healer | 2539f36297cdff0893963834557ac15f38e9f4047b7077c80e13a714c7bef4e2

General

Target

2539f36297cdff0893963834557ac15f38e9f4047b7077c80e13a714c7bef4e2.exe
Size

478KB
MD5

a885ec977e3a8fce9094efb45b9eb2c9
SHA1

c7fb632e182fb17c5018b3d64f4ed32abd001fbd
SHA256

2539f36297cdff0893963834557ac15f38e9f4047b7077c80e13a714c7bef4e2
SHA512

3148d5cb4e8813d43dda01bab05fbd2721b6cc38a059199f84126e366a11ea43e9d6f5de441d84127e79fa2088819681fb0fdc52916151ff79f2f21052408f89
SSDEEP

12288:FMryy90JnK04HH8DeK74oyZZoqjlW8s8zTyPiyD:ryAK5uee4TZo2Tu

Score

10^/10

healer redline morty discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

morty

C2

217.196.96.101:4132

Attributes

auth_value
fe1a24c211cc8e5bf9ff11c737ce0e97

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4772-15-0x0000000002320000-0x000000000233A000-memory.dmp	healer
behavioral1/memory/4772-18-0x0000000004980000-0x0000000004998000-memory.dmp	healer
behavioral1/memory/4772-48-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-46-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-44-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-42-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-40-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-38-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-36-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-34-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-32-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-30-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-28-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-26-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-24-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-22-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4772-21-0x0000000004980000-0x0000000004992000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a5851699.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5851699.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5851699.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5851699.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5851699.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5851699.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca8-54.dat	family_redline
behavioral1/memory/4604-56-0x0000000000650000-0x000000000067E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
628	v7964032.exe
4772	a5851699.exe
4604	b7925676.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a5851699.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5851699.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2539f36297cdff0893963834557ac15f38e9f4047b7077c80e13a714c7bef4e2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7964032.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1384	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2539f36297cdff0893963834557ac15f38e9f4047b7077c80e13a714c7bef4e2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v7964032.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5851699.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7925676.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4772	a5851699.exe
4772	a5851699.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	a5851699.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 628	1320	2539f36297cdff0893963834557ac15f38e9f4047b7077c80e13a714c7bef4e2.exe	83
PID 1320 wrote to memory of 628	1320	2539f36297cdff0893963834557ac15f38e9f4047b7077c80e13a714c7bef4e2.exe	83
PID 1320 wrote to memory of 628	1320	2539f36297cdff0893963834557ac15f38e9f4047b7077c80e13a714c7bef4e2.exe	83
PID 628 wrote to memory of 4772	628	v7964032.exe	84
PID 628 wrote to memory of 4772	628	v7964032.exe	84
PID 628 wrote to memory of 4772	628	v7964032.exe	84
PID 628 wrote to memory of 4604	628	v7964032.exe	94
PID 628 wrote to memory of 4604	628	v7964032.exe	94
PID 628 wrote to memory of 4604	628	v7964032.exe	94

C:\Users\Admin\AppData\Local\Temp\2539f36297cdff0893963834557ac15f38e9f4047b7077c80e13a714c7bef4e2.exe
"C:\Users\Admin\AppData\Local\Temp\2539f36297cdff0893963834557ac15f38e9f4047b7077c80e13a714c7bef4e2.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7964032.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7964032.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5851699.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5851699.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7925676.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7925676.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4604

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7964032.exe

Filesize
307KB

MD5
81809fac2ef22972bd71c025bc4b0028

SHA1
34b7b3236f599e35b3ad0a5ace40b210ba14f635

SHA256
9fb593a59f7cc4e5e431096bd71cfba916692f35e9ec2601a583cbba4eb79b35

SHA512
7bd582e9ab3643b724cdb2cc0d07241b264d723f3e9eae824ada4f2c1c752c5676fd034a72404def341afca66e1c82e9f8ad34800685d2b09bf90a1f83809b03

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a5851699.exe

Filesize
179KB

MD5
75b24cbbb5927b8118ef394a7bb6f5ae

SHA1
bab16b5cad866b28b0e09023cf8bbb625209f81e

SHA256
3c7112fbad7a8045f6dfa51ffca318c7aabd298875336015686364259aa23c03

SHA512
2cb2fb4fb994174ea727e26127f4b05fe7a19c726e289bfc497bba374f37cccd765b824b7928f9807b6e2e3241350d18a95faed2d9df7b6ae297d19b5389e64a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7925676.exe

Filesize
168KB

MD5
c1972b2f62d8971de9a187c08c2b8f52

SHA1
4f1085968fb1112f4e09279f8a084fdb5cef2ed1

SHA256
fc9a2ab4cf37300051f2ed626489bf4fbeb4085d6a518f56dbbddde510ce6dcf

SHA512
eca94cf5edd70d20571eeb0152b453584380229840b119433bf07aeeb0f7695eec54cf1658b11d82e6d558a756f37666fc6001cdce565ba1b9e1f933001506bc

Download Submit
memory/4604-62-0x0000000005070000-0x00000000050BC000-memory.dmp

Filesize
304KB

Download
memory/4604-61-0x00000000051D0000-0x000000000520C000-memory.dmp

Filesize
240KB

Download
memory/4604-60-0x00000000029B0000-0x00000000029C2000-memory.dmp

Filesize
72KB

Download
memory/4604-59-0x00000000052E0000-0x00000000053EA000-memory.dmp

Filesize
1.0MB

Download
memory/4604-58-0x00000000057F0000-0x0000000005E08000-memory.dmp

Filesize
6.1MB

Download
memory/4604-57-0x0000000000CF0000-0x0000000000CF6000-memory.dmp

Filesize
24KB

Download
memory/4604-56-0x0000000000650000-0x000000000067E000-memory.dmp

Filesize
184KB

Download
memory/4772-34-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-21-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-42-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-40-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-38-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-36-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-46-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-32-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-30-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-28-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-26-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-24-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-22-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-44-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-49-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/4772-50-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/4772-52-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/4772-48-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4772-20-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/4772-19-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/4772-18-0x0000000004980000-0x0000000004998000-memory.dmp

Filesize
96KB

Download
memory/4772-17-0x0000000004A40000-0x0000000004FE4000-memory.dmp

Filesize
5.6MB

Download
memory/4772-16-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/4772-15-0x0000000002320000-0x000000000233A000-memory.dmp

Filesize
104KB

Download
memory/4772-14-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads