healer | 636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312

General

Target

636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe
Size

564KB
MD5

0a35f9f79e11f242b6f7b188cb412889
SHA1

0dbefff228a0ae40ef3b48a747cefe0a79f8259d
SHA256

636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312
SHA512

a567244f44be5518f068babeedd87fbad34dd99890c83c9ce3d74b3e32fb7880ea93c71d0d74001a7325d83f5aff6709488b861bbd41b430957daba94c7179c1
SSDEEP

6144:Kdy+bnr+Pp0yN90QEUls0ZWQ4iXkW8nZNXcPE6Nsaimc58KteAXaLFdQ4/SshAV5:PMrry90KlVqiq6amg4x6shKJ4YWE5l

Score

10^/10

healer redline dava dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dava

C2

77.91.124.54:19071

Attributes

auth_value
3ce5222c1baaa06681dfe0012ce1de23

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000231db-152.dat	healer
behavioral1/files/0x00080000000231db-153.dat	healer
behavioral1/memory/2116-154-0x0000000000580000-0x000000000058A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	r5634742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	r5634742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	r5634742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	r5634742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	r5634742.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	r5634742.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1500	z4894357.exe
2360	z7400639.exe
2116	r5634742.exe
3596	s8920502.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	r5634742.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z4894357.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7400639.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2116	r5634742.exe
2116	r5634742.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	r5634742.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 1500	3508	636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe	81
PID 3508 wrote to memory of 1500	3508	636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe	81
PID 3508 wrote to memory of 1500	3508	636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe	81
PID 1500 wrote to memory of 2360	1500	z4894357.exe	82
PID 1500 wrote to memory of 2360	1500	z4894357.exe	82
PID 1500 wrote to memory of 2360	1500	z4894357.exe	82
PID 2360 wrote to memory of 2116	2360	z7400639.exe	83
PID 2360 wrote to memory of 2116	2360	z7400639.exe	83
PID 2360 wrote to memory of 3596	2360	z7400639.exe	92
PID 2360 wrote to memory of 3596	2360	z7400639.exe	92
PID 2360 wrote to memory of 3596	2360	z7400639.exe	92

C:\Users\Admin\AppData\Local\Temp\636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe
"C:\Users\Admin\AppData\Local\Temp\636c1baeefcbcdf9eb90eae5a7f87aa42a10bfeb67b39b55300f164d70196312.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4894357.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4894357.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7400639.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7400639.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r5634742.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r5634742.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2116
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s8920502.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s8920502.exe
      4⤵
      Executes dropped EXE
      PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4894357.exe

Filesize
431KB

MD5
11efa528c0a09577d61cbeccf8207969

SHA1
ed7f7aae19195a7b18dc7db56a2846b740b095c3

SHA256
d925b3391a6f6f3b7a82dcb99ecf5ae6ec1e545e824024b1526b12644c8ddc0a

SHA512
a493de3a054fa9ffa8a76ec29ec6d523ccb7cb30bee9813ab102b4e908b7faccc6dfd21562e3db50dc3e397d7730f77b4846dd5cfdebfcad691776129c33962b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4894357.exe

Filesize
431KB

MD5
11efa528c0a09577d61cbeccf8207969

SHA1
ed7f7aae19195a7b18dc7db56a2846b740b095c3

SHA256
d925b3391a6f6f3b7a82dcb99ecf5ae6ec1e545e824024b1526b12644c8ddc0a

SHA512
a493de3a054fa9ffa8a76ec29ec6d523ccb7cb30bee9813ab102b4e908b7faccc6dfd21562e3db50dc3e397d7730f77b4846dd5cfdebfcad691776129c33962b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7400639.exe

Filesize
206KB

MD5
e5529e0b6c75da8b8a72d2b83c425f24

SHA1
567e7a2ce9861873aaafef89b8a4345b3e3c1bdf

SHA256
2e1c01e207072f56b1cc3f84e451cad1a206834f2f7458eb12206253d9b854f0

SHA512
0ae818979d5940158c92e1452fba6dba2eec91f2b38a49b5719fbd1470bf3dd53b830b89f0418f32b23a14aa6ed6b0320247b6dcebe336b8b4773812ac9d67a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7400639.exe

Filesize
206KB

MD5
e5529e0b6c75da8b8a72d2b83c425f24

SHA1
567e7a2ce9861873aaafef89b8a4345b3e3c1bdf

SHA256
2e1c01e207072f56b1cc3f84e451cad1a206834f2f7458eb12206253d9b854f0

SHA512
0ae818979d5940158c92e1452fba6dba2eec91f2b38a49b5719fbd1470bf3dd53b830b89f0418f32b23a14aa6ed6b0320247b6dcebe336b8b4773812ac9d67a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r5634742.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\r5634742.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s8920502.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\s8920502.exe

Filesize
174KB

MD5
d6697deb3ae5b7fb32f56cbe43452459

SHA1
8e580e96222a22c2b5016be25a034f6e011c5e78

SHA256
fb2fd350a95db5d37f97c78da3386e8d7d31d4ce43122f9f030a3c3d20542a53

SHA512
020c9c9e9e5ac912d42d982871df494cce3d550b860da2eccf6e25ab5e4c7a8d77a924394a94f76a6cbc05ed506b91738832788804d06b7033e4cd49258c3ed1

Download Submit
memory/2116-157-0x00007FFED34E0000-0x00007FFED3FA1000-memory.dmp

Filesize
10.8MB

Download
memory/2116-155-0x00007FFED34E0000-0x00007FFED3FA1000-memory.dmp

Filesize
10.8MB

Download
memory/2116-154-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/3596-161-0x00000000004C0000-0x00000000004F0000-memory.dmp

Filesize
192KB

Download
memory/3596-162-0x0000000073FE0000-0x0000000074790000-memory.dmp

Filesize
7.7MB

Download
memory/3596-163-0x0000000005440000-0x0000000005A58000-memory.dmp

Filesize
6.1MB

Download
memory/3596-164-0x0000000004F30000-0x000000000503A000-memory.dmp

Filesize
1.0MB

Download
memory/3596-166-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/3596-165-0x0000000004E50000-0x0000000004E62000-memory.dmp

Filesize
72KB

Download
memory/3596-167-0x0000000004EB0000-0x0000000004EEC000-memory.dmp

Filesize
240KB

Download
memory/3596-168-0x0000000073FE0000-0x0000000074790000-memory.dmp

Filesize
7.7MB

Download
memory/3596-169-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads