healer | 608312e5a94be37df8805a0729a223eb5cbc5ed9d21225d617129a5cabb031d8

General

Target

608312e5a94be37df8805a0729a223eb5cbc5ed9d21225d617129a5cabb031d8.exe
Size

491KB
MD5

06c4bd51cbf51954b34d81b43bd144f2
SHA1

e924fad84cc93ea850f632291b7a1692efd391f5
SHA256

608312e5a94be37df8805a0729a223eb5cbc5ed9d21225d617129a5cabb031d8
SHA512

4beecaa4ac861556d927ce0fbf9275b2938f0934c6c0c7d93807f88c0878e660bc6e2b864ae6de58b88963b3feaef7da82e51f6507a4b54d84e34ea0335f8edb
SSDEEP

12288:hMryy90tNXA8J+H4kcg1msGSksfQ+Yy2LhROG:bywNm4eIsDkoQ+YUG

Score

10^/10

healer redline lade discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

lade

C2

217.196.96.101:4132

Attributes

auth_value
6e597bb53b7858f1eaca3f569cb16e1e

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2476-15-0x0000000002180000-0x000000000219A000-memory.dmp	healer
behavioral1/memory/2476-19-0x0000000002410000-0x0000000002428000-memory.dmp	healer
behavioral1/memory/2476-20-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-33-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-47-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-45-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-43-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-41-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-39-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-37-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-31-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-29-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-27-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-25-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-23-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-21-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/2476-35-0x0000000002410000-0x0000000002422000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	o3932238.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	o3932238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	o3932238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	o3932238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	o3932238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	o3932238.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b8b-53.dat	family_redline
behavioral1/memory/2756-55-0x0000000000C10000-0x0000000000C3E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4040	z1944079.exe
2476	o3932238.exe
2756	r4943099.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	o3932238.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	o3932238.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	608312e5a94be37df8805a0729a223eb5cbc5ed9d21225d617129a5cabb031d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1944079.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	608312e5a94be37df8805a0729a223eb5cbc5ed9d21225d617129a5cabb031d8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	z1944079.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	o3932238.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r4943099.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2476	o3932238.exe
2476	o3932238.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	o3932238.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4840 wrote to memory of 4040	4840	608312e5a94be37df8805a0729a223eb5cbc5ed9d21225d617129a5cabb031d8.exe	87
PID 4840 wrote to memory of 4040	4840	608312e5a94be37df8805a0729a223eb5cbc5ed9d21225d617129a5cabb031d8.exe	87
PID 4840 wrote to memory of 4040	4840	608312e5a94be37df8805a0729a223eb5cbc5ed9d21225d617129a5cabb031d8.exe	87
PID 4040 wrote to memory of 2476	4040	z1944079.exe	88
PID 4040 wrote to memory of 2476	4040	z1944079.exe	88
PID 4040 wrote to memory of 2476	4040	z1944079.exe	88
PID 4040 wrote to memory of 2756	4040	z1944079.exe	96
PID 4040 wrote to memory of 2756	4040	z1944079.exe	96
PID 4040 wrote to memory of 2756	4040	z1944079.exe	96

C:\Users\Admin\AppData\Local\Temp\608312e5a94be37df8805a0729a223eb5cbc5ed9d21225d617129a5cabb031d8.exe
"C:\Users\Admin\AppData\Local\Temp\608312e5a94be37df8805a0729a223eb5cbc5ed9d21225d617129a5cabb031d8.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1944079.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1944079.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3932238.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3932238.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4943099.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4943099.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1944079.exe

Filesize
309KB

MD5
42092990daea1da03845faa13f93c54d

SHA1
302194fe73568569dd4eb5aba37951cf46247b13

SHA256
68d9855f5efa5018ac846653d3a2d07e17fc1fcdfc0032c369f9a96e50c913aa

SHA512
1f0c3eeaf9f65dee1c15bc6e350c59bbf9d22f6b339d3d7c0b1e2b69a36a65675f325ed423f60a6dc0fa99fc4bef77f2a58f8b2ff8ce6059d983bc6fcaf8a746

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o3932238.exe

Filesize
177KB

MD5
d38bcad19c8593893c18f8fb870e1583

SHA1
427da7efe362534e6ef6c42737b8541435978644

SHA256
598a3a54f3b29a78865dd05e0fe15455f38e912d4f54a0ed100647dfa75af866

SHA512
acb1f8d7be4d5bda7ed53da3f854dd802cecae786a9cda7a346b208c9906737af52a02c04a6d1cf5c2e22390fb413b4c6c9d08052f7e1f02a9cd8da63b31b009

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r4943099.exe

Filesize
168KB

MD5
9f9190a8b5b86d984fef5ddc8372179b

SHA1
dc25417120a0c2ca7a4b505340d6d47b9b055c53

SHA256
7e8be0c8f2b311d37eda03f21d8be13e8686e8b95f952cf92ee994080a9bea48

SHA512
f5c12c1db4b94a1164abc18400f90d49d83c4c753deb682a314c9cedd1c24a8ff4b356e2ab15b5b959a76b7f4343bc1e481f4a80180b498777e3d73f4b3faebc

Download Submit
memory/2476-31-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-25-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-17-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2476-18-0x0000000004AC0000-0x0000000005064000-memory.dmp

Filesize
5.6MB

Download
memory/2476-19-0x0000000002410000-0x0000000002428000-memory.dmp

Filesize
96KB

Download
memory/2476-20-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-33-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-47-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-45-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-43-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-41-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-39-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-37-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-15-0x0000000002180000-0x000000000219A000-memory.dmp

Filesize
104KB

Download
memory/2476-16-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2476-29-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-21-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-23-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-27-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-35-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/2476-48-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2476-49-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2476-51-0x0000000074190000-0x0000000074940000-memory.dmp

Filesize
7.7MB

Download
memory/2476-14-0x000000007419E000-0x000000007419F000-memory.dmp

Filesize
4KB

Download
memory/2756-55-0x0000000000C10000-0x0000000000C3E000-memory.dmp

Filesize
184KB

Download
memory/2756-56-0x0000000002ED0000-0x0000000002ED6000-memory.dmp

Filesize
24KB

Download
memory/2756-57-0x0000000005C30000-0x0000000006248000-memory.dmp

Filesize
6.1MB

Download
memory/2756-58-0x0000000005720000-0x000000000582A000-memory.dmp

Filesize
1.0MB

Download
memory/2756-59-0x0000000005470000-0x0000000005482000-memory.dmp

Filesize
72KB

Download
memory/2756-60-0x0000000005610000-0x000000000564C000-memory.dmp

Filesize
240KB

Download
memory/2756-61-0x0000000005650000-0x000000000569C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads