healer | a0bae8fe80d551af70d02824598590bb46396c551d3d4cd2be076163ba87fa61

General

Target

a0bae8fe80d551af70d02824598590bb46396c551d3d4cd2be076163ba87fa61.exe
Size

1.5MB
MD5

4878591b5f1c9f3465061fa5aff8b2ae
SHA1

b40079e05f1b15d7d0541ab904cef5ff473cc3e7
SHA256

a0bae8fe80d551af70d02824598590bb46396c551d3d4cd2be076163ba87fa61
SHA512

a1596a353e2398809c6638e65bb156109057ec7d1fda27428a2f110c43d1254de98bd9f409d9dd18417c46983c3dba53ab81d51b377a69daf0742762f4cb447d
SSDEEP

24576:IyrRw9TqklmCZxv8Gq/9jHN8rW3Yy7grXmowsw8tZmXU6azrWCDGdc8N18R1Od:Pr0FDYVHN8rRFwsw856K1KdhW1

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2180-36-0x00000000025E0000-0x00000000025FA000-memory.dmp	healer
behavioral1/memory/2180-38-0x0000000002950000-0x0000000002968000-memory.dmp	healer
behavioral1/memory/2180-66-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-64-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-62-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-60-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-58-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-56-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-54-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-52-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-50-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-48-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-46-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-44-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-42-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-40-0x0000000002950000-0x0000000002962000-memory.dmp	healer
behavioral1/memory/2180-39-0x0000000002950000-0x0000000002962000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a6597208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6597208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6597208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6597208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6597208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6597208.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cb4-71.dat	family_redline
behavioral1/memory/3336-73-0x00000000009B0000-0x00000000009D8000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
4524	v0939089.exe
4808	v5842519.exe
1520	v4828117.exe
3836	v8945305.exe
2180	a6597208.exe
3336	b0375768.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a6597208.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6597208.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4828117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8945305.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a0bae8fe80d551af70d02824598590bb46396c551d3d4cd2be076163ba87fa61.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0939089.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5842519.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1528	2180	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a6597208.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0375768.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0bae8fe80d551af70d02824598590bb46396c551d3d4cd2be076163ba87fa61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v0939089.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v5842519.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v4828117.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v8945305.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2180	a6597208.exe
2180	a6597208.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	a6597208.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 4524	2624	a0bae8fe80d551af70d02824598590bb46396c551d3d4cd2be076163ba87fa61.exe	83
PID 2624 wrote to memory of 4524	2624	a0bae8fe80d551af70d02824598590bb46396c551d3d4cd2be076163ba87fa61.exe	83
PID 2624 wrote to memory of 4524	2624	a0bae8fe80d551af70d02824598590bb46396c551d3d4cd2be076163ba87fa61.exe	83
PID 4524 wrote to memory of 4808	4524	v0939089.exe	84
PID 4524 wrote to memory of 4808	4524	v0939089.exe	84
PID 4524 wrote to memory of 4808	4524	v0939089.exe	84
PID 4808 wrote to memory of 1520	4808	v5842519.exe	86
PID 4808 wrote to memory of 1520	4808	v5842519.exe	86
PID 4808 wrote to memory of 1520	4808	v5842519.exe	86
PID 1520 wrote to memory of 3836	1520	v4828117.exe	88
PID 1520 wrote to memory of 3836	1520	v4828117.exe	88
PID 1520 wrote to memory of 3836	1520	v4828117.exe	88
PID 3836 wrote to memory of 2180	3836	v8945305.exe	89
PID 3836 wrote to memory of 2180	3836	v8945305.exe	89
PID 3836 wrote to memory of 2180	3836	v8945305.exe	89
PID 3836 wrote to memory of 3336	3836	v8945305.exe	103
PID 3836 wrote to memory of 3336	3836	v8945305.exe	103
PID 3836 wrote to memory of 3336	3836	v8945305.exe	103

C:\Users\Admin\AppData\Local\Temp\a0bae8fe80d551af70d02824598590bb46396c551d3d4cd2be076163ba87fa61.exe
"C:\Users\Admin\AppData\Local\Temp\a0bae8fe80d551af70d02824598590bb46396c551d3d4cd2be076163ba87fa61.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0939089.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0939089.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5842519.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5842519.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4828117.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4828117.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8945305.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8945305.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3836
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6597208.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6597208.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 1080
        7⤵
        Program crash
        
        PID:1528
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0375768.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0375768.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2180 -ip 2180
1⤵
PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0939089.exe

Filesize
1.4MB

MD5
fc271b373891af68d91654179f70e808

SHA1
34a650a32738cdb2ea89f1b08e5223adf6652395

SHA256
cda11af229f526aff33c5f46a53a8385858bd0623bff92cc2230e26be75db60e

SHA512
7ef9c14aa9365e27ceded0367c6d788e39c5372d56f3ef2bbc0b723ed7ac4fd8baa610636164b64b68be88400308c6ad9caf62936daa5c7867a2108368b68891

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5842519.exe

Filesize
914KB

MD5
ec0a267e884b36883a5e6c34852d8ea1

SHA1
6633b2d333a602c72fde4670e551881dd176f0c6

SHA256
a4e42a70514eab2c7f1ca95267d168c33325d525c7e13ea939a1cb2dca461271

SHA512
3f8364777d18a48115c2666a1080a9dc3859224de5beab34d7c06e233dce18c4ed4f61dbe03eb1e1642f6a7ef7d542fe313dfdb26175ccec034f4edc2dbaf327

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4828117.exe

Filesize
708KB

MD5
ca529e64002c3d02302a57573bce9b6b

SHA1
e9ebd760ea84ca0aaba06fa9906c2a289eef08bb

SHA256
a963c55a82eb07b331009fd5958072c0f46224bda5d9d990d50cf9e642849f3d

SHA512
98575c2f0b85d096eaf42b47fadb0f5205150ae0b7c6beb2e6c828e048e8f09aedea38e6005781a27759a6778e67f4be1148d6e5e82782c3c7c20a7fa8044751

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8945305.exe

Filesize
417KB

MD5
c0a2f9a04e82de4a90057ccaa36b5adf

SHA1
36b88074a8d3d7e36c2679149636680dd83f2630

SHA256
18a21373f3559173ff93dd085a128feb6bb376baaf8dcb884b4b23440f41f76b

SHA512
062eb3a0a9adaceae766357696df3244cad71326a7801350a22a9816e39266e1611fe566f1e26fe26210218412b3d19a8980548bc9613797b86313ffacbc52c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6597208.exe

Filesize
360KB

MD5
7fe18921b15579085acbb086fd8f3048

SHA1
aef663ce145e01ed5fdc231000fba0d51756ed4c

SHA256
c00e4bf2d3cbf2b05765512626f7a59e554029a12895e6659054ee2b3e2695ef

SHA512
a9d1fa838f3c485e728de5928b4596fc637a8d5e89ae4b70c0fc3d55b3ad8af42b02ca50d9cfa529347872a22c3a0ff842364ad03700bda78c370ecb4634c4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0375768.exe

Filesize
136KB

MD5
eb1677aff3e77ffbbc5d9db044753d22

SHA1
664c98516394612ce3040f361bb558b8322f1f5a

SHA256
7d1a6291dbe28e4ced26fd7efe311ebfd7e8c7444ddd50b75d195c77c45d2da7

SHA512
42d94c9cdfed926be0f85a1ebbd44f14cf1601e09e90ff20fb89e8951bac8e5ae005ee60be726d221bfca527ec6918e38158419654584189f9417ba77e18fe85

Download Submit
memory/2180-50-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-44-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-66-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-64-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-62-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-60-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-58-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-56-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-54-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-52-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-37-0x0000000004E10000-0x00000000053B4000-memory.dmp

Filesize
5.6MB

Download
memory/2180-48-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-46-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-38-0x0000000002950000-0x0000000002968000-memory.dmp

Filesize
96KB

Download
memory/2180-42-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-40-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-39-0x0000000002950000-0x0000000002962000-memory.dmp

Filesize
72KB

Download
memory/2180-67-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2180-69-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/2180-36-0x00000000025E0000-0x00000000025FA000-memory.dmp

Filesize
104KB

Download
memory/3336-73-0x00000000009B0000-0x00000000009D8000-memory.dmp

Filesize
160KB

Download
memory/3336-74-0x0000000007C90000-0x00000000082A8000-memory.dmp

Filesize
6.1MB

Download
memory/3336-75-0x0000000007710000-0x0000000007722000-memory.dmp

Filesize
72KB

Download
memory/3336-76-0x0000000007840000-0x000000000794A000-memory.dmp

Filesize
1.0MB

Download
memory/3336-77-0x0000000007770000-0x00000000077AC000-memory.dmp

Filesize
240KB

Download
memory/3336-78-0x0000000004CE0000-0x0000000004D2C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads