healer | 465c935f634bbfca9c79166a57fceba0eeabf691076bd97f57c4f7b4736abeea

General

Target

465c935f634bbfca9c79166a57fceba0eeabf691076bd97f57c4f7b4736abeea.exe
Size

478KB
MD5

d9c6d8ca56442aca754c3ebd6f8d5675
SHA1

8fca9a24a3a2dfceca89e8f3df3fe3dace2ec0ce
SHA256

465c935f634bbfca9c79166a57fceba0eeabf691076bd97f57c4f7b4736abeea
SHA512

eefc3fd50858ba417da560a4a3a79ee89b007a857b2aebe7fb5c0ef0597a848252580520b2246119b5f16025de3794b832b7ca50be5f227964507193ab1e987b
SSDEEP

12288:nMrGy90EHwIUJCagBW21FqWnGVQNVgQETv3:FyZQSayJ9GVEgrL

Score

10^/10

healer redline dumud discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dumud

C2

217.196.96.101:4132

Attributes

auth_value
3e18d4b90418aa3e78d8822e87c62f5c

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2860-15-0x00000000020E0000-0x00000000020FA000-memory.dmp	healer
behavioral1/memory/2860-18-0x0000000002490000-0x00000000024A8000-memory.dmp	healer
behavioral1/memory/2860-48-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-46-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-44-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-42-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-40-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-38-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-36-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-34-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-32-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-30-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-28-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-26-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-24-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-22-0x0000000002490000-0x00000000024A2000-memory.dmp	healer
behavioral1/memory/2860-21-0x0000000002490000-0x00000000024A2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k6459126.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k6459126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k6459126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k6459126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k6459126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k6459126.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023caf-54.dat	family_redline
behavioral1/memory/368-56-0x0000000000320000-0x0000000000350000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3956	y3846082.exe
2860	k6459126.exe
368	l8968319.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k6459126.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k6459126.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	465c935f634bbfca9c79166a57fceba0eeabf691076bd97f57c4f7b4736abeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3846082.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y3846082.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k6459126.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l8968319.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	465c935f634bbfca9c79166a57fceba0eeabf691076bd97f57c4f7b4736abeea.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2860	k6459126.exe
2860	k6459126.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	k6459126.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 3956	4784	465c935f634bbfca9c79166a57fceba0eeabf691076bd97f57c4f7b4736abeea.exe	83
PID 4784 wrote to memory of 3956	4784	465c935f634bbfca9c79166a57fceba0eeabf691076bd97f57c4f7b4736abeea.exe	83
PID 4784 wrote to memory of 3956	4784	465c935f634bbfca9c79166a57fceba0eeabf691076bd97f57c4f7b4736abeea.exe	83
PID 3956 wrote to memory of 2860	3956	y3846082.exe	85
PID 3956 wrote to memory of 2860	3956	y3846082.exe	85
PID 3956 wrote to memory of 2860	3956	y3846082.exe	85
PID 3956 wrote to memory of 368	3956	y3846082.exe	92
PID 3956 wrote to memory of 368	3956	y3846082.exe	92
PID 3956 wrote to memory of 368	3956	y3846082.exe	92

C:\Users\Admin\AppData\Local\Temp\465c935f634bbfca9c79166a57fceba0eeabf691076bd97f57c4f7b4736abeea.exe
"C:\Users\Admin\AppData\Local\Temp\465c935f634bbfca9c79166a57fceba0eeabf691076bd97f57c4f7b4736abeea.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4784
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3846082.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3846082.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6459126.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6459126.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8968319.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8968319.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3846082.exe

Filesize
307KB

MD5
7bc0ea02ff9019bff15f56d6572e571b

SHA1
41291f35e57b5e83c6b8bc11f1677c0e73e8e204

SHA256
c00baf3668c491fe023c44c43b2979ebc88d14eb292fad0059c580b601b9845c

SHA512
42a1beedad809b2ab021346d9698b29bcb858c5daf2d448be73a412c0d51c373d1f4ad0835b58555459e8780fab67e40e01e910b34cc5fddb3aceae3caf65e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k6459126.exe

Filesize
180KB

MD5
3c08ee21e5aaf9d86b02d1573229a918

SHA1
6c8976efec33efea0b456d8344529eb3f1e7966d

SHA256
8ec450ea06fa24faf8f8cb0da5c499625e760076d2e889f3c3f0dd7009ff25fc

SHA512
78b709e698f5c8622b27c1679ffe12114e576c3aeeef851a1d54d4745041eb510540ac970f1ecf963da770f5e6a4bf7f94e3b7b1180ea6f23284de780a3baa41

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8968319.exe

Filesize
168KB

MD5
74064b1000fcbb259441e6617421a2c0

SHA1
f40a2f94edbafbf4b3b2782051d07da6becc9af8

SHA256
e69a4d8d16b8d8dbe652b45be4e33cc2a5b3994290768db3c49acae18a00d28b

SHA512
54f4a34bf132f9674ad0f04eab0e3ee1d3f1af242cc4516016fd12fff8c365706370ec485d4b0f1a21dd785c0a752a44aeecdd25c66310c8c601a69e7e70b2dc

Download Submit
memory/368-62-0x0000000004FB0000-0x0000000004FFC000-memory.dmp

Filesize
304KB

Download
memory/368-61-0x0000000004E30000-0x0000000004E6C000-memory.dmp

Filesize
240KB

Download
memory/368-60-0x0000000004DD0000-0x0000000004DE2000-memory.dmp

Filesize
72KB

Download
memory/368-59-0x0000000004EA0000-0x0000000004FAA000-memory.dmp

Filesize
1.0MB

Download
memory/368-58-0x00000000053A0000-0x00000000059B8000-memory.dmp

Filesize
6.1MB

Download
memory/368-57-0x00000000026A0000-0x00000000026A6000-memory.dmp

Filesize
24KB

Download
memory/368-56-0x0000000000320000-0x0000000000350000-memory.dmp

Filesize
192KB

Download
memory/2860-34-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-21-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-42-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-40-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-38-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-36-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-46-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-32-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-30-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-28-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-26-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-24-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-22-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-44-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-49-0x0000000073E0E000-0x0000000073E0F000-memory.dmp

Filesize
4KB

Download
memory/2860-50-0x0000000073E00000-0x00000000745B0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-52-0x0000000073E00000-0x00000000745B0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-48-0x0000000002490000-0x00000000024A2000-memory.dmp

Filesize
72KB

Download
memory/2860-20-0x0000000073E00000-0x00000000745B0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-19-0x0000000073E00000-0x00000000745B0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-18-0x0000000002490000-0x00000000024A8000-memory.dmp

Filesize
96KB

Download
memory/2860-17-0x0000000004AD0000-0x0000000005074000-memory.dmp

Filesize
5.6MB

Download
memory/2860-16-0x0000000073E00000-0x00000000745B0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-15-0x00000000020E0000-0x00000000020FA000-memory.dmp

Filesize
104KB

Download
memory/2860-14-0x0000000073E0E000-0x0000000073E0F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads