healer | 09a832576763ad06bbf2ad24072b042d29abe6b9793a9145dcc053cd61521f91

General

Target

09a832576763ad06bbf2ad24072b042d29abe6b9793a9145dcc053cd61521f91.exe
Size

992KB
MD5

7cce66c279273f8d7dbd29d20f03817d
SHA1

79300f28b97f9a663029d821d76dcc02a59d340d
SHA256

09a832576763ad06bbf2ad24072b042d29abe6b9793a9145dcc053cd61521f91
SHA512

73fc3cfa5b11d5bb1c91a7b4d53d0e6cdc2a51f2f486903c18b780596994409508cd0c93e3ce926aedde3deb0957b2c1c19889e21739f4fa95ff6157674bc4db
SSDEEP

12288:GMrWy90ew8Xq95Pm038RP/ZR0ulXgZgoY2hsZTKskybJ/zTcRwR1TME/I5AvraoT:kyPfy60xgWhe5nbJrTcwMd5Avr5B

Score

10^/10

healer redline diora discovery dropper infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

diora

C2

185.161.248.75:4132

Attributes

auth_value
4c17e0c4a574a5b11a6e41e692dedcb3

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/4544-22-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023ba1-26.dat	family_redline
behavioral1/memory/4084-28-0x0000000000FB0000-0x0000000000FDA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
2908	y9846138.exe
4688	y9314357.exe
2288	k0086957.exe
4544	k0086957.exe
4084	l7909842.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	09a832576763ad06bbf2ad24072b042d29abe6b9793a9145dcc053cd61521f91.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9846138.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y9314357.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 4544	2288	k0086957.exe	89

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09a832576763ad06bbf2ad24072b042d29abe6b9793a9145dcc053cd61521f91.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9846138.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9314357.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k0086957.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l7909842.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k0086957.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4544	k0086957.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	k0086957.exe
Token: SeDebugPrivilege	4544	k0086957.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2908	2008	09a832576763ad06bbf2ad24072b042d29abe6b9793a9145dcc053cd61521f91.exe	83
PID 2008 wrote to memory of 2908	2008	09a832576763ad06bbf2ad24072b042d29abe6b9793a9145dcc053cd61521f91.exe	83
PID 2008 wrote to memory of 2908	2008	09a832576763ad06bbf2ad24072b042d29abe6b9793a9145dcc053cd61521f91.exe	83
PID 2908 wrote to memory of 4688	2908	y9846138.exe	85
PID 2908 wrote to memory of 4688	2908	y9846138.exe	85
PID 2908 wrote to memory of 4688	2908	y9846138.exe	85
PID 4688 wrote to memory of 2288	4688	y9314357.exe	86
PID 4688 wrote to memory of 2288	4688	y9314357.exe	86
PID 4688 wrote to memory of 2288	4688	y9314357.exe	86
PID 2288 wrote to memory of 4544	2288	k0086957.exe	89
PID 2288 wrote to memory of 4544	2288	k0086957.exe	89
PID 2288 wrote to memory of 4544	2288	k0086957.exe	89
PID 2288 wrote to memory of 4544	2288	k0086957.exe	89
PID 2288 wrote to memory of 4544	2288	k0086957.exe	89
PID 2288 wrote to memory of 4544	2288	k0086957.exe	89
PID 2288 wrote to memory of 4544	2288	k0086957.exe	89
PID 2288 wrote to memory of 4544	2288	k0086957.exe	89
PID 4688 wrote to memory of 4084	4688	y9314357.exe	97
PID 4688 wrote to memory of 4084	4688	y9314357.exe	97
PID 4688 wrote to memory of 4084	4688	y9314357.exe	97

C:\Users\Admin\AppData\Local\Temp\09a832576763ad06bbf2ad24072b042d29abe6b9793a9145dcc053cd61521f91.exe
"C:\Users\Admin\AppData\Local\Temp\09a832576763ad06bbf2ad24072b042d29abe6b9793a9145dcc053cd61521f91.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9846138.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9846138.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9314357.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9314357.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0086957.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0086957.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0086957.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0086957.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7909842.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7909842.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\k0086957.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9846138.exe

Filesize
595KB

MD5
21a3ed64bb1bbb9f7b0878be7fa12ede

SHA1
6d44d509379af03d3d21c6212aecc4811fe7c2f1

SHA256
cec175635fc66044a68e418230542115b849b009b1b8161e1f57656a09920b0a

SHA512
3e503d1896e703e0de67c68a1eecadd469bf757afd1ebd73004264e576a9dc09df1e23a25da72b5c89b3df08ef3c1b91e52d63d12c6446f7a8d9bf0126e86f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y9314357.exe

Filesize
424KB

MD5
14a3b32d9928a7de064a59c0cbc68718

SHA1
671adb766c617cc96b634411f4e551129aef9117

SHA256
a5c7446ec4eec8ceef02e657d384a98cc937c8c4731140d9d091060ba35d8e1a

SHA512
09ffef99c065f58c939ea4a0410fc37af3bd0b41982d5f587fd9a8633045fd8514d83b145acb5ff20c0e8c4d3e02b9a927a2fcee14fe64c35567a89c6098eca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\k0086957.exe

Filesize
769KB

MD5
a363ae17ecfeb7945f5e02e2ce05035f

SHA1
50cb18976135aaa05d30229f6ad8f3a931a351aa

SHA256
118af2345d42c51b477cb4c5a359cda3c547ec08a8907204ec13ac47e59033ba

SHA512
533aa7ca169bca67d6f40b7388c99318cc403a1f6e966ebde770c2a7e2c9d5272a9786f5064252358aea787396dfe0deea469399acfaed81672b20bd97b0fd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7909842.exe

Filesize
145KB

MD5
fee3bdfaf14fa6646b5ef04ce0834a7d

SHA1
aaac44e9b3428fe8c6181e0ec6ee9a9226e2399d

SHA256
453c062ba100cc1099727060e75b7c27ea746b21519051419426f77953620e02

SHA512
14163658f446c9735832335a19b0170c4d64703d5afca744b2baecd7bd24e423f749cd6b7a7b6adfaca9622e24b37bf7a8abc083f30f8f4d87a2e6a55f635545

Download Submit
memory/2288-21-0x0000000000E80000-0x0000000000F46000-memory.dmp

Filesize
792KB

Download
memory/4084-28-0x0000000000FB0000-0x0000000000FDA000-memory.dmp

Filesize
168KB

Download
memory/4084-30-0x0000000005E10000-0x0000000006428000-memory.dmp

Filesize
6.1MB

Download
memory/4084-31-0x0000000005940000-0x0000000005A4A000-memory.dmp

Filesize
1.0MB

Download
memory/4084-32-0x0000000005870000-0x0000000005882000-memory.dmp

Filesize
72KB

Download
memory/4084-33-0x00000000058D0000-0x000000000590C000-memory.dmp

Filesize
240KB

Download
memory/4084-34-0x0000000005A50000-0x0000000005A9C000-memory.dmp

Filesize
304KB

Download
memory/4544-22-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads