healer | 5eb1f9bfa6674b496dc91bb704ae98e167102cc0b6040aaa62e65cc6600f5dbf

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2023 13:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.248fe715c8c20dedc426433878766200.exe
Size

724KB
MD5

248fe715c8c20dedc426433878766200
SHA1

dc003580de3f7ce9742c4c3e5b32761d617e933d
SHA256

5eb1f9bfa6674b496dc91bb704ae98e167102cc0b6040aaa62e65cc6600f5dbf
SHA512

5a213c0e30519c9d8ecdf59ceafe70902de2d2c30f7a39a94815f33770ab2076e52738052d8013f5c89e4ba5b9bf8df7ac219fc986ce66041676530ae6399038
SSDEEP

12288:vMrBy90L8jxzmOmmtnXfivXI9SOkfTLVDCQcoc/D9uDCsHifCvtsDrh:myuMNZ+oSOsTLV+TBw6ctoh

Score

10^/10

healer mystic redline stas dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

stas

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000022de8-34.dat	family_mystic
behavioral1/files/0x0006000000022de8-35.dat	family_mystic

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000022de7-26.dat	healer
behavioral1/files/0x0007000000022de7-27.dat	healer
behavioral1/memory/5092-28-0x0000000000F70000-0x0000000000F7A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3374666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3374666.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a3374666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3374666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3374666.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3374666.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 6 IoCs

pid	Process
1536	v2010189.exe
1424	v1930413.exe
3588	v1389611.exe
5092	a3374666.exe
2740	b0883930.exe
1856	c7632903.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3374666.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	NEAS.248fe715c8c20dedc426433878766200.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2010189.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1930413.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1389611.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5092	a3374666.exe
5092	a3374666.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	a3374666.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 1536	3844	NEAS.248fe715c8c20dedc426433878766200.exe	88
PID 3844 wrote to memory of 1536	3844	NEAS.248fe715c8c20dedc426433878766200.exe	88
PID 3844 wrote to memory of 1536	3844	NEAS.248fe715c8c20dedc426433878766200.exe	88
PID 1536 wrote to memory of 1424	1536	v2010189.exe	89
PID 1536 wrote to memory of 1424	1536	v2010189.exe	89
PID 1536 wrote to memory of 1424	1536	v2010189.exe	89
PID 1424 wrote to memory of 3588	1424	v1930413.exe	90
PID 1424 wrote to memory of 3588	1424	v1930413.exe	90
PID 1424 wrote to memory of 3588	1424	v1930413.exe	90
PID 3588 wrote to memory of 5092	3588	v1389611.exe	91
PID 3588 wrote to memory of 5092	3588	v1389611.exe	91
PID 3588 wrote to memory of 2740	3588	v1389611.exe	96
PID 3588 wrote to memory of 2740	3588	v1389611.exe	96
PID 3588 wrote to memory of 2740	3588	v1389611.exe	96
PID 1424 wrote to memory of 1856	1424	v1930413.exe	97
PID 1424 wrote to memory of 1856	1424	v1930413.exe	97
PID 1424 wrote to memory of 1856	1424	v1930413.exe	97

C:\Users\Admin\AppData\Local\Temp\NEAS.248fe715c8c20dedc426433878766200.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.248fe715c8c20dedc426433878766200.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0883930.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0883930.exe
        5⤵
        Executes dropped EXE
        
        PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7632903.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7632903.exe
      4⤵
      Executes dropped EXE
      PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe

Filesize
497KB

MD5
0d972758853cdae72f1b2976385687a5

SHA1
5ee1ab71437ae74490220f525ddbec908b28e54e

SHA256
e2ecca7158be1f5e91230dec7fd6fa7feff355b77c4ea4fc4b8d8bde1c7c664e

SHA512
582c093dc592d4cbe06938769554b9eacb1acb096c2b82beb3e41a41f9f71d2053c0155d0318f44e0c1de7de08647dfa1ee80fa23443fd1c6fed306dfac0b0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2010189.exe

Filesize
497KB

MD5
0d972758853cdae72f1b2976385687a5

SHA1
5ee1ab71437ae74490220f525ddbec908b28e54e

SHA256
e2ecca7158be1f5e91230dec7fd6fa7feff355b77c4ea4fc4b8d8bde1c7c664e

SHA512
582c093dc592d4cbe06938769554b9eacb1acb096c2b82beb3e41a41f9f71d2053c0155d0318f44e0c1de7de08647dfa1ee80fa23443fd1c6fed306dfac0b0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe

Filesize
373KB

MD5
ff3f0e486464f3473a68d55da2ff926f

SHA1
01644a862d33c9fbf2abddad254975054d596c3a

SHA256
bfbc5549383ccaaf02378803c8ae60ecb8c347246e028a4920be7ff78a06b237

SHA512
eaf9af11e86da2dccd24890724799e775694bdb0c973c9c20b2efd364582650ea64654951b168e608d28e3a3547bdd26ec8b9d2e84672b43862c06c6e9ef58e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1930413.exe

Filesize
373KB

MD5
ff3f0e486464f3473a68d55da2ff926f

SHA1
01644a862d33c9fbf2abddad254975054d596c3a

SHA256
bfbc5549383ccaaf02378803c8ae60ecb8c347246e028a4920be7ff78a06b237

SHA512
eaf9af11e86da2dccd24890724799e775694bdb0c973c9c20b2efd364582650ea64654951b168e608d28e3a3547bdd26ec8b9d2e84672b43862c06c6e9ef58e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7632903.exe

Filesize
174KB

MD5
0bef73a2ce61299393cd0112160c10fd

SHA1
bf8b513969abb95563d2fb2b6129eae8af148796

SHA256
2834689c0ab1c01fa09e9caf3a770e546d8c102541c773d90c11d73e41998760

SHA512
b880eb7f53e441943eac2f7d078867b8e8b84fc6640317ee89adfb97547ae89b70347fc5160b4a3f4707b8d668140df32966ac53816ffd12af80b4c6ead92c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7632903.exe

Filesize
174KB

MD5
0bef73a2ce61299393cd0112160c10fd

SHA1
bf8b513969abb95563d2fb2b6129eae8af148796

SHA256
2834689c0ab1c01fa09e9caf3a770e546d8c102541c773d90c11d73e41998760

SHA512
b880eb7f53e441943eac2f7d078867b8e8b84fc6640317ee89adfb97547ae89b70347fc5160b4a3f4707b8d668140df32966ac53816ffd12af80b4c6ead92c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe

Filesize
217KB

MD5
63b4afe6a4129a54c8c435e9d9281a0e

SHA1
d2b46895d25b2d5a0c093765e57578c85add3590

SHA256
d99865d00425cf2cf13d223847a4cbe9833c60f63e93f3610adde1b59f538f88

SHA512
fe87dfcb43356295c7adccccd3a869ed9797f9328f58fbb00132bd8abaa14b8edb27978fa5f242b6f68c5d9db473b6b4a5e99a0f3ecf1f0e0faac6303f1b17f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1389611.exe

Filesize
217KB

MD5
63b4afe6a4129a54c8c435e9d9281a0e

SHA1
d2b46895d25b2d5a0c093765e57578c85add3590

SHA256
d99865d00425cf2cf13d223847a4cbe9833c60f63e93f3610adde1b59f538f88

SHA512
fe87dfcb43356295c7adccccd3a869ed9797f9328f58fbb00132bd8abaa14b8edb27978fa5f242b6f68c5d9db473b6b4a5e99a0f3ecf1f0e0faac6303f1b17f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe

Filesize
15KB

MD5
a4ef30681b5e1b73d464c09cdf52b776

SHA1
92bd836eb5e7382cdfa3c4e6918eaa6409683a04

SHA256
acadd7759e5eecf904f5552e464f07b1a517200c8483435e47ae4a12f9b9b8fe

SHA512
7bb5cbc2e43fbdd1deaa4b72d2b4ddb663803493ae2028484f015fe6b614bec537e3b057e0de9326881356937ea5bfd169f53ce2ee2a27049193c4695ab5d8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a3374666.exe

Filesize
15KB

MD5
a4ef30681b5e1b73d464c09cdf52b776

SHA1
92bd836eb5e7382cdfa3c4e6918eaa6409683a04

SHA256
acadd7759e5eecf904f5552e464f07b1a517200c8483435e47ae4a12f9b9b8fe

SHA512
7bb5cbc2e43fbdd1deaa4b72d2b4ddb663803493ae2028484f015fe6b614bec537e3b057e0de9326881356937ea5bfd169f53ce2ee2a27049193c4695ab5d8e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0883930.exe

Filesize
140KB

MD5
9c61af147b2b2f93b1ec4345cf438b2a

SHA1
425e86db29d9ae51a0f1fa73f2bf7b90e66ed6ab

SHA256
1febca12da614ace0014c0f69086730698ffa2d867b73feb561f3a9c81c52c83

SHA512
4be21d3bff22e86dff90f5e8e0caa98bf925d046c769bf5ce8bc6310c9eafb54d7613207a46e5c5e5e652db6a9d69cfb66c9c11b0f855c8debd74815b2f94817

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b0883930.exe

Filesize
140KB

MD5
9c61af147b2b2f93b1ec4345cf438b2a

SHA1
425e86db29d9ae51a0f1fa73f2bf7b90e66ed6ab

SHA256
1febca12da614ace0014c0f69086730698ffa2d867b73feb561f3a9c81c52c83

SHA512
4be21d3bff22e86dff90f5e8e0caa98bf925d046c769bf5ce8bc6310c9eafb54d7613207a46e5c5e5e652db6a9d69cfb66c9c11b0f855c8debd74815b2f94817

Download Submit
memory/1856-46-0x0000000005200000-0x000000000523C000-memory.dmp

Filesize
240KB

Download
memory/1856-43-0x0000000005310000-0x000000000541A000-memory.dmp

Filesize
1.0MB

Download
memory/1856-49-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/1856-48-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1856-39-0x00000000006B0000-0x00000000006E0000-memory.dmp

Filesize
192KB

Download
memory/1856-40-0x0000000074A10000-0x00000000751C0000-memory.dmp

Filesize
7.7MB

Download
memory/1856-47-0x0000000005240000-0x000000000528C000-memory.dmp

Filesize
304KB

Download
memory/1856-42-0x0000000005820000-0x0000000005E38000-memory.dmp

Filesize
6.1MB

Download
memory/1856-41-0x0000000002890000-0x0000000002896000-memory.dmp

Filesize
24KB

Download
memory/1856-44-0x00000000050F0000-0x0000000005100000-memory.dmp

Filesize
64KB

Download
memory/1856-45-0x0000000005070000-0x0000000005082000-memory.dmp

Filesize
72KB

Download
memory/5092-32-0x00007FFB30FC0000-0x00007FFB31A81000-memory.dmp

Filesize
10.8MB

Download
memory/5092-30-0x00007FFB30FC0000-0x00007FFB31A81000-memory.dmp

Filesize
10.8MB

Download
memory/5092-28-0x0000000000F70000-0x0000000000F7A000-memory.dmp

Filesize
40KB

Download
memory/5092-29-0x00007FFB30FC0000-0x00007FFB31A81000-memory.dmp

Filesize
10.8MB

Download