healer | bdc94c688a45edd35d57b114679ba844194daf1026f3abf5b8f1223c8d6ff47c

Analysis

max time kernel
125s
max time network
138s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WEXTRACT.exe
Size

497KB
MD5

b86c688c83ea1a7fd4f3c0030ea16dd0
SHA1

f3f0c529bff95b9d8eab4b3b34255d056cac6952
SHA256

bdc94c688a45edd35d57b114679ba844194daf1026f3abf5b8f1223c8d6ff47c
SHA512

a140ce40462f355d721543e02a44cc759c9ae095b6b2f002046633dfa9fdeb48373d0cf945049379f5bcfe3df5ae04e2acd1ed36d68f6a28db3c66713fe79a30
SSDEEP

12288:3MrZy90oLn5mW+xggEhkbXsbF8QqVUbx3KE:+yL5mRxgGzKynVex3B

Score

10^/10

healer mystic redline stas dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

stas

77.91.124.82:19071

Attributes

auth_value
db6d96c4eade05afc28c31d9ad73a73c

Signatures

Detect Mystic stealer payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019313-31.dat	mystic_family
behavioral1/files/0x0005000000019313-35.dat	mystic_family

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/2772-28-0x0000000000D30000-0x0000000000D3A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7991102.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7991102.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7991102.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7991102.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7991102.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7991102.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 5 IoCs

pid	Process
2400	v8044467.exe
2428	v3607374.exe
2772	a7991102.exe
2296	b4104776.exe
2868	c5027616.exe

Loads dropped DLL 9 IoCs

pid	Process
2424	WEXTRACT.exe
2400	v8044467.exe
2400	v8044467.exe
2428	v3607374.exe
2428	v3607374.exe
2428	v3607374.exe
2296	b4104776.exe
2400	v8044467.exe
2868	c5027616.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	a7991102.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7991102.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	WEXTRACT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8044467.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3607374.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2772	a7991102.exe
2772	a7991102.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	a7991102.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2400	2424	WEXTRACT.exe	28
PID 2424 wrote to memory of 2400	2424	WEXTRACT.exe	28
PID 2424 wrote to memory of 2400	2424	WEXTRACT.exe	28
PID 2424 wrote to memory of 2400	2424	WEXTRACT.exe	28
PID 2424 wrote to memory of 2400	2424	WEXTRACT.exe	28
PID 2424 wrote to memory of 2400	2424	WEXTRACT.exe	28
PID 2424 wrote to memory of 2400	2424	WEXTRACT.exe	28
PID 2400 wrote to memory of 2428	2400	v8044467.exe	27
PID 2400 wrote to memory of 2428	2400	v8044467.exe	27
PID 2400 wrote to memory of 2428	2400	v8044467.exe	27
PID 2400 wrote to memory of 2428	2400	v8044467.exe	27
PID 2400 wrote to memory of 2428	2400	v8044467.exe	27
PID 2400 wrote to memory of 2428	2400	v8044467.exe	27
PID 2400 wrote to memory of 2428	2400	v8044467.exe	27
PID 2428 wrote to memory of 2772	2428	v3607374.exe	26
PID 2428 wrote to memory of 2772	2428	v3607374.exe	26
PID 2428 wrote to memory of 2772	2428	v3607374.exe	26
PID 2428 wrote to memory of 2772	2428	v3607374.exe	26
PID 2428 wrote to memory of 2772	2428	v3607374.exe	26
PID 2428 wrote to memory of 2772	2428	v3607374.exe	26
PID 2428 wrote to memory of 2772	2428	v3607374.exe	26
PID 2428 wrote to memory of 2296	2428	v3607374.exe	32
PID 2428 wrote to memory of 2296	2428	v3607374.exe	32
PID 2428 wrote to memory of 2296	2428	v3607374.exe	32
PID 2428 wrote to memory of 2296	2428	v3607374.exe	32
PID 2428 wrote to memory of 2296	2428	v3607374.exe	32
PID 2428 wrote to memory of 2296	2428	v3607374.exe	32
PID 2428 wrote to memory of 2296	2428	v3607374.exe	32
PID 2400 wrote to memory of 2868	2400	v8044467.exe	31
PID 2400 wrote to memory of 2868	2400	v8044467.exe	31
PID 2400 wrote to memory of 2868	2400	v8044467.exe	31
PID 2400 wrote to memory of 2868	2400	v8044467.exe	31
PID 2400 wrote to memory of 2868	2400	v8044467.exe	31
PID 2400 wrote to memory of 2868	2400	v8044467.exe	31
PID 2400 wrote to memory of 2868	2400	v8044467.exe	31

C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe
"C:\Users\Admin\AppData\Local\Temp\WEXTRACT.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8044467.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8044467.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5027616.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5027616.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2868

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7991102.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a7991102.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3607374.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3607374.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4104776.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4104776.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8044467.exe

Filesize
13KB

MD5
2390123f8a66d8bc0ecd79304b3ff7b5

SHA1
8270ebd9a7f722decc7ef174e59d82a330264ddf

SHA256
32513edb458fddeeb3a441d8b5ef1f56148ad367b88b24af5752194129a4d3c2

SHA512
710ffab81df89e74cc235d7a48daced3af93322f411d3dfc45106adabb38f975ebe34caa9ec6a63117bd090aa2917ee5e135fe3134c83eb9a1aa49a751fc0574

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8044467.exe

Filesize
11KB

MD5
c8f8e71476b0fae5784c2f060bda251c

SHA1
c1f4af53f2bc629c9d1e8c3e18a3dee8354ef4b1

SHA256
5ea0e5be7a9dfbced02fbd6a1fecf5218c88b3a81d96ad00808f9a19f8f4b0f1

SHA512
aeb9dc1dd6eb5152b1504d93a3ee97ab372035d944ef39ebe9b3dc5cae33a9dfe348f6eee968c9bc7b43051455635c2bcd8dcee6673adea60a615ddbf89a560d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5027616.exe

Filesize
45KB

MD5
24b89ec0a0616010cc200a0c6922de34

SHA1
72dc1f67d63020bfc16a268da840bb7b7e22076a

SHA256
5e283578853da6a7665d77d5cfbb7ccb4ebf48e680dfdd0529cc67ac2eaf1c05

SHA512
c6ae2ae1d5835a25dcbb0b8eac5e3eee59362a6b8480961da7a5a622b0a192d30ab25bed7be918ec4006e2e278b70807a5be107bf6a4295110cc687d2d2899bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5027616.exe

Filesize
175KB

MD5
c5c98861bd594722b1de2fe1c7cbb000

SHA1
3578cb1e411e0c33586366c4a82081b1fe99c581

SHA256
bd6bca395f568930b82e96af64290b94fd553cd8c0c111c44502ff104a5ea36f

SHA512
2fe36578dc8bed202c75646413bf2bc0c7858b3fa21b59e5bd80cc201147e9ccd2b55edce76c80f31a18130f91c069b7e442feb8bb1099974dc740b5bbe68cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3607374.exe

Filesize
2KB

MD5
93dbd6a8f40da4ef3e2e32260ba5dd16

SHA1
de19f3707d1de2b0723ce27c81427c5f504874ca

SHA256
9adcb5f1c3b39d073b5ed95feb7d54d9bcf5af2b2deb7234094ecc6719118bb1

SHA512
d2a7b99f995f280547d5dc1200f19b530242a81e7828c5a85ca4ac3849d9765c20ecfda47735a50033417bdd3c0275a666ab2f02afe07a7c0e3b4a408b3213e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4104776.exe

Filesize
141KB

MD5
279a30572ebf3acb076a15d3daaa1df6

SHA1
9421f40fefcc18ff6b30369195d0899eb268de58

SHA256
f5f82282696a6265a4c3f535f5e3e20ea6d459bff3ca77937ec7f6391634eb5c

SHA512
4547c697597397ebbe3e5c2e064b87b6605c71651f2e1affec8f19042dc0738a8791c9ad7bb8a00322b8c1023069df8887e376a548c6166b6b3f1110abe8889e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8044467.exe

Filesize
69KB

MD5
9acad8ea609fec5560e7802a42951922

SHA1
c57d620a7642d020047e6ca07ffd0cf0dd32f6f5

SHA256
22fdc0580f8a1fce1c58f86d6dff982863a529774dff79cf1985c8db2e238eba

SHA512
4af2c4d5f4d74127b3b345d98eb04256759fa48a2ba8a8aeb22180e7725329b98343e2ab584eb4a102bfb1dccd689b2852c81a3ecd4aae4f4761c3b2a398154e

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8044467.exe

Filesize
7KB

MD5
174e71bce18aaef2446ee4e1ffc0f01a

SHA1
bdaedb65704751c0d693f280a3fcdc236de473e4

SHA256
0f69fd08239b7d648ba5377fd8ce92c0c1c6a39f8dbae0c751b744677e98137e

SHA512
46d3b09fb7119b88b181e1b7b3f36681107aae1387bb0b632c325a284ff70e606076fea31053ba050fb3e087feda9a0f23da9e1f8507c81a8ea9b0f35e760dd4

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5027616.exe

Filesize
47KB

MD5
ce1773818962569c0c1c0549ce4ef835

SHA1
b0c8528b267290ae4fc0d8202931f93f9200c3db

SHA256
3f5935ac34894499bb8a3ab6faa01f7f161ab71dfbb2ddd757d1a3b90478dc9d

SHA512
ac4d01ff9a762ab5c60da39e5245b0ae500241ce6316900abbbde70553e77cf5677376884a29f35e281b9f8a6c6733f9c6f6d61fe21c1241cc34511672348115

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\c5027616.exe

Filesize
123KB

MD5
aea6f798361ec66131a25b00ca28308f

SHA1
32fb26ad95cbf4ab040aa8bfafd35cbec1e5b5f4

SHA256
340e35d766b4826dbd646a5bf24e0f83b10f5bf461d90382b7207f79f833fb11

SHA512
3523953636aaa84c54ed3568772c0d3a79803b4dd51c0b70a52a0d9173d204f8ee7301ee2baae931def3a24c7fb737e31ae0bfb6c199c0cd2d23bdd18c427d9c

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3607374.exe

Filesize
24KB

MD5
0569a7357f93ab0860ecf79b48928d07

SHA1
470fda26493e1937691469714d347e5a86f36684

SHA256
a2ba786fa0ce8c1d1b570305e4a2d0dcb8e88878f4b8e0ef034b66485a8c6892

SHA512
39fd66b9c30dd0e89144a5673bbe567ea82ed99b023d876b0e4573b97195fe36216061d7aa08981306ef59a713266d926fb37c532202f236c5faf38b392b7025

Download Submit
\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4104776.exe

Filesize
95KB

MD5
3af3e9d5c4e9e79c934126057951fa7d

SHA1
b77bcacba224e97e8d5c29460621404b5076f087

SHA256
d4abf35e818ab2f9493ea93f8a7ae9c8848b5192fe286173a425dc2cb8b22c84

SHA512
f24040789f227bbaf74f9da94ea9f96a89137463ad585dfdf4e2b69576e87277c249356bbadd4d64b4fac57bc63ae3e8cb7bb441841078ce9c5dbe8f7815d4fc

Download Submit
memory/2772-29-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2772-28-0x0000000000D30000-0x0000000000D3A000-memory.dmp

Filesize
40KB

Download
memory/2772-30-0x000007FEF5460000-0x000007FEF5E4C000-memory.dmp

Filesize
9.9MB

Download
memory/2868-43-0x0000000000D60000-0x0000000000D90000-memory.dmp

Filesize
192KB

Download
memory/2868-44-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download