healer | d3594ef796b899037cbc4834a55723b44948deee106c415aa61522cfe119e40a

General

Target

d3594ef796b899037cbc4834a55723b44948deee106c415aa61522cfe119e40a.exe
Size

563KB
MD5

07c820efb94c4708a9cf195e6f4b8157
SHA1

ecaf86b92abc299656f6e941d44923a49dfda841
SHA256

d3594ef796b899037cbc4834a55723b44948deee106c415aa61522cfe119e40a
SHA512

0491767f7e0f136bd322d5258faf72e34e4734165037c5ef8b6cc367cb876be0a211eb973feb49d9bcd2f2d809ab82691115d60f370a6c465e3ef7121c2ddeb7
SSDEEP

12288:8Mr6y90Pgdkp7NGMsq50HcIPzwN7VNGKsRtqyqaMEEb4C7NlkYOtXj:uyF+vJP0HcIchiBqa/iJfAj

Score

10^/10

healer redline dava dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dava

C2

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002321c-153.dat	healer
behavioral1/files/0x000700000002321c-152.dat	healer
behavioral1/memory/4912-154-0x0000000000F50000-0x0000000000F5A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	r1003241.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r1003241.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r1003241.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r1003241.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r1003241.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r1003241.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3136	z6872401.exe
4684	z1631373.exe
4912	r1003241.exe
2236	s9288599.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	r1003241.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d3594ef796b899037cbc4834a55723b44948deee106c415aa61522cfe119e40a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6872401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1631373.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4912	r1003241.exe
4912	r1003241.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	r1003241.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 3136	1500	d3594ef796b899037cbc4834a55723b44948deee106c415aa61522cfe119e40a.exe	82
PID 1500 wrote to memory of 3136	1500	d3594ef796b899037cbc4834a55723b44948deee106c415aa61522cfe119e40a.exe	82
PID 1500 wrote to memory of 3136	1500	d3594ef796b899037cbc4834a55723b44948deee106c415aa61522cfe119e40a.exe	82
PID 3136 wrote to memory of 4684	3136	z6872401.exe	83
PID 3136 wrote to memory of 4684	3136	z6872401.exe	83
PID 3136 wrote to memory of 4684	3136	z6872401.exe	83
PID 4684 wrote to memory of 4912	4684	z1631373.exe	84
PID 4684 wrote to memory of 4912	4684	z1631373.exe	84
PID 4684 wrote to memory of 2236	4684	z1631373.exe	85
PID 4684 wrote to memory of 2236	4684	z1631373.exe	85
PID 4684 wrote to memory of 2236	4684	z1631373.exe	85

C:\Users\Admin\AppData\Local\Temp\d3594ef796b899037cbc4834a55723b44948deee106c415aa61522cfe119e40a.exe
"C:\Users\Admin\AppData\Local\Temp\d3594ef796b899037cbc4834a55723b44948deee106c415aa61522cfe119e40a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6872401.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6872401.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1631373.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1631373.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4684
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r1003241.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r1003241.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s9288599.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s9288599.exe
      4⤵
      Executes dropped EXE
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6872401.exe

Filesize
431KB

MD5
13da6cd61923a2ff6d9ec75d81a91acd

SHA1
5896addd3a9766622bb86254e315f8fbd2a086a0

SHA256
6aad63ca535a7a407ec236b612b37869b3d3437a75e8732509a25b973562be5c

SHA512
0e69ff13e388cc11b96f0024f2279ee1207085f3b96783915ce4b71282539597e44b63396618f1ad735b25e86c0f56ba6773a5c139d8a99d2ca34dac96abb840

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6872401.exe

Filesize
431KB

MD5
13da6cd61923a2ff6d9ec75d81a91acd

SHA1
5896addd3a9766622bb86254e315f8fbd2a086a0

SHA256
6aad63ca535a7a407ec236b612b37869b3d3437a75e8732509a25b973562be5c

SHA512
0e69ff13e388cc11b96f0024f2279ee1207085f3b96783915ce4b71282539597e44b63396618f1ad735b25e86c0f56ba6773a5c139d8a99d2ca34dac96abb840

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1631373.exe

Filesize
206KB

MD5
a3f1166e660e362018212064ec6c08b7

SHA1
ccaa3ba66e7ad5ca3b3a763c1b69452aa9860239

SHA256
75d4ec311d9494f52d7e6959c8bb0fdb0021011bf18d659ba73cd3691acf6464

SHA512
e8c60aac941ea7f3a03c6f68be592be591b0c243e62d75bc884690f779f41c72926e634f4dc53c49eb305df1129e424b71c71e3efa4a50076e684c1f27a2ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1631373.exe

Filesize
206KB

MD5
a3f1166e660e362018212064ec6c08b7

SHA1
ccaa3ba66e7ad5ca3b3a763c1b69452aa9860239

SHA256
75d4ec311d9494f52d7e6959c8bb0fdb0021011bf18d659ba73cd3691acf6464

SHA512
e8c60aac941ea7f3a03c6f68be592be591b0c243e62d75bc884690f779f41c72926e634f4dc53c49eb305df1129e424b71c71e3efa4a50076e684c1f27a2ca3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r1003241.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r1003241.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s9288599.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s9288599.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/2236-162-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2236-161-0x0000000000910000-0x0000000000940000-memory.dmp

Filesize
192KB

Download
memory/2236-163-0x00000000059C0000-0x0000000005FD8000-memory.dmp

Filesize
6.1MB

Download
memory/2236-164-0x00000000054B0000-0x00000000055BA000-memory.dmp

Filesize
1.0MB

Download
memory/2236-165-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/2236-166-0x00000000053E0000-0x00000000053F2000-memory.dmp

Filesize
72KB

Download
memory/2236-167-0x0000000005440000-0x000000000547C000-memory.dmp

Filesize
240KB

Download
memory/2236-168-0x0000000074380000-0x0000000074B30000-memory.dmp

Filesize
7.7MB

Download
memory/2236-169-0x0000000005290000-0x00000000052A0000-memory.dmp

Filesize
64KB

Download
memory/4912-157-0x00007FF92CBA0000-0x00007FF92D661000-memory.dmp

Filesize
10.8MB

Download
memory/4912-155-0x00007FF92CBA0000-0x00007FF92D661000-memory.dmp

Filesize
10.8MB

Download
memory/4912-154-0x0000000000F50000-0x0000000000F5A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads