healer | 396b13a0a6cc1c09e169820a1fb8675f7df7198c18792dc14bf25df06dc6b26d

General

Target

396b13a0a6cc1c09e169820a1fb8675f7df7198c18792dc14bf25df06dc6b26d.exe
Size

479KB
MD5

d51dadc0354cf8f0192b3dcd2f00b4e3
SHA1

94156f83da9c16dc21aee1525973cfe268cfd38d
SHA256

396b13a0a6cc1c09e169820a1fb8675f7df7198c18792dc14bf25df06dc6b26d
SHA512

d73245c292ef8b207b91b03623cb1e46b5487dad5d7291a561d8fb3c770aad33938800514009a1e87ac93fd71ddd4715e808cbd8b5c74e5198d17751b8f17784
SSDEEP

12288:6Mr+y90yw6J4MGtbQR7PfXmyGvOnbd7Gdc:kyA6qZtUR7nWyVbb

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2152-15-0x0000000002040000-0x000000000205A000-memory.dmp	healer
behavioral1/memory/2152-19-0x0000000002520000-0x0000000002538000-memory.dmp	healer
behavioral1/memory/2152-26-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-48-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-47-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-44-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-42-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-40-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-38-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-36-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-34-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-32-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-30-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-28-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-24-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-22-0x0000000002520000-0x0000000002532000-memory.dmp	healer
behavioral1/memory/2152-21-0x0000000002520000-0x0000000002532000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9529822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9529822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9529822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9529822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9529822.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a9529822.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b8b-54.dat	family_redline
behavioral1/memory/3708-56-0x0000000000930000-0x0000000000958000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1480	v4239019.exe
2152	a9529822.exe
3708	b5382645.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a9529822.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9529822.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	396b13a0a6cc1c09e169820a1fb8675f7df7198c18792dc14bf25df06dc6b26d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4239019.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	396b13a0a6cc1c09e169820a1fb8675f7df7198c18792dc14bf25df06dc6b26d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v4239019.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9529822.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5382645.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2152	a9529822.exe
2152	a9529822.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	a9529822.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1136 wrote to memory of 1480	1136	396b13a0a6cc1c09e169820a1fb8675f7df7198c18792dc14bf25df06dc6b26d.exe	84
PID 1136 wrote to memory of 1480	1136	396b13a0a6cc1c09e169820a1fb8675f7df7198c18792dc14bf25df06dc6b26d.exe	84
PID 1136 wrote to memory of 1480	1136	396b13a0a6cc1c09e169820a1fb8675f7df7198c18792dc14bf25df06dc6b26d.exe	84
PID 1480 wrote to memory of 2152	1480	v4239019.exe	85
PID 1480 wrote to memory of 2152	1480	v4239019.exe	85
PID 1480 wrote to memory of 2152	1480	v4239019.exe	85
PID 1480 wrote to memory of 3708	1480	v4239019.exe	96
PID 1480 wrote to memory of 3708	1480	v4239019.exe	96
PID 1480 wrote to memory of 3708	1480	v4239019.exe	96

C:\Users\Admin\AppData\Local\Temp\396b13a0a6cc1c09e169820a1fb8675f7df7198c18792dc14bf25df06dc6b26d.exe
"C:\Users\Admin\AppData\Local\Temp\396b13a0a6cc1c09e169820a1fb8675f7df7198c18792dc14bf25df06dc6b26d.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1136
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4239019.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4239019.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9529822.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9529822.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2152
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5382645.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5382645.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4239019.exe

Filesize
307KB

MD5
a6cd56ff726ea65d281a56c01d288adb

SHA1
39d1e2c70237d1857b5e90ad79ee90b1fd68a938

SHA256
0c4442891d2acf3621360c3817a0d50b895524fa4e2d94e147805d8f3904f295

SHA512
c5605da4c07eb278b15d412b2f1c1ddd29fa85c98335319bde43eb9c304e87a1a845f8b46a569b16c07d73ff6c9e1820e20dc36de23b37f5c2254cf68cef9378

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a9529822.exe

Filesize
175KB

MD5
a5c214ff76db50be4a42f79d0d815525

SHA1
ec303e8dd8f83d16818b8d09c1dfdf45c8e13361

SHA256
5f761deab80ad2d9b9ae66652bc4eab9eef098f6b9230c1f4498848a8c4e872f

SHA512
80d594af1b09fabe2e1fe0840bc198f5a5e106467365d667ebce9d6c77c77564f8a685857dc61da3b68da0e58d6cb57bb97c305435c7a5ade7edeb17e33f6d54

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5382645.exe

Filesize
136KB

MD5
3b665c032b24f1302c82c9097a5255a6

SHA1
139c2a0e577c232ce6e5539dc9ef2a11ad1e8e67

SHA256
d8aea963df1d5132e377df18ae19ef47e9375c7cbefebf01a935ecc67655c8df

SHA512
bc0b667aed19167fc4864d8209c360dabde56af2f5a8c785d84c5f900649d59eb92f6f8de89f2be81d3e87b321129e05f72d65ce6ee4c27e1ba10f25878271e2

Download Submit
memory/2152-36-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-50-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2152-34-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-17-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2152-20-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2152-19-0x0000000002520000-0x0000000002538000-memory.dmp

Filesize
96KB

Download
memory/2152-26-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-48-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-47-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-44-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-42-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-40-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-38-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-15-0x0000000002040000-0x000000000205A000-memory.dmp

Filesize
104KB

Download
memory/2152-18-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download
memory/2152-32-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-16-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2152-28-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-24-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-22-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-21-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-49-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/2152-30-0x0000000002520000-0x0000000002532000-memory.dmp

Filesize
72KB

Download
memory/2152-52-0x0000000074660000-0x0000000074E10000-memory.dmp

Filesize
7.7MB

Download
memory/2152-14-0x000000007466E000-0x000000007466F000-memory.dmp

Filesize
4KB

Download
memory/3708-56-0x0000000000930000-0x0000000000958000-memory.dmp

Filesize
160KB

Download
memory/3708-57-0x0000000007BC0000-0x00000000081D8000-memory.dmp

Filesize
6.1MB

Download
memory/3708-58-0x0000000007640000-0x0000000007652000-memory.dmp

Filesize
72KB

Download
memory/3708-59-0x00000000077B0000-0x00000000078BA000-memory.dmp

Filesize
1.0MB

Download
memory/3708-60-0x00000000076E0000-0x000000000771C000-memory.dmp

Filesize
240KB

Download
memory/3708-61-0x0000000002930000-0x000000000297C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads