healer | 9b093029d88b2cf0ef3585e643a4e616d9b59bb8557cfbb72fbc83ba57e48c24

General

Target

9b093029d88b2cf0ef3585e643a4e616d9b59bb8557cfbb72fbc83ba57e48c24.exe
Size

1.5MB
MD5

47d241e28d7425af7214f892fdea3be9
SHA1

f66b2c1a0c919ffb14cf0483b67636f9baefb16d
SHA256

9b093029d88b2cf0ef3585e643a4e616d9b59bb8557cfbb72fbc83ba57e48c24
SHA512

20cefdf5747a7e97d54d80db8e65ec3e103e7b21dede5cb64cc7fd95e9f2dfd30faadbb1a011aaa289a1b4d8c1e6f96a4ce8d0f1a474cf6a3bfa4068de148d8d
SSDEEP

24576:8yyXvJ2JunFWNx+9XSm2KTJQ72oqrqezQLM+X9Wpx/r1CTdZAD4Ny034ZKZ5xJcK:r+vJ2knFEg9XPJQ72oCqO6X9Wv/rg7xb

Score

10^/10

healer redline mask discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mask

C2

217.196.96.56:4138

Attributes

auth_value
31aef25be0febb8e491794ef7f502c50

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4028-36-0x00000000022A0000-0x00000000022BA000-memory.dmp	healer
behavioral1/memory/4028-38-0x0000000004B50000-0x0000000004B68000-memory.dmp	healer
behavioral1/memory/4028-64-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-66-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-62-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-60-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-58-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-56-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-54-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-52-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-50-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-49-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-46-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-42-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-40-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-44-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer
behavioral1/memory/4028-39-0x0000000004B50000-0x0000000004B62000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4784208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4784208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4784208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4784208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4784208.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4784208.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b73-71.dat	family_redline
behavioral1/memory/4840-73-0x0000000000310000-0x0000000000340000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
3248	v1041272.exe
3924	v2665436.exe
1208	v1378647.exe
1824	v4838185.exe
4028	a4784208.exe
4840	b1659879.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4784208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4784208.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4838185.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9b093029d88b2cf0ef3585e643a4e616d9b59bb8557cfbb72fbc83ba57e48c24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1041272.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2665436.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1378647.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1852	4028	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v1041272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2665436.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v1378647.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v4838185.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4784208.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1659879.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9b093029d88b2cf0ef3585e643a4e616d9b59bb8557cfbb72fbc83ba57e48c24.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4028	a4784208.exe
4028	a4784208.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4028	a4784208.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3248	4956	9b093029d88b2cf0ef3585e643a4e616d9b59bb8557cfbb72fbc83ba57e48c24.exe	84
PID 4956 wrote to memory of 3248	4956	9b093029d88b2cf0ef3585e643a4e616d9b59bb8557cfbb72fbc83ba57e48c24.exe	84
PID 4956 wrote to memory of 3248	4956	9b093029d88b2cf0ef3585e643a4e616d9b59bb8557cfbb72fbc83ba57e48c24.exe	84
PID 3248 wrote to memory of 3924	3248	v1041272.exe	85
PID 3248 wrote to memory of 3924	3248	v1041272.exe	85
PID 3248 wrote to memory of 3924	3248	v1041272.exe	85
PID 3924 wrote to memory of 1208	3924	v2665436.exe	86
PID 3924 wrote to memory of 1208	3924	v2665436.exe	86
PID 3924 wrote to memory of 1208	3924	v2665436.exe	86
PID 1208 wrote to memory of 1824	1208	v1378647.exe	87
PID 1208 wrote to memory of 1824	1208	v1378647.exe	87
PID 1208 wrote to memory of 1824	1208	v1378647.exe	87
PID 1824 wrote to memory of 4028	1824	v4838185.exe	88
PID 1824 wrote to memory of 4028	1824	v4838185.exe	88
PID 1824 wrote to memory of 4028	1824	v4838185.exe	88
PID 1824 wrote to memory of 4840	1824	v4838185.exe	100
PID 1824 wrote to memory of 4840	1824	v4838185.exe	100
PID 1824 wrote to memory of 4840	1824	v4838185.exe	100

C:\Users\Admin\AppData\Local\Temp\9b093029d88b2cf0ef3585e643a4e616d9b59bb8557cfbb72fbc83ba57e48c24.exe
"C:\Users\Admin\AppData\Local\Temp\9b093029d88b2cf0ef3585e643a4e616d9b59bb8557cfbb72fbc83ba57e48c24.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1041272.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1041272.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3248
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2665436.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2665436.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1378647.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1378647.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4838185.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4838185.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4784208.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4784208.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 1080
        7⤵
        Program crash
        
        PID:1852
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1659879.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1659879.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4028 -ip 4028
1⤵
PID:3360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1041272.exe

Filesize
1.3MB

MD5
daec7bca2b4eaba64e159167f5ded87d

SHA1
fc9340acc0a39a47eea58761e1f990f55199afac

SHA256
9533a95b94d018f1c8e371f1584a0df7de2ff43e9afc680f1deebe10346f537f

SHA512
eb09f0a4b7085b2ac41b6cf751c3bf0b178a042fa8fca64a33a1ce9db826f94f9ed7553f1c57c75fa2b8688297797b723413d6b33d2980e1e159dd4c2ddd3b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2665436.exe

Filesize
848KB

MD5
d5db5df895861f0186f40702f7ac606f

SHA1
fa0a0208d1848af401496182201e5831e7c292b3

SHA256
de32fac52a19197aa16b138404faba6bce82e6f26e89f56768ea9fbd229f62bc

SHA512
2571cbf21a67cc0c4aa7188cd03d7e669940069cb6faf092d6664ffa116348fa9c14817d20eb3c4cde0577ad314e37bd11d7afd51a0f832014a255569479c421

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1378647.exe

Filesize
644KB

MD5
91b077330081bab7acb529878e9c8f51

SHA1
b9ae2a6914ccdbccab61d36918d2ab8dac95e281

SHA256
b6fac2089370b223042c837ba678fb8fc19e6f02b9543aaa8d9bd76a4702185a

SHA512
6697ea02e7a5623bddfb223de1783a7b0a8f8667622c69d7b3225b207ef5c1b4218672c117fc1c9c6ddd6edab4b4a3911d536ae48d0f4c311dcaa91723c9a21f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4838185.exe

Filesize
384KB

MD5
107d82266245dcb6691148ba12111900

SHA1
f98505f0dc6759fc5e73327a063013b1808d3a23

SHA256
35476dd09dfb551ad70fd0917ecc2f236a328a27b31bff2e24b00ea9b1b6597b

SHA512
ef975ab47ebc0bba71e93bd1d6c47c691f549fd231a06311cbae6759402cb8ccd306fb35afab0adf8fff85953e983649cb8944f91c55c3e1a70262d7741f47f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4784208.exe

Filesize
292KB

MD5
d4cc28717c1f32b1ff8e682e4e23f310

SHA1
7b23453ffa981d7fb50206426f9ff6b373d21b5b

SHA256
a610cc8449d62b470186c116f44ac7784cfeee453de9dc3ff838f5f0385edec3

SHA512
68cdf75a2008e38aa0e865da913ef12ef5f2dee34f01eb07843066204c02a0ff388aa309cc12d0bb81b66f9f7307fcf17be286875721d7822aa21e60a204ab43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1659879.exe

Filesize
168KB

MD5
c087c430e55fc1c20f293db20ff1aad5

SHA1
69d3b166bfcff230add0e0dc2148249437c2259e

SHA256
9c0e2f556c28322ed0509adaa12fda04c88930bf72644f463a239c4b9ac0ae5f

SHA512
a5ea5b44a5f43709b3a6564383480f50abd974af0a913e0bfccabe0ef7fb00a38d89c8f2482f019b8a301a02420f157719a969c0da238bf20aaae707c9d84fc5

Download Submit
memory/4028-50-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-42-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-64-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-66-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-62-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-60-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-58-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-56-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-54-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-52-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-37-0x0000000004CA0000-0x0000000005244000-memory.dmp

Filesize
5.6MB

Download
memory/4028-49-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-46-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-38-0x0000000004B50000-0x0000000004B68000-memory.dmp

Filesize
96KB

Download
memory/4028-40-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-44-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-39-0x0000000004B50000-0x0000000004B62000-memory.dmp

Filesize
72KB

Download
memory/4028-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4028-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/4028-36-0x00000000022A0000-0x00000000022BA000-memory.dmp

Filesize
104KB

Download
memory/4840-73-0x0000000000310000-0x0000000000340000-memory.dmp

Filesize
192KB

Download
memory/4840-74-0x0000000002570000-0x0000000002576000-memory.dmp

Filesize
24KB

Download
memory/4840-75-0x0000000005380000-0x0000000005998000-memory.dmp

Filesize
6.1MB

Download
memory/4840-76-0x0000000004EA0000-0x0000000004FAA000-memory.dmp

Filesize
1.0MB

Download
memory/4840-77-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/4840-78-0x0000000004E30000-0x0000000004E6C000-memory.dmp

Filesize
240KB

Download
memory/4840-79-0x0000000004FB0000-0x0000000004FFC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads