healer | d9bd2b9e429938942b81859cd646f9010b02e8b061236d5d3a68b4271d30bffc

General

Target

d9bd2b9e429938942b81859cd646f9010b02e8b061236d5d3a68b4271d30bffc.exe
Size

389KB
MD5

6d33326bb6b4cba32de9aba0c4eba347
SHA1

21727d0dcc03376eec2a31414a21d5b7dd883efe
SHA256

d9bd2b9e429938942b81859cd646f9010b02e8b061236d5d3a68b4271d30bffc
SHA512

f331864639a6cdaf059bcf1aeddee813698c47ba9539acf850c7013a277b23e38ad0e834997f0c410f136dbec6d7726ef9f4179f4f694fdcc8933b7b02c17813
SSDEEP

6144:KIy+bnr+gp0yN90QEU3QFGkW8PZNUWJU0a4vKgV/jYEQmyPKuxF/7kgWv:4MrYy90u3oFaFgtgFLWv

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023220-145.dat	healer
behavioral1/files/0x0008000000023220-146.dat	healer
behavioral1/memory/3540-147-0x0000000000630000-0x000000000063A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p2007544.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p2007544.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p2007544.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p2007544.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p2007544.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p2007544.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4940	z3067449.exe
3540	p2007544.exe
2360	r8417918.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p2007544.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3067449.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3067449.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d9bd2b9e429938942b81859cd646f9010b02e8b061236d5d3a68b4271d30bffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9bd2b9e429938942b81859cd646f9010b02e8b061236d5d3a68b4271d30bffc.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2172	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3540	p2007544.exe
3540	p2007544.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3540	p2007544.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4940	212	d9bd2b9e429938942b81859cd646f9010b02e8b061236d5d3a68b4271d30bffc.exe	84
PID 212 wrote to memory of 4940	212	d9bd2b9e429938942b81859cd646f9010b02e8b061236d5d3a68b4271d30bffc.exe	84
PID 212 wrote to memory of 4940	212	d9bd2b9e429938942b81859cd646f9010b02e8b061236d5d3a68b4271d30bffc.exe	84
PID 4940 wrote to memory of 3540	4940	z3067449.exe	85
PID 4940 wrote to memory of 3540	4940	z3067449.exe	85
PID 4940 wrote to memory of 2360	4940	z3067449.exe	90
PID 4940 wrote to memory of 2360	4940	z3067449.exe	90
PID 4940 wrote to memory of 2360	4940	z3067449.exe	90

C:\Users\Admin\AppData\Local\Temp\d9bd2b9e429938942b81859cd646f9010b02e8b061236d5d3a68b4271d30bffc.exe
"C:\Users\Admin\AppData\Local\Temp\d9bd2b9e429938942b81859cd646f9010b02e8b061236d5d3a68b4271d30bffc.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:212
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3067449.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3067449.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2007544.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2007544.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3540
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8417918.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8417918.exe
    3⤵
    - Executes dropped EXE
    PID:2360

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:2172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3067449.exe

Filesize
206KB

MD5
323cd81bafb025ea617f253b764f47a2

SHA1
3b383eabc37fc2d0e12cdadc2ad4d75d3c95a789

SHA256
8571cbf20fbc75ec996933873079a5cc374db487e420f2cf4e53b4293e398c3b

SHA512
d6f87e6a9c4f24531dcafad460c07e0cf96c932c0e8b54104d030b5481483c60c0fa86f4efa00d3731afc6ea6812ebd270ee76ef29a89fef1be3144ab7872c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3067449.exe

Filesize
206KB

MD5
323cd81bafb025ea617f253b764f47a2

SHA1
3b383eabc37fc2d0e12cdadc2ad4d75d3c95a789

SHA256
8571cbf20fbc75ec996933873079a5cc374db487e420f2cf4e53b4293e398c3b

SHA512
d6f87e6a9c4f24531dcafad460c07e0cf96c932c0e8b54104d030b5481483c60c0fa86f4efa00d3731afc6ea6812ebd270ee76ef29a89fef1be3144ab7872c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2007544.exe

Filesize
14KB

MD5
0823b3f21b5815170a87d393da2e718d

SHA1
d40d8f15a9d587977f97b0938a91763b028ba8d1

SHA256
ce510ff31c279e85d4ec8e78b629e783f4084e2b4890474025527374ccffa786

SHA512
7989a05c14fcc938625a6dc539715a051e31024c39c07ee41b2f0d07c957e12de593c439043c573054830c4a9dec218cb23a08bec66bee073ff9403c3d574e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p2007544.exe

Filesize
14KB

MD5
0823b3f21b5815170a87d393da2e718d

SHA1
d40d8f15a9d587977f97b0938a91763b028ba8d1

SHA256
ce510ff31c279e85d4ec8e78b629e783f4084e2b4890474025527374ccffa786

SHA512
7989a05c14fcc938625a6dc539715a051e31024c39c07ee41b2f0d07c957e12de593c439043c573054830c4a9dec218cb23a08bec66bee073ff9403c3d574e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8417918.exe

Filesize
174KB

MD5
fc7040103a1d11d08788ed12b51ad955

SHA1
f3fe994e5bf3d91932bb5e1c250d869fc89a88fb

SHA256
b22b9c429761d55ef4a8632bd5fe294ff30bb8a0096b266961bf16d10fcfc81b

SHA512
78e87f70b764a7d4b0d9d746fb75a0f384e3efd2daa1f2864b5e33cb7f44ccffe83d67541c852c6531716a95340a7c17a199241a74a1094cd76aa9d96618bcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8417918.exe

Filesize
174KB

MD5
fc7040103a1d11d08788ed12b51ad955

SHA1
f3fe994e5bf3d91932bb5e1c250d869fc89a88fb

SHA256
b22b9c429761d55ef4a8632bd5fe294ff30bb8a0096b266961bf16d10fcfc81b

SHA512
78e87f70b764a7d4b0d9d746fb75a0f384e3efd2daa1f2864b5e33cb7f44ccffe83d67541c852c6531716a95340a7c17a199241a74a1094cd76aa9d96618bcc1

Download Submit
memory/2360-157-0x000000000A500000-0x000000000A60A000-memory.dmp

Filesize
1.0MB

Download
memory/2360-154-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/2360-155-0x0000000000550000-0x0000000000580000-memory.dmp

Filesize
192KB

Download
memory/2360-156-0x000000000A9B0000-0x000000000AFC8000-memory.dmp

Filesize
6.1MB

Download
memory/2360-158-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/2360-159-0x000000000A440000-0x000000000A452000-memory.dmp

Filesize
72KB

Download
memory/2360-160-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

Filesize
240KB

Download
memory/2360-161-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/2360-162-0x0000000005000000-0x0000000005010000-memory.dmp

Filesize
64KB

Download
memory/3540-150-0x00007FFD45020000-0x00007FFD45AE1000-memory.dmp

Filesize
10.8MB

Download
memory/3540-148-0x00007FFD45020000-0x00007FFD45AE1000-memory.dmp

Filesize
10.8MB

Download
memory/3540-147-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads