.9MB

Download
memory/4936-131-0x00000000008E0000-0x00000000008EA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads