healer | 1bddb22668d9cd4106ceeb39e98b78057ccbaaec1a9c730a7c9acba244751d65

General

Target

1bddb22668d9cd4106ceeb39e98b78057ccbaaec1a9c730a7c9acba244751d65.exe
Size

479KB
MD5

e8130ec8706aa9fed8e4df14b861c912
SHA1

502fe379b9b2b179541d656bc8621a586f88ae49
SHA256

1bddb22668d9cd4106ceeb39e98b78057ccbaaec1a9c730a7c9acba244751d65
SHA512

07d8b1267bd89b205a91a79117ac49fb541d8b75c4f60d4db016d12939432e6fc56313c047a8ed7b9bd414cca1e350936c61c328b2340b91f5c2c33be3dac726
SSDEEP

12288:OMr6y90eVbT20az7LtQ12NIek/bxytxvtTzWkN:4yfVbThY7LtQwTQN4vBT

Score

10^/10

healer redline dumud discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3512-15-0x0000000002240000-0x000000000225A000-memory.dmp	healer
behavioral1/memory/3512-18-0x0000000002650000-0x0000000002668000-memory.dmp	healer
behavioral1/memory/3512-43-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-45-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-47-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-35-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-33-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-31-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-29-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-27-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-25-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-23-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-21-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-20-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-41-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-39-0x0000000002650000-0x0000000002662000-memory.dmp	healer
behavioral1/memory/3512-37-0x0000000002650000-0x0000000002662000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k6866734.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6866734.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6866734.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6866734.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6866734.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6866734.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cd6-54.dat	family_redline
behavioral1/memory/892-56-0x00000000004E0000-0x0000000000510000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
5064	y9302169.exe
3512	k6866734.exe
892	l9274640.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k6866734.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k6866734.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1bddb22668d9cd4106ceeb39e98b78057ccbaaec1a9c730a7c9acba244751d65.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9302169.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bddb22668d9cd4106ceeb39e98b78057ccbaaec1a9c730a7c9acba244751d65.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9302169.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k6866734.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l9274640.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3512	k6866734.exe
3512	k6866734.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3512	k6866734.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 5064	3688	1bddb22668d9cd4106ceeb39e98b78057ccbaaec1a9c730a7c9acba244751d65.exe	84
PID 3688 wrote to memory of 5064	3688	1bddb22668d9cd4106ceeb39e98b78057ccbaaec1a9c730a7c9acba244751d65.exe	84
PID 3688 wrote to memory of 5064	3688	1bddb22668d9cd4106ceeb39e98b78057ccbaaec1a9c730a7c9acba244751d65.exe	84
PID 5064 wrote to memory of 3512	5064	y9302169.exe	85
PID 5064 wrote to memory of 3512	5064	y9302169.exe	85
PID 5064 wrote to memory of 3512	5064	y9302169.exe	85
PID 5064 wrote to memory of 892	5064	y9302169.exe	92
PID 5064 wrote to memory of 892	5064	y9302169.exe	92
PID 5064 wrote to memory of 892	5064	y9302169.exe	92

C:\Users\Admin\AppData\Local\Temp\1bddb22668d9cd4106ceeb39e98b78057ccbaaec1a9c730a7c9acba244751d65.exe
"C:\Users\Admin\AppData\Local\Temp\1bddb22668d9cd4106ceeb39e98b78057ccbaaec1a9c730a7c9acba244751d65.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9302169.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9302169.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6866734.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6866734.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9274640.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9274640.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9302169.exe

Filesize
307KB

MD5
dadd6dbcb6019cdeec3609d606c50430

SHA1
c2038af22f34be6808789bcb5a858bc9c69d3af2

SHA256
e23fcd8bc0250d5d6ec5267f022f60fa300aaf2ad6bf955a9cb17dc996af79b3

SHA512
f2dcf3b6483efa288b9b8a0707d829365f835074406fb9e81ecd61c177211f39837bab74de9c09d8c0e18b6f18e3b477408c0759d9d8bf4a9cd20bd5b52a47c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6866734.exe

Filesize
180KB

MD5
97fbcd66cb79b1eca392cf0603375699

SHA1
eda27a2103258558810653595d942d3342850591

SHA256
82d5cc0169af6aa3471263d4175b690dafcb346ec7cdf3ff79aca32cddf30f96

SHA512
aa8d3517ad56bb7958f9c4cc9146ef02fed517016a3f7a7463f1c41928873dcc25751d3442f52afb99598b5c39148c69f6bd4aaaf118786affd42676e52c5ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9274640.exe

Filesize
168KB

MD5
b25023c517fe12e494a7716be90254cb

SHA1
e2b7523c93f6db70d580b439807a2c4980f8bf72

SHA256
8a31da3f20becfe59ac8cc3542520d4aaa95ded780cf7f74df8167258cc32afd

SHA512
cb07c25915e69c0c56b0c4039ff8362f480548229a08f59fc35f3de9eb1d20c0aff4ca28fe30b852595f65f2c2b6d7a8d77994b13166617d47b07ec019b4d5c0

Download Submit
memory/892-62-0x0000000005180000-0x00000000051CC000-memory.dmp

Filesize
304KB

Download
memory/892-61-0x0000000005000000-0x000000000503C000-memory.dmp

Filesize
240KB

Download
memory/892-60-0x0000000004FA0000-0x0000000004FB2000-memory.dmp

Filesize
72KB

Download
memory/892-59-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download
memory/892-58-0x0000000005580000-0x0000000005B98000-memory.dmp

Filesize
6.1MB

Download
memory/892-57-0x0000000002870000-0x0000000002876000-memory.dmp

Filesize
24KB

Download
memory/892-56-0x00000000004E0000-0x0000000000510000-memory.dmp

Filesize
192KB

Download
memory/3512-25-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-37-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-33-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-31-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-29-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-27-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-48-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/3512-23-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-21-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-20-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-19-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/3512-41-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-39-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-35-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-49-0x000000007422E000-0x000000007422F000-memory.dmp

Filesize
4KB

Download
memory/3512-50-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/3512-52-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/3512-47-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-45-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-43-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/3512-18-0x0000000002650000-0x0000000002668000-memory.dmp

Filesize
96KB

Download
memory/3512-17-0x00000000049D0000-0x0000000004F74000-memory.dmp

Filesize
5.6MB

Download
memory/3512-16-0x0000000074220000-0x00000000749D0000-memory.dmp

Filesize
7.7MB

Download
memory/3512-15-0x0000000002240000-0x000000000225A000-memory.dmp

Filesize
104KB

Download
memory/3512-14-0x000000007422E000-0x000000007422F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads