healer | 15ff8149c53b8f98ecd34be297312c1f752e6b3d6a50359ded235086353b2020

General

Target

15ff8149c53b8f98ecd34be297312c1f752e6b3d6a50359ded235086353b2020.exe
Size

479KB
MD5

cf3159d8b8388ff6e4784ab68395f4c1
SHA1

01e4d4f7d8729fef912cb6d6a116e1b66d05028e
SHA256

15ff8149c53b8f98ecd34be297312c1f752e6b3d6a50359ded235086353b2020
SHA512

75daa3ac204215b50931782f0e9606d66cdf577eecbef01c585b5146cc91739fc47c8c2e0bc4a91842dd799634835bb896b2ccd20f2ee18905e3ab94c03cb712
SSDEEP

12288:YMrqy90bt2sU5S00C0dJLAad3iRNxfpJ:Cy2jUR0ndJLAa5iRNd

Score

10^/10

healer redline dona discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dona

C2

217.196.96.101:4132

Attributes

auth_value
9fbb198992bbc83a84ab1f21384813e3

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4552-15-0x0000000002360000-0x000000000237A000-memory.dmp	healer
behavioral1/memory/4552-18-0x0000000004980000-0x0000000004998000-memory.dmp	healer
behavioral1/memory/4552-28-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-48-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-46-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-44-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-42-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-40-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-38-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-36-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-34-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-32-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-30-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-26-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-24-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-22-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4552-21-0x0000000004980000-0x0000000004992000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k1879531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1879531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1879531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1879531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1879531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1879531.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cb1-54.dat	family_redline
behavioral1/memory/1580-56-0x0000000000630000-0x0000000000660000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3976	y5788126.exe
4552	k1879531.exe
1580	l0746136.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k1879531.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1879531.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5788126.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	15ff8149c53b8f98ecd34be297312c1f752e6b3d6a50359ded235086353b2020.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l0746136.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15ff8149c53b8f98ecd34be297312c1f752e6b3d6a50359ded235086353b2020.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y5788126.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k1879531.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4552	k1879531.exe
4552	k1879531.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4552	k1879531.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 3976	1712	15ff8149c53b8f98ecd34be297312c1f752e6b3d6a50359ded235086353b2020.exe	85
PID 1712 wrote to memory of 3976	1712	15ff8149c53b8f98ecd34be297312c1f752e6b3d6a50359ded235086353b2020.exe	85
PID 1712 wrote to memory of 3976	1712	15ff8149c53b8f98ecd34be297312c1f752e6b3d6a50359ded235086353b2020.exe	85
PID 3976 wrote to memory of 4552	3976	y5788126.exe	86
PID 3976 wrote to memory of 4552	3976	y5788126.exe	86
PID 3976 wrote to memory of 4552	3976	y5788126.exe	86
PID 3976 wrote to memory of 1580	3976	y5788126.exe	98
PID 3976 wrote to memory of 1580	3976	y5788126.exe	98
PID 3976 wrote to memory of 1580	3976	y5788126.exe	98

C:\Users\Admin\AppData\Local\Temp\15ff8149c53b8f98ecd34be297312c1f752e6b3d6a50359ded235086353b2020.exe
"C:\Users\Admin\AppData\Local\Temp\15ff8149c53b8f98ecd34be297312c1f752e6b3d6a50359ded235086353b2020.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5788126.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5788126.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1879531.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1879531.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0746136.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0746136.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5788126.exe

Filesize
307KB

MD5
a82ce844bc28ce230d5a4cb1f9dd24ea

SHA1
fbbc50a7ebccd9c58e8e2a64fd5b5f1adbd9e4b0

SHA256
6bc5ca4a14c1f01f4671395085914ea1fab350c5fbebfc2c04d6f176099c239b

SHA512
c44f55d256d8c09de36f4eb6263929e3d58ce4e3b71e47cd2397e14c796ae1d8a5057d211fb6af65bca342a0f41f9e3a9ad09ac2fb119b12661e4b756346012e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1879531.exe

Filesize
179KB

MD5
464282a02436b066470ff686e350698c

SHA1
6f68e1a956746660888a258d93555886fad1345a

SHA256
0f24b6b5302eed5bda42be771dceb8e4819bb523ca8796c1750fbb156b653931

SHA512
38eed1892c621791e84176d2c70d00362523ffb245f8396003914efe608602a0286abed7960834d44dda59e776878deabeb53be14018405ed9700767b460d498

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l0746136.exe

Filesize
168KB

MD5
7a2c512cfded81b6734333dda23653f2

SHA1
f2925ecf920241500c79c477f5a96f686b5233c4

SHA256
766a4dd333192894295269442a36106f066d8aabac8351726032277c5d02bedc

SHA512
1b1cfb3561cb0dc7172f9ad9ea19f8cb76ef43cae4610d255d26d723faf413cf9d983561230d2783ca9b6ef58b2e18a98e979566f61432b54d8df51ff5233df6

Download Submit
memory/1580-62-0x0000000002940000-0x000000000298C000-memory.dmp

Filesize
304KB

Download
memory/1580-61-0x000000000A570000-0x000000000A5AC000-memory.dmp

Filesize
240KB

Download
memory/1580-60-0x000000000A510000-0x000000000A522000-memory.dmp

Filesize
72KB

Download
memory/1580-59-0x000000000A5E0000-0x000000000A6EA000-memory.dmp

Filesize
1.0MB

Download
memory/1580-58-0x000000000AAE0000-0x000000000B0F8000-memory.dmp

Filesize
6.1MB

Download
memory/1580-57-0x0000000000F60000-0x0000000000F66000-memory.dmp

Filesize
24KB

Download
memory/1580-56-0x0000000000630000-0x0000000000660000-memory.dmp

Filesize
192KB

Download
memory/4552-36-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-21-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-44-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-42-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-40-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-38-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-48-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-34-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-32-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-30-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-26-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-24-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-22-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-46-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-49-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/4552-50-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4552-52-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4552-28-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4552-20-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4552-18-0x0000000004980000-0x0000000004998000-memory.dmp

Filesize
96KB

Download
memory/4552-19-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4552-17-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/4552-16-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/4552-15-0x0000000002360000-0x000000000237A000-memory.dmp

Filesize
104KB

Download
memory/4552-14-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads