healer | 9e39e15db7d8e103bbc91bc4fc682f420da1e249db4a416b8956adc64309690d

General

Target

9e39e15db7d8e103bbc91bc4fc682f420da1e249db4a416b8956adc64309690d.exe
Size

389KB
MD5

def8a2452dfb5e41c3acdd0d3055b4e5
SHA1

e6d0591c1b6af46ca20fd4fe3152a552ca370617
SHA256

9e39e15db7d8e103bbc91bc4fc682f420da1e249db4a416b8956adc64309690d
SHA512

03466a86e3bf5076c944bda6ba4f6ade9ab66051561ad30b6a18732a41592f691807ddf9a7e7496d44408acb996e6760831e8090e242701f9a20f10bba1fefd8
SSDEEP

12288:IMr3y90j6IzPNnpo5WZ/2ag+AjEnrEWZZyvppo:/ycDNnPZ/2aej1cN

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afc3-132.dat	healer
behavioral1/files/0x000700000001afc3-133.dat	healer
behavioral1/memory/692-134-0x00000000005F0000-0x00000000005FA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p5133600.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p5133600.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p5133600.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p5133600.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p5133600.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4776	z8369243.exe
692	p5133600.exe
4436	r8347735.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p5133600.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9e39e15db7d8e103bbc91bc4fc682f420da1e249db4a416b8956adc64309690d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9e39e15db7d8e103bbc91bc4fc682f420da1e249db4a416b8956adc64309690d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z8369243.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z8369243.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
692	p5133600.exe
692	p5133600.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	692	p5133600.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 4776	4704	9e39e15db7d8e103bbc91bc4fc682f420da1e249db4a416b8956adc64309690d.exe	70
PID 4704 wrote to memory of 4776	4704	9e39e15db7d8e103bbc91bc4fc682f420da1e249db4a416b8956adc64309690d.exe	70
PID 4704 wrote to memory of 4776	4704	9e39e15db7d8e103bbc91bc4fc682f420da1e249db4a416b8956adc64309690d.exe	70
PID 4776 wrote to memory of 692	4776	z8369243.exe	71
PID 4776 wrote to memory of 692	4776	z8369243.exe	71
PID 4776 wrote to memory of 4436	4776	z8369243.exe	72
PID 4776 wrote to memory of 4436	4776	z8369243.exe	72
PID 4776 wrote to memory of 4436	4776	z8369243.exe	72

C:\Users\Admin\AppData\Local\Temp\9e39e15db7d8e103bbc91bc4fc682f420da1e249db4a416b8956adc64309690d.exe
"C:\Users\Admin\AppData\Local\Temp\9e39e15db7d8e103bbc91bc4fc682f420da1e249db4a416b8956adc64309690d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8369243.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8369243.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5133600.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5133600.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8347735.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8347735.exe
    3⤵
    - Executes dropped EXE
    PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8369243.exe

Filesize
206KB

MD5
922a6287834a386b4ecbb2df87b642ea

SHA1
6b632e75e22ccaf9a77a2b88c785a554e513e21d

SHA256
e18b111e7cc77b3214811c36d66351ed5e0fa01d11f19eafb16b6ea99bea5dc4

SHA512
c40ee0ae8f9fe366d4e54d32aa4b1fefc7a817381af86138b6f262201591d38938378d1182d81eeae26e7b4a2765fc1888bcaa4891a8325b9479e0b91886155d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8369243.exe

Filesize
206KB

MD5
922a6287834a386b4ecbb2df87b642ea

SHA1
6b632e75e22ccaf9a77a2b88c785a554e513e21d

SHA256
e18b111e7cc77b3214811c36d66351ed5e0fa01d11f19eafb16b6ea99bea5dc4

SHA512
c40ee0ae8f9fe366d4e54d32aa4b1fefc7a817381af86138b6f262201591d38938378d1182d81eeae26e7b4a2765fc1888bcaa4891a8325b9479e0b91886155d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5133600.exe

Filesize
15KB

MD5
634c8902516ad541a29b80f91bbff625

SHA1
832705858a029391736f62cc75f67be2dd0af676

SHA256
5aa1036cf6005ff38515632aafa8d71c861fd4544c704aca4e3ebf4a951fe4cb

SHA512
501baa65f08101235ac1eab79c2a7f0cc44561f60573d61a2a684fdaab319dba0111cf8ee71ef29d56688bf0510e8e29943ed02cbb2048a995e0da9307002527

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p5133600.exe

Filesize
15KB

MD5
634c8902516ad541a29b80f91bbff625

SHA1
832705858a029391736f62cc75f67be2dd0af676

SHA256
5aa1036cf6005ff38515632aafa8d71c861fd4544c704aca4e3ebf4a951fe4cb

SHA512
501baa65f08101235ac1eab79c2a7f0cc44561f60573d61a2a684fdaab319dba0111cf8ee71ef29d56688bf0510e8e29943ed02cbb2048a995e0da9307002527

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8347735.exe

Filesize
174KB

MD5
6157465725d4abe70728eafd53a67c37

SHA1
b497d8e0b9bfde015e039f16494962cefd9647cb

SHA256
a65369fced97407132a773433825ac96149ff055e6963a62c18e15ca5fbe18c2

SHA512
11eebd02ee81d794cbd608168f2f3fe0491bd7c2a3d8f86574d962f4eb7e3b2301eaa517f727be044cdde67e3f0a7d357b40e32e95b1ff10d2508b78198422fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r8347735.exe

Filesize
174KB

MD5
6157465725d4abe70728eafd53a67c37

SHA1
b497d8e0b9bfde015e039f16494962cefd9647cb

SHA256
a65369fced97407132a773433825ac96149ff055e6963a62c18e15ca5fbe18c2

SHA512
11eebd02ee81d794cbd608168f2f3fe0491bd7c2a3d8f86574d962f4eb7e3b2301eaa517f727be044cdde67e3f0a7d357b40e32e95b1ff10d2508b78198422fd

Download Submit
memory/692-134-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/692-137-0x00007FFB2C9D0000-0x00007FFB2D3BC000-memory.dmp

Filesize
9.9MB

Download
memory/692-135-0x00007FFB2C9D0000-0x00007FFB2D3BC000-memory.dmp

Filesize
9.9MB

Download
memory/4436-142-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/4436-141-0x00000000001D0000-0x0000000000200000-memory.dmp

Filesize
192KB

Download
memory/4436-143-0x0000000004990000-0x0000000004996000-memory.dmp

Filesize
24KB

Download
memory/4436-144-0x000000000A4C0000-0x000000000AAC6000-memory.dmp

Filesize
6.0MB

Download
memory/4436-145-0x0000000009FE0000-0x000000000A0EA000-memory.dmp

Filesize
1.0MB

Download
memory/4436-146-0x0000000009F10000-0x0000000009F22000-memory.dmp

Filesize
72KB

Download
memory/4436-147-0x0000000009F70000-0x0000000009FAE000-memory.dmp

Filesize
248KB

Download
memory/4436-148-0x000000000A0F0000-0x000000000A13B000-memory.dmp

Filesize
300KB

Download
memory/4436-149-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads