healer | e7e4954d8f411c46c33c495fd91ed7245d450eaa11aeedeae6d2803e1b4f0a27

General

Target

e7e4954d8f411c46c33c495fd91ed7245d450eaa11aeedeae6d2803e1b4f0a27.exe
Size

1.5MB
MD5

90c3f42e2cf1cb426da2b881c39d1b61
SHA1

7084e463b5923af4863087c7ea53cd6507815962
SHA256

e7e4954d8f411c46c33c495fd91ed7245d450eaa11aeedeae6d2803e1b4f0a27
SHA512

710a757ab6d7a35fce9c234972075ddb2037ef2b718fa924316343de5c736b63473c52e78233c079c9765f0e5ecf640ef8edb2b98b64dcf96fee2b18faa46ea2
SSDEEP

24576:LyH6jEslKlOetW8yD8KDPkVVpysC8VjpSIu+Jnx4caTBrbmoeH4ecSa9ilUV9fBH:+zRg8yD6bl5jpm+Zx4ckbm7H4yU/zf

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2496-36-0x0000000002760000-0x000000000277A000-memory.dmp	healer
behavioral1/memory/2496-38-0x0000000002790000-0x00000000027A8000-memory.dmp	healer
behavioral1/memory/2496-46-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-66-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-64-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-62-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-60-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-58-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-56-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-54-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-52-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-50-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-48-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-44-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-40-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-39-0x0000000002790000-0x00000000027A2000-memory.dmp	healer
behavioral1/memory/2496-42-0x0000000002790000-0x00000000027A2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0877732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0877732.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0877732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0877732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0877732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0877732.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b8e-71.dat	family_redline
behavioral1/memory/2764-73-0x00000000008E0000-0x0000000000908000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
2596	v6286446.exe
3132	v4004599.exe
4596	v9222332.exe
1576	v9569847.exe
2496	a0877732.exe
2764	b1072774.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0877732.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0877732.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6286446.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4004599.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v9222332.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9569847.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e7e4954d8f411c46c33c495fd91ed7245d450eaa11aeedeae6d2803e1b4f0a27.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4588	2496	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0877732.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1072774.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7e4954d8f411c46c33c495fd91ed7245d450eaa11aeedeae6d2803e1b4f0a27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6286446.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v4004599.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v9222332.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v9569847.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2496	a0877732.exe
2496	a0877732.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2496	a0877732.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 2596	2120	e7e4954d8f411c46c33c495fd91ed7245d450eaa11aeedeae6d2803e1b4f0a27.exe	84
PID 2120 wrote to memory of 2596	2120	e7e4954d8f411c46c33c495fd91ed7245d450eaa11aeedeae6d2803e1b4f0a27.exe	84
PID 2120 wrote to memory of 2596	2120	e7e4954d8f411c46c33c495fd91ed7245d450eaa11aeedeae6d2803e1b4f0a27.exe	84
PID 2596 wrote to memory of 3132	2596	v6286446.exe	85
PID 2596 wrote to memory of 3132	2596	v6286446.exe	85
PID 2596 wrote to memory of 3132	2596	v6286446.exe	85
PID 3132 wrote to memory of 4596	3132	v4004599.exe	86
PID 3132 wrote to memory of 4596	3132	v4004599.exe	86
PID 3132 wrote to memory of 4596	3132	v4004599.exe	86
PID 4596 wrote to memory of 1576	4596	v9222332.exe	87
PID 4596 wrote to memory of 1576	4596	v9222332.exe	87
PID 4596 wrote to memory of 1576	4596	v9222332.exe	87
PID 1576 wrote to memory of 2496	1576	v9569847.exe	88
PID 1576 wrote to memory of 2496	1576	v9569847.exe	88
PID 1576 wrote to memory of 2496	1576	v9569847.exe	88
PID 1576 wrote to memory of 2764	1576	v9569847.exe	100
PID 1576 wrote to memory of 2764	1576	v9569847.exe	100
PID 1576 wrote to memory of 2764	1576	v9569847.exe	100

C:\Users\Admin\AppData\Local\Temp\e7e4954d8f411c46c33c495fd91ed7245d450eaa11aeedeae6d2803e1b4f0a27.exe
"C:\Users\Admin\AppData\Local\Temp\e7e4954d8f411c46c33c495fd91ed7245d450eaa11aeedeae6d2803e1b4f0a27.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6286446.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6286446.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4004599.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4004599.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9222332.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9222332.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9569847.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9569847.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0877732.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0877732.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1080
        7⤵
        Program crash
        
        PID:4588
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1072774.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1072774.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2496 -ip 2496
1⤵
PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6286446.exe

Filesize
1.4MB

MD5
503362037e790e6a5d52f01b11128668

SHA1
fa3ad80da0eb883d673a5d55d2268b4ccbf6bf28

SHA256
c46440a05b6f91cbdeae49213afd736f5b7ae1318cc434ca16c6701cfc05b178

SHA512
c31e6eced4753a4c8ee0b1d3cbd058300c328959aba9c04f74c367f2ea618b2c694c62bfc12ca83cf259417601fcdcbd707528d8843bb0f13c325663cd3bb05f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4004599.exe

Filesize
913KB

MD5
82194aa558560cf9124685f225905f1e

SHA1
17fd8f7d9377d957fc17dd1177ea46c95f703575

SHA256
390e67edcbd72dd2d75d676dd8a39307d042391c243a6763b8c729e1b77422ab

SHA512
d2bea2477abae41b21eff538b1deab94627120e3294c00c5d2f90e28fe67a80ec4d6213e842b2f9fd0c55f92060e9b7ca5ccaebe08ba7d85651f2d89ad26bcf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v9222332.exe

Filesize
709KB

MD5
c945e0c07a8f8274c0f6796dceac9393

SHA1
dcadd575d16606d51846476950ae063d2fad0d7e

SHA256
30d4eadaf93937ddb40fca82f61d064b1cbe677e9d7ae4f25be73a2a582362c2

SHA512
bac6f97b1fbce88c6face41ec1d198ee192b1da2586c59620f350375aad61b66e69a4b176c5174a0acfe629c746406fc84f340c623881cbbe6b88b2500476fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9569847.exe

Filesize
418KB

MD5
cdf3bb3360aa35e6fc3de0d5611d93bf

SHA1
8083c1a6abb61ecb375f2175607af046ac364b61

SHA256
57fc883f2a1d2689db4f30ebd1ccc57b6fde0f89faab1869507e30faaf3b5c5d

SHA512
381176561e761152807156f3a7c5f0fc705bc36e02c09042482e822154e44fed2e0a8452a7d1639c88483349ed0c4071583749725d44b550a2b8e0e815b6f41c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0877732.exe

Filesize
361KB

MD5
5e78cfff938eeff249af9b5f48ae8775

SHA1
eb5a66932765a03df0dddf163d81d43224a30493

SHA256
669e12ee03ecbfb9c273fec013cbcf4722c1c42f5952d4b09f4688632bdfef91

SHA512
90c0002bede1077f0642320e8a8c3760a21f8e1c9a90a6758394bec5e799ada6a96728d925fd1cc4c6d3c503fa6d52c5d7bdd02e8cbbe338bcf48184df43a80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1072774.exe

Filesize
136KB

MD5
b4659fa114d780924e2dd920d96fbfa2

SHA1
9607c4f25afd7578d71e97f4b2810a2dadc3b6d0

SHA256
6ceb918a3f1744c5848ea7847284f415ae72ff8fa58c4596b29ad278b8e15c78

SHA512
c6d9b46bcb101dea42827eb1e8d110374de817747b815a14331a935b31de30d05bb57d56bc3ced0258a70b05452180d7e35d17ae4afdb80186bae4e24f309588

Download Submit
memory/2496-52-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-44-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-46-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-66-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-64-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-62-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-60-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-58-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-56-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-54-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-37-0x0000000004DF0000-0x0000000005394000-memory.dmp

Filesize
5.6MB

Download
memory/2496-50-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-48-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-38-0x0000000002790000-0x00000000027A8000-memory.dmp

Filesize
96KB

Download
memory/2496-40-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-39-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-42-0x0000000002790000-0x00000000027A2000-memory.dmp

Filesize
72KB

Download
memory/2496-67-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2496-69-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2496-36-0x0000000002760000-0x000000000277A000-memory.dmp

Filesize
104KB

Download
memory/2764-73-0x00000000008E0000-0x0000000000908000-memory.dmp

Filesize
160KB

Download
memory/2764-74-0x0000000007B70000-0x0000000008188000-memory.dmp

Filesize
6.1MB

Download
memory/2764-75-0x0000000007600000-0x0000000007612000-memory.dmp

Filesize
72KB

Download
memory/2764-76-0x0000000007770000-0x000000000787A000-memory.dmp

Filesize
1.0MB

Download
memory/2764-77-0x00000000076A0000-0x00000000076DC000-memory.dmp

Filesize
240KB

Download
memory/2764-78-0x0000000002A20000-0x0000000002A6C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads