healer | a20ea0ab1ca65283cd9159a21f6ea1d68985284bd9238692a3dd365994b2ac85

General

Target

49111f64bed0ab901f9a2a7f547cba60_NEAS.exe
Size

1.3MB
MD5

49111f64bed0ab901f9a2a7f547cba60
SHA1

be2abdba42ca9e759cb5e4cb746f7dd93d5c858d
SHA256

a20ea0ab1ca65283cd9159a21f6ea1d68985284bd9238692a3dd365994b2ac85
SHA512

9ca7bdf2c762f072dc10dc81f7d807fa69bc11fc4ba240986caf13c2f08874529aa5e30fe72d937f49e872c6b415db82877bd7f25219d688d494378bdf52e882
SSDEEP

24576:+y8sfz+SJ60o1Jf4iprQ4Bpbco1sAw/hgLJTCnMRSAFFFwfy7y3Kkh:N8sLTJcLVM4BVcouZwCMlMpK

Score

10^/10

healer redline maxbi dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maxbi

C2

185.161.248.73:4164

Attributes

auth_value
6aa7dba884fe45693dfa04c91440daef

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1848-29-0x0000000002910000-0x000000000292A000-memory.dmp	healer
behavioral1/memory/1848-31-0x0000000002AB0000-0x0000000002AC8000-memory.dmp	healer
behavioral1/memory/1848-39-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-59-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-58-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-55-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-53-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-51-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-49-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-47-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-45-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-41-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-37-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-35-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-43-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-33-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer
behavioral1/memory/1848-32-0x0000000002AB0000-0x0000000002AC2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a73022169.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a73022169.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a73022169.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a73022169.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a73022169.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a73022169.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000002340e-64.dat	family_redline
behavioral1/memory/4560-66-0x0000000000F90000-0x0000000000FC0000-memory.dmp	family_redline

Executes dropped EXE 5 IoCs

pid	Process
4088	i58176064.exe
2152	i91071134.exe
1228	i87786345.exe
1848	a73022169.exe
4560	b14563787.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a73022169.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a73022169.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	49111f64bed0ab901f9a2a7f547cba60_NEAS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i58176064.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i91071134.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i87786345.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4008	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2224	1848	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1848	a73022169.exe
1848	a73022169.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1848	a73022169.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 4088	2488	49111f64bed0ab901f9a2a7f547cba60_NEAS.exe	83
PID 2488 wrote to memory of 4088	2488	49111f64bed0ab901f9a2a7f547cba60_NEAS.exe	83
PID 2488 wrote to memory of 4088	2488	49111f64bed0ab901f9a2a7f547cba60_NEAS.exe	83
PID 4088 wrote to memory of 2152	4088	i58176064.exe	84
PID 4088 wrote to memory of 2152	4088	i58176064.exe	84
PID 4088 wrote to memory of 2152	4088	i58176064.exe	84
PID 2152 wrote to memory of 1228	2152	i91071134.exe	85
PID 2152 wrote to memory of 1228	2152	i91071134.exe	85
PID 2152 wrote to memory of 1228	2152	i91071134.exe	85
PID 1228 wrote to memory of 1848	1228	i87786345.exe	86
PID 1228 wrote to memory of 1848	1228	i87786345.exe	86
PID 1228 wrote to memory of 1848	1228	i87786345.exe	86
PID 1228 wrote to memory of 4560	1228	i87786345.exe	96
PID 1228 wrote to memory of 4560	1228	i87786345.exe	96
PID 1228 wrote to memory of 4560	1228	i87786345.exe	96

C:\Users\Admin\AppData\Local\Temp\49111f64bed0ab901f9a2a7f547cba60_NEAS.exe
"C:\Users\Admin\AppData\Local\Temp\49111f64bed0ab901f9a2a7f547cba60_NEAS.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1848 -s 1080
        6⤵
        Program crash
        
        PID:2224
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b14563787.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b14563787.exe
        5⤵
        Executes dropped EXE
        
        PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1848 -ip 1848
1⤵
PID:3088

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i58176064.exe

Filesize
1.1MB

MD5
e8980977e58b9fd9c13f524fd8a658d5

SHA1
40febb2c8384b6e3426d13992368d20bd66791ce

SHA256
f9348f70f20678feb7d4580f7f2fb02f7c9d7f74d2a97a237e6e69fa2720d29a

SHA512
e7e7c41aa01e310e35a3654ca23f8d7e6b3359b7b1d8e6cad3be1ff90f145d4f0f7cec065558b16d587073f16e1e9ec472b33cd8605eaaf0f2289fb240c7fd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i91071134.exe

Filesize
684KB

MD5
6d28c016ec3bd44c24eaffbfd4f6594b

SHA1
e0be36cd101a2fbd2ffafb57df853010206f2219

SHA256
49d18927a5f28348ab021ec9d18614010944e23c2fadf6c433f0f6490fdfcd44

SHA512
dda126762aa8c98eacf65122ed652250065c02ec699d4500f712346cf98fd3f940326b2c425175ac3d0a634ba6850071ed98bf3386f6b8a6fe7de1403874eb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i87786345.exe

Filesize
405KB

MD5
37b5d514093f0f3d0172ca0cb12b33c7

SHA1
751d92e88bbe17ffd9305b411102e7bfbdcf661c

SHA256
d2f9e82d090720f093b0e932076e70d26c8a218ba8cff3b0c0ea2bce0685dae0

SHA512
260daf462895dd942274cd348c186c99ddf21e84bc8e05ee438050f989fb105afc6284074212c5050206138ead3921b81ceca89d9d3afe1b1fa425b0082788c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a73022169.exe

Filesize
345KB

MD5
62e9646d364ac3efb8354c701b3484e8

SHA1
78e60202c2bef0a5317d2c2f83cd89bffb9ae524

SHA256
169418cc1306e46283bdd82686d6474b9f19108980c3e414b6590ff9ddc8c9ab

SHA512
af2c9646ea81f710e79c9158d300c2107e6b95845e0412d4f0700e414665179eb188e7750855cefb6ba66492a4ca5a330b4bf7eec14a047cbd9187ea1d5c3fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b14563787.exe

Filesize
168KB

MD5
05b6d6ba56e96207d2e4e3a48bbb6e97

SHA1
5ee840ebdc955d2e3d8d5987db8dd061daedf012

SHA256
895cd5ebc24e7d4c97774f9ffdcdcbb5699c7303646204688a7d8a526ea38551

SHA512
05e6e94bc225ab93f93479c9d609f2901662ca5ae0c166802801e880df8565972f217e00711764bd50c1f54bf4c039636e72f997fb3c727888e6540f9c92667e

Download Submit
memory/1848-47-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-35-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-39-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-59-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-58-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-55-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-53-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-51-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-49-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-30-0x00000000051D0000-0x0000000005774000-memory.dmp

Filesize
5.6MB

Download
memory/1848-45-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-41-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-37-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-31-0x0000000002AB0000-0x0000000002AC8000-memory.dmp

Filesize
96KB

Download
memory/1848-43-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-33-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-32-0x0000000002AB0000-0x0000000002AC2000-memory.dmp

Filesize
72KB

Download
memory/1848-61-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/1848-29-0x0000000002910000-0x000000000292A000-memory.dmp

Filesize
104KB

Download
memory/4560-66-0x0000000000F90000-0x0000000000FC0000-memory.dmp

Filesize
192KB

Download
memory/4560-67-0x0000000003130000-0x0000000003136000-memory.dmp

Filesize
24KB

Download
memory/4560-68-0x000000000B2B0000-0x000000000B8C8000-memory.dmp

Filesize
6.1MB

Download
memory/4560-69-0x000000000AE00000-0x000000000AF0A000-memory.dmp

Filesize
1.0MB

Download
memory/4560-70-0x000000000AD30000-0x000000000AD42000-memory.dmp

Filesize
72KB

Download
memory/4560-71-0x000000000AD90000-0x000000000ADCC000-memory.dmp

Filesize
240KB

Download
memory/4560-72-0x0000000003180000-0x00000000031CC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads