healer | 17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a

General

Target

17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a.exe
Size

1001KB
MD5

39742638fabeb3020be7ec5c9892dd9d
SHA1

3fec0db807df472b3e8518464a9aec7e8fa603fb
SHA256

17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a
SHA512

82f48aa9a7ace708b9d18ede40f36083bc74ab2be70f5bed2770609c62ef34ba5634b043b980c57d95750991be24a10454b99134e9e379307765daffefc7b3f6
SSDEEP

24576:OyOTmUxmLGILy6+yhCklNjk+Bn1w8aKWaTRjw:dOTmUx9cy6VkkbjhOvW

Score

10^/10

healer redline dubka discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dubka

C2

193.233.20.13:4136

Attributes

auth_value
e5a9421183a033f283b2f23139b471f0

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral3/files/0x0029000000045056-26.dat	healer
behavioral3/memory/1532-28-0x0000000000C30000-0x0000000000C3A000-memory.dmp	healer
behavioral3/memory/3912-34-0x0000000002460000-0x000000000247A000-memory.dmp	healer
behavioral3/memory/3912-36-0x0000000004C40000-0x0000000004C58000-memory.dmp	healer
behavioral3/memory/3912-37-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-46-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-64-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-62-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-60-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-58-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-56-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-55-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-52-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-50-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-49-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-44-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-42-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-40-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer
behavioral3/memory/3912-38-0x0000000004C40000-0x0000000004C52000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	kSC89Ro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	mna46vX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	mna46vX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	mna46vX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	mna46vX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	mna46vX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	kSC89Ro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	kSC89Ro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	kSC89Ro.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	kSC89Ro.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0028000000045054-69.dat	family_redline
behavioral3/memory/4536-71-0x0000000000B90000-0x0000000000BC2000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
1712	doJ5494.exe
3016	dgi6560.exe
5064	dGf7386.exe
1532	kSC89Ro.exe
3912	mna46vX.exe
4536	nxe83mj.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	mna46vX.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	kSC89Ro.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	mna46vX.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	doJ5494.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dgi6560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	dGf7386.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2192	3912	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nxe83mj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	doJ5494.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dgi6560.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dGf7386.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mna46vX.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1532	kSC89Ro.exe
1532	kSC89Ro.exe
3912	mna46vX.exe
3912	mna46vX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1532	kSC89Ro.exe
Token: SeDebugPrivilege	3912	mna46vX.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 1712	760	17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a.exe	83
PID 760 wrote to memory of 1712	760	17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a.exe	83
PID 760 wrote to memory of 1712	760	17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a.exe	83
PID 1712 wrote to memory of 3016	1712	doJ5494.exe	84
PID 1712 wrote to memory of 3016	1712	doJ5494.exe	84
PID 1712 wrote to memory of 3016	1712	doJ5494.exe	84
PID 3016 wrote to memory of 5064	3016	dgi6560.exe	85
PID 3016 wrote to memory of 5064	3016	dgi6560.exe	85
PID 3016 wrote to memory of 5064	3016	dgi6560.exe	85
PID 5064 wrote to memory of 1532	5064	dGf7386.exe	86
PID 5064 wrote to memory of 1532	5064	dGf7386.exe	86
PID 5064 wrote to memory of 3912	5064	dGf7386.exe	88
PID 5064 wrote to memory of 3912	5064	dGf7386.exe	88
PID 5064 wrote to memory of 3912	5064	dGf7386.exe	88
PID 3016 wrote to memory of 4536	3016	dgi6560.exe	92
PID 3016 wrote to memory of 4536	3016	dgi6560.exe	92
PID 3016 wrote to memory of 4536	3016	dgi6560.exe	92

C:\Users\Admin\AppData\Local\Temp\17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a.exe
"C:\Users\Admin\AppData\Local\Temp\17d901b8553d4be1bb33e850e4deb1a3897fda3d5a85e41a1e0a3074964b3e8a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:760
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\doJ5494.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\doJ5494.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgi6560.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgi6560.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dGf7386.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dGf7386.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSC89Ro.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSC89Ro.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mna46vX.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mna46vX.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3912
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1148
        6⤵
        Program crash
        
        PID:2192
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nxe83mj.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nxe83mj.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3912 -ip 3912
1⤵
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\doJ5494.exe

Filesize
856KB

MD5
f9dc829803856d6d7a8474aad32dd9b5

SHA1
6a390ba1369911cce72e939821289eae5c5c7b01

SHA256
9030053d0292a8f235f8b387e0c9ec1ccae5e21492c8c567c4d07888b69a2a9e

SHA512
51379874f016d933015bb25f7a28b556a79331e883c37dc37bff39da1b41157aeb598e3d5016327c9c10383cd29139808326be7d852702a032c98f2710913633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dgi6560.exe

Filesize
501KB

MD5
de872b15338d5fab4fadd1988d99df7c

SHA1
e966fae9e7cee76be7161627299882c61c75a3f4

SHA256
ecbc5cad08d36f5f07d60cb48663e54a0bea8cb56bc1bc707e5d6e67b0c0915b

SHA512
c1aa69752fa7541b48c4eddac2208a7daa5f9aa58a7a957ed28586ca2a95cfcae6e6007c821df50df644f115a26c7279e23c4729c7f9f972b41484e13bcb605a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dGf7386.exe

Filesize
356KB

MD5
6800300a4dc511788b6980b9112c91fc

SHA1
52e82d6d034c9805d91656a3bc547dd48719f9c2

SHA256
a1840f132b113618f8e9e9838b26269a9ebe8ba7e832025a2b72ef68387c605e

SHA512
5d87e11b27fafe69b9fea06b7705b7dae8ffe45e3043e2c7dc7509a14ce4c1436c23e660c351fd605b73fe0275f53463989eed54bdc5198601de86d5670f6635

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nxe83mj.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kSC89Ro.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mna46vX.exe

Filesize
295KB

MD5
2338c84711b756237e614c3869cf6100

SHA1
6146eace912945070cb084fe3839c8d2dc27c403

SHA256
fbfd8bd7e7ff54ce43c209c34a9959ad1abe7325209756decc04e3d9a44ff87b

SHA512
24bd3e70fc0ac61f6fcc432de5e93ac38c66eb3fb0e9b09337acc526873dd42f779f2741761ffb1677936e8f219f3c3b683c9476d8ab604803795fc323c7bae6

Download Submit
memory/1532-28-0x0000000000C30000-0x0000000000C3A000-memory.dmp

Filesize
40KB

Download
memory/3912-55-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-44-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-37-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-46-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-64-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-62-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-60-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-58-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-56-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-35-0x0000000004CB0000-0x0000000005256000-memory.dmp

Filesize
5.6MB

Download
memory/3912-52-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-50-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-49-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-36-0x0000000004C40000-0x0000000004C58000-memory.dmp

Filesize
96KB

Download
memory/3912-42-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-40-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-38-0x0000000004C40000-0x0000000004C52000-memory.dmp

Filesize
72KB

Download
memory/3912-65-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/3912-67-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/3912-34-0x0000000002460000-0x000000000247A000-memory.dmp

Filesize
104KB

Download
memory/4536-71-0x0000000000B90000-0x0000000000BC2000-memory.dmp

Filesize
200KB

Download
memory/4536-72-0x0000000005B00000-0x0000000006118000-memory.dmp

Filesize
6.1MB

Download
memory/4536-73-0x0000000005660000-0x000000000576A000-memory.dmp

Filesize
1.0MB

Download
memory/4536-74-0x0000000005590000-0x00000000055A2000-memory.dmp

Filesize
72KB

Download
memory/4536-75-0x0000000005620000-0x000000000565C000-memory.dmp

Filesize
240KB

Download
memory/4536-76-0x0000000005770000-0x00000000057BC000-memory.dmp

Filesize
304KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads