healer | 79d85cfdb4729a94363e93a8c7e51d9a705cb24f3732e0b41f45f75e4f7eaa67

General

Target

79d85cfdb4729a94363e93a8c7e51d9a705cb24f3732e0b41f45f75e4f7eaa67.exe
Size

1000KB
MD5

c13b2aeeb92c0aaef48f15334b131660
SHA1

9a5b21bbeb3add57e5e655501691463d306ae5b5
SHA256

79d85cfdb4729a94363e93a8c7e51d9a705cb24f3732e0b41f45f75e4f7eaa67
SHA512

ab87d3db7405efb40b5634d2a9720f9a6de42981a4328e25c62db27b0aaee87a9c7fdbcaf6d1b6dbd9141ffadb0cd982a132b59d48515456cea780e17713a470
SSDEEP

24576:DywLbhBQt5kuC+ye4Z1XaCB5mG+/VkkUd4CqvDKMCihnOjx:W29BQABec1KCBuVkWLKt

Score

10^/10

healer redline dubka discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dubka

C2

193.233.20.13:4136

Attributes

auth_value
e5a9421183a033f283b2f23139b471f0

Signatures

Detects Healer an antivirus disabler dropper 19 IoCs

resource	yara_rule
behavioral1/files/0x000b000000023b8c-26.dat	healer
behavioral1/memory/900-28-0x0000000000800000-0x000000000080A000-memory.dmp	healer
behavioral1/memory/4280-34-0x0000000002410000-0x000000000242A000-memory.dmp	healer
behavioral1/memory/4280-36-0x0000000002600000-0x0000000002618000-memory.dmp	healer
behavioral1/memory/4280-37-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-46-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-64-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-62-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-61-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-58-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-56-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-54-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-52-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-50-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-48-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-44-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-42-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-40-0x0000000002600000-0x0000000002612000-memory.dmp	healer
behavioral1/memory/4280-38-0x0000000002600000-0x0000000002612000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	kJY82iO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	mvA05xL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	mvA05xL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	mvA05xL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	mvA05xL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	kJY82iO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	kJY82iO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	kJY82iO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	kJY82iO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	kJY82iO.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	mvA05xL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	mvA05xL.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b8a-69.dat	family_redline
behavioral1/memory/4072-71-0x0000000000DC0000-0x0000000000DF2000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
5096	dOV2977.exe
3988	daX0303.exe
4668	dqK7863.exe
900	kJY82iO.exe
4280	mvA05xL.exe
4072	nfl55by.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	kJY82iO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	mvA05xL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	mvA05xL.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	79d85cfdb4729a94363e93a8c7e51d9a705cb24f3732e0b41f45f75e4f7eaa67.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dOV2977.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	daX0303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	dqK7863.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2268	4280	WerFault.exe	91

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	daX0303.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqK7863.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mvA05xL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfl55by.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79d85cfdb4729a94363e93a8c7e51d9a705cb24f3732e0b41f45f75e4f7eaa67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dOV2977.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
900	kJY82iO.exe
900	kJY82iO.exe
4280	mvA05xL.exe
4280	mvA05xL.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	900	kJY82iO.exe
Token: SeDebugPrivilege	4280	mvA05xL.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 5096	4704	79d85cfdb4729a94363e93a8c7e51d9a705cb24f3732e0b41f45f75e4f7eaa67.exe	83
PID 4704 wrote to memory of 5096	4704	79d85cfdb4729a94363e93a8c7e51d9a705cb24f3732e0b41f45f75e4f7eaa67.exe	83
PID 4704 wrote to memory of 5096	4704	79d85cfdb4729a94363e93a8c7e51d9a705cb24f3732e0b41f45f75e4f7eaa67.exe	83
PID 5096 wrote to memory of 3988	5096	dOV2977.exe	84
PID 5096 wrote to memory of 3988	5096	dOV2977.exe	84
PID 5096 wrote to memory of 3988	5096	dOV2977.exe	84
PID 3988 wrote to memory of 4668	3988	daX0303.exe	85
PID 3988 wrote to memory of 4668	3988	daX0303.exe	85
PID 3988 wrote to memory of 4668	3988	daX0303.exe	85
PID 4668 wrote to memory of 900	4668	dqK7863.exe	86
PID 4668 wrote to memory of 900	4668	dqK7863.exe	86
PID 4668 wrote to memory of 4280	4668	dqK7863.exe	91
PID 4668 wrote to memory of 4280	4668	dqK7863.exe	91
PID 4668 wrote to memory of 4280	4668	dqK7863.exe	91
PID 3988 wrote to memory of 4072	3988	daX0303.exe	96
PID 3988 wrote to memory of 4072	3988	daX0303.exe	96
PID 3988 wrote to memory of 4072	3988	daX0303.exe	96

C:\Users\Admin\AppData\Local\Temp\79d85cfdb4729a94363e93a8c7e51d9a705cb24f3732e0b41f45f75e4f7eaa67.exe
"C:\Users\Admin\AppData\Local\Temp\79d85cfdb4729a94363e93a8c7e51d9a705cb24f3732e0b41f45f75e4f7eaa67.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dOV2977.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dOV2977.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daX0303.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daX0303.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dqK7863.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dqK7863.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJY82iO.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJY82iO.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mvA05xL.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mvA05xL.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1008
        6⤵
        Program crash
        
        PID:2268
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nfl55by.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nfl55by.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4280 -ip 4280
1⤵
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dOV2977.exe

Filesize
855KB

MD5
785e89509a835710cd571ba7ec0e8730

SHA1
50fa8331a1e3232b7a1c1f257dd0f34af2d282b9

SHA256
fbed873ad9d8a90157afa4161fc7917ac15f2109509f685a30744f28c9ccfc65

SHA512
36457b6ca756a54398ec5b7038fa1eba98b4e53e84d6fd4dd6b7704f33a693f38020a2e1c9214f7aec05d762f15fcff0ac9a6991ce5829278223439d9b923ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\daX0303.exe

Filesize
500KB

MD5
ac7f1682d28ecaf4db7b01e1b021d197

SHA1
2ce80dd536f1a0faf98e1915b4b903caa49c7680

SHA256
45ee5cde78af04f131e14897d91b9327feab835b62418a9353a647d291f0b7ca

SHA512
cb1f086b91ac9861988abd335b5698b6561097d5ce5c533534d5332c5adb2ab1acc93de413307177944596ef03acc1a7f398348cd574d3dc450db977571e3d1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\dqK7863.exe

Filesize
355KB

MD5
ca6f58a3d69f7ba203aa294ba020b401

SHA1
69c0e726e8d787d88def2865bc87fa28ab465a55

SHA256
34664a030c3b18709d99140e8f600d14556f866daa5eb86c870d34202746b41a

SHA512
65e675ff295b51c19708ae3b9c05fadef31fbf6172ad05d94a27206b61aecea63871e67f45464a3b3783ec65e2b9dfe9e681587beae9b82bfc9ce4056ff74e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nfl55by.exe

Filesize
175KB

MD5
dd0c9e110c68ce1fa5308979ef718f7b

SHA1
473deb8069f0841d47b74b7f414dacc6f96eca78

SHA256
dc28c9d9ab3f30222ed59f3991c5981bec40604e725ece488d8599eef917a7b3

SHA512
29bd76da816b13b31c938a3f8699d2f5942a24c9ef61fddcac490e0a30f82c1a4a76ca9a6866a8d2c8e57566f66b3aea31e7f70646d3ebef63c63a06f8fe2236

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kJY82iO.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\mvA05xL.exe

Filesize
295KB

MD5
dd0adf92524d842b17843e3a38769564

SHA1
4b34fbf5dade2193630f92053be9f0dcfe563d3c

SHA256
489cdd40de47bde8a31100897afafb3213c01de9cab0bc656e3cbf01c48e3682

SHA512
7fbb9c9ad3df3bfd0ae3741bf76c92bdd9ea3f23e1316f4948a60e1efc3ff6dcbd4d37d7da725659fa38a0cbc0fc41d1dc85515d56b15af5cbf891bfe6853bc2

Download Submit
memory/900-28-0x0000000000800000-0x000000000080A000-memory.dmp

Filesize
40KB

Download
memory/4072-76-0x00000000059B0000-0x00000000059FC000-memory.dmp

Filesize
304KB

Download
memory/4072-74-0x00000000057D0000-0x00000000057E2000-memory.dmp

Filesize
72KB

Download
memory/4072-73-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/4072-72-0x0000000005D30000-0x0000000006348000-memory.dmp

Filesize
6.1MB

Download
memory/4072-71-0x0000000000DC0000-0x0000000000DF2000-memory.dmp

Filesize
200KB

Download
memory/4072-75-0x0000000005830000-0x000000000586C000-memory.dmp

Filesize
240KB

Download
memory/4280-54-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-40-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-56-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-61-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-52-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-50-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-48-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-44-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-42-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-58-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-38-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-65-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4280-67-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4280-62-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-64-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-46-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-37-0x0000000002600000-0x0000000002612000-memory.dmp

Filesize
72KB

Download
memory/4280-36-0x0000000002600000-0x0000000002618000-memory.dmp

Filesize
96KB

Download
memory/4280-35-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/4280-34-0x0000000002410000-0x000000000242A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads