healer | 0d49c2d3cf9ae5c0f75d3a33f3bd5ce19228a8f2f6b8711a1dc207dbb1a75baf

General

Target

0d49c2d3cf9ae5c0f75d3a33f3bd5ce19228a8f2f6b8711a1dc207dbb1a75baf.exe
Size

1.4MB
MD5

7e4b05999f3157f1d3327cdde61620a5
SHA1

c4ebe871cb835699c8cd59f8182aa5b07ef6d560
SHA256

0d49c2d3cf9ae5c0f75d3a33f3bd5ce19228a8f2f6b8711a1dc207dbb1a75baf
SHA512

cf606c46712af6c25efe0b8b51f19442f1018a56c1b0c6551c40606f28d37d17d3f7075cc948200d2f2012b32685d661294f329c89ff138ce3675baddc67ac72
SSDEEP

24576:rydG19dotlhF9+4osbnMEqRGsPnK/KvzUWLdpim+Q1hw43XLLi/vp3mmz9vG:ew9dq3gt6NqK/WzUWLdJvh3XLM1

Score

10^/10

healer redline mask discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mask

C2

217.196.96.56:4138

Attributes

auth_value
31aef25be0febb8e491794ef7f502c50

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/5048-36-0x0000000002320000-0x000000000233A000-memory.dmp	healer
behavioral1/memory/5048-38-0x0000000002720000-0x0000000002738000-memory.dmp	healer
behavioral1/memory/5048-66-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-65-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-62-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-60-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-58-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-56-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-54-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-52-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-50-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-48-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-46-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-44-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-42-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-40-0x0000000002720000-0x0000000002732000-memory.dmp	healer
behavioral1/memory/5048-39-0x0000000002720000-0x0000000002732000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4916770.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4916770.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4916770.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4916770.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4916770.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4916770.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ccb-71.dat	family_redline
behavioral1/memory/908-73-0x00000000003F0000-0x0000000000420000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
3052	v3275785.exe
2016	v8384457.exe
184	v3869003.exe
3248	v5141468.exe
5048	a4916770.exe
908	b6824504.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4916770.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4916770.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3275785.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8384457.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v3869003.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v5141468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0d49c2d3cf9ae5c0f75d3a33f3bd5ce19228a8f2f6b8711a1dc207dbb1a75baf.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4528	5048	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3869003.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v5141468.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4916770.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6824504.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d49c2d3cf9ae5c0f75d3a33f3bd5ce19228a8f2f6b8711a1dc207dbb1a75baf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3275785.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v8384457.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5048	a4916770.exe
5048	a4916770.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	a4916770.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 3052	460	0d49c2d3cf9ae5c0f75d3a33f3bd5ce19228a8f2f6b8711a1dc207dbb1a75baf.exe	83
PID 460 wrote to memory of 3052	460	0d49c2d3cf9ae5c0f75d3a33f3bd5ce19228a8f2f6b8711a1dc207dbb1a75baf.exe	83
PID 460 wrote to memory of 3052	460	0d49c2d3cf9ae5c0f75d3a33f3bd5ce19228a8f2f6b8711a1dc207dbb1a75baf.exe	83
PID 3052 wrote to memory of 2016	3052	v3275785.exe	84
PID 3052 wrote to memory of 2016	3052	v3275785.exe	84
PID 3052 wrote to memory of 2016	3052	v3275785.exe	84
PID 2016 wrote to memory of 184	2016	v8384457.exe	87
PID 2016 wrote to memory of 184	2016	v8384457.exe	87
PID 2016 wrote to memory of 184	2016	v8384457.exe	87
PID 184 wrote to memory of 3248	184	v3869003.exe	88
PID 184 wrote to memory of 3248	184	v3869003.exe	88
PID 184 wrote to memory of 3248	184	v3869003.exe	88
PID 3248 wrote to memory of 5048	3248	v5141468.exe	89
PID 3248 wrote to memory of 5048	3248	v5141468.exe	89
PID 3248 wrote to memory of 5048	3248	v5141468.exe	89
PID 3248 wrote to memory of 908	3248	v5141468.exe	101
PID 3248 wrote to memory of 908	3248	v5141468.exe	101
PID 3248 wrote to memory of 908	3248	v5141468.exe	101

C:\Users\Admin\AppData\Local\Temp\0d49c2d3cf9ae5c0f75d3a33f3bd5ce19228a8f2f6b8711a1dc207dbb1a75baf.exe
"C:\Users\Admin\AppData\Local\Temp\0d49c2d3cf9ae5c0f75d3a33f3bd5ce19228a8f2f6b8711a1dc207dbb1a75baf.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:460
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275785.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275785.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8384457.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8384457.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3869003.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3869003.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:184
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5141468.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5141468.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3248
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4916770.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4916770.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 980
        7⤵
        Program crash
        
        PID:4528
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6824504.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6824504.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5048 -ip 5048
1⤵
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3275785.exe

Filesize
1.3MB

MD5
0cc9b555c42008198e1216bb2819845e

SHA1
91ad5388f37ac83b4f32d3e9da74219bad468e39

SHA256
b8bda71b02bbbb0bf09c6bf5009df9f9f6cee19ddab3a927e2ca0d800ed83459

SHA512
f614d983097b5ebd4d72db4a039fd1793843c350988201f506911c293034dc0a23e75c284834b6dcb9da291d5bbe176f40d63bd1108f98003002c986f0a92c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8384457.exe

Filesize
846KB

MD5
03ebec5cb7150c8748e8ad3022b55d68

SHA1
ed4da618385c4dbb40c229195b9d22346a6d3295

SHA256
2eac342772d2fbfb85770da38a9347eb9b8f7de85c9507853355d6f0c03d89e1

SHA512
615f84f740d3bba7e867c2dbc3d5efe467aee8aac9986bb3011a548d5c0804fd0f2ec7b6ed73d8ff805e158109ae17ce3d99a3922ea203ab8bca1744917c67c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v3869003.exe

Filesize
641KB

MD5
5c8dbcaea0525443417c9568c5bb38c3

SHA1
77e797a06a250c25cec4bb2294fd9e3660769b59

SHA256
bc0ec7fcfc363922ce696481b3189b0b0d93f66cb93feeb39dba0b85ce19cdfc

SHA512
e6bbab63a9319d6adfeeee0cc186ceb37e634fded156b4d30ae33bc0fa58b08c2fa8ce006b1a34fa522835e9c5137d25d047609b568a7378a018d99f0de493d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v5141468.exe

Filesize
383KB

MD5
605ed5a08182ad49d4d9c96dd2e5e538

SHA1
cbf8f4b2d26aff27e312ee628c63ca89e4b29fcb

SHA256
d71cceef5871c888dd7e25c8489244eae2370e16a02efb9362e21021793b9328

SHA512
1c2bf6f3a319d03ed69a6df4af91a9538949181264c1ea05bbeea5675d025f9fe603935bcfeee55576d466b39be1a81b8ed902229e43a4130f5beea966715731

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a4916770.exe

Filesize
289KB

MD5
8e9bc75fa0e95d5510e8e9fc28b632b6

SHA1
0100596a72502cadc38a3f30b9bee9847f76f27e

SHA256
01c1583aefd1e8a9ed9ca4c7294b98d337f660d333128e01c167a44155ba381c

SHA512
59cedbd9c93d5a0857859a5f4e45409e3d845b17f6c605ad68558e1b4bd9cf2d0cece9bea978c641c50d42adf09f18552ee6584f468a66d882cbe94adcc162eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6824504.exe

Filesize
168KB

MD5
0aad713cd9211fe224b57c281196a327

SHA1
44ae87ca4fdac573331b7d6411087dd10ada02d4

SHA256
3c7138348e087b9eedd619b611cd940acee4d275547cad4616ace37ffac9d3ed

SHA512
2172b3a0273d4442c4057dcd0b204a0f9928f6b8cc10a5a11416f8496e5e1dd3beaeb557faac85ec4fad7b1934658038427e397ad916f3a1657265b8022d6b14

Download Submit
memory/908-78-0x0000000004F10000-0x0000000004F4C000-memory.dmp

Filesize
240KB

Download
memory/908-77-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

Filesize
72KB

Download
memory/908-76-0x0000000004FC0000-0x00000000050CA000-memory.dmp

Filesize
1.0MB

Download
memory/908-75-0x00000000054D0000-0x0000000005AE8000-memory.dmp

Filesize
6.1MB

Download
memory/908-74-0x0000000000D00000-0x0000000000D06000-memory.dmp

Filesize
24KB

Download
memory/908-73-0x00000000003F0000-0x0000000000420000-memory.dmp

Filesize
192KB

Download
memory/908-79-0x0000000004F60000-0x0000000004FAC000-memory.dmp

Filesize
304KB

Download
memory/5048-50-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-39-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-52-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-56-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-48-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-46-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-44-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-42-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-40-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-54-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-67-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5048-69-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5048-58-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-60-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-62-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-65-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-66-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/5048-38-0x0000000002720000-0x0000000002738000-memory.dmp

Filesize
96KB

Download
memory/5048-37-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/5048-36-0x0000000002320000-0x000000000233A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads