healer | dba7d39f5876009a1752a42e1cb7dbd1a653b7530378b3833328ede89f0b0bc1

General

Target

dba7d39f5876009a1752a42e1cb7dbd1a653b7530378b3833328ede89f0b0bc1.exe
Size

479KB
MD5

69cf2deaa8e49a90956261ce5e595aa1
SHA1

e9bd6f1647c8e62f0581d8ae44717f7d3e2df50b
SHA256

dba7d39f5876009a1752a42e1cb7dbd1a653b7530378b3833328ede89f0b0bc1
SHA512

033f70ebb2be832128a33c9f11f09bbc2982abd78bfcabdcb815f648a796df77dcf4f0c4684d1bbc09a4bb5ada35cf3c8f0f5998e946730139b7992371af51e8
SSDEEP

6144:Kzy+bnr+Ip0yN90QEZAegHZeyRiui53ozaIyoXgEqlXAW0xSVkxjld2ZKjef78l:BMrAy90AeuPJLyWgzlXAWT2jlrji7A

Score

10^/10

healer redline dumud discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3552-15-0x0000000002340000-0x000000000235A000-memory.dmp	healer
behavioral1/memory/3552-19-0x0000000004980000-0x0000000004998000-memory.dmp	healer
behavioral1/memory/3552-37-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-35-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-33-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-31-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-29-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-27-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-25-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-23-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-47-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-45-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-43-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-21-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-20-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-41-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/3552-39-0x0000000004980000-0x0000000004992000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1910491.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1910491.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1910491.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1910491.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1910491.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k1910491.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b81-54.dat	family_redline
behavioral1/memory/2492-56-0x0000000000EE0000-0x0000000000F10000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
2136	y0919994.exe
3552	k1910491.exe
2492	l9948590.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k1910491.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1910491.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0919994.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dba7d39f5876009a1752a42e1cb7dbd1a653b7530378b3833328ede89f0b0bc1.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dba7d39f5876009a1752a42e1cb7dbd1a653b7530378b3833328ede89f0b0bc1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y0919994.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k1910491.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l9948590.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3552	k1910491.exe
3552	k1910491.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3552	k1910491.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 2136	3104	dba7d39f5876009a1752a42e1cb7dbd1a653b7530378b3833328ede89f0b0bc1.exe	83
PID 3104 wrote to memory of 2136	3104	dba7d39f5876009a1752a42e1cb7dbd1a653b7530378b3833328ede89f0b0bc1.exe	83
PID 3104 wrote to memory of 2136	3104	dba7d39f5876009a1752a42e1cb7dbd1a653b7530378b3833328ede89f0b0bc1.exe	83
PID 2136 wrote to memory of 3552	2136	y0919994.exe	84
PID 2136 wrote to memory of 3552	2136	y0919994.exe	84
PID 2136 wrote to memory of 3552	2136	y0919994.exe	84
PID 2136 wrote to memory of 2492	2136	y0919994.exe	92
PID 2136 wrote to memory of 2492	2136	y0919994.exe	92
PID 2136 wrote to memory of 2492	2136	y0919994.exe	92

C:\Users\Admin\AppData\Local\Temp\dba7d39f5876009a1752a42e1cb7dbd1a653b7530378b3833328ede89f0b0bc1.exe
"C:\Users\Admin\AppData\Local\Temp\dba7d39f5876009a1752a42e1cb7dbd1a653b7530378b3833328ede89f0b0bc1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0919994.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0919994.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1910491.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1910491.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9948590.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9948590.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0919994.exe

Filesize
307KB

MD5
d13ddbaa95266c803d0395814d871171

SHA1
0034eae1889def4a7bdaf4f102f4974cb15dc202

SHA256
ecbc4afe1312837e81c3a604f63e8576072803036f406a5fab687dc2280a4293

SHA512
ed321737825ddc9cba77fea04e83917db222a1535fd18d2af94a736347fee22af90c9dc0e1bd53aa4d836ce18546af9b2332d8670042f92cf32d70587ef8f231

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1910491.exe

Filesize
180KB

MD5
c6e9faf9a09c5be13035227ddda4a5dc

SHA1
6d48d00d083feeae6897f0a9253d18535a4c6044

SHA256
05d12a4dd67fa056e46a67179afc202166b4622e4da6d80f15965fa6cca650db

SHA512
72eb444358a8e66fc560ece2f4a72bdafe3209b6aea4839d0fd737591c78ff28a59d3a2f6958c12f016f6598b0c33bfd972bdc00b0fa7399a7ea3ae89117c502

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l9948590.exe

Filesize
168KB

MD5
2991187907889b2e26ec26f5c5088836

SHA1
c2f47dda2cb93344b1974e44c84e70983f5e22cc

SHA256
fa7f438e5aaedb30f17012ffc3123132bd8800cac6e5ce037d132419f49188ad

SHA512
c1ca7556785b832426419fcc2aea278071994200166fc3b6574dd8f8dcbf60fb39af123c99972f2b537d1e988b91ba29efc42b41e4523f469e8ccd1f0941d090

Download Submit
memory/2492-62-0x0000000005A50000-0x0000000005A9C000-memory.dmp

Filesize
304KB

Download
memory/2492-61-0x00000000059D0000-0x0000000005A0C000-memory.dmp

Filesize
240KB

Download
memory/2492-60-0x00000000059B0000-0x00000000059C2000-memory.dmp

Filesize
72KB

Download
memory/2492-59-0x0000000005AC0000-0x0000000005BCA000-memory.dmp

Filesize
1.0MB

Download
memory/2492-58-0x0000000005FD0000-0x00000000065E8000-memory.dmp

Filesize
6.1MB

Download
memory/2492-57-0x00000000031B0000-0x00000000031B6000-memory.dmp

Filesize
24KB

Download
memory/2492-56-0x0000000000EE0000-0x0000000000F10000-memory.dmp

Filesize
192KB

Download
memory/3552-47-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-48-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/3552-29-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-27-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-25-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-23-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-33-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-45-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-43-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-21-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-20-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-41-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-39-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-31-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-49-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download
memory/3552-50-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/3552-52-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/3552-35-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-37-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/3552-18-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/3552-19-0x0000000004980000-0x0000000004998000-memory.dmp

Filesize
96KB

Download
memory/3552-17-0x0000000004B20000-0x00000000050C4000-memory.dmp

Filesize
5.6MB

Download
memory/3552-16-0x0000000074080000-0x0000000074830000-memory.dmp

Filesize
7.7MB

Download
memory/3552-15-0x0000000002340000-0x000000000235A000-memory.dmp

Filesize
104KB

Download
memory/3552-14-0x000000007408E000-0x000000007408F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads