healer | 2fa23fe74d8db262a3dfbd54895f3704eb81f9c53c8748f82ec72eda368c6adc

General

Target

2fa23fe74d8db262a3dfbd54895f3704eb81f9c53c8748f82ec72eda368c6adc.exe
Size

479KB
MD5

905d56a1faa52089369e7d36dc43f2ab
SHA1

4a0d9e22642e4457bf9b51e3701e90b4554d37a5
SHA256

2fa23fe74d8db262a3dfbd54895f3704eb81f9c53c8748f82ec72eda368c6adc
SHA512

1ee4a7f85df60896d9a6065fdab6eb392cb8ddddd0b3fbc663111a57606b1fde3ad9f9feb74575133d0ecbfc1a805b676487699ffb2fc53d1d4a2077e46a9e27
SSDEEP

12288:vMrwy90wRs0n5c1u31UTrO26Qb8te6J4TnVCxDn7hQ3dLV2:3yRCaX2TS2N8te6Jl78LA

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/464-15-0x00000000022A0000-0x00000000022BA000-memory.dmp	healer
behavioral1/memory/464-19-0x0000000004980000-0x0000000004998000-memory.dmp	healer
behavioral1/memory/464-48-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-46-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-44-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-42-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-40-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-38-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-36-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-34-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-32-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-30-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-28-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-26-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-24-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-22-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/464-21-0x0000000004980000-0x0000000004992000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6708615.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6708615.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6708615.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6708615.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6708615.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k6708615.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c86-54.dat	family_redline
behavioral1/memory/1584-56-0x00000000000E0000-0x0000000000108000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3064	y1749817.exe
464	k6708615.exe
1584	l5121070.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k6708615.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k6708615.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2fa23fe74d8db262a3dfbd54895f3704eb81f9c53c8748f82ec72eda368c6adc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1749817.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2fa23fe74d8db262a3dfbd54895f3704eb81f9c53c8748f82ec72eda368c6adc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y1749817.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k6708615.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l5121070.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
464	k6708615.exe
464	k6708615.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	464	k6708615.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 3064	3300	2fa23fe74d8db262a3dfbd54895f3704eb81f9c53c8748f82ec72eda368c6adc.exe	84
PID 3300 wrote to memory of 3064	3300	2fa23fe74d8db262a3dfbd54895f3704eb81f9c53c8748f82ec72eda368c6adc.exe	84
PID 3300 wrote to memory of 3064	3300	2fa23fe74d8db262a3dfbd54895f3704eb81f9c53c8748f82ec72eda368c6adc.exe	84
PID 3064 wrote to memory of 464	3064	y1749817.exe	85
PID 3064 wrote to memory of 464	3064	y1749817.exe	85
PID 3064 wrote to memory of 464	3064	y1749817.exe	85
PID 3064 wrote to memory of 1584	3064	y1749817.exe	89
PID 3064 wrote to memory of 1584	3064	y1749817.exe	89
PID 3064 wrote to memory of 1584	3064	y1749817.exe	89

C:\Users\Admin\AppData\Local\Temp\2fa23fe74d8db262a3dfbd54895f3704eb81f9c53c8748f82ec72eda368c6adc.exe
"C:\Users\Admin\AppData\Local\Temp\2fa23fe74d8db262a3dfbd54895f3704eb81f9c53c8748f82ec72eda368c6adc.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1749817.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1749817.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6708615.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6708615.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:464
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5121070.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5121070.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1749817.exe

Filesize
307KB

MD5
8808802b207513d76a2bd65c50ea1394

SHA1
07d57e67fc16c225d5642b135c32bb4e73bd6a3e

SHA256
ffc7e886a2fe9e3261b4e0ddb48ad3aadf7edf3ccfdbd23e6ee2b2181da003ff

SHA512
9318f4ac4c783237fa5cf2bc71d2495f5adfd704c24ee028b2fc7f2a0a9697802b139b5c1f6415f7f934e21a6531ff1138abfbfcecc0a5ced8ca47ab5bfb592a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6708615.exe

Filesize
175KB

MD5
1605f718f74c8534e4d8a7a444f84e83

SHA1
71974c8c55826c185ac42f5c3d16a12246785629

SHA256
63e0759744094f8ca1c5fd1d7943eca521569abf99458ddfbf6f4d1ea112f9a3

SHA512
df33e74487998ccd4da1b461d94b2e3c57331775df658f6afe8998d309b525f018e57f13afcc943cec322f5a0d7d04f560774620cab25612723a0483438f7e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l5121070.exe

Filesize
136KB

MD5
313c2c890b3c4693523af09fb07d6683

SHA1
8f3c1fb521ff3d99d500afbd0a32b0ab4952261a

SHA256
65d8a8d4f144aefc11328650a4a0d3ae7d2c3893a602eff5928973da8d438fa1

SHA512
7468d1294753000bbcf7ae744880d50cb78bdaebe2bc25c285bcdabc12d4ee3586cc31d6bfe76e6918c8604000d80a2c5fa5b2e645b319e0e6b27e1370cb92a2

Download Submit
memory/464-34-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-50-0x00000000742D0000-0x0000000074A80000-memory.dmp

Filesize
7.7MB

Download
memory/464-32-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-18-0x00000000742D0000-0x0000000074A80000-memory.dmp

Filesize
7.7MB

Download
memory/464-20-0x00000000742D0000-0x0000000074A80000-memory.dmp

Filesize
7.7MB

Download
memory/464-19-0x0000000004980000-0x0000000004998000-memory.dmp

Filesize
96KB

Download
memory/464-48-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-46-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-44-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-42-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-40-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-38-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-36-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-15-0x00000000022A0000-0x00000000022BA000-memory.dmp

Filesize
104KB

Download
memory/464-17-0x0000000004AF0000-0x0000000005094000-memory.dmp

Filesize
5.6MB

Download
memory/464-30-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-16-0x00000000742D0000-0x0000000074A80000-memory.dmp

Filesize
7.7MB

Download
memory/464-26-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-24-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-22-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-21-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-49-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/464-28-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/464-52-0x00000000742D0000-0x0000000074A80000-memory.dmp

Filesize
7.7MB

Download
memory/464-14-0x00000000742DE000-0x00000000742DF000-memory.dmp

Filesize
4KB

Download
memory/1584-56-0x00000000000E0000-0x0000000000108000-memory.dmp

Filesize
160KB

Download
memory/1584-57-0x0000000007380000-0x0000000007998000-memory.dmp

Filesize
6.1MB

Download
memory/1584-58-0x0000000006E00000-0x0000000006E12000-memory.dmp

Filesize
72KB

Download
memory/1584-59-0x0000000006F70000-0x000000000707A000-memory.dmp

Filesize
1.0MB

Download
memory/1584-60-0x0000000006ED0000-0x0000000006F0C000-memory.dmp

Filesize
240KB

Download
memory/1584-61-0x0000000004410000-0x000000000445C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads