healer | 6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04

General

Target

6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe
Size

500KB
MD5

d39a9f2eda16903129fa0c258553ad87
SHA1

902524360c2c19db5013ea2b71b9501e0cf331f7
SHA256

6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04
SHA512

b4af033e01db1d2f6f3b044886d0e3178d748083c548d0447cb0971ae6288992600ed8692677d03b1c9956508bccdc21775b873a3aaf2c97a8cb5d00d459eb36
SSDEEP

6144:Kmy+bnr+Qp0yN90QEtqybGrKyccUkS8S2pIk12u/VtSQsr40IVO6cdleaWRavXcZ:+Mrcy90vqMAy8pUu/VItNIFavrO9Nf

Score

10^/10

healer redline fukia discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

fukia

C2

193.233.20.13:4136

Attributes

auth_value
e5783636fbd9e4f0cf9a017bce02e67e

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b99-12.dat	healer
behavioral1/memory/4792-15-0x0000000000D10000-0x0000000000D1A000-memory.dmp	healer
behavioral1/memory/3044-22-0x0000000002350000-0x000000000236A000-memory.dmp	healer
behavioral1/memory/3044-24-0x0000000004B10000-0x0000000004B28000-memory.dmp	healer
behavioral1/memory/3044-25-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-32-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-52-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-50-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-48-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-46-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-44-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-42-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-40-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-38-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-36-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-34-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-30-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-28-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer
behavioral1/memory/3044-26-0x0000000004B10000-0x0000000004B22000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	dTO76QM.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	dTO76QM.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	eNb86CC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	eNb86CC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	eNb86CC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	dTO76QM.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	dTO76QM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	eNb86CC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	eNb86CC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	eNb86CC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	dTO76QM.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	dTO76QM.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b90-57.dat	family_redline
behavioral1/memory/1884-59-0x0000000000450000-0x0000000000482000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
2220	nVi09iX58.exe
4792	dTO76QM.exe
3044	eNb86CC.exe
1884	fSY55RP.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	dTO76QM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	eNb86CC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	eNb86CC.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	nVi09iX58.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4032	sc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1672	3044	WerFault.exe	96

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nVi09iX58.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eNb86CC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fSY55RP.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4792	dTO76QM.exe
4792	dTO76QM.exe
3044	eNb86CC.exe
3044	eNb86CC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4792	dTO76QM.exe
Token: SeDebugPrivilege	3044	eNb86CC.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 2220	1064	6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe	83
PID 1064 wrote to memory of 2220	1064	6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe	83
PID 1064 wrote to memory of 2220	1064	6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe	83
PID 2220 wrote to memory of 4792	2220	nVi09iX58.exe	84
PID 2220 wrote to memory of 4792	2220	nVi09iX58.exe	84
PID 2220 wrote to memory of 3044	2220	nVi09iX58.exe	96
PID 2220 wrote to memory of 3044	2220	nVi09iX58.exe	96
PID 2220 wrote to memory of 3044	2220	nVi09iX58.exe	96
PID 1064 wrote to memory of 1884	1064	6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe	101
PID 1064 wrote to memory of 1884	1064	6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe	101
PID 1064 wrote to memory of 1884	1064	6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe	101

C:\Users\Admin\AppData\Local\Temp\6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe
"C:\Users\Admin\AppData\Local\Temp\6e9eebf8336cb6d607795685ad054e90a492d7f5ef77c469fe4d7c4eb8836e04.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nVi09iX58.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nVi09iX58.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTO76QM.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTO76QM.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eNb86CC.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eNb86CC.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3044 -s 1004
      4⤵
      Program crash
      PID:1672
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fSY55RP.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fSY55RP.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3044 -ip 3044
1⤵
PID:2244

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:4032

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

240.221.184.93.in-addr.arpa

Remote address:

8.8.8.8:53

Request

240.221.184.93.in-addr.arpa

IN PTR

Response
DNS

133.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

133.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

43.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

43.229.111.52.in-addr.arpa

IN PTR

Response
DNS

88.16.208.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

88.16.208.104.in-addr.arpa

IN PTR

Response

193.233.20.13:4136

fSY55RP.exe

260 B
5
193.233.20.13:4136

fSY55RP.exe

260 B
5
193.233.20.13:4136

fSY55RP.exe

260 B
5
193.233.20.13:4136

fSY55RP.exe

260 B
5
193.233.20.13:4136

fSY55RP.exe

260 B
5

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

240.221.184.93.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

240.221.184.93.in-addr.arpa
8.8.8.8:53

133.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

133.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

43.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

43.229.111.52.in-addr.arpa
8.8.8.8:53

88.16.208.104.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

88.16.208.104.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fSY55RP.exe

Filesize
175KB

MD5
a5f5c5d6291c7ae9e1d1b7ed1e551490

SHA1
3d06413341893b838549939e15f8f1eec423d71a

SHA256
1a09ce1cb64219a5d88e57845dc9ba6631efa06fccc8867ccf94eb132947563e

SHA512
d9b3ba67bdd615ee2ce91a29cd9cf6723464be27bf45186fd0e9559ff2b0e7c51b423cfc3e32b5e90955046fb75a34c4a8528df7294b6c831ca254a65d2b8ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\nVi09iX58.exe

Filesize
356KB

MD5
8237dd2b977712104da744b69e4d8c72

SHA1
8641b14740222d7c931cc58006bd087d12024e0d

SHA256
d971031bba2fb45e5056cb4418491479d109e53a2b3ccdcfead6301bd9a2a58c

SHA512
b0d826ba11f67ed3024eb9d3f338a317884caff9535bc0a37abc005cf83833f306fcbd8669e52f269a53f91e98349ba34c3b66e4ee9c68196a8a39f4002ff4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dTO76QM.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\eNb86CC.exe

Filesize
295KB

MD5
2338c84711b756237e614c3869cf6100

SHA1
6146eace912945070cb084fe3839c8d2dc27c403

SHA256
fbfd8bd7e7ff54ce43c209c34a9959ad1abe7325209756decc04e3d9a44ff87b

SHA512
24bd3e70fc0ac61f6fcc432de5e93ac38c66eb3fb0e9b09337acc526873dd42f779f2741761ffb1677936e8f219f3c3b683c9476d8ab604803795fc323c7bae6

Download Submit
memory/1884-64-0x0000000004F00000-0x0000000004F4C000-memory.dmp

Filesize
304KB

Download
memory/1884-63-0x0000000004DA0000-0x0000000004DDC000-memory.dmp

Filesize
240KB

Download
memory/1884-62-0x0000000004D20000-0x0000000004D32000-memory.dmp

Filesize
72KB

Download
memory/1884-61-0x0000000004DF0000-0x0000000004EFA000-memory.dmp

Filesize
1.0MB

Download
memory/1884-60-0x0000000005270000-0x0000000005888000-memory.dmp

Filesize
6.1MB

Download
memory/1884-59-0x0000000000450000-0x0000000000482000-memory.dmp

Filesize
200KB

Download
memory/3044-42-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-30-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-50-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-48-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-46-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-44-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-32-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-40-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-38-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-36-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-34-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-52-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-28-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-26-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-53-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/3044-55-0x0000000000400000-0x000000000057B000-memory.dmp

Filesize
1.5MB

Download
memory/3044-25-0x0000000004B10000-0x0000000004B22000-memory.dmp

Filesize
72KB

Download
memory/3044-24-0x0000000004B10000-0x0000000004B28000-memory.dmp

Filesize
96KB

Download
memory/3044-23-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/3044-22-0x0000000002350000-0x000000000236A000-memory.dmp

Filesize
104KB

Download
memory/4792-16-0x00007FFA20813000-0x00007FFA20815000-memory.dmp

Filesize
8KB

Download
memory/4792-15-0x0000000000D10000-0x0000000000D1A000-memory.dmp

Filesize
40KB

Download
memory/4792-14-0x00007FFA20813000-0x00007FFA20815000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.