healer | cb84a03f862a465993f39d0fe0295e86fd29be1087f5a4520741370dea44531a

General

Target

NEAS.7261711d4f2c90a46ae8c035ce124af0.exe
Size

372KB
MD5

7261711d4f2c90a46ae8c035ce124af0
SHA1

9d2a01d52915c412e7a9c546b8f3b2380d1d5c49
SHA256

cb84a03f862a465993f39d0fe0295e86fd29be1087f5a4520741370dea44531a
SHA512

b0cd5fec35bd0ec021b7cbd9f993212883a1b45ff984f20f0cb5943f7eb4581fb3e7b27d6a83c1bc04e8b88dd8e150ee0385ef23e4895a698067ae3f939bf74d
SSDEEP

6144:Kly+bnr+Ep0yN90QE64WfV0ZMA16Lo2NW0wH9IQ7Cl2Q4ozApvO2SqY9F9BibS7t:zMrky90k0nio2gq2QzzSiquGamM

Score

10^/10

healer mystic redline stas dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

stas

C2

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000022d91-19.dat	family_mystic
behavioral1/files/0x0007000000022d91-20.dat	family_mystic

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000022d90-12.dat	healer
behavioral1/files/0x0008000000022d90-13.dat	healer
behavioral1/memory/2104-14-0x0000000000F40000-0x0000000000F4A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5105470.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5105470.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5105470.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5105470.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5105470.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5105470.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 4 IoCs

pid	Process
3380	v1619372.exe
2104	a5105470.exe
4740	b2106397.exe
2024	c3022989.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5105470.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.7261711d4f2c90a46ae8c035ce124af0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1619372.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2104	a5105470.exe
2104	a5105470.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	a5105470.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 3380	864	NEAS.7261711d4f2c90a46ae8c035ce124af0.exe	83
PID 864 wrote to memory of 3380	864	NEAS.7261711d4f2c90a46ae8c035ce124af0.exe	83
PID 864 wrote to memory of 3380	864	NEAS.7261711d4f2c90a46ae8c035ce124af0.exe	83
PID 3380 wrote to memory of 2104	3380	v1619372.exe	84
PID 3380 wrote to memory of 2104	3380	v1619372.exe	84
PID 3380 wrote to memory of 4740	3380	v1619372.exe	88
PID 3380 wrote to memory of 4740	3380	v1619372.exe	88
PID 3380 wrote to memory of 4740	3380	v1619372.exe	88
PID 864 wrote to memory of 2024	864	NEAS.7261711d4f2c90a46ae8c035ce124af0.exe	89
PID 864 wrote to memory of 2024	864	NEAS.7261711d4f2c90a46ae8c035ce124af0.exe	89
PID 864 wrote to memory of 2024	864	NEAS.7261711d4f2c90a46ae8c035ce124af0.exe	89

C:\Users\Admin\AppData\Local\Temp\NEAS.7261711d4f2c90a46ae8c035ce124af0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.7261711d4f2c90a46ae8c035ce124af0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:864
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1619372.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1619372.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5105470.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5105470.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2106397.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2106397.exe
    3⤵
    - Executes dropped EXE
    PID:4740
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3022989.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3022989.exe
  2⤵
  - Executes dropped EXE
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3022989.exe

Filesize
174KB

MD5
e6b8e5806b67ab3bc67054131bb6a4a0

SHA1
38c5fdcfcc10e4ac6c6f3a951e70e6e4967469a9

SHA256
e4828a31a370a2902f2896f1b9b0f72bede4f71981a1afe368efb1d4b9ea45ee

SHA512
860827056d760f92f8a8076e5783d5ed643180f7beb86aab8d2973fa2142b9e0b11d3911a333802038ce7ec26a0c1ef37bbb923f1f5095dc1f1bc0001a669d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c3022989.exe

Filesize
174KB

MD5
e6b8e5806b67ab3bc67054131bb6a4a0

SHA1
38c5fdcfcc10e4ac6c6f3a951e70e6e4967469a9

SHA256
e4828a31a370a2902f2896f1b9b0f72bede4f71981a1afe368efb1d4b9ea45ee

SHA512
860827056d760f92f8a8076e5783d5ed643180f7beb86aab8d2973fa2142b9e0b11d3911a333802038ce7ec26a0c1ef37bbb923f1f5095dc1f1bc0001a669d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1619372.exe

Filesize
217KB

MD5
5ac5347b78a882151eaa35ebf0610839

SHA1
8d0d66ab1c7cfe762161cad6d176ec3d6d9c31dc

SHA256
0b3282b7e76ea51965be7eb201a0e9e6c6f44a3ae08e8b99ae34bd51144cfbf7

SHA512
a4b47f7b235dec69716917687f881c28447f8931ab65df379b026434f62c465a6a73f1b7960415778f577b40d2a909b62393639e373abfc0581f8bdade1ed53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1619372.exe

Filesize
217KB

MD5
5ac5347b78a882151eaa35ebf0610839

SHA1
8d0d66ab1c7cfe762161cad6d176ec3d6d9c31dc

SHA256
0b3282b7e76ea51965be7eb201a0e9e6c6f44a3ae08e8b99ae34bd51144cfbf7

SHA512
a4b47f7b235dec69716917687f881c28447f8931ab65df379b026434f62c465a6a73f1b7960415778f577b40d2a909b62393639e373abfc0581f8bdade1ed53f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5105470.exe

Filesize
15KB

MD5
e8b654ed62ed813c48ae2816c1f35398

SHA1
daef847a8fcad3c671e96377f5747be1f8b71791

SHA256
ce41ae3b40d1f56da99216343f3094f230e742cdddecf60f16d61fe5703dca9b

SHA512
012a06ed877f9bf07da78b1800a61187c5dc12e4798b10b64822e786a792bbcd54982e79b658560e1222d14f105f3c2dc2257e91e7c79cac0958e84d5a29e892

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5105470.exe

Filesize
15KB

MD5
e8b654ed62ed813c48ae2816c1f35398

SHA1
daef847a8fcad3c671e96377f5747be1f8b71791

SHA256
ce41ae3b40d1f56da99216343f3094f230e742cdddecf60f16d61fe5703dca9b

SHA512
012a06ed877f9bf07da78b1800a61187c5dc12e4798b10b64822e786a792bbcd54982e79b658560e1222d14f105f3c2dc2257e91e7c79cac0958e84d5a29e892

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2106397.exe

Filesize
140KB

MD5
fcd6cbbaec48e6fa3010332c2b1bcc06

SHA1
b0b9cc1ad8d63fa8d6e35c5ae40d8026c046b6f9

SHA256
923ce2f85b02d95b6f72e6c62148514e0fa792d15fcb3cffcddbb9af11656d3e

SHA512
f1299735ec9298765c44255d14f7eae8f8a59cce1e8f0ccec97d9a65c8c55482b817bce5f96c431216d02e1634c899fbc7b8600d7b9f0f43dcbd1aaa346843c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2106397.exe

Filesize
140KB

MD5
fcd6cbbaec48e6fa3010332c2b1bcc06

SHA1
b0b9cc1ad8d63fa8d6e35c5ae40d8026c046b6f9

SHA256
923ce2f85b02d95b6f72e6c62148514e0fa792d15fcb3cffcddbb9af11656d3e

SHA512
f1299735ec9298765c44255d14f7eae8f8a59cce1e8f0ccec97d9a65c8c55482b817bce5f96c431216d02e1634c899fbc7b8600d7b9f0f43dcbd1aaa346843c6

Download Submit
memory/2024-28-0x000000000AF60000-0x000000000B06A000-memory.dmp

Filesize
1.0MB

Download
memory/2024-31-0x000000000AF00000-0x000000000AF3C000-memory.dmp

Filesize
240KB

Download
memory/2024-34-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/2024-24-0x0000000000FB0000-0x0000000000FE0000-memory.dmp

Filesize
192KB

Download
memory/2024-25-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/2024-26-0x0000000003290000-0x0000000003296000-memory.dmp

Filesize
24KB

Download
memory/2024-27-0x000000000B410000-0x000000000BA28000-memory.dmp

Filesize
6.1MB

Download
memory/2024-33-0x00000000744C0000-0x0000000074C70000-memory.dmp

Filesize
7.7MB

Download
memory/2024-30-0x000000000AEA0000-0x000000000AEB2000-memory.dmp

Filesize
72KB

Download
memory/2024-29-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/2024-32-0x000000000B070000-0x000000000B0BC000-memory.dmp

Filesize
304KB

Download
memory/2104-17-0x00007FFB108B0000-0x00007FFB11371000-memory.dmp

Filesize
10.8MB

Download
memory/2104-14-0x0000000000F40000-0x0000000000F4A000-memory.dmp

Filesize
40KB

Download
memory/2104-15-0x00007FFB108B0000-0x00007FFB11371000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads