healer | ad919110ee13402451a9608b60f6f05c353c830b4d49d6bfd4fb723bb66421c7

General

Target

715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe
Size

479KB
MD5

715b0b4d5559bec60514dfe136a03460
SHA1

810829ff61a0824459c05191b3275040fbe4d54e
SHA256

ad919110ee13402451a9608b60f6f05c353c830b4d49d6bfd4fb723bb66421c7
SHA512

c0b31c7d6c7b24b29e9e3f2affbaf31cf94a3595b6bf054fdfda93fef04b7849dc46a509f414ac1f240d8b933cccc6a20bd71035604d3159ffdf3ce958fec8a3
SSDEEP

12288:HMrpy90/74H0pT9u5c1u311TnfdhlPv2u2sSDP2c5:ayw7A6YX7TfBPvZlSDP2a

Score

10^/10

healer redline morty dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

morty

C2

217.196.96.101:4132

Attributes

auth_value
fe1a24c211cc8e5bf9ff11c737ce0e97

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2204-15-0x0000000002190000-0x00000000021AA000-memory.dmp	healer
behavioral1/memory/2204-18-0x0000000002460000-0x0000000002478000-memory.dmp	healer
behavioral1/memory/2204-46-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-44-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-40-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-30-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-24-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-22-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-20-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-19-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-42-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-38-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-36-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-34-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-32-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-28-0x0000000002460000-0x0000000002472000-memory.dmp	healer
behavioral1/memory/2204-26-0x0000000002460000-0x0000000002472000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a8766803.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8766803.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8766803.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8766803.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8766803.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8766803.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023440-51.dat	family_redline
behavioral1/memory/1716-53-0x0000000000BD0000-0x0000000000BFE000-memory.dmp	family_redline

Executes dropped EXE 3 IoCs

pid	Process
940	v4270029.exe
2204	a8766803.exe
1716	b1814710.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8766803.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8766803.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4270029.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2204	a8766803.exe
2204	a8766803.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	a8766803.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 940	2996	715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe	83
PID 2996 wrote to memory of 940	2996	715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe	83
PID 2996 wrote to memory of 940	2996	715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe	83
PID 940 wrote to memory of 2204	940	v4270029.exe	84
PID 940 wrote to memory of 2204	940	v4270029.exe	84
PID 940 wrote to memory of 2204	940	v4270029.exe	84
PID 940 wrote to memory of 1716	940	v4270029.exe	95
PID 940 wrote to memory of 1716	940	v4270029.exe	95
PID 940 wrote to memory of 1716	940	v4270029.exe	95

C:\Users\Admin\AppData\Local\Temp\715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\715b0b4d5559bec60514dfe136a03460_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2204
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1814710.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1814710.exe
    3⤵
    - Executes dropped EXE
    PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4270029.exe

Filesize
307KB

MD5
c72b51e9396e3560ee77227b3aca58e0

SHA1
5ed660f289156d0296490b4e42c94471db7f4330

SHA256
6e6113efb8d2ac46560561b1454f78d94894792d369632b1f2dbc3b0123aa683

SHA512
0f3769f9ac64ff3652e2630f1540d59cf70cab2c5624f017a09517895534254a018f6f978220e0888d5590aa8b811fa4f1520fc4860d7572e06e98b11b146ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a8766803.exe

Filesize
178KB

MD5
4e273ee54a407e84a6df1a8183727d35

SHA1
dfa0af2ef73ca96f24015aedc8cc2fc4bd189914

SHA256
1c486a6da10c5dad2478130c2613c816d903a1f441f8f950d63b13ebcc52448b

SHA512
a46d53a824724b050ce791b9122df29fbc05bc4c16ee5f16a41ec28c43e8ea51dd94e56a0ddc10b77e79dffc92346b8957ff6afbcd620514cbe71ffa32653375

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b1814710.exe

Filesize
168KB

MD5
2e700cbfaa9fc12b0ee21f829e859d6b

SHA1
f180b969f1f1cbabe6a64983ade51bcd7c1ef76b

SHA256
dfa7318a2783adfdfa039cb4980e151693218bef33f253ef38dc39173adfd408

SHA512
63d08aa792b5973147796b593fa6c0c193c1c439ebfa8e1a190d28e7752ade5a0a54d962f1333463ca9e4cafd2f20d9e7165dd6f8fb1e0ba16e5b202174cb5d1

Download Submit
memory/1716-59-0x0000000005600000-0x000000000564C000-memory.dmp

Filesize
304KB

Download
memory/1716-58-0x00000000055C0000-0x00000000055FC000-memory.dmp

Filesize
240KB

Download
memory/1716-57-0x0000000005560000-0x0000000005572000-memory.dmp

Filesize
72KB

Download
memory/1716-56-0x0000000005670000-0x000000000577A000-memory.dmp

Filesize
1.0MB

Download
memory/1716-55-0x0000000005B80000-0x0000000006198000-memory.dmp

Filesize
6.1MB

Download
memory/1716-54-0x00000000014E0000-0x00000000014E6000-memory.dmp

Filesize
24KB

Download
memory/1716-53-0x0000000000BD0000-0x0000000000BFE000-memory.dmp

Filesize
184KB

Download
memory/2204-44-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-28-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-24-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-22-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-20-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-19-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-42-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-38-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-36-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-34-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-32-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-30-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-26-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-49-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/2204-47-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/2204-40-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-46-0x0000000002460000-0x0000000002472000-memory.dmp

Filesize
72KB

Download
memory/2204-18-0x0000000002460000-0x0000000002478000-memory.dmp

Filesize
96KB

Download
memory/2204-16-0x0000000073F90000-0x0000000074740000-memory.dmp

Filesize
7.7MB

Download
memory/2204-17-0x00000000049A0000-0x0000000004F44000-memory.dmp

Filesize
5.6MB

Download
memory/2204-15-0x0000000002190000-0x00000000021AA000-memory.dmp

Filesize
104KB

Download
memory/2204-14-0x0000000073F9E000-0x0000000073F9F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads