healer | e60d16502d73b3b594e16b21488e4490f05a8809f65fe571966a9f620fe3d272

General

Target

e60d16502d73b3b594e16b21488e4490f05a8809f65fe571966a9f620fe3d272.exe
Size

480KB
MD5

8c7aa3c8b63b0a68c9717c388ed7a165
SHA1

81ff10cfb60d2ea2625f08924103fbd226baf325
SHA256

e60d16502d73b3b594e16b21488e4490f05a8809f65fe571966a9f620fe3d272
SHA512

99f7a2f15799fd495ee44bb94bae33a72459ea73bdb91c9835247c717b60f19e4be3a9cdc0115a4f5af5e2f6ac64fa4e9b86f9ccfc5746e691e2226cea14df28
SSDEEP

12288:wMrVy90iqwoXPOQlWXXga3NUlbaCgv3Q8q:1y7o/Jba3NU9/gv7q

Score

10^/10

healer redline douma discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

douma

C2

217.196.96.101:4132

Attributes

auth_value
e7c0659b5f9d26f2f97df8d25fefbb44

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2428-15-0x00000000023B0000-0x00000000023CA000-memory.dmp	healer
behavioral1/memory/2428-19-0x0000000004AC0000-0x0000000004AD8000-memory.dmp	healer
behavioral1/memory/2428-47-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-45-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-43-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-41-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-39-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-35-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-33-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-31-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-29-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-25-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer
behavioral1/memory/2428-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0474007.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0474007.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0474007.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0474007.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k0474007.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0474007.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b9f-54.dat	family_redline
behavioral1/memory/2360-55-0x00000000002F0000-0x000000000031E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4536	y9835051.exe
2428	k0474007.exe
2360	l2643101.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k0474007.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0474007.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y9835051.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e60d16502d73b3b594e16b21488e4490f05a8809f65fe571966a9f620fe3d272.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e60d16502d73b3b594e16b21488e4490f05a8809f65fe571966a9f620fe3d272.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y9835051.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k0474007.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l2643101.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2428	k0474007.exe
2428	k0474007.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	k0474007.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 4536	1180	e60d16502d73b3b594e16b21488e4490f05a8809f65fe571966a9f620fe3d272.exe	83
PID 1180 wrote to memory of 4536	1180	e60d16502d73b3b594e16b21488e4490f05a8809f65fe571966a9f620fe3d272.exe	83
PID 1180 wrote to memory of 4536	1180	e60d16502d73b3b594e16b21488e4490f05a8809f65fe571966a9f620fe3d272.exe	83
PID 4536 wrote to memory of 2428	4536	y9835051.exe	84
PID 4536 wrote to memory of 2428	4536	y9835051.exe	84
PID 4536 wrote to memory of 2428	4536	y9835051.exe	84
PID 4536 wrote to memory of 2360	4536	y9835051.exe	92
PID 4536 wrote to memory of 2360	4536	y9835051.exe	92
PID 4536 wrote to memory of 2360	4536	y9835051.exe	92

C:\Users\Admin\AppData\Local\Temp\e60d16502d73b3b594e16b21488e4490f05a8809f65fe571966a9f620fe3d272.exe
"C:\Users\Admin\AppData\Local\Temp\e60d16502d73b3b594e16b21488e4490f05a8809f65fe571966a9f620fe3d272.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9835051.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9835051.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0474007.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0474007.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2643101.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2643101.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9835051.exe

Filesize
309KB

MD5
54fa815aeb23f27d49c1dbc3ddf228d5

SHA1
c564bda1ca3c7e729f36fbed08aa01e7b0d4464f

SHA256
7475b061c3b3786615f5081cf07461a0a36f4d6b9e0e7d8444d33bf59efd6989

SHA512
55a004896163e1972df86f4cfe2f9a910c6cfe276dc00877984cb9c3c540a97cfdc8b567b0b4c800ebac952f4b546d6dc3ba51fdd4491d5ab75bae821a4f8188

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0474007.exe

Filesize
181KB

MD5
8609b73fa371d0a86d7990b1bb5e715f

SHA1
d8cd8069e3feb2481d3e5c2656869f2cb3b2efce

SHA256
b1f77353f33662cd66d59fbbf1643ccb686d28f018bc4c81319933b95306f5ee

SHA512
90aac2d0bafdcc6bd50f293e8edc5d906b97762f0bcdba0bdd1b4e9d557da48d9ea907d9a9e8de32b9de3e3f936ce95d5c652f463dac5aae6e4201999a4fdd48

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l2643101.exe

Filesize
168KB

MD5
e45424b260779b983ff2b0a1ff34bb6b

SHA1
396f3cc6a4bbfda559322735d6461d04fc6e4314

SHA256
b024d73232c4a7cf9df3c21b77ab0ab90054395031cac97ce9d16dcaf92eccf1

SHA512
74fc5e8ba152f79b3ed4b80a7dd64817e535f1e326fe450d44bd8608611db3e87eb9abf61549b5f1ef3b181d6705e73e13accca7ae8ab3b4ceefcbc4b4462b42

Download Submit
memory/2360-61-0x0000000004D20000-0x0000000004D6C000-memory.dmp

Filesize
304KB

Download
memory/2360-60-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

Filesize
240KB

Download
memory/2360-59-0x0000000004C70000-0x0000000004C82000-memory.dmp

Filesize
72KB

Download
memory/2360-58-0x0000000004D80000-0x0000000004E8A000-memory.dmp

Filesize
1.0MB

Download
memory/2360-57-0x0000000005290000-0x00000000058A8000-memory.dmp

Filesize
6.1MB

Download
memory/2360-55-0x00000000002F0000-0x000000000031E000-memory.dmp

Filesize
184KB

Download
memory/2360-56-0x0000000002350000-0x0000000002356000-memory.dmp

Filesize
24KB

Download
memory/2428-31-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-21-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-39-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-37-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-35-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-33-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-43-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-29-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-27-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-25-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-23-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-41-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-20-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-48-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/2428-49-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/2428-51-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/2428-45-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-47-0x0000000004AC0000-0x0000000004AD2000-memory.dmp

Filesize
72KB

Download
memory/2428-18-0x0000000004C00000-0x00000000051A4000-memory.dmp

Filesize
5.6MB

Download
memory/2428-19-0x0000000004AC0000-0x0000000004AD8000-memory.dmp

Filesize
96KB

Download
memory/2428-17-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/2428-16-0x00000000749B0000-0x0000000075160000-memory.dmp

Filesize
7.7MB

Download
memory/2428-15-0x00000000023B0000-0x00000000023CA000-memory.dmp

Filesize
104KB

Download
memory/2428-14-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads