healer | 2b679c73c1c34a4f212161cce6a191a1aaaef7f06a5a1d0c4231edf567a1a038

General

Target

2b679c73c1c34a4f212161cce6a191a1aaaef7f06a5a1d0c4231edf567a1a038.exe
Size

389KB
MD5

b24a041c6ad5792b803f486f55811c3c
SHA1

1f51afef9c3b974f1f2c3cb999b02ccbe4b00632
SHA256

2b679c73c1c34a4f212161cce6a191a1aaaef7f06a5a1d0c4231edf567a1a038
SHA512

4f858c94f89caaca045a0e519b561852de9bc367ec92f5092655c472e0b509c9041b63a681d5b38e44bc6cfb32ecff2704c1fff3defa3d260ed6a6ad93a7ef52
SSDEEP

6144:KSy+bnr+Jp0yN90QElbkhwBmVlYAtXAt3onsXSjPRmPOe6Xsc0LKiOMpjvFNK:SMr5y90nOwBmLYAtwswPOe6W+z8je

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231f8-145.dat	healer
behavioral1/files/0x00070000000231f8-146.dat	healer
behavioral1/memory/1060-147-0x0000000000F30000-0x0000000000F3A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p1065964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p1065964.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p1065964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p1065964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p1065964.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p1065964.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
688	z5846180.exe
1060	p1065964.exe
4992	r4904181.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p1065964.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	2b679c73c1c34a4f212161cce6a191a1aaaef7f06a5a1d0c4231edf567a1a038.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2b679c73c1c34a4f212161cce6a191a1aaaef7f06a5a1d0c4231edf567a1a038.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z5846180.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5846180.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1060	p1065964.exe
1060	p1065964.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	p1065964.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 688	4308	2b679c73c1c34a4f212161cce6a191a1aaaef7f06a5a1d0c4231edf567a1a038.exe	86
PID 4308 wrote to memory of 688	4308	2b679c73c1c34a4f212161cce6a191a1aaaef7f06a5a1d0c4231edf567a1a038.exe	86
PID 4308 wrote to memory of 688	4308	2b679c73c1c34a4f212161cce6a191a1aaaef7f06a5a1d0c4231edf567a1a038.exe	86
PID 688 wrote to memory of 1060	688	z5846180.exe	87
PID 688 wrote to memory of 1060	688	z5846180.exe	87
PID 688 wrote to memory of 4992	688	z5846180.exe	92
PID 688 wrote to memory of 4992	688	z5846180.exe	92
PID 688 wrote to memory of 4992	688	z5846180.exe	92

C:\Users\Admin\AppData\Local\Temp\2b679c73c1c34a4f212161cce6a191a1aaaef7f06a5a1d0c4231edf567a1a038.exe
"C:\Users\Admin\AppData\Local\Temp\2b679c73c1c34a4f212161cce6a191a1aaaef7f06a5a1d0c4231edf567a1a038.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5846180.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5846180.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1065964.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1065964.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4904181.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4904181.exe
    3⤵
    - Executes dropped EXE
    PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5846180.exe

Filesize
206KB

MD5
6f0b2e77bc7f1a2350e10922b1d8c63d

SHA1
e56a077ccefcc36657502a05002d9ac22505f429

SHA256
9481b6366ec74310c068311e4771140ca9748d908aab2fcc5961317b5b79fb93

SHA512
49898687294929a2a15e3d0438840fa395b567036088f00e318e8f6b2b9e85af3c01acc53cfb64c150363458758a9f9603bfac7a5d21aa7bdca7af41f720a790

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5846180.exe

Filesize
206KB

MD5
6f0b2e77bc7f1a2350e10922b1d8c63d

SHA1
e56a077ccefcc36657502a05002d9ac22505f429

SHA256
9481b6366ec74310c068311e4771140ca9748d908aab2fcc5961317b5b79fb93

SHA512
49898687294929a2a15e3d0438840fa395b567036088f00e318e8f6b2b9e85af3c01acc53cfb64c150363458758a9f9603bfac7a5d21aa7bdca7af41f720a790

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1065964.exe

Filesize
15KB

MD5
986121ae69b512ea7578f159d9f3466c

SHA1
881f944338732acaf876cfede9d921dcfbec85c2

SHA256
c0dc576055e3a98d7b1a3dfb8c3a433183b5f55c520f781c0af15b53273955b2

SHA512
1979849ae618ec36f0fe1f6ba475cb8273af2405f4d8c5d090ddde3e13a3391ed98d4c6764b5ecf4e5f67df2a8f576bc72eb45e62c699766f0dfa0b8aa4e0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p1065964.exe

Filesize
15KB

MD5
986121ae69b512ea7578f159d9f3466c

SHA1
881f944338732acaf876cfede9d921dcfbec85c2

SHA256
c0dc576055e3a98d7b1a3dfb8c3a433183b5f55c520f781c0af15b53273955b2

SHA512
1979849ae618ec36f0fe1f6ba475cb8273af2405f4d8c5d090ddde3e13a3391ed98d4c6764b5ecf4e5f67df2a8f576bc72eb45e62c699766f0dfa0b8aa4e0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4904181.exe

Filesize
175KB

MD5
18bea103b68724a9994978e60326f5ec

SHA1
aca0d03c776e2cee6bee86665f68efc9522cf07f

SHA256
e0e6ba4dc4d5039051db0dd3debf108d21bafeb1d8b28f80c067e57d129b05e9

SHA512
63e93bff5f0368d53e1e609b2264df1f4384a44f7c6bba3ff3db6678e8c8de49144f89642d85eff27d245d4657a30c0e1b4f5929f585ffb6b48d9c8224800843

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4904181.exe

Filesize
175KB

MD5
18bea103b68724a9994978e60326f5ec

SHA1
aca0d03c776e2cee6bee86665f68efc9522cf07f

SHA256
e0e6ba4dc4d5039051db0dd3debf108d21bafeb1d8b28f80c067e57d129b05e9

SHA512
63e93bff5f0368d53e1e609b2264df1f4384a44f7c6bba3ff3db6678e8c8de49144f89642d85eff27d245d4657a30c0e1b4f5929f585ffb6b48d9c8224800843

Download Submit
memory/1060-147-0x0000000000F30000-0x0000000000F3A000-memory.dmp

Filesize
40KB

Download
memory/1060-151-0x00007FFF16020000-0x00007FFF16AE1000-memory.dmp

Filesize
10.8MB

Download
memory/1060-149-0x00007FFF16020000-0x00007FFF16AE1000-memory.dmp

Filesize
10.8MB

Download
memory/1060-148-0x00007FFF16020000-0x00007FFF16AE1000-memory.dmp

Filesize
10.8MB

Download
memory/4992-156-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/4992-155-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download
memory/4992-157-0x000000000A890000-0x000000000AEA8000-memory.dmp

Filesize
6.1MB

Download
memory/4992-158-0x000000000A3F0000-0x000000000A4FA000-memory.dmp

Filesize
1.0MB

Download
memory/4992-159-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/4992-160-0x000000000A330000-0x000000000A342000-memory.dmp

Filesize
72KB

Download
memory/4992-161-0x000000000A390000-0x000000000A3CC000-memory.dmp

Filesize
240KB

Download
memory/4992-162-0x0000000074730000-0x0000000074EE0000-memory.dmp

Filesize
7.7MB

Download
memory/4992-163-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads