healer | a5761aaa0cfd4db4b4e1c534a8e40d66160e2d711d68241af65b34084c68b503

General

Target

a5761aaa0cfd4db4b4e1c534a8e40d66160e2d711d68241af65b34084c68b503.exe
Size

479KB
MD5

e8324fbc7c9f55a71691d271d15244db
SHA1

477216916f3a2de1815233e8242d5e61aeee8ae4
SHA256

a5761aaa0cfd4db4b4e1c534a8e40d66160e2d711d68241af65b34084c68b503
SHA512

2268b11bc27f26ffe197dfaaee9df26db09a0d0437bc615f8d317799fefc3ef56f8899e16dddb96d4b9fba2b4f2b83f844c5dfeca7376e7ed513772a8c57f915
SSDEEP

12288:4Mrsy90PTIGksuf+PI0fPwaXLMpKzXm+NI:Uy+TIz8x7QN+NI

Score

10^/10

healer redline dumud discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3060-15-0x00000000008D0000-0x00000000008EA000-memory.dmp	healer
behavioral1/memory/3060-18-0x0000000004990000-0x00000000049A8000-memory.dmp	healer
behavioral1/memory/3060-38-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-42-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-46-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-44-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-40-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-36-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-34-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-32-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-30-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-28-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-26-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-24-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-22-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-20-0x0000000004990000-0x00000000049A2000-memory.dmp	healer
behavioral1/memory/3060-19-0x0000000004990000-0x00000000049A2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k7442162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k7442162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k7442162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k7442162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k7442162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k7442162.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023ba1-54.dat	family_redline
behavioral1/memory/4184-56-0x0000000000B90000-0x0000000000BC0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
116	y0038595.exe
3060	k7442162.exe
4184	l1830572.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k7442162.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k7442162.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0038595.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a5761aaa0cfd4db4b4e1c534a8e40d66160e2d711d68241af65b34084c68b503.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5761aaa0cfd4db4b4e1c534a8e40d66160e2d711d68241af65b34084c68b503.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y0038595.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k7442162.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l1830572.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3060	k7442162.exe
3060	k7442162.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	k7442162.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 116	2308	a5761aaa0cfd4db4b4e1c534a8e40d66160e2d711d68241af65b34084c68b503.exe	83
PID 2308 wrote to memory of 116	2308	a5761aaa0cfd4db4b4e1c534a8e40d66160e2d711d68241af65b34084c68b503.exe	83
PID 2308 wrote to memory of 116	2308	a5761aaa0cfd4db4b4e1c534a8e40d66160e2d711d68241af65b34084c68b503.exe	83
PID 116 wrote to memory of 3060	116	y0038595.exe	84
PID 116 wrote to memory of 3060	116	y0038595.exe	84
PID 116 wrote to memory of 3060	116	y0038595.exe	84
PID 116 wrote to memory of 4184	116	y0038595.exe	92
PID 116 wrote to memory of 4184	116	y0038595.exe	92
PID 116 wrote to memory of 4184	116	y0038595.exe	92

C:\Users\Admin\AppData\Local\Temp\a5761aaa0cfd4db4b4e1c534a8e40d66160e2d711d68241af65b34084c68b503.exe
"C:\Users\Admin\AppData\Local\Temp\a5761aaa0cfd4db4b4e1c534a8e40d66160e2d711d68241af65b34084c68b503.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0038595.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0038595.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7442162.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7442162.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1830572.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1830572.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0038595.exe

Filesize
307KB

MD5
48a57bbf807ef1355deaff59c6b2f01d

SHA1
32e47b3da8165b386ddaa41a7a948dcb2f50a217

SHA256
3021ba5ec59df94b92902d0d6daf4c9cf625c92a98e069dc4db444c1f61e3f89

SHA512
64d021d16bcfd7cb86611886e98a1dfb4481aed4aa91890a6b23acc286524166343b6236646b79291ff88a4286d6832d0fe15dd0535c41e78d6afb1d4ac00f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7442162.exe

Filesize
180KB

MD5
26d31a0f8b9f7166f57e2fe7a5e0fa69

SHA1
59c8062231633a2cefe16b2680895a3bdb476c09

SHA256
e553ee629875c0423295deb518a78f5a4cac6c44e223438dbd76a2bfc3bc5a25

SHA512
c12737ff092f6f07945361fec4631a55f38b17570d24634c624f415016d191761c0867ac13d40ac905fec38f506017a9371f97ce3a97ebd98f18db20d31c23f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1830572.exe

Filesize
168KB

MD5
5c178f77587ec00b5fb2ed2846dad86a

SHA1
d9cf753f887bfd103496d7956ef93adcb1a7dd02

SHA256
567ae0b9dcaffeee0a5ad2f867c4d5061d092999c14db3f6c3cbdc8beb7ceeea

SHA512
884b1ea0fc815975c3a56e0d9324741c62eaf3380c27b7ce42f40a1533618dfc12fdec7d9144f455a7afbdad54111ddad443448dc71dc941572477e512056526

Download Submit
memory/3060-30-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-50-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3060-16-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3060-18-0x0000000004990000-0x00000000049A8000-memory.dmp

Filesize
96KB

Download
memory/3060-38-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-42-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-26-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-47-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3060-44-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-40-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-36-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-34-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-32-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-15-0x00000000008D0000-0x00000000008EA000-memory.dmp

Filesize
104KB

Download
memory/3060-28-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-48-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3060-46-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-24-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-22-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-20-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-19-0x0000000004990000-0x00000000049A2000-memory.dmp

Filesize
72KB

Download
memory/3060-49-0x000000007417E000-0x000000007417F000-memory.dmp

Filesize
4KB

Download
memory/3060-17-0x0000000004B00000-0x00000000050A4000-memory.dmp

Filesize
5.6MB

Download
memory/3060-52-0x0000000074170000-0x0000000074920000-memory.dmp

Filesize
7.7MB

Download
memory/3060-14-0x000000007417E000-0x000000007417F000-memory.dmp

Filesize
4KB

Download
memory/4184-56-0x0000000000B90000-0x0000000000BC0000-memory.dmp

Filesize
192KB

Download
memory/4184-57-0x0000000002CF0000-0x0000000002CF6000-memory.dmp

Filesize
24KB

Download
memory/4184-58-0x0000000005C80000-0x0000000006298000-memory.dmp

Filesize
6.1MB

Download
memory/4184-59-0x0000000005770000-0x000000000587A000-memory.dmp

Filesize
1.0MB

Download
memory/4184-60-0x0000000005660000-0x0000000005672000-memory.dmp

Filesize
72KB

Download
memory/4184-61-0x0000000005680000-0x00000000056BC000-memory.dmp

Filesize
240KB

Download
memory/4184-62-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads