healer | 012e45bf9e254d66e33a51a72a445d515734fbe311a27d03980fc023cae431fa

General

Target

012e45bf9e254d66e33a51a72a445d515734fbe311a27d03980fc023cae431fa.exe
Size

389KB
MD5

4ddec11ec1718af98cb222f832a0e0a4
SHA1

dccbb9f098a4d3ae90f3a7ca030b19c8ef77539d
SHA256

012e45bf9e254d66e33a51a72a445d515734fbe311a27d03980fc023cae431fa
SHA512

88d58d363e700ac7fc868e6793c9443bed5eaad12c0e2f1eb750d9a43e5e7f16f0d62c8a3859d522d498d674b3c2e559124426ea715e3aab45f2465517d176e3
SSDEEP

6144:Kfy+bnr+ep0yN90QEmsGOwqm0kW6nZNfpnO2J1qcW2fhnMELOOwB8XB98YE8UHtR:JMriy90UsGjqcPvNOOCA/gHVR

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afe5-130.dat	healer
behavioral1/files/0x000700000001afe5-131.dat	healer
behavioral1/memory/1984-132-0x0000000000940000-0x000000000094A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p0693154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p0693154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p0693154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p0693154.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p0693154.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1308	z6213354.exe
1984	p0693154.exe
1368	r1510859.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p0693154.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z6213354.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6213354.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	012e45bf9e254d66e33a51a72a445d515734fbe311a27d03980fc023cae431fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	012e45bf9e254d66e33a51a72a445d515734fbe311a27d03980fc023cae431fa.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1984	p0693154.exe
1984	p0693154.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	p0693154.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1308	1016	012e45bf9e254d66e33a51a72a445d515734fbe311a27d03980fc023cae431fa.exe	70
PID 1016 wrote to memory of 1308	1016	012e45bf9e254d66e33a51a72a445d515734fbe311a27d03980fc023cae431fa.exe	70
PID 1016 wrote to memory of 1308	1016	012e45bf9e254d66e33a51a72a445d515734fbe311a27d03980fc023cae431fa.exe	70
PID 1308 wrote to memory of 1984	1308	z6213354.exe	71
PID 1308 wrote to memory of 1984	1308	z6213354.exe	71
PID 1308 wrote to memory of 1368	1308	z6213354.exe	72
PID 1308 wrote to memory of 1368	1308	z6213354.exe	72
PID 1308 wrote to memory of 1368	1308	z6213354.exe	72

C:\Users\Admin\AppData\Local\Temp\012e45bf9e254d66e33a51a72a445d515734fbe311a27d03980fc023cae431fa.exe
"C:\Users\Admin\AppData\Local\Temp\012e45bf9e254d66e33a51a72a445d515734fbe311a27d03980fc023cae431fa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6213354.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6213354.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0693154.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0693154.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1510859.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1510859.exe
    3⤵
    - Executes dropped EXE
    PID:1368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6213354.exe

Filesize
206KB

MD5
32f72bfa9338eda2c5e75b080ef5b93a

SHA1
24b9b2e8a46d4d499103a2be24308d93ea2a3764

SHA256
f5bd444e97f2e77e2085e1a30ea3bde548fec2fd4b5ec1a77df0aa2a0beb3d93

SHA512
0484751925f1e15fed7102c4fb1fbba519af2bfc3773c43ce57d58f092ecf0ec8ac03560b1c942c0fac104516c354cd372a835058317c1098c75f75029051075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6213354.exe

Filesize
206KB

MD5
32f72bfa9338eda2c5e75b080ef5b93a

SHA1
24b9b2e8a46d4d499103a2be24308d93ea2a3764

SHA256
f5bd444e97f2e77e2085e1a30ea3bde548fec2fd4b5ec1a77df0aa2a0beb3d93

SHA512
0484751925f1e15fed7102c4fb1fbba519af2bfc3773c43ce57d58f092ecf0ec8ac03560b1c942c0fac104516c354cd372a835058317c1098c75f75029051075

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0693154.exe

Filesize
14KB

MD5
f1d1827a4c79b1a42a8d3085d6a01527

SHA1
8ef108eddb49d4c01e2341125df41a4e54b7b573

SHA256
2dd571353e890b28cea40a71f85d7b5ccec364c126de2bed8ece6d66a76551b5

SHA512
bb1c4aac872c029a7105cc22849bc891edbf67754969a11cd84d1a0ca80bb863ff63df524b7cc25184ac1f14023731afbfd79d3219864a1ebe859af601fd38a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0693154.exe

Filesize
14KB

MD5
f1d1827a4c79b1a42a8d3085d6a01527

SHA1
8ef108eddb49d4c01e2341125df41a4e54b7b573

SHA256
2dd571353e890b28cea40a71f85d7b5ccec364c126de2bed8ece6d66a76551b5

SHA512
bb1c4aac872c029a7105cc22849bc891edbf67754969a11cd84d1a0ca80bb863ff63df524b7cc25184ac1f14023731afbfd79d3219864a1ebe859af601fd38a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1510859.exe

Filesize
173KB

MD5
6c760615a9b50dd99982374fec9e9051

SHA1
0eea67572454d5f3aba650b52197d3af1f63bb1d

SHA256
1a2a162e31ad1dd9bd1130fc8055e0039c25fcd6c714088c578eae915c71eec8

SHA512
1e294429505de305afef89322163f6e303354a1051969dde0d5c2309d02f05841e0622c0e5100343093b74ad72c7d949a17ec308788f4fd03b796ee1f324cb30

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1510859.exe

Filesize
173KB

MD5
6c760615a9b50dd99982374fec9e9051

SHA1
0eea67572454d5f3aba650b52197d3af1f63bb1d

SHA256
1a2a162e31ad1dd9bd1130fc8055e0039c25fcd6c714088c578eae915c71eec8

SHA512
1e294429505de305afef89322163f6e303354a1051969dde0d5c2309d02f05841e0622c0e5100343093b74ad72c7d949a17ec308788f4fd03b796ee1f324cb30

Download Submit
memory/1368-142-0x000000000AFD0000-0x000000000B5D6000-memory.dmp

Filesize
6.0MB

Download
memory/1368-139-0x0000000000CC0000-0x0000000000CF0000-memory.dmp

Filesize
192KB

Download
memory/1368-140-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1368-141-0x0000000002F40000-0x0000000002F46000-memory.dmp

Filesize
24KB

Download
memory/1368-143-0x000000000AAD0000-0x000000000ABDA000-memory.dmp

Filesize
1.0MB

Download
memory/1368-144-0x000000000AA00000-0x000000000AA12000-memory.dmp

Filesize
72KB

Download
memory/1368-145-0x000000000AA60000-0x000000000AA9E000-memory.dmp

Filesize
248KB

Download
memory/1368-146-0x000000000ABE0000-0x000000000AC2B000-memory.dmp

Filesize
300KB

Download
memory/1368-147-0x00000000736C0000-0x0000000073DAE000-memory.dmp

Filesize
6.9MB

Download
memory/1984-135-0x00007FFDF2640000-0x00007FFDF302C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-133-0x00007FFDF2640000-0x00007FFDF302C000-memory.dmp

Filesize
9.9MB

Download
memory/1984-132-0x0000000000940000-0x000000000094A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads