healer | dc4881610aae65d50b42577b4bbc8c2ba598d759d5f5e817393923aa15279cb5

General

Target

dc4881610aae65d50b42577b4bbc8c2ba598d759d5f5e817393923aa15279cb5.exe
Size

389KB
MD5

f7d34b7643b7df4d83458c5f60559058
SHA1

0ca3f570fce4b8ec914c04101d97baec523ccaa2
SHA256

dc4881610aae65d50b42577b4bbc8c2ba598d759d5f5e817393923aa15279cb5
SHA512

e548c1bded97fd1a56b9ee702aa38f0811d86d9b67ef18b42babb11388fd9a749be2dc7b5e6c8ccafa2ca0d9e0440d69b17e5b22680aa777dc293897f5c9f8c2
SSDEEP

6144:Kwy+bnr+zp0yN90QEIn7RaewstBVjfqs5de1SnsRQHfmnZj5FX4harndRG3NACP:EMr/y90WNvVjfj5deoopV5yBNAi

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000800000002321d-145.dat	healer
behavioral1/files/0x000800000002321d-146.dat	healer
behavioral1/memory/4884-147-0x0000000000E40000-0x0000000000E4A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p3636958.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p3636958.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p3636958.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p3636958.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p3636958.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p3636958.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
2176	z3854126.exe
4884	p3636958.exe
2920	r6960198.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p3636958.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	dc4881610aae65d50b42577b4bbc8c2ba598d759d5f5e817393923aa15279cb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dc4881610aae65d50b42577b4bbc8c2ba598d759d5f5e817393923aa15279cb5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3854126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3854126.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4884	p3636958.exe
4884	p3636958.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	p3636958.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 2176	884	dc4881610aae65d50b42577b4bbc8c2ba598d759d5f5e817393923aa15279cb5.exe	86
PID 884 wrote to memory of 2176	884	dc4881610aae65d50b42577b4bbc8c2ba598d759d5f5e817393923aa15279cb5.exe	86
PID 884 wrote to memory of 2176	884	dc4881610aae65d50b42577b4bbc8c2ba598d759d5f5e817393923aa15279cb5.exe	86
PID 2176 wrote to memory of 4884	2176	z3854126.exe	87
PID 2176 wrote to memory of 4884	2176	z3854126.exe	87
PID 2176 wrote to memory of 2920	2176	z3854126.exe	90
PID 2176 wrote to memory of 2920	2176	z3854126.exe	90
PID 2176 wrote to memory of 2920	2176	z3854126.exe	90

C:\Users\Admin\AppData\Local\Temp\dc4881610aae65d50b42577b4bbc8c2ba598d759d5f5e817393923aa15279cb5.exe
"C:\Users\Admin\AppData\Local\Temp\dc4881610aae65d50b42577b4bbc8c2ba598d759d5f5e817393923aa15279cb5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:884
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3854126.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3854126.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3636958.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3636958.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4884
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6960198.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6960198.exe
    3⤵
    - Executes dropped EXE
    PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3854126.exe

Filesize
206KB

MD5
176cd625c82bc47285c36236c2ea41f2

SHA1
9e2f3128079d743bcca4d649dbd064a2f9355335

SHA256
ae808c20a2399360625a2394ae073c91b5bf0919a5457ce36eacf00126c55fb1

SHA512
3a7dfbd318fe606584804ab9ce5c7016bd167a963442dea5697ccee2491d44c5d09b440e30b027a692a087952f2a1e7b6592d9fd4d738e2120c42e5e2d7b55a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3854126.exe

Filesize
206KB

MD5
176cd625c82bc47285c36236c2ea41f2

SHA1
9e2f3128079d743bcca4d649dbd064a2f9355335

SHA256
ae808c20a2399360625a2394ae073c91b5bf0919a5457ce36eacf00126c55fb1

SHA512
3a7dfbd318fe606584804ab9ce5c7016bd167a963442dea5697ccee2491d44c5d09b440e30b027a692a087952f2a1e7b6592d9fd4d738e2120c42e5e2d7b55a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3636958.exe

Filesize
15KB

MD5
c8da767166dbd2f115c8c7bd007a7df0

SHA1
f423d2a2373ec4956797193651dd004b19c8f502

SHA256
55b77d1608a1d006b3f9d10c12ecbe081888af27b3f8e64b245b0f092ed4dc08

SHA512
c5f12113cff8ec19cccc4a694d10c8178c738fae2d96e3afd55e53bcec016b07ff887b62242ee3be2d4bdd8c279e74733f11905e77171c3726c7d87cd93eabdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p3636958.exe

Filesize
15KB

MD5
c8da767166dbd2f115c8c7bd007a7df0

SHA1
f423d2a2373ec4956797193651dd004b19c8f502

SHA256
55b77d1608a1d006b3f9d10c12ecbe081888af27b3f8e64b245b0f092ed4dc08

SHA512
c5f12113cff8ec19cccc4a694d10c8178c738fae2d96e3afd55e53bcec016b07ff887b62242ee3be2d4bdd8c279e74733f11905e77171c3726c7d87cd93eabdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6960198.exe

Filesize
175KB

MD5
1b2b6cd22049d08aaa51bc3961fd5d74

SHA1
e7eccf685e65d3efc6e2a67018aed20eef9712e0

SHA256
d163ed454de83050197f2a420cff900714aa4bae23eece22e12c68a5e9ea172b

SHA512
87ced57cfc2884276bf87c14b77700bdf63abb4b32324b7baf77a0c0b295b02257b15b6933f9518b603384577f2a18aaf5708cc8e8c9643e56dd2baf798d9015

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r6960198.exe

Filesize
175KB

MD5
1b2b6cd22049d08aaa51bc3961fd5d74

SHA1
e7eccf685e65d3efc6e2a67018aed20eef9712e0

SHA256
d163ed454de83050197f2a420cff900714aa4bae23eece22e12c68a5e9ea172b

SHA512
87ced57cfc2884276bf87c14b77700bdf63abb4b32324b7baf77a0c0b295b02257b15b6933f9518b603384577f2a18aaf5708cc8e8c9643e56dd2baf798d9015

Download Submit
memory/2920-157-0x0000000004F20000-0x000000000502A000-memory.dmp

Filesize
1.0MB

Download
memory/2920-154-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/2920-155-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2920-156-0x0000000005430000-0x0000000005A48000-memory.dmp

Filesize
6.1MB

Download
memory/2920-158-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/2920-159-0x0000000004DB0000-0x0000000004DC2000-memory.dmp

Filesize
72KB

Download
memory/2920-160-0x0000000004E50000-0x0000000004E8C000-memory.dmp

Filesize
240KB

Download
memory/2920-161-0x00000000744D0000-0x0000000074C80000-memory.dmp

Filesize
7.7MB

Download
memory/2920-162-0x0000000004E00000-0x0000000004E10000-memory.dmp

Filesize
64KB

Download
memory/4884-150-0x00007FFAE2E70000-0x00007FFAE3931000-memory.dmp

Filesize
10.8MB

Download
memory/4884-148-0x00007FFAE2E70000-0x00007FFAE3931000-memory.dmp

Filesize
10.8MB

Download
memory/4884-147-0x0000000000E40000-0x0000000000E4A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads