healer | b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b

General

Target

b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe
Size

1.5MB
MD5

243b009c520d4dd68e7330b87e64bb2a
SHA1

e5fe662fc9abb4f8972de891c85e1517c04f4175
SHA256

b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b
SHA512

ab168813c18dcc502aa956d8f274ae888eca81137b0c8d9e5fd64bcdfb6cc798b502b28d3c88d66ba4d31474db91b9f4079c6e61f3436c32802b9e176a9fe3cc
SSDEEP

24576:wyWI6j2oKRiqr6eWf/03ZPzi7wQjITPKxJubulMtJ9urcX7CU19TstCW:3bNr0YFUQu7DETP2uOAacrCU1Fs

Score

10^/10

healer redline mazda discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2020-36-0x0000000002340000-0x000000000235A000-memory.dmp	healer
behavioral1/memory/2020-38-0x00000000024E0000-0x00000000024F8000-memory.dmp	healer
behavioral1/memory/2020-66-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-64-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-62-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-60-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-58-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-56-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-54-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-52-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-50-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-48-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-46-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-44-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-42-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-41-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer
behavioral1/memory/2020-39-0x00000000024E0000-0x00000000024F2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8756253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8756253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8756253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8756253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8756253.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a8756253.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ced-71.dat	family_redline
behavioral1/memory/2948-73-0x0000000000E40000-0x0000000000E70000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
4636	v3900672.exe
1552	v3569271.exe
2672	v3574120.exe
2040	v8381177.exe
2020	a8756253.exe
2948	b5367079.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8756253.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8756253.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3900672.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3569271.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3574120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8381177.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
372	2020	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3900672.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3569271.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3574120.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v8381177.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8756253.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5367079.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2020	a8756253.exe
2020	a8756253.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	a8756253.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4636	4528	b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe	86
PID 4528 wrote to memory of 4636	4528	b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe	86
PID 4528 wrote to memory of 4636	4528	b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe	86
PID 4636 wrote to memory of 1552	4636	v3900672.exe	87
PID 4636 wrote to memory of 1552	4636	v3900672.exe	87
PID 4636 wrote to memory of 1552	4636	v3900672.exe	87
PID 1552 wrote to memory of 2672	1552	v3569271.exe	88
PID 1552 wrote to memory of 2672	1552	v3569271.exe	88
PID 1552 wrote to memory of 2672	1552	v3569271.exe	88
PID 2672 wrote to memory of 2040	2672	v3574120.exe	89
PID 2672 wrote to memory of 2040	2672	v3574120.exe	89
PID 2672 wrote to memory of 2040	2672	v3574120.exe	89
PID 2040 wrote to memory of 2020	2040	v8381177.exe	90
PID 2040 wrote to memory of 2020	2040	v8381177.exe	90
PID 2040 wrote to memory of 2020	2040	v8381177.exe	90
PID 2040 wrote to memory of 2948	2040	v8381177.exe	102
PID 2040 wrote to memory of 2948	2040	v8381177.exe	102
PID 2040 wrote to memory of 2948	2040	v8381177.exe	102

C:\Users\Admin\AppData\Local\Temp\b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe
"C:\Users\Admin\AppData\Local\Temp\b4864a53603aeb680aff9146fbf0bbe7f59dd0ca913a8ec0f9a55bdb94509c1b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 1092
        7⤵
        Program crash
        
        PID:372
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5367079.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5367079.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2020 -ip 2020
1⤵
PID:1424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3900672.exe

Filesize
1.3MB

MD5
b081f544c9e17030ff333fc8e8d3736d

SHA1
08b917bf3e058ae5a0460e89a8dfc5236d524512

SHA256
af3a30f681534110456b8dc0728c70c8ddd36e71a161402a41d7a5f0a4615c02

SHA512
ca270df6b170819d6a60aa2a9c31facb3b52b6482d00eec804296f938d692caef93ee9d152beed946c1f377a1b3857c7350946fa0b9c1b34ccb1f608c222e5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3569271.exe

Filesize
866KB

MD5
428d29fadb13f021df46bf96f97a2754

SHA1
448eb79b0d06b36a7c6ef672b62af3800fc34c9a

SHA256
19fdff5fa0020db4b841dd23e0be37055979607d77f797304e06e1adb90b0cac

SHA512
75a668cc91c1fd1a5df37d57d1314b7c710df84e1d2df39461af46cfd5ef55d1d601263188a5f3c0c35e4cccf9ec88dd42a2dab32e40fb8c311619558a06235e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3574120.exe

Filesize
662KB

MD5
00de60d4a49bb44dea9c7dd0debb5e2f

SHA1
48870a2d72f81dda4ab99a0e5cb6b552a14686a9

SHA256
96bd46766601793b6b5dfc74fb5d4e3b2df0c19b89fc30989b05135f394e3b56

SHA512
ea0fddc91198ba9aafad5f9c15db307b4a7649e2362acb4d5c004ba82b60c06acf73a8db06bef5d163571fa8bdec3bae1dfd5ae238822f70d797d0142489e153

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8381177.exe

Filesize
393KB

MD5
1bd69b4ba145898480aaeee8617b9fde

SHA1
f7ab62ced3f615cdba48b42f55331e876d5d6361

SHA256
a4f3a29f2624ca2abf419484cc695d83df3838c2e8061aacab90b5a110e27e0b

SHA512
5e07bcae35de1bdb3825e9d28218ccf1ddd2d50014f388125fb0dc719aca7c1ef830d29bc770ead5d9d359d154e5c442ebc56ffff620659912905d19daa972a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8756253.exe

Filesize
315KB

MD5
16ee1204825723b06bf92eaca8080da9

SHA1
ad2589153e1999f62318ad35a4edc649728490e0

SHA256
ba2baac21ed3ffedd46215e26a8ca0a5b62676123519c5f5820b7319261e9ab1

SHA512
67bb784e7596927472203f9183d0ac9e6f7cfcf10e5059151fd7987f59229180d63f54d49cf3377eb0eeec97cab8c707678442bf4256b398edb68a409d0aad26

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5367079.exe

Filesize
168KB

MD5
b5784f01167cf5707b0828d509ab8c73

SHA1
dd3e4a274d0a20c2c2ca948bb0af0b07198c3080

SHA256
ac6942c0828fea94f6aa2743d853940b8df92d4b0d95153a508f7e7acc5c2f23

SHA512
8290b0de1d6d22830424c8ac7f27f24941387db9b0b02aa828dd80df48a78b1d09bc2d009d74d114090b1e72320686dd78323d3e12206ed13692563dc5d9a5b0

Download Submit
memory/2020-50-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-44-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-66-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-64-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-62-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-60-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-58-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-56-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-54-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-52-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-37-0x0000000004BC0000-0x0000000005164000-memory.dmp

Filesize
5.6MB

Download
memory/2020-48-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-46-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-38-0x00000000024E0000-0x00000000024F8000-memory.dmp

Filesize
96KB

Download
memory/2020-42-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-41-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-39-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2020-67-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-69-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2020-36-0x0000000002340000-0x000000000235A000-memory.dmp

Filesize
104KB

Download
memory/2948-73-0x0000000000E40000-0x0000000000E70000-memory.dmp

Filesize
192KB

Download
memory/2948-74-0x00000000015B0000-0x00000000015B6000-memory.dmp

Filesize
24KB

Download
memory/2948-75-0x0000000005E00000-0x0000000006418000-memory.dmp

Filesize
6.1MB

Download
memory/2948-76-0x00000000058F0000-0x00000000059FA000-memory.dmp

Filesize
1.0MB

Download
memory/2948-77-0x00000000057B0000-0x00000000057C2000-memory.dmp

Filesize
72KB

Download
memory/2948-78-0x0000000005820000-0x000000000585C000-memory.dmp

Filesize
240KB

Download
memory/2948-79-0x0000000005870000-0x00000000058BC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads