healer | a500b971ebacac5bdf1d6a3c11a1a86ad1beb53f5d5c76734f6d02810edac9ac

General

Target

a500b971ebacac5bdf1d6a3c11a1a86ad1beb53f5d5c76734f6d02810edac9ac.exe
Size

754KB
MD5

828e0ed8997abebc44cdc8f2d330ff1b
SHA1

9155992b31a36d926ba400837e380dedb1793746
SHA256

a500b971ebacac5bdf1d6a3c11a1a86ad1beb53f5d5c76734f6d02810edac9ac
SHA512

5b4d8eff80d2f3ebe545c1470a5932e9094f8e9be0d3a9e553ae00c2c5e1a4a865c5eb11d2387ee14563088ed6aa521e43a7244134723b63e83627cf24250cf2
SSDEEP

12288:yMrsy90sbBONZtssZ+qgV/7z1FnasnGXIC4jVUUUlm6Elb6yDX:qytsgsZ+qg/RGGB0lIN6yDX

Score

10^/10

healer redline buben dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

buben

C2

77.91.124.82:19071

Attributes

auth_value
c62fa04aa45f5b78f62d2c21fcbefdec

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/2904-21-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
1136	x8401701.exe
1608	x0968766.exe
2820	g7801694.exe
3872	h7324244.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	x8401701.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	x0968766.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a500b971ebacac5bdf1d6a3c11a1a86ad1beb53f5d5c76734f6d02810edac9ac.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2820 set thread context of 2904	2820	g7801694.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2000	2820	WerFault.exe	84

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2904	AppLaunch.exe
2904	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	AppLaunch.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1136	1708	a500b971ebacac5bdf1d6a3c11a1a86ad1beb53f5d5c76734f6d02810edac9ac.exe	82
PID 1708 wrote to memory of 1136	1708	a500b971ebacac5bdf1d6a3c11a1a86ad1beb53f5d5c76734f6d02810edac9ac.exe	82
PID 1708 wrote to memory of 1136	1708	a500b971ebacac5bdf1d6a3c11a1a86ad1beb53f5d5c76734f6d02810edac9ac.exe	82
PID 1136 wrote to memory of 1608	1136	x8401701.exe	83
PID 1136 wrote to memory of 1608	1136	x8401701.exe	83
PID 1136 wrote to memory of 1608	1136	x8401701.exe	83
PID 1608 wrote to memory of 2820	1608	x0968766.exe	84
PID 1608 wrote to memory of 2820	1608	x0968766.exe	84
PID 1608 wrote to memory of 2820	1608	x0968766.exe	84
PID 2820 wrote to memory of 2904	2820	g7801694.exe	86
PID 2820 wrote to memory of 2904	2820	g7801694.exe	86
PID 2820 wrote to memory of 2904	2820	g7801694.exe	86
PID 2820 wrote to memory of 2904	2820	g7801694.exe	86
PID 2820 wrote to memory of 2904	2820	g7801694.exe	86
PID 2820 wrote to memory of 2904	2820	g7801694.exe	86
PID 2820 wrote to memory of 2904	2820	g7801694.exe	86
PID 2820 wrote to memory of 2904	2820	g7801694.exe	86
PID 1608 wrote to memory of 3872	1608	x0968766.exe	91
PID 1608 wrote to memory of 3872	1608	x0968766.exe	91
PID 1608 wrote to memory of 3872	1608	x0968766.exe	91

C:\Users\Admin\AppData\Local\Temp\a500b971ebacac5bdf1d6a3c11a1a86ad1beb53f5d5c76734f6d02810edac9ac.exe
"C:\Users\Admin\AppData\Local\Temp\a500b971ebacac5bdf1d6a3c11a1a86ad1beb53f5d5c76734f6d02810edac9ac.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8401701.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8401701.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0968766.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0968766.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7801694.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7801694.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 148
        5⤵
        Program crash
        
        PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7324244.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7324244.exe
      4⤵
      Executes dropped EXE
      PID:3872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2820 -ip 2820
1⤵
PID:456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8401701.exe

Filesize
652KB

MD5
4bb7ae935460f7c917f658614f4ebe56

SHA1
7959f2b8e1cc4dd03632b172927201cc5d0541d4

SHA256
7274f079b438a4c75db999714e9c9b881da444b35f58260b3ea05dfbb798f92b

SHA512
43aacd2e29c218a156ff02405e153872f7d8a04e06a6a808d5b292dfac7908394277fca3e4fc28d802cad192f335cae66cac216d68162b863bb8c71d816618fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x8401701.exe

Filesize
652KB

MD5
4bb7ae935460f7c917f658614f4ebe56

SHA1
7959f2b8e1cc4dd03632b172927201cc5d0541d4

SHA256
7274f079b438a4c75db999714e9c9b881da444b35f58260b3ea05dfbb798f92b

SHA512
43aacd2e29c218a156ff02405e153872f7d8a04e06a6a808d5b292dfac7908394277fca3e4fc28d802cad192f335cae66cac216d68162b863bb8c71d816618fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0968766.exe

Filesize
467KB

MD5
a7f4dd799db4bd8719441224a08c18c7

SHA1
8bb844618ae0145bad547b9e434c1e329857abc0

SHA256
934f703374d9513623146da91717a703f20c27a0f80e0da1ca0f8384b090b71b

SHA512
f5968a9c9c6eae09a80c577c3a41891d968ccb7348a0ab4bcc4a476c3eaa7f8384cf6892929da8887577bc95b2bc8b6c9191aec9ca5237b996a704cadd51d140

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x0968766.exe

Filesize
467KB

MD5
a7f4dd799db4bd8719441224a08c18c7

SHA1
8bb844618ae0145bad547b9e434c1e329857abc0

SHA256
934f703374d9513623146da91717a703f20c27a0f80e0da1ca0f8384b090b71b

SHA512
f5968a9c9c6eae09a80c577c3a41891d968ccb7348a0ab4bcc4a476c3eaa7f8384cf6892929da8887577bc95b2bc8b6c9191aec9ca5237b996a704cadd51d140

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7801694.exe

Filesize
899KB

MD5
a1abdb76b29f5bf7e1a9ecd0030ef1a7

SHA1
76d389becea05ef859273507951318326e83c6f5

SHA256
4ebc70142820830a1898175f1df6cba1df353cd6e176af8b53a7a40040220714

SHA512
ff48b8a263659f1ce6461e5558d1e93c8dad68557d9d6963e5779ec0c27b4b89373300ad483445b7d44e44d34440c9c659eec57f039f5b1919d3b5317eee884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7801694.exe

Filesize
899KB

MD5
a1abdb76b29f5bf7e1a9ecd0030ef1a7

SHA1
76d389becea05ef859273507951318326e83c6f5

SHA256
4ebc70142820830a1898175f1df6cba1df353cd6e176af8b53a7a40040220714

SHA512
ff48b8a263659f1ce6461e5558d1e93c8dad68557d9d6963e5779ec0c27b4b89373300ad483445b7d44e44d34440c9c659eec57f039f5b1919d3b5317eee884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7324244.exe

Filesize
174KB

MD5
4d2e38444f677f2e94f1ce9929b8ead3

SHA1
542be923940455241c1f8db4c78eea7e2b63d84d

SHA256
a77a8d9cdac77ddab660d0a63d6a91152305c8b6ec2bb4bdbc47a25cd851a1ce

SHA512
f9f132d1c36c746c9a91185f7ba2839e8c9b4d5d10992ceb65fe294dd66bcd3882b91fcdac7d614a06f5e4ba7535f10a934de0d48b6efa246df4679ba3387854

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h7324244.exe

Filesize
174KB

MD5
4d2e38444f677f2e94f1ce9929b8ead3

SHA1
542be923940455241c1f8db4c78eea7e2b63d84d

SHA256
a77a8d9cdac77ddab660d0a63d6a91152305c8b6ec2bb4bdbc47a25cd851a1ce

SHA512
f9f132d1c36c746c9a91185f7ba2839e8c9b4d5d10992ceb65fe294dd66bcd3882b91fcdac7d614a06f5e4ba7535f10a934de0d48b6efa246df4679ba3387854

Download Submit
memory/2904-35-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2904-21-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2904-22-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/2904-38-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3872-26-0x0000000000C40000-0x0000000000C70000-memory.dmp

Filesize
192KB

Download
memory/3872-29-0x0000000005D40000-0x0000000006358000-memory.dmp

Filesize
6.1MB

Download
memory/3872-30-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/3872-31-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/3872-32-0x0000000005720000-0x0000000005732000-memory.dmp

Filesize
72KB

Download
memory/3872-33-0x0000000005780000-0x00000000057BC000-memory.dmp

Filesize
240KB

Download
memory/3872-34-0x00000000057C0000-0x000000000580C000-memory.dmp

Filesize
304KB

Download
memory/3872-28-0x0000000002CA0000-0x0000000002CA6000-memory.dmp

Filesize
24KB

Download
memory/3872-36-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3872-27-0x0000000074820000-0x0000000074FD0000-memory.dmp

Filesize
7.7MB

Download
memory/3872-39-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads