healer | a46f30d95bf1e4d6998d6e1e9670e89071253e0e418201de919ecef360950d19

General

Target

a46f30d95bf1e4d6998d6e1e9670e89071253e0e418201de919ecef360950d19.exe
Size

389KB
MD5

becabbca0941778fb8f52ebcf672ad0a
SHA1

da72cfa309e64af3faac23d8a7896fd5d1ad8244
SHA256

a46f30d95bf1e4d6998d6e1e9670e89071253e0e418201de919ecef360950d19
SHA512

b15d5e51c2e4042114d1a9fa04457d67bf9c5cea5dd7fabef7c0b1ce79fc9ad802b40b452e93acf5698478be5db988d8aac62192a12d76a7e5ccb5375595c547
SSDEEP

6144:Koy+bnr+xp0yN90QENkSoTkaWu5VEzkW2PZNwGepXZpTBy15SlObUhqb96NLrx3:IMrpy902j5V0pbtyTawb9E3

Score

10^/10

healer redline nasa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

nasa

C2

77.91.68.68:19071

Attributes

auth_value
6da71218d8a9738ea3a9a78b5677589b

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023211-144.dat	healer
behavioral1/files/0x0007000000023211-146.dat	healer
behavioral1/memory/1908-147-0x00000000001E0000-0x00000000001EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	p0399742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	p0399742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	p0399742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	p0399742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	p0399742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	p0399742.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 3 IoCs

pid	Process
1196	z3174339.exe
1908	p0399742.exe
1928	r0707251.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	p0399742.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	a46f30d95bf1e4d6998d6e1e9670e89071253e0e418201de919ecef360950d19.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a46f30d95bf1e4d6998d6e1e9670e89071253e0e418201de919ecef360950d19.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	z3174339.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3174339.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1908	p0399742.exe
1908	p0399742.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1908	p0399742.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 1196	4924	a46f30d95bf1e4d6998d6e1e9670e89071253e0e418201de919ecef360950d19.exe	85
PID 4924 wrote to memory of 1196	4924	a46f30d95bf1e4d6998d6e1e9670e89071253e0e418201de919ecef360950d19.exe	85
PID 4924 wrote to memory of 1196	4924	a46f30d95bf1e4d6998d6e1e9670e89071253e0e418201de919ecef360950d19.exe	85
PID 1196 wrote to memory of 1908	1196	z3174339.exe	86
PID 1196 wrote to memory of 1908	1196	z3174339.exe	86
PID 1196 wrote to memory of 1928	1196	z3174339.exe	88
PID 1196 wrote to memory of 1928	1196	z3174339.exe	88
PID 1196 wrote to memory of 1928	1196	z3174339.exe	88

C:\Users\Admin\AppData\Local\Temp\a46f30d95bf1e4d6998d6e1e9670e89071253e0e418201de919ecef360950d19.exe
"C:\Users\Admin\AppData\Local\Temp\a46f30d95bf1e4d6998d6e1e9670e89071253e0e418201de919ecef360950d19.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3174339.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3174339.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0399742.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0399742.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0707251.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0707251.exe
    3⤵
    - Executes dropped EXE
    PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3174339.exe

Filesize
206KB

MD5
182eb3ff5e5056a4b4acff1bce91d1f2

SHA1
8adb99c59ddd37286a27de271cb5d6d3d19e51c2

SHA256
8223b5fe2ede4b24373d1e832b38b22e18b785b361a27afc61fef90cd87627fa

SHA512
ad35005db48a92abc6c183a7a1daebc4dbbfea1b703e88c2159dd61c5f6863244f5ae66568a604cf42cf167f05d8d963ba15312d7fae473e8c3a17c5b67dd979

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3174339.exe

Filesize
206KB

MD5
182eb3ff5e5056a4b4acff1bce91d1f2

SHA1
8adb99c59ddd37286a27de271cb5d6d3d19e51c2

SHA256
8223b5fe2ede4b24373d1e832b38b22e18b785b361a27afc61fef90cd87627fa

SHA512
ad35005db48a92abc6c183a7a1daebc4dbbfea1b703e88c2159dd61c5f6863244f5ae66568a604cf42cf167f05d8d963ba15312d7fae473e8c3a17c5b67dd979

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0399742.exe

Filesize
15KB

MD5
cbafe7982b797fb29c8467b5133204db

SHA1
31c83dde04f2b9dc550c02457982403c87c6f5cc

SHA256
c0ffc2875105725511d220d881dccc4fbaa382bcdc849455e2049ae204a77918

SHA512
ff476a4436aaa23432843b717c39e7cfb76914223526b6a66a600f16c9de077447a76e383797f76e20d7475045eae162afc0f630b760faf375dfa2b17dd2fd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\p0399742.exe

Filesize
15KB

MD5
cbafe7982b797fb29c8467b5133204db

SHA1
31c83dde04f2b9dc550c02457982403c87c6f5cc

SHA256
c0ffc2875105725511d220d881dccc4fbaa382bcdc849455e2049ae204a77918

SHA512
ff476a4436aaa23432843b717c39e7cfb76914223526b6a66a600f16c9de077447a76e383797f76e20d7475045eae162afc0f630b760faf375dfa2b17dd2fd3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0707251.exe

Filesize
175KB

MD5
caa6b3eb8f4b2947c993942f297181a4

SHA1
f937bd50df0c71fc32c06f0a9f6a2ed7add19f80

SHA256
2717a3eceb5f0f1306b9ee18f72a615e37105d86093175370c2efbc9420dfb41

SHA512
15f88e88e94889f4a8e762b8d74cb8e76aedff4eb56a384925521be909779424536fbb04b3ab1ce5e7ebb69d709e3bf5adf9bb01c5b0d0c95e7f962b69270fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r0707251.exe

Filesize
175KB

MD5
caa6b3eb8f4b2947c993942f297181a4

SHA1
f937bd50df0c71fc32c06f0a9f6a2ed7add19f80

SHA256
2717a3eceb5f0f1306b9ee18f72a615e37105d86093175370c2efbc9420dfb41

SHA512
15f88e88e94889f4a8e762b8d74cb8e76aedff4eb56a384925521be909779424536fbb04b3ab1ce5e7ebb69d709e3bf5adf9bb01c5b0d0c95e7f962b69270fa1

Download Submit
memory/1908-147-0x00000000001E0000-0x00000000001EA000-memory.dmp

Filesize
40KB

Download
memory/1908-150-0x00007FFC2C370000-0x00007FFC2CE31000-memory.dmp

Filesize
10.8MB

Download
memory/1908-148-0x00007FFC2C370000-0x00007FFC2CE31000-memory.dmp

Filesize
10.8MB

Download
memory/1928-154-0x00000000007B0000-0x00000000007E0000-memory.dmp

Filesize
192KB

Download
memory/1928-155-0x0000000074120000-0x00000000748D0000-memory.dmp

Filesize
7.7MB

Download
memory/1928-156-0x000000000ABF0000-0x000000000B208000-memory.dmp

Filesize
6.1MB

Download
memory/1928-157-0x000000000A760000-0x000000000A86A000-memory.dmp

Filesize
1.0MB

Download
memory/1928-159-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download
memory/1928-158-0x000000000A6A0000-0x000000000A6B2000-memory.dmp

Filesize
72KB

Download
memory/1928-160-0x000000000A700000-0x000000000A73C000-memory.dmp

Filesize
240KB

Download
memory/1928-161-0x0000000074120000-0x00000000748D0000-memory.dmp

Filesize
7.7MB

Download
memory/1928-162-0x0000000005240000-0x0000000005250000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads