healer | aceb1b6ced445de4f5e1aa15ccb3978646510bbc372ec5eb5c33aa4f10e334a1

General

Target

aceb1b6ced445de4f5e1aa15ccb3978646510bbc372ec5eb5c33aa4f10e334a1.exe
Size

479KB
MD5

ca01f554db34ee365303356360acc510
SHA1

9d41e48da1d00c2330a9283212e735dbc02bed77
SHA256

aceb1b6ced445de4f5e1aa15ccb3978646510bbc372ec5eb5c33aa4f10e334a1
SHA512

6df230d6261f2e31ef5804ba2f6cb93f724f509ae12118b51450c9fc6090371d11231baf48ff5de0e1b8a036d71f778634ab1578bff811441ec17c00d56a9316
SSDEEP

12288:gMrxy9007XJckj9qnaQkMQA2ObbAv4u5Vn4:By3jJcvnLkm26OXh4

Score

10^/10

healer redline mauga discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mauga

C2

217.196.96.102:4132

Attributes

auth_value
36f5411cf117f54076fbbb9ea0631fee

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1676-15-0x0000000002010000-0x000000000202A000-memory.dmp	healer
behavioral1/memory/1676-18-0x0000000004980000-0x0000000004998000-memory.dmp	healer
behavioral1/memory/1676-40-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-48-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-46-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-44-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-42-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-38-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-36-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-34-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-30-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-28-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-26-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-24-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-22-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-21-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/1676-32-0x0000000004980000-0x0000000004992000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2609393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2609393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2609393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2609393.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a2609393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2609393.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b66-54.dat	family_redline
behavioral1/memory/4056-56-0x0000000000B40000-0x0000000000B6E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3964	v6420003.exe
1676	a2609393.exe
4056	b7657797.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a2609393.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2609393.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	aceb1b6ced445de4f5e1aa15ccb3978646510bbc372ec5eb5c33aa4f10e334a1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6420003.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7657797.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aceb1b6ced445de4f5e1aa15ccb3978646510bbc372ec5eb5c33aa4f10e334a1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6420003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a2609393.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1676	a2609393.exe
1676	a2609393.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1676	a2609393.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 3964	3144	aceb1b6ced445de4f5e1aa15ccb3978646510bbc372ec5eb5c33aa4f10e334a1.exe	83
PID 3144 wrote to memory of 3964	3144	aceb1b6ced445de4f5e1aa15ccb3978646510bbc372ec5eb5c33aa4f10e334a1.exe	83
PID 3144 wrote to memory of 3964	3144	aceb1b6ced445de4f5e1aa15ccb3978646510bbc372ec5eb5c33aa4f10e334a1.exe	83
PID 3964 wrote to memory of 1676	3964	v6420003.exe	84
PID 3964 wrote to memory of 1676	3964	v6420003.exe	84
PID 3964 wrote to memory of 1676	3964	v6420003.exe	84
PID 3964 wrote to memory of 4056	3964	v6420003.exe	89
PID 3964 wrote to memory of 4056	3964	v6420003.exe	89
PID 3964 wrote to memory of 4056	3964	v6420003.exe	89

C:\Users\Admin\AppData\Local\Temp\aceb1b6ced445de4f5e1aa15ccb3978646510bbc372ec5eb5c33aa4f10e334a1.exe
"C:\Users\Admin\AppData\Local\Temp\aceb1b6ced445de4f5e1aa15ccb3978646510bbc372ec5eb5c33aa4f10e334a1.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6420003.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6420003.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2609393.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2609393.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7657797.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7657797.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6420003.exe

Filesize
307KB

MD5
94dca97eed71f6706a22d64af9aa70f4

SHA1
58f5ab22a5e0cd596258c38387cfba6d012c8adf

SHA256
ce00ebbd1b5ca6266a6c96a8d7d6cb5efc6941faaebeb6c2d73d1b0a1e539f7b

SHA512
7ada35ab838bacea322edafd50a27081ec5ace7f466a0cf1664a1db002039da1a92268a383e5a7c8fa08c64d7fee3f03aeb5d21bbec52d0585e9086da2924508

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a2609393.exe

Filesize
182KB

MD5
4a779d5fa1ae2b60deb25da700cce180

SHA1
223c68853aef5d4cd8a695deb64a3e60fb09266c

SHA256
f30cf16f2eed0c1d78b577c93cce7b9840fbebc3296d1329c0dcd2593ba6ab9a

SHA512
f41d1b2daa72b746416b75aa0a124c006566228616a5ad7ee7e6627007e2083f1bd78c6e671b693da507724b12954fb73a7401124c0860605ca2efc0656ad460

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b7657797.exe

Filesize
168KB

MD5
0d5f460d4735949bc6ec1cdcaceda471

SHA1
a947e959139eac223a37f0500725b3a4ccad9578

SHA256
56007c2d332b246068744e68c1aa85e0f5f7ce4b259a470f9fb25c0fe745da18

SHA512
e5a4b30bc79e98ebb9766845285ca8c972d162047be5a5d012e318a481d14f2d95ae18151c2ba46b87db6bb959e0696d37c15f3d9d45456951047670d98e16b5

Download Submit
memory/1676-30-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-50-0x00000000741B0000-0x0000000074960000-memory.dmp

Filesize
7.7MB

Download
memory/1676-16-0x00000000741B0000-0x0000000074960000-memory.dmp

Filesize
7.7MB

Download
memory/1676-19-0x00000000741B0000-0x0000000074960000-memory.dmp

Filesize
7.7MB

Download
memory/1676-18-0x0000000004980000-0x0000000004998000-memory.dmp

Filesize
96KB

Download
memory/1676-40-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-24-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-46-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-44-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-42-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-38-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-36-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-34-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-15-0x0000000002010000-0x000000000202A000-memory.dmp

Filesize
104KB

Download
memory/1676-28-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-26-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-48-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-22-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-21-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-32-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/1676-20-0x00000000741B0000-0x0000000074960000-memory.dmp

Filesize
7.7MB

Download
memory/1676-49-0x00000000741BE000-0x00000000741BF000-memory.dmp

Filesize
4KB

Download
memory/1676-17-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/1676-52-0x00000000741B0000-0x0000000074960000-memory.dmp

Filesize
7.7MB

Download
memory/1676-14-0x00000000741BE000-0x00000000741BF000-memory.dmp

Filesize
4KB

Download
memory/4056-56-0x0000000000B40000-0x0000000000B6E000-memory.dmp

Filesize
184KB

Download
memory/4056-57-0x0000000002ED0000-0x0000000002ED6000-memory.dmp

Filesize
24KB

Download
memory/4056-58-0x0000000005B70000-0x0000000006188000-memory.dmp

Filesize
6.1MB

Download
memory/4056-59-0x0000000005660000-0x000000000576A000-memory.dmp

Filesize
1.0MB

Download
memory/4056-60-0x00000000053B0000-0x00000000053C2000-memory.dmp

Filesize
72KB

Download
memory/4056-61-0x0000000005550000-0x000000000558C000-memory.dmp

Filesize
240KB

Download
memory/4056-62-0x0000000005590000-0x00000000055DC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads