healer | a83d2fd85a3a038933985bca867e614f193a103abdeeacdedb3c7d3880b07ca0

General

Target

a83d2fd85a3a038933985bca867e614f193a103abdeeacdedb3c7d3880b07ca0.exe
Size

389KB
MD5

18154c1a8ba152d639bc5ac7eec7bc87
SHA1

b318cd14d556a910d3888f79e8360db9af70a1c5
SHA256

a83d2fd85a3a038933985bca867e614f193a103abdeeacdedb3c7d3880b07ca0
SHA512

b93286fe0975c91d212774b2bac9b0766dfb9066ec6eb3dcec473b13e85de86ccbb55a780c978d0acf41fb043f8934a370f694af0c933419f6603169ca4bdb6b
SSDEEP

12288:KMrry90XZwOKNXb83dTrgD/ya8w4yR4WJXKi:RylRbQTrgDqa8wdam9

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afbd-134.dat	healer
behavioral1/files/0x000700000001afbd-133.dat	healer
behavioral1/memory/4624-135-0x00000000003A0000-0x00000000003AA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p0871760.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p0871760.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p0871760.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p0871760.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p0871760.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
4520	z0978593.exe
4624	p0871760.exe
4988	r9974647.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p0871760.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a83d2fd85a3a038933985bca867e614f193a103abdeeacdedb3c7d3880b07ca0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a83d2fd85a3a038933985bca867e614f193a103abdeeacdedb3c7d3880b07ca0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z0978593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0978593.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4624	p0871760.exe
4624	p0871760.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	p0871760.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4520	4524	a83d2fd85a3a038933985bca867e614f193a103abdeeacdedb3c7d3880b07ca0.exe	68
PID 4524 wrote to memory of 4520	4524	a83d2fd85a3a038933985bca867e614f193a103abdeeacdedb3c7d3880b07ca0.exe	68
PID 4524 wrote to memory of 4520	4524	a83d2fd85a3a038933985bca867e614f193a103abdeeacdedb3c7d3880b07ca0.exe	68
PID 4520 wrote to memory of 4624	4520	z0978593.exe	69
PID 4520 wrote to memory of 4624	4520	z0978593.exe	69
PID 4520 wrote to memory of 4988	4520	z0978593.exe	70
PID 4520 wrote to memory of 4988	4520	z0978593.exe	70
PID 4520 wrote to memory of 4988	4520	z0978593.exe	70

C:\Users\Admin\AppData\Local\Temp\a83d2fd85a3a038933985bca867e614f193a103abdeeacdedb3c7d3880b07ca0.exe
"C:\Users\Admin\AppData\Local\Temp\a83d2fd85a3a038933985bca867e614f193a103abdeeacdedb3c7d3880b07ca0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0978593.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0978593.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0871760.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0871760.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9974647.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9974647.exe
    3⤵
    - Executes dropped EXE
    PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0978593.exe

Filesize
206KB

MD5
e93ca0cd104702d5214025a623bfbcec

SHA1
96d838da359c124fe12fa692e1b86f8d6f1bcc01

SHA256
f2eae0cce7bf91c9b2cf50b8daf50427a5f7ebdd4b3b20c36a8c9afdeb4d19c3

SHA512
ded35b3d9cdecbe17d49fd4bf09328e10da9c617f1cec923e3a9b458d4eae0302b8822c5e4dffed688fc9b72e67b8ab31bc6294e2b52453faac91382ce32be00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0978593.exe

Filesize
206KB

MD5
e93ca0cd104702d5214025a623bfbcec

SHA1
96d838da359c124fe12fa692e1b86f8d6f1bcc01

SHA256
f2eae0cce7bf91c9b2cf50b8daf50427a5f7ebdd4b3b20c36a8c9afdeb4d19c3

SHA512
ded35b3d9cdecbe17d49fd4bf09328e10da9c617f1cec923e3a9b458d4eae0302b8822c5e4dffed688fc9b72e67b8ab31bc6294e2b52453faac91382ce32be00

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0871760.exe

Filesize
15KB

MD5
e93cb32d9a4ae9a4e03d12256237ad39

SHA1
9f65546b5183cecf92b6786975cf92aff455facf

SHA256
bd85b5c1b52d6162cf966391c899af643953e4d91a623bb4c97850e776e91724

SHA512
5ae289e89d628135cd143e54995ebfa0a078966e007aca88ec4a76d17a5dfbbe04a79d72836f8bd2acadc7279cc71425c95ee8c59be2eadb912a51367eea9e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0871760.exe

Filesize
15KB

MD5
e93cb32d9a4ae9a4e03d12256237ad39

SHA1
9f65546b5183cecf92b6786975cf92aff455facf

SHA256
bd85b5c1b52d6162cf966391c899af643953e4d91a623bb4c97850e776e91724

SHA512
5ae289e89d628135cd143e54995ebfa0a078966e007aca88ec4a76d17a5dfbbe04a79d72836f8bd2acadc7279cc71425c95ee8c59be2eadb912a51367eea9e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9974647.exe

Filesize
175KB

MD5
d0b48b96d3c6fa69dd75757f282ab14b

SHA1
a1e95fdc2bd24cdbd97e736835e853e3be8e81ff

SHA256
90428647d1e18e24e5bdac2c6694c77b861725dd76a4c1945e948ba5e3d7f4b9

SHA512
82d042d2f1722cc95a6d4e98e51814230ae9451e7180957443a3bb9ff5af356f4c061aade37b4afe4c423c15d0aa9ad88d15dd7ae7f314eaf68c4e558cb6c465

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r9974647.exe

Filesize
175KB

MD5
d0b48b96d3c6fa69dd75757f282ab14b

SHA1
a1e95fdc2bd24cdbd97e736835e853e3be8e81ff

SHA256
90428647d1e18e24e5bdac2c6694c77b861725dd76a4c1945e948ba5e3d7f4b9

SHA512
82d042d2f1722cc95a6d4e98e51814230ae9451e7180957443a3bb9ff5af356f4c061aade37b4afe4c423c15d0aa9ad88d15dd7ae7f314eaf68c4e558cb6c465

Download Submit
memory/4624-135-0x00000000003A0000-0x00000000003AA000-memory.dmp

Filesize
40KB

Download
memory/4624-138-0x00007FFD94AE0000-0x00007FFD954CC000-memory.dmp

Filesize
9.9MB

Download
memory/4624-136-0x00007FFD94AE0000-0x00007FFD954CC000-memory.dmp

Filesize
9.9MB

Download
memory/4988-142-0x0000000000880000-0x00000000008B0000-memory.dmp

Filesize
192KB

Download
memory/4988-143-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download
memory/4988-144-0x0000000002B00000-0x0000000002B06000-memory.dmp

Filesize
24KB

Download
memory/4988-145-0x000000000ABA0000-0x000000000B1A6000-memory.dmp

Filesize
6.0MB

Download
memory/4988-146-0x000000000A6A0000-0x000000000A7AA000-memory.dmp

Filesize
1.0MB

Download
memory/4988-147-0x000000000A5C0000-0x000000000A5D2000-memory.dmp

Filesize
72KB

Download
memory/4988-148-0x000000000A620000-0x000000000A65E000-memory.dmp

Filesize
248KB

Download
memory/4988-149-0x000000000A7B0000-0x000000000A7FB000-memory.dmp

Filesize
300KB

Download
memory/4988-150-0x0000000072BC0000-0x00000000732AE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads