healer | 36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa

General

Target

36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa.exe
Size

1.5MB
MD5

2fe0e533f561429c504ef0f9e50186e8
SHA1

eceb77f83f56e03d8ff627b7ba085632ff4e4afd
SHA256

36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa
SHA512

6d52191f28b1c9ab687bd8d7413cf1140024b357a6478fca5acd3e7408e5b8276b3ba30fd93f007e6d605d379cb0ef4e5166d547bec12c27a9fb69c290c0c6a2
SSDEEP

49152:Kq2jxHbfAq71mGDUUkEQv/fs/a0hKJqO49cubL:v2jxH7X1mGDbI/fs2qX9cYL

Score

10^/10

healer redline mazda discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4836-36-0x0000000002740000-0x000000000275A000-memory.dmp	healer
behavioral1/memory/4836-38-0x0000000005390000-0x00000000053A8000-memory.dmp	healer
behavioral1/memory/4836-66-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-64-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-62-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-60-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-58-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-56-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-54-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-53-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-50-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-48-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-46-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-44-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-42-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-40-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/4836-39-0x0000000005390000-0x00000000053A2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a1195355.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1195355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1195355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1195355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1195355.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a1195355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1195355.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7742424.exe	family_redline
behavioral1/memory/2488-73-0x0000000000D60000-0x0000000000D90000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 6 IoCs

Processes:

v5200934.exev5092746.exev8675122.exev8023413.exea1195355.exeb7742424.exe

pid process

3504 v5200934.exe
4992 v5092746.exe
2464 v8675122.exe
5028 v8023413.exe
4836 a1195355.exe
2488 b7742424.exe

pid	process
3504	v5200934.exe
4992	v5092746.exe
2464	v8675122.exe
5028	v8023413.exe
4836	a1195355.exe
2488	b7742424.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

a1195355.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a1195355.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1195355.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

v8023413.exe36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa.exev5200934.exev5092746.exev8675122.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8023413.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5200934.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5092746.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8675122.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4968 4836 WerFault.exe a1195355.exe

pid	pid_target	process	target process
4968	4836	WerFault.exe	a1195355.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

v8023413.exea1195355.exeb7742424.exe36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa.exev5200934.exev5092746.exev8675122.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v8023413.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1195355.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7742424.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v5200934.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v5092746.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v8675122.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a1195355.exe

pid process

4836 a1195355.exe
4836 a1195355.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a1195355.exe

description pid process

Token: SeDebugPrivilege 4836 a1195355.exe

pid	process
4836	a1195355.exe
4836	a1195355.exe

description	pid	process
Token: SeDebugPrivilege	4836	a1195355.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa.exev5200934.exev5092746.exev8675122.exev8023413.exe

description	pid	process	target process
PID 3764 wrote to memory of 3504	3764	36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa.exe	v5200934.exe
PID 3764 wrote to memory of 3504	3764	36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa.exe	v5200934.exe
PID 3764 wrote to memory of 3504	3764	36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa.exe	v5200934.exe
PID 3504 wrote to memory of 4992	3504	v5200934.exe	v5092746.exe
PID 3504 wrote to memory of 4992	3504	v5200934.exe	v5092746.exe
PID 3504 wrote to memory of 4992	3504	v5200934.exe	v5092746.exe
PID 4992 wrote to memory of 2464	4992	v5092746.exe	v8675122.exe
PID 4992 wrote to memory of 2464	4992	v5092746.exe	v8675122.exe
PID 4992 wrote to memory of 2464	4992	v5092746.exe	v8675122.exe
PID 2464 wrote to memory of 5028	2464	v8675122.exe	v8023413.exe
PID 2464 wrote to memory of 5028	2464	v8675122.exe	v8023413.exe
PID 2464 wrote to memory of 5028	2464	v8675122.exe	v8023413.exe
PID 5028 wrote to memory of 4836	5028	v8023413.exe	a1195355.exe
PID 5028 wrote to memory of 4836	5028	v8023413.exe	a1195355.exe
PID 5028 wrote to memory of 4836	5028	v8023413.exe	a1195355.exe
PID 5028 wrote to memory of 2488	5028	v8023413.exe	b7742424.exe
PID 5028 wrote to memory of 2488	5028	v8023413.exe	b7742424.exe
PID 5028 wrote to memory of 2488	5028	v8023413.exe	b7742424.exe

C:\Users\Admin\AppData\Local\Temp\36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa.exe
"C:\Users\Admin\AppData\Local\Temp\36bc5deda8b8d28d1116780894a8894b5f8c6037e5214aa423c55a0c1e176efa.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5200934.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5200934.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5092746.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5092746.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4992
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8675122.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8675122.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8023413.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8023413.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5028
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1195355.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1195355.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 1080
        7⤵
        Program crash
        
        PID:4968
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7742424.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7742424.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4836 -ip 4836
1⤵
PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5200934.exe

Filesize
1.4MB

MD5
238f69a85a427fe7a169419a5ffb59d1

SHA1
5a3760a76c5613b580ec867e3605e04039e113cf

SHA256
c3b9ee9d515842f85b66008b50c4b33b1fce9c156ebc369dbe992920c5fb6d84

SHA512
87049666f2e5cd72cc55a79a2957659ab4de23f41dbb56a9bdb0cc44269036410d3cdfdf81a212676e77572d12bf4aea04e1c86810cea19a6873e4b40442dea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5092746.exe

Filesize
916KB

MD5
847bc866e62969e28638275b2250a9a2

SHA1
12ee44ca354231c2172b9f7d7e8ea9ad7308781a

SHA256
f26923cafb76da4ab5718b86337733c043b024884ddae06660aedf81c89a8737

SHA512
78e7e145cd86422e9d13456256825f7273b7a1591ee3b482cfbd4be7310bbce1a5ce899a2f975706bb133dcfdceb5084dbb9b89406b27054ca312dec54e996b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8675122.exe

Filesize
711KB

MD5
189f048e7207671de1af9a94a83eae40

SHA1
ae7c62cd930210dda98f218b649467152d0ec730

SHA256
c4f1667eb50a9599cda25881752ab7ec62bd5fed4d6fbf364ab4b07eb17ef072

SHA512
df7f096905b0afba0c9c92045120490c158c41d5366f22959e0f0a0b9b323651443f4a5dc84e82fa020d606640a5643056f4a778069158ff5a737a598d846752

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8023413.exe

Filesize
416KB

MD5
dbe9bde4a5f2a486bc3ce81ce7b21466

SHA1
d696f4e0d68e8994e6c3307efa01e3ffcfe02c24

SHA256
f53828dfbe6c891423c3a3850c7b0834b4d8d8951bdb97fef55aee0ff8e584e9

SHA512
6da4d58e48b0383f4343bf0d5dc97ec9bac90d339ddef1314ec3823f640283a5038116e3e3799908bd97c6df2d98083146371d5eac7def13ab0e56d23c568f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1195355.exe

Filesize
360KB

MD5
17c3f17b162c834aabf2ac88d0b13ea2

SHA1
674061e6de9d3215ad14cee54e495b9da1fac12b

SHA256
f37789060fdf4d0dfe8a974bf84e94f6abbdd0a9b74c9aafffdaf75e6d837251

SHA512
637135433f5c127c335337b6d2492ba9591cdea52650b33139cb4949b51097021c09399b7a9ee642b470fb22681902c3bbfd6d5dd1e9e6d8dff22dc5f3c3d677

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7742424.exe

Filesize
168KB

MD5
4c48cea4499a8c4202e7dc94b86af527

SHA1
cc0c85fe044d1976f2bcd90822512c14414c8b52

SHA256
3c618c9a35ca3c4320277a24a980c8852b113022bc4b8656ebef256795b128c1

SHA512
b27dde7de19d117e0ebcfd20f882c5e030f7c8161fd00a1a7fb4851e08699f1fadd3757aa2160eea74766b68f3ec2aa1aeb2e723b8b4ff0e2ea830784ee00ad4

Download Submit
memory/2488-78-0x0000000005750000-0x000000000578C000-memory.dmp

Filesize
240KB

Download
memory/2488-77-0x00000000056D0000-0x00000000056E2000-memory.dmp

Filesize
72KB

Download
memory/2488-76-0x0000000005820000-0x000000000592A000-memory.dmp

Filesize
1.0MB

Download
memory/2488-75-0x0000000005D30000-0x0000000006348000-memory.dmp

Filesize
6.1MB

Download
memory/2488-74-0x0000000005680000-0x0000000005686000-memory.dmp

Filesize
24KB

Download
memory/2488-73-0x0000000000D60000-0x0000000000D90000-memory.dmp

Filesize
192KB

Download
memory/2488-79-0x0000000005790000-0x00000000057DC000-memory.dmp

Filesize
304KB

Download
memory/4836-50-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-39-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-53-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-56-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-48-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-46-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-44-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-42-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-40-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-54-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-67-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4836-69-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/4836-58-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-60-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-62-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-64-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-66-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4836-38-0x0000000005390000-0x00000000053A8000-memory.dmp

Filesize
96KB

Download
memory/4836-37-0x0000000004D90000-0x0000000005334000-memory.dmp

Filesize
5.6MB

Download
memory/4836-36-0x0000000002740000-0x000000000275A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads