healer | b9be943caa6ba1f04fbb3cf2e724da13373fb5519c4e179f799f2cb12d2bab48

General

Target

b9be943caa6ba1f04fbb3cf2e724da13373fb5519c4e179f799f2cb12d2bab48.exe
Size

1.5MB
MD5

ab3083bbcf97ff1458e0ac05561265b8
SHA1

0196d620f0bbaa0fc41727a9e8af84a6d76663c7
SHA256

b9be943caa6ba1f04fbb3cf2e724da13373fb5519c4e179f799f2cb12d2bab48
SHA512

540d0780a3aa2071fc939992cdf6a6604a4f917edccbdca12115e221548efa7840a403357b103ee4ba177d650ffc8c96ea302298edf683c53395cd1ad61d2bda
SSDEEP

24576:yygZarBGTynGwT3egDGqod2Bgbp8qD1qUWJnOrAsp625QMxTbQtcRRjH17mbMPUT:ZgwrBGOGwjeQGSO9HQdOrAs/264cjrha

Score

10^/10

healer redline mazda discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3260-36-0x0000000002240000-0x000000000225A000-memory.dmp	healer
behavioral1/memory/3260-38-0x00000000025C0000-0x00000000025D8000-memory.dmp	healer
behavioral1/memory/3260-66-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-64-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-63-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-60-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-58-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-56-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-55-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-52-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-50-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-48-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-46-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-44-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-42-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-40-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer
behavioral1/memory/3260-39-0x00000000025C0000-0x00000000025D2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8842377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8842377.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a8842377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8842377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8842377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8842377.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cb0-71.dat	family_redline
behavioral1/memory/4800-73-0x00000000005C0000-0x00000000005F0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
388	v9891561.exe
1336	v6676259.exe
3020	v8421569.exe
4720	v4377293.exe
3260	a8842377.exe
4800	b9069175.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a8842377.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8842377.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9891561.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6676259.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8421569.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4377293.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b9be943caa6ba1f04fbb3cf2e724da13373fb5519c4e179f799f2cb12d2bab48.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4888	3260	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6676259.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v8421569.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v4377293.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8842377.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9069175.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9be943caa6ba1f04fbb3cf2e724da13373fb5519c4e179f799f2cb12d2bab48.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v9891561.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3260	a8842377.exe
3260	a8842377.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	a8842377.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 388	3256	b9be943caa6ba1f04fbb3cf2e724da13373fb5519c4e179f799f2cb12d2bab48.exe	85
PID 3256 wrote to memory of 388	3256	b9be943caa6ba1f04fbb3cf2e724da13373fb5519c4e179f799f2cb12d2bab48.exe	85
PID 3256 wrote to memory of 388	3256	b9be943caa6ba1f04fbb3cf2e724da13373fb5519c4e179f799f2cb12d2bab48.exe	85
PID 388 wrote to memory of 1336	388	v9891561.exe	86
PID 388 wrote to memory of 1336	388	v9891561.exe	86
PID 388 wrote to memory of 1336	388	v9891561.exe	86
PID 1336 wrote to memory of 3020	1336	v6676259.exe	88
PID 1336 wrote to memory of 3020	1336	v6676259.exe	88
PID 1336 wrote to memory of 3020	1336	v6676259.exe	88
PID 3020 wrote to memory of 4720	3020	v8421569.exe	89
PID 3020 wrote to memory of 4720	3020	v8421569.exe	89
PID 3020 wrote to memory of 4720	3020	v8421569.exe	89
PID 4720 wrote to memory of 3260	4720	v4377293.exe	90
PID 4720 wrote to memory of 3260	4720	v4377293.exe	90
PID 4720 wrote to memory of 3260	4720	v4377293.exe	90
PID 4720 wrote to memory of 4800	4720	v4377293.exe	103
PID 4720 wrote to memory of 4800	4720	v4377293.exe	103
PID 4720 wrote to memory of 4800	4720	v4377293.exe	103

C:\Users\Admin\AppData\Local\Temp\b9be943caa6ba1f04fbb3cf2e724da13373fb5519c4e179f799f2cb12d2bab48.exe
"C:\Users\Admin\AppData\Local\Temp\b9be943caa6ba1f04fbb3cf2e724da13373fb5519c4e179f799f2cb12d2bab48.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9891561.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9891561.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6676259.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6676259.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8421569.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8421569.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4377293.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4377293.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4720
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8842377.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8842377.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3260 -s 1084
        7⤵
        Program crash
        
        PID:4888
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9069175.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9069175.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3260 -ip 3260
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9891561.exe

Filesize
1.3MB

MD5
ca3cfe98402ed33a5b0ab45d5524f15b

SHA1
93b9c5cf123bc726ec545ae22ea938c12eb9bfa6

SHA256
ab31728a7d53677bca94a9b61316ad45fa648430a1fff973335e3ecd97a3a1ad

SHA512
8760f3824449ce0adfdbaf0041a73beba3adc06da962afad4ebbf575d2ca5826b86afc70e10a3a4059f91a52154227b9266c07ac1b07843a32837249f69816ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6676259.exe

Filesize
866KB

MD5
81f06603f341f69d4d925b28c3648a28

SHA1
490ff52b1854847382d606616191955ae4e41fa5

SHA256
6d3fc2ac9124726d812356381f8f8aaf74ac6780b423f3c82157a29f313533da

SHA512
e55e8a2ea921254bf87f446154f36e550a1c63a934407f8177feff03ff93e088a329387015a82fcd7b9630fef3ad6f27e460762fbb2732f397ecacfebfdbb12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8421569.exe

Filesize
662KB

MD5
53ca6e24e945f4894d5668bc9e96f8e8

SHA1
acdd7bd7fbf4715a4ac90dd5a73f462b8d4947f4

SHA256
8c9be663872cea08f5aee92c8d6a88db90b3e8b4a7ab078d5107bbffa5efdeb7

SHA512
44eba8ec9c1e0c0be161a0c5abecf3be502c02462da321f1c597618d15ccadf21ce2695b7de32bc07e8f2d1f4fbbd0867b70c2375c0edd684532cc9f325bb705

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4377293.exe

Filesize
393KB

MD5
a8d37af984a75d9435e2a762e05e8b4c

SHA1
d7afb9b739a353482b9f7301ccc22de2ee36746a

SHA256
35aab35d8b725a76fa8255cc40f15d23cd99287654580ed3fb3ef15e6ac24415

SHA512
28fbb391210d2c485ed9d4ae8541b197f9d9b2f16e12f1eabf67592da460301c6ccd48c937b7a99ce8950855231fdc83b1ffae04228f950c21dca21b22f5c0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8842377.exe

Filesize
315KB

MD5
e088e1c55d7d8f75c6706837b0b6e889

SHA1
ac106450d1a55316182b38d624720662dc485c28

SHA256
6540409a80f7d9048b7c64efac9969f5d8bd1b7c64c86718700d3a6f89d56608

SHA512
bba55874c8cd77b25c9ec0fb80ffaa0c41fc9a5a63983e927548309274821490d61d4c5040853299a5958dbcdea937959780f25b69c8a9efb3a1047c5a21ebc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9069175.exe

Filesize
168KB

MD5
6936fbb48213bcb4d0fcd423a1c7a06e

SHA1
127de6c2485ea27473559a7041a5d58838f40d89

SHA256
cb295a2ce7fd4f0b8a53882708a421dcb1a564eae3837e9058e608d2e06d6aa8

SHA512
4b484c1502335f8bcdf02efbb3f9c0ac4ca40d95139c7d83e4f053188bbfa52e39fde12fd30a192c977bf95ea4d83ceeefa97379bb10c818b7df6f5494b55ee0

Download Submit
memory/3260-50-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-44-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-66-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-64-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-63-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-60-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-58-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-56-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-55-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-52-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-37-0x0000000004BA0000-0x0000000005144000-memory.dmp

Filesize
5.6MB

Download
memory/3260-48-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-46-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-38-0x00000000025C0000-0x00000000025D8000-memory.dmp

Filesize
96KB

Download
memory/3260-42-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-40-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-39-0x00000000025C0000-0x00000000025D2000-memory.dmp

Filesize
72KB

Download
memory/3260-67-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-69-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3260-36-0x0000000002240000-0x000000000225A000-memory.dmp

Filesize
104KB

Download
memory/4800-73-0x00000000005C0000-0x00000000005F0000-memory.dmp

Filesize
192KB

Download
memory/4800-74-0x0000000004D60000-0x0000000004D66000-memory.dmp

Filesize
24KB

Download
memory/4800-75-0x000000000AA00000-0x000000000B018000-memory.dmp

Filesize
6.1MB

Download
memory/4800-76-0x000000000A570000-0x000000000A67A000-memory.dmp

Filesize
1.0MB

Download
memory/4800-77-0x000000000A4A0000-0x000000000A4B2000-memory.dmp

Filesize
72KB

Download
memory/4800-78-0x000000000A500000-0x000000000A53C000-memory.dmp

Filesize
240KB

Download
memory/4800-79-0x0000000002730000-0x000000000277C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads