healer | dbdbf2d214befe3e34f94bd671f8c084af36d3bffdde93f942ee724311a24ecc

Analysis

max time kernel
156s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
21-10-2023 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e2537e7eee02e7684bee997333ab9d40_JC.exe
Size

828KB
MD5

e2537e7eee02e7684bee997333ab9d40
SHA1

39858ef8150a7a9afbca6175b18933453de5e980
SHA256

dbdbf2d214befe3e34f94bd671f8c084af36d3bffdde93f942ee724311a24ecc
SHA512

b0eec4c7ce306fafe7b8e364ec9f20c264b66e49b7cdc249724c4e799a47691aa2abbd03750de9fb537ad5cc722919a47c3c06a048024ce7f3ac4f04d0ac6760
SSDEEP

12288:nMrqy90dztUsrjECbMmlThIzh+Z0UPUQ1vj84A0/1or9KgETcaBbKOPvqL9VXP9K:pyotbjECbhZ0UZRttq9LyXI9VfR/eRh

Score

10^/10

healer mystic redline jaja dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

jaja

77.91.124.73:19071

Attributes

auth_value
3670179d176ca399ed08e7914610b43c

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000022dec-41.dat	family_mystic
behavioral2/files/0x0008000000022dec-42.dat	family_mystic

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x000a000000022de6-33.dat	healer
behavioral2/files/0x000a000000022de6-34.dat	healer
behavioral2/memory/1960-35-0x0000000000480000-0x000000000048A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0168194.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a0168194.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0168194.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0168194.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0168194.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0168194.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3856	v8660466.exe
1368	v1467285.exe
548	v5639748.exe
1460	v5740047.exe
1960	a0168194.exe
2176	b3784967.exe
1628	c5754882.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0168194.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.e2537e7eee02e7684bee997333ab9d40_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8660466.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1467285.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5639748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5740047.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1960	a0168194.exe
1960	a0168194.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1960	a0168194.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 3856	4584	NEAS.e2537e7eee02e7684bee997333ab9d40_JC.exe	88
PID 4584 wrote to memory of 3856	4584	NEAS.e2537e7eee02e7684bee997333ab9d40_JC.exe	88
PID 4584 wrote to memory of 3856	4584	NEAS.e2537e7eee02e7684bee997333ab9d40_JC.exe	88
PID 3856 wrote to memory of 1368	3856	v8660466.exe	89
PID 3856 wrote to memory of 1368	3856	v8660466.exe	89
PID 3856 wrote to memory of 1368	3856	v8660466.exe	89
PID 1368 wrote to memory of 548	1368	v1467285.exe	90
PID 1368 wrote to memory of 548	1368	v1467285.exe	90
PID 1368 wrote to memory of 548	1368	v1467285.exe	90
PID 548 wrote to memory of 1460	548	v5639748.exe	91
PID 548 wrote to memory of 1460	548	v5639748.exe	91
PID 548 wrote to memory of 1460	548	v5639748.exe	91
PID 1460 wrote to memory of 1960	1460	v5740047.exe	92
PID 1460 wrote to memory of 1960	1460	v5740047.exe	92
PID 1460 wrote to memory of 2176	1460	v5740047.exe	95
PID 1460 wrote to memory of 2176	1460	v5740047.exe	95
PID 1460 wrote to memory of 2176	1460	v5740047.exe	95
PID 548 wrote to memory of 1628	548	v5639748.exe	96
PID 548 wrote to memory of 1628	548	v5639748.exe	96
PID 548 wrote to memory of 1628	548	v5639748.exe	96

C:\Users\Admin\AppData\Local\Temp\NEAS.e2537e7eee02e7684bee997333ab9d40_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e2537e7eee02e7684bee997333ab9d40_JC.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8660466.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8660466.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1467285.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1467285.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5639748.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5639748.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:548
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5740047.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5740047.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0168194.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0168194.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3784967.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3784967.exe
        6⤵
        Executes dropped EXE
        
        PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5754882.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5754882.exe
        5⤵
        Executes dropped EXE
        
        PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8660466.exe

Filesize
723KB

MD5
415555ba47944afaf563f9718977c7f8

SHA1
a05abed9f844bf2bcb069af169bdddec25a9d324

SHA256
58d4a4e267b5caa280c970a01c5c6a4b801e141599f479244c85f15a8436bb82

SHA512
69719c760cefd2f0659a40f1d43a7440c999bb23fd636dd8c332abd739a1cd465624a4aa950bdc60177bd464d64dc07716ac73b6e6f2528eaacd852e1cbc79cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8660466.exe

Filesize
723KB

MD5
415555ba47944afaf563f9718977c7f8

SHA1
a05abed9f844bf2bcb069af169bdddec25a9d324

SHA256
58d4a4e267b5caa280c970a01c5c6a4b801e141599f479244c85f15a8436bb82

SHA512
69719c760cefd2f0659a40f1d43a7440c999bb23fd636dd8c332abd739a1cd465624a4aa950bdc60177bd464d64dc07716ac73b6e6f2528eaacd852e1cbc79cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1467285.exe

Filesize
497KB

MD5
12cb47ab7180c56f1b4189139e71b6ae

SHA1
dd2dcbbe6a2f5c5f460bc571e17c796e44740b22

SHA256
139727d04692ae3e774bd83716c13a2a692600a9f72931a4a54fe11c49486dd1

SHA512
bfc42de1cbee3caa06f02cb4b767539f32f1395ecbe77ab38e2c8dfd110bcb2cfe1e6033881b3c23d6caecfe170bd47c7023d456ee64c859fd9f43874425f506

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1467285.exe

Filesize
497KB

MD5
12cb47ab7180c56f1b4189139e71b6ae

SHA1
dd2dcbbe6a2f5c5f460bc571e17c796e44740b22

SHA256
139727d04692ae3e774bd83716c13a2a692600a9f72931a4a54fe11c49486dd1

SHA512
bfc42de1cbee3caa06f02cb4b767539f32f1395ecbe77ab38e2c8dfd110bcb2cfe1e6033881b3c23d6caecfe170bd47c7023d456ee64c859fd9f43874425f506

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5639748.exe

Filesize
373KB

MD5
73a381513d9be2fce53f59c72894a463

SHA1
b3eac8b29e341f607fda66414d27c312a4a20f85

SHA256
b4a0d06b15d5133ac593febfde376d5fc63269e1ddbe06f770b6289650770b3a

SHA512
ee687da206136b7f72fe2837247780168de91b1a0a734727c10aff5b66bdc9c3704c38f5331943e988985974ffb112cd4ed6140975f2d123b2a8fb8dfd4fd4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5639748.exe

Filesize
373KB

MD5
73a381513d9be2fce53f59c72894a463

SHA1
b3eac8b29e341f607fda66414d27c312a4a20f85

SHA256
b4a0d06b15d5133ac593febfde376d5fc63269e1ddbe06f770b6289650770b3a

SHA512
ee687da206136b7f72fe2837247780168de91b1a0a734727c10aff5b66bdc9c3704c38f5331943e988985974ffb112cd4ed6140975f2d123b2a8fb8dfd4fd4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5754882.exe

Filesize
174KB

MD5
43265bcc005d9a1503337598df008d86

SHA1
4b486f9df4dc55196d239233f5b08730d707e2c2

SHA256
314d3100f41aae15aef90f5e94d62c4349fc0cf8004170a2f233a988d10eca00

SHA512
dd64761d11aaf380cccedff1d14f6e36284450d4edf8777940c24d3f4eb7f1ba1369dbc903247f7bf765d55ee596a993e8512aec763fce3da71e4d4365752214

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c5754882.exe

Filesize
174KB

MD5
43265bcc005d9a1503337598df008d86

SHA1
4b486f9df4dc55196d239233f5b08730d707e2c2

SHA256
314d3100f41aae15aef90f5e94d62c4349fc0cf8004170a2f233a988d10eca00

SHA512
dd64761d11aaf380cccedff1d14f6e36284450d4edf8777940c24d3f4eb7f1ba1369dbc903247f7bf765d55ee596a993e8512aec763fce3da71e4d4365752214

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5740047.exe

Filesize
217KB

MD5
81feecb848547342f5276e6ce9097966

SHA1
e5b8db9aa2d405bb8cd1a59948f482b2d4c6be70

SHA256
88285d094d03bacaa3fe9684832f4de049cc6607dbef8db6efda0d66c7325c10

SHA512
9c2bbe33a7f761b721944979a68c20c8febc91559a7ef99756df23c071f73b7476076950dfd8ab6826bf04fce44e29699f20fa3105ec32be33bf95798deca70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5740047.exe

Filesize
217KB

MD5
81feecb848547342f5276e6ce9097966

SHA1
e5b8db9aa2d405bb8cd1a59948f482b2d4c6be70

SHA256
88285d094d03bacaa3fe9684832f4de049cc6607dbef8db6efda0d66c7325c10

SHA512
9c2bbe33a7f761b721944979a68c20c8febc91559a7ef99756df23c071f73b7476076950dfd8ab6826bf04fce44e29699f20fa3105ec32be33bf95798deca70e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0168194.exe

Filesize
14KB

MD5
83361b313229ca02e56e354849c3dd6d

SHA1
f7deacf3acf99bddf7093174c4879cc8a6a7a557

SHA256
c2b87ae8a030650f91d000433ea144aa022fe4782cfba2cf8061dd31749a797a

SHA512
ecc4b4dda02679e0908fc3420ca776479bc688220fc5fa5c20a1d88670d6adc3c8c7335c132059928ab90fdb22813fea694ab42d9796d7e54441d1faa85374ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0168194.exe

Filesize
14KB

MD5
83361b313229ca02e56e354849c3dd6d

SHA1
f7deacf3acf99bddf7093174c4879cc8a6a7a557

SHA256
c2b87ae8a030650f91d000433ea144aa022fe4782cfba2cf8061dd31749a797a

SHA512
ecc4b4dda02679e0908fc3420ca776479bc688220fc5fa5c20a1d88670d6adc3c8c7335c132059928ab90fdb22813fea694ab42d9796d7e54441d1faa85374ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3784967.exe

Filesize
141KB

MD5
2a7607153562d2d5d1df279631aba1a7

SHA1
914a04e4cd0992bd88f8b533737e1ac96ba9f68f

SHA256
28652bf8e6fbac45ae8d1aa57f25ca24dec945acb6abc62a51833d75750ea6a0

SHA512
63de2e129e4b7b7b29cb7ea73e9c2fee97e9403832268ae1fe920b18d0fad7957ca3a325ede20f8188b0c49e97db1a8b52a668bc0ac405604bfbbfe0054389d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3784967.exe

Filesize
141KB

MD5
2a7607153562d2d5d1df279631aba1a7

SHA1
914a04e4cd0992bd88f8b533737e1ac96ba9f68f

SHA256
28652bf8e6fbac45ae8d1aa57f25ca24dec945acb6abc62a51833d75750ea6a0

SHA512
63de2e129e4b7b7b29cb7ea73e9c2fee97e9403832268ae1fe920b18d0fad7957ca3a325ede20f8188b0c49e97db1a8b52a668bc0ac405604bfbbfe0054389d2

Download Submit
memory/1628-53-0x000000000AC00000-0x000000000AC3C000-memory.dmp

Filesize
240KB

Download
memory/1628-50-0x000000000AC60000-0x000000000AD6A000-memory.dmp

Filesize
1.0MB

Download
memory/1628-56-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/1628-55-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1628-46-0x0000000000DF0000-0x0000000000E20000-memory.dmp

Filesize
192KB

Download
memory/1628-47-0x0000000074430000-0x0000000074BE0000-memory.dmp

Filesize
7.7MB

Download
memory/1628-54-0x000000000AD70000-0x000000000ADBC000-memory.dmp

Filesize
304KB

Download
memory/1628-49-0x000000000B0E0000-0x000000000B6F8000-memory.dmp

Filesize
6.1MB

Download
memory/1628-48-0x0000000005590000-0x0000000005596000-memory.dmp

Filesize
24KB

Download
memory/1628-52-0x000000000ABA0000-0x000000000ABB2000-memory.dmp

Filesize
72KB

Download
memory/1628-51-0x00000000055B0000-0x00000000055C0000-memory.dmp

Filesize
64KB

Download
memory/1960-39-0x00007FFBBCB80000-0x00007FFBBD641000-memory.dmp

Filesize
10.8MB

Download
memory/1960-37-0x00007FFBBCB80000-0x00007FFBBD641000-memory.dmp

Filesize
10.8MB

Download
memory/1960-35-0x0000000000480000-0x000000000048A000-memory.dmp

Filesize
40KB

Download
memory/1960-36-0x00007FFBBCB80000-0x00007FFBBD641000-memory.dmp

Filesize
10.8MB

Download