healer | 70b48c858d0b79042cd002f66c12d718e977f4d8f675ce31d3e145dea54f7afe

General

Target

70b48c858d0b79042cd002f66c12d718e977f4d8f675ce31d3e145dea54f7afe.exe
Size

479KB
MD5

847893b8c194c1540a97f093218e3d5f
SHA1

eba53cccbde31766a2bd92a076a749f3bb6ab168
SHA256

70b48c858d0b79042cd002f66c12d718e977f4d8f675ce31d3e145dea54f7afe
SHA512

f7d6578e97513412f27630793dd6384189eee9982433afc624d3ce33c5a5756ab57f8fdbfce67f9d5cfbb3a39ac082f3aa137bc77a3f9630c89fce819c1fd1c6
SSDEEP

12288:QMrKy90D3sgLA07C6rEd7PT7SEzHVpC8NK05hpze:KygpL7e6YNdHnhNe

Score

10^/10

healer redline maher discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maher

C2

217.196.96.101:4132

Attributes

auth_value
c57763165f68aabcf4874e661a1ffbac

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1500-15-0x0000000002190000-0x00000000021AA000-memory.dmp	healer
behavioral1/memory/1500-19-0x00000000023A0000-0x00000000023B8000-memory.dmp	healer
behavioral1/memory/1500-30-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-48-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-46-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-44-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-42-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-40-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-38-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-36-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-34-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-32-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-28-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-26-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-24-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-22-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer
behavioral1/memory/1500-21-0x00000000023A0000-0x00000000023B2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a3195859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3195859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3195859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3195859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3195859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3195859.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b6b-54.dat	family_redline
behavioral1/memory/2616-56-0x0000000000DF0000-0x0000000000E20000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1380	v7847846.exe
1500	a3195859.exe
2616	b6222326.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a3195859.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3195859.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	70b48c858d0b79042cd002f66c12d718e977f4d8f675ce31d3e145dea54f7afe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7847846.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70b48c858d0b79042cd002f66c12d718e977f4d8f675ce31d3e145dea54f7afe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v7847846.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a3195859.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6222326.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1500	a3195859.exe
1500	a3195859.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	a3195859.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 316 wrote to memory of 1380	316	70b48c858d0b79042cd002f66c12d718e977f4d8f675ce31d3e145dea54f7afe.exe	83
PID 316 wrote to memory of 1380	316	70b48c858d0b79042cd002f66c12d718e977f4d8f675ce31d3e145dea54f7afe.exe	83
PID 316 wrote to memory of 1380	316	70b48c858d0b79042cd002f66c12d718e977f4d8f675ce31d3e145dea54f7afe.exe	83
PID 1380 wrote to memory of 1500	1380	v7847846.exe	84
PID 1380 wrote to memory of 1500	1380	v7847846.exe	84
PID 1380 wrote to memory of 1500	1380	v7847846.exe	84
PID 1380 wrote to memory of 2616	1380	v7847846.exe	92
PID 1380 wrote to memory of 2616	1380	v7847846.exe	92
PID 1380 wrote to memory of 2616	1380	v7847846.exe	92

C:\Users\Admin\AppData\Local\Temp\70b48c858d0b79042cd002f66c12d718e977f4d8f675ce31d3e145dea54f7afe.exe
"C:\Users\Admin\AppData\Local\Temp\70b48c858d0b79042cd002f66c12d718e977f4d8f675ce31d3e145dea54f7afe.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7847846.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7847846.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3195859.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3195859.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6222326.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6222326.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7847846.exe

Filesize
307KB

MD5
3d37c9db5d139e1418cf18257e297a3f

SHA1
9c811bb25b9ddb9b55261ec7990720a1619c21a9

SHA256
1161bbd6ea5f6663b39ba6dcbe8a2ccf0bc2e6533570a87411f6533faf2159a3

SHA512
824ae18b9f61a0a941e587112c03f5bc69ef9292abce6cfb82ce566fd1fac000f54fbb197cf4357fa6dec2e72c01b6495028f6dcf1fb7de99890fb0a937e712b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a3195859.exe

Filesize
179KB

MD5
f8908ba74fd70aaebd90a1795f9eab9f

SHA1
d7d1c570911a6eacebe92b2a8ee8f367f8a856dd

SHA256
758af76733b81fca25569fe20629c8317df489c9182aeabee0436b8d01e0aa5a

SHA512
60d664366c41d1f9d224ba952f24026074ea0763b6f1ce33e87aae3c88a0597dc978415562de7fdb48cf74149443c0b26060ce1636e4c7d3562a28c23104f4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6222326.exe

Filesize
168KB

MD5
2fd58f1ded6f81c81f3407d697116291

SHA1
8ead16d9007ea6c725bf7d69c5121ae9609bc1ef

SHA256
7451311290e84094c77d21895c88b01180b37e71f252db3803cd34dec5e1a537

SHA512
272e50339a6a9a5c7ce71667b86c3d1d69ca887ebe5feeb627cf964accbd2829ab6e96ed093b013b38b269f752ccc2b0140289a00c99ecafd8239b682e365bf2

Download Submit
memory/1500-36-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-26-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-18-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/1500-17-0x00000000049D0000-0x0000000004F74000-memory.dmp

Filesize
5.6MB

Download
memory/1500-19-0x00000000023A0000-0x00000000023B8000-memory.dmp

Filesize
96KB

Download
memory/1500-20-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/1500-30-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-48-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-28-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-44-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-42-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-40-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-38-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-15-0x0000000002190000-0x00000000021AA000-memory.dmp

Filesize
104KB

Download
memory/1500-16-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/1500-34-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-46-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-32-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-24-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-22-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-21-0x00000000023A0000-0x00000000023B2000-memory.dmp

Filesize
72KB

Download
memory/1500-49-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/1500-50-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/1500-52-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/1500-14-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

Filesize
4KB

Download
memory/2616-56-0x0000000000DF0000-0x0000000000E20000-memory.dmp

Filesize
192KB

Download
memory/2616-57-0x0000000005700000-0x0000000005706000-memory.dmp

Filesize
24KB

Download
memory/2616-58-0x000000000B160000-0x000000000B778000-memory.dmp

Filesize
6.1MB

Download
memory/2616-59-0x000000000AC50000-0x000000000AD5A000-memory.dmp

Filesize
1.0MB

Download
memory/2616-60-0x000000000AB80000-0x000000000AB92000-memory.dmp

Filesize
72KB

Download
memory/2616-61-0x000000000ABE0000-0x000000000AC1C000-memory.dmp

Filesize
240KB

Download
memory/2616-62-0x0000000002FE0000-0x000000000302C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads