healer | 7838df9015a1fb254f8ebb76d50a0311f48cef47c1790fc33330d7034cb41e1b

General

Target

7838df9015a1fb254f8ebb76d50a0311f48cef47c1790fc33330d7034cb41e1b.exe
Size

479KB
MD5

9d45003bbd9cd2f80671082546ed872e
SHA1

64e6057f4ca9c2cf00fb83254aa523a2061adf43
SHA256

7838df9015a1fb254f8ebb76d50a0311f48cef47c1790fc33330d7034cb41e1b
SHA512

6c59091cde77a57156a3d4ff9920e9fc9cfaa0188cbb549b7dfa14e5788577f0f305c214ec7d9d8089e1fa15f1c03fd19e58fc082f9e8385bab693ca32734381
SSDEEP

12288:SMrxy90pYX2iHi5TxdLQ7ep9nX1XcBEMPPxtJGHu:DykEi5TjMmlXc9qu

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4260-15-0x00000000026B0000-0x00000000026CA000-memory.dmp	healer
behavioral1/memory/4260-18-0x0000000005080000-0x0000000005098000-memory.dmp	healer
behavioral1/memory/4260-46-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-44-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-42-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-40-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-38-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-36-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-22-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-20-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-19-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-34-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-32-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-30-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-28-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-26-0x0000000005080000-0x0000000005092000-memory.dmp	healer
behavioral1/memory/4260-24-0x0000000005080000-0x0000000005092000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7995171.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7995171.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7995171.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a7995171.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7995171.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7995171.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca3-54.dat	family_redline
behavioral1/memory/2880-56-0x0000000000B10000-0x0000000000B38000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3480	v5535329.exe
4260	a7995171.exe
2880	b5681179.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7995171.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7995171.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7838df9015a1fb254f8ebb76d50a0311f48cef47c1790fc33330d7034cb41e1b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5535329.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7995171.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5681179.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7838df9015a1fb254f8ebb76d50a0311f48cef47c1790fc33330d7034cb41e1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v5535329.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4260	a7995171.exe
4260	a7995171.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	a7995171.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3836 wrote to memory of 3480	3836	7838df9015a1fb254f8ebb76d50a0311f48cef47c1790fc33330d7034cb41e1b.exe	84
PID 3836 wrote to memory of 3480	3836	7838df9015a1fb254f8ebb76d50a0311f48cef47c1790fc33330d7034cb41e1b.exe	84
PID 3836 wrote to memory of 3480	3836	7838df9015a1fb254f8ebb76d50a0311f48cef47c1790fc33330d7034cb41e1b.exe	84
PID 3480 wrote to memory of 4260	3480	v5535329.exe	85
PID 3480 wrote to memory of 4260	3480	v5535329.exe	85
PID 3480 wrote to memory of 4260	3480	v5535329.exe	85
PID 3480 wrote to memory of 2880	3480	v5535329.exe	93
PID 3480 wrote to memory of 2880	3480	v5535329.exe	93
PID 3480 wrote to memory of 2880	3480	v5535329.exe	93

C:\Users\Admin\AppData\Local\Temp\7838df9015a1fb254f8ebb76d50a0311f48cef47c1790fc33330d7034cb41e1b.exe
"C:\Users\Admin\AppData\Local\Temp\7838df9015a1fb254f8ebb76d50a0311f48cef47c1790fc33330d7034cb41e1b.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3836
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5535329.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5535329.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7995171.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7995171.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4260
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5681179.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5681179.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5535329.exe

Filesize
307KB

MD5
9a1777e74e7256de94cc17a67c3d011d

SHA1
8d09c368f9e43122479ad9521a7b7fda67e621c4

SHA256
d70a834e3a0a31b85a2fc383d8bce06d1c762a1a8c04e1e10772bcda9882e84b

SHA512
d9590eb4f39c9cda9d09ef76624f943038eb68346c0e81955b6c1e6e04f59974431e4ce9b01930045d51f739adc98e38015a94bff3ae671fccf915e96e17a8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7995171.exe

Filesize
175KB

MD5
f05650acbe1e2704c4e878e4065b47a2

SHA1
078befd9ac75c178aa50e668147e7d14a70e296f

SHA256
b6993421fc08fbd992ddf2a7f27e1526a6522b017e18c2cdbf51d4db5c1da1cc

SHA512
5f1a3c987beec2034f1e1259da6b37f28eb3833996b1d2306381ce0ec2d3faef46566119605f82e2889b3fd3261746f15ed9e7b37b384ed69f009ad64bf43633

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b5681179.exe

Filesize
136KB

MD5
419778a45c1a817aaadefe381cc04f3e

SHA1
9b8fa4e93ce92c19433035eb9f19cc7bceb29013

SHA256
f15d177b2c6fa94ce115320d3ad0942fe6e141b8fc109a7452ddf184cc393b4e

SHA512
d752e47d5df80c92ace8d1174da84d67e7c2c0db649f2307aca3b3d15b58019edb177cc11dc335aa4cc91c58bbd9c8ad88a0e8621ba6ff37400607286a654607

Download Submit
memory/2880-61-0x0000000004D90000-0x0000000004DDC000-memory.dmp

Filesize
304KB

Download
memory/2880-60-0x00000000078E0000-0x000000000791C000-memory.dmp

Filesize
240KB

Download
memory/2880-59-0x00000000079A0000-0x0000000007AAA000-memory.dmp

Filesize
1.0MB

Download
memory/2880-58-0x0000000007870000-0x0000000007882000-memory.dmp

Filesize
72KB

Download
memory/2880-57-0x0000000007E00000-0x0000000008418000-memory.dmp

Filesize
6.1MB

Download
memory/2880-56-0x0000000000B10000-0x0000000000B38000-memory.dmp

Filesize
160KB

Download
memory/4260-48-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/4260-26-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-38-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-36-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-22-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-47-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/4260-20-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-42-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-19-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-34-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-32-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-30-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-28-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-40-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-24-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-49-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download
memory/4260-50-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/4260-52-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/4260-44-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-46-0x0000000005080000-0x0000000005092000-memory.dmp

Filesize
72KB

Download
memory/4260-18-0x0000000005080000-0x0000000005098000-memory.dmp

Filesize
96KB

Download
memory/4260-16-0x00000000741F0000-0x00000000749A0000-memory.dmp

Filesize
7.7MB

Download
memory/4260-17-0x0000000004A90000-0x0000000005034000-memory.dmp

Filesize
5.6MB

Download
memory/4260-15-0x00000000026B0000-0x00000000026CA000-memory.dmp

Filesize
104KB

Download
memory/4260-14-0x00000000741FE000-0x00000000741FF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads