healer | f1d51190ca4031030654bb7c305ee00301c6292fd2ef85443cedee2b421433f1

General

Target

f1d51190ca4031030654bb7c305ee00301c6292fd2ef85443cedee2b421433f1.exe
Size

389KB
MD5

8bacdcc4fa47e3f98d7b3f1a23fe5ff1
SHA1

d906fedc1181ad50c6406a1ab7fcdaa5e46d961d
SHA256

f1d51190ca4031030654bb7c305ee00301c6292fd2ef85443cedee2b421433f1
SHA512

eb22c15455c7621176107da12d04221cd2a3ce1fe51bacd25c7d8639b03ad623b9f5fda13db7dca68477feae0ee1b82db1a6f80fca06337d8f46e75cfb7fdac3
SSDEEP

6144:K5y+bnr+xp0yN90QE5+kr5SdvWbeyRQxXGrSCG5EwL/JfWsdW2WMfSBEzoSNFlfq:LMrBy90rrR8xxF5zLlWTkKEzkN7

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000231ae-145.dat	healer
behavioral1/files/0x00080000000231ae-146.dat	healer
behavioral1/memory/1148-147-0x00000000001B0000-0x00000000001BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p6421250.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p6421250.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p6421250.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p6421250.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p6421250.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p6421250.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
852	z9450628.exe
1148	p6421250.exe
5032	r1108892.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p6421250.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	f1d51190ca4031030654bb7c305ee00301c6292fd2ef85443cedee2b421433f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f1d51190ca4031030654bb7c305ee00301c6292fd2ef85443cedee2b421433f1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z9450628.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9450628.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1148	p6421250.exe
1148	p6421250.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	p6421250.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 852	548	f1d51190ca4031030654bb7c305ee00301c6292fd2ef85443cedee2b421433f1.exe	85
PID 548 wrote to memory of 852	548	f1d51190ca4031030654bb7c305ee00301c6292fd2ef85443cedee2b421433f1.exe	85
PID 548 wrote to memory of 852	548	f1d51190ca4031030654bb7c305ee00301c6292fd2ef85443cedee2b421433f1.exe	85
PID 852 wrote to memory of 1148	852	z9450628.exe	86
PID 852 wrote to memory of 1148	852	z9450628.exe	86
PID 852 wrote to memory of 5032	852	z9450628.exe	98
PID 852 wrote to memory of 5032	852	z9450628.exe	98
PID 852 wrote to memory of 5032	852	z9450628.exe	98

C:\Users\Admin\AppData\Local\Temp\f1d51190ca4031030654bb7c305ee00301c6292fd2ef85443cedee2b421433f1.exe
"C:\Users\Admin\AppData\Local\Temp\f1d51190ca4031030654bb7c305ee00301c6292fd2ef85443cedee2b421433f1.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9450628.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9450628.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6421250.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6421250.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1108892.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1108892.exe
    3⤵
    - Executes dropped EXE
    PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9450628.exe

Filesize
206KB

MD5
4e5c70d878a1aa5979185e3ecfba636c

SHA1
2cda41ce52c7e4d4e40694bd90dbfc1d03809dab

SHA256
3ce21499b5ee589cd8aa67b2c13794f736d6e702ed5af9aa7827854df11dbf02

SHA512
cdd1b4045abb3e14ad06f6fe20c698149017f360bd2915ba2112ed869145acb1a75f7a964ba40e3aeb1dbabb355964ae668f3bfe5f4d430f442de2ac0fc61f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9450628.exe

Filesize
206KB

MD5
4e5c70d878a1aa5979185e3ecfba636c

SHA1
2cda41ce52c7e4d4e40694bd90dbfc1d03809dab

SHA256
3ce21499b5ee589cd8aa67b2c13794f736d6e702ed5af9aa7827854df11dbf02

SHA512
cdd1b4045abb3e14ad06f6fe20c698149017f360bd2915ba2112ed869145acb1a75f7a964ba40e3aeb1dbabb355964ae668f3bfe5f4d430f442de2ac0fc61f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6421250.exe

Filesize
15KB

MD5
5d350daf879a6183266924ff5b22d1a7

SHA1
78614be3980eaff090bcd4d3dcc95b6a4d95eb2a

SHA256
d185992f02f19bd0ce3f92560cccc0ab7bc36a8a34c420c8a4bcdbb20a66a8ad

SHA512
e148b3006d42e3459c101db7d75e727d1bf9a785ac8511e5a63e6fe28ad0fe881c59cb74817503d2f6f604657a2271f3d784b406d84e3df46f75c65c7f501e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p6421250.exe

Filesize
15KB

MD5
5d350daf879a6183266924ff5b22d1a7

SHA1
78614be3980eaff090bcd4d3dcc95b6a4d95eb2a

SHA256
d185992f02f19bd0ce3f92560cccc0ab7bc36a8a34c420c8a4bcdbb20a66a8ad

SHA512
e148b3006d42e3459c101db7d75e727d1bf9a785ac8511e5a63e6fe28ad0fe881c59cb74817503d2f6f604657a2271f3d784b406d84e3df46f75c65c7f501e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1108892.exe

Filesize
175KB

MD5
fda64f04b6d6e78283c61488599eda4d

SHA1
7d16291991ab470c9b5d71de6a1716b23c00fb62

SHA256
0f7ba7815c0e6bb1ebcf624ef8d737b1750043c619d03d74bdd4e8de2c70dcd3

SHA512
b0a5cd6bfc138907d1e3b109d87bae93fd0aaad5925ff39dedc2544098d5813088f2cd7aa35ebe9bca755462ccd1e9708679761ce25cd397936e434aea47c019

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r1108892.exe

Filesize
175KB

MD5
fda64f04b6d6e78283c61488599eda4d

SHA1
7d16291991ab470c9b5d71de6a1716b23c00fb62

SHA256
0f7ba7815c0e6bb1ebcf624ef8d737b1750043c619d03d74bdd4e8de2c70dcd3

SHA512
b0a5cd6bfc138907d1e3b109d87bae93fd0aaad5925ff39dedc2544098d5813088f2cd7aa35ebe9bca755462ccd1e9708679761ce25cd397936e434aea47c019

Download Submit
memory/1148-147-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/1148-150-0x00007FFF66150000-0x00007FFF66C11000-memory.dmp

Filesize
10.8MB

Download
memory/1148-148-0x00007FFF66150000-0x00007FFF66C11000-memory.dmp

Filesize
10.8MB

Download
memory/5032-154-0x0000000000880000-0x00000000008B0000-memory.dmp

Filesize
192KB

Download
memory/5032-155-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download
memory/5032-156-0x0000000005890000-0x0000000005EA8000-memory.dmp

Filesize
6.1MB

Download
memory/5032-157-0x0000000005380000-0x000000000548A000-memory.dmp

Filesize
1.0MB

Download
memory/5032-158-0x0000000005100000-0x0000000005112000-memory.dmp

Filesize
72KB

Download
memory/5032-159-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/5032-160-0x0000000005270000-0x00000000052AC000-memory.dmp

Filesize
240KB

Download
memory/5032-161-0x0000000073C20000-0x00000000743D0000-memory.dmp

Filesize
7.7MB

Download
memory/5032-162-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads