healer | 324a3aa441b3f140b52a413f37b191f274373f038f75f0ae6bea4a99a5923e97

General

Target

324a3aa441b3f140b52a413f37b191f274373f038f75f0ae6bea4a99a5923e97.exe
Size

479KB
MD5

a22184a8e2d8b75ad8cde28f31374c93
SHA1

d9e2cd2d12fcefa33dda1366a7101ca617ad1460
SHA256

324a3aa441b3f140b52a413f37b191f274373f038f75f0ae6bea4a99a5923e97
SHA512

1a903c54ade79cdd654697e2c2a7b4a70f2d1118e1eb574cbc86c61693e5b0b664e341ef40a7a42d34f1734bce55c38f3bdd1c43d6360ea1f3f5a5ddaffad846
SSDEEP

12288:eMr/y90aXkQIQnFMP5c1u31UTF0npCjBFGx/eB:RyZFX+BXWT+wBFAi

Score

10^/10

healer redline maher discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maher

C2

217.196.96.101:4132

Attributes

auth_value
c57763165f68aabcf4874e661a1ffbac

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2240-15-0x0000000002090000-0x00000000020AA000-memory.dmp	healer
behavioral1/memory/2240-18-0x00000000024B0000-0x00000000024C8000-memory.dmp	healer
behavioral1/memory/2240-28-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-38-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-46-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-44-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-42-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-40-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-36-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-34-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-32-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-30-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-24-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-22-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-20-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-19-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/2240-26-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4164137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4164137.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4164137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4164137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4164137.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4164137.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000023aa9-53.dat	family_redline
behavioral1/memory/4368-55-0x0000000000800000-0x0000000000830000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3256	v6886942.exe
2240	a4164137.exe
4368	b2711321.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4164137.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4164137.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	324a3aa441b3f140b52a413f37b191f274373f038f75f0ae6bea4a99a5923e97.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6886942.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	324a3aa441b3f140b52a413f37b191f274373f038f75f0ae6bea4a99a5923e97.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6886942.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4164137.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2711321.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2240	a4164137.exe
2240	a4164137.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	a4164137.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 3256	2520	324a3aa441b3f140b52a413f37b191f274373f038f75f0ae6bea4a99a5923e97.exe	84
PID 2520 wrote to memory of 3256	2520	324a3aa441b3f140b52a413f37b191f274373f038f75f0ae6bea4a99a5923e97.exe	84
PID 2520 wrote to memory of 3256	2520	324a3aa441b3f140b52a413f37b191f274373f038f75f0ae6bea4a99a5923e97.exe	84
PID 3256 wrote to memory of 2240	3256	v6886942.exe	85
PID 3256 wrote to memory of 2240	3256	v6886942.exe	85
PID 3256 wrote to memory of 2240	3256	v6886942.exe	85
PID 3256 wrote to memory of 4368	3256	v6886942.exe	97
PID 3256 wrote to memory of 4368	3256	v6886942.exe	97
PID 3256 wrote to memory of 4368	3256	v6886942.exe	97

C:\Users\Admin\AppData\Local\Temp\324a3aa441b3f140b52a413f37b191f274373f038f75f0ae6bea4a99a5923e97.exe
"C:\Users\Admin\AppData\Local\Temp\324a3aa441b3f140b52a413f37b191f274373f038f75f0ae6bea4a99a5923e97.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6886942.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6886942.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4164137.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4164137.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2711321.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2711321.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6886942.exe

Filesize
307KB

MD5
6237ed6952bd9208820ef5a30a49b107

SHA1
1c849e82a21d18fda908c647328558581cb49287

SHA256
0d62beb8da6fe927c2a4df25dea87f88e9089a78fdbae3b4c2334129b6cd9bf0

SHA512
679ab32475e9c6184c70ea6cf8734737acce47496c72a04c88b0d4fc739bdbfd9e1784d7f5d94815369d3bd1ced429b082d132c304b54d950de90ddc4a744a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a4164137.exe

Filesize
179KB

MD5
3483044fa10290838429a03020aee00c

SHA1
3b54a2b248900193794a3a86b282115f2bb603be

SHA256
7a5ee9bcaaf031266fa8e5ee2f6f5c8b75524e1dc95b3b36d56792681ed06f94

SHA512
553614b1f80fc38139f7d54f444de21fbd03fb97e90896743321871cffc31998fb3a7f143f786f1c2ce2e66979fb80ceb7a0e14af9a8676c3f1b2f7a8288d78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b2711321.exe

Filesize
168KB

MD5
3b89d02483bea9d236731e56a44ce807

SHA1
8ea3f5aec7d56b6e4cfda6941f0c9fa37213ba10

SHA256
464b6c4deacae64e1ac84b1e76ff3af9e3363ca69769ab67b5d8401705c056dd

SHA512
19f91d90e2d2fefb7f0eaf65388a24ab9b25338930fdc7402bc8fc6ded31838bc1ca6da60ac780115e85686927ead649260d2224e68402cccb5cdb2b9b65b702

Download Submit
memory/2240-30-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-51-0x0000000073B90000-0x0000000074340000-memory.dmp

Filesize
7.7MB

Download
memory/2240-24-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-18-0x00000000024B0000-0x00000000024C8000-memory.dmp

Filesize
96KB

Download
memory/2240-28-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-38-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-46-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-44-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-42-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-40-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-36-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-34-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-32-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-15-0x0000000002090000-0x00000000020AA000-memory.dmp

Filesize
104KB

Download
memory/2240-17-0x00000000049A0000-0x0000000004F44000-memory.dmp

Filesize
5.6MB

Download
memory/2240-22-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-16-0x0000000073B90000-0x0000000074340000-memory.dmp

Filesize
7.7MB

Download
memory/2240-19-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-26-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-47-0x0000000073B90000-0x0000000074340000-memory.dmp

Filesize
7.7MB

Download
memory/2240-48-0x0000000073B9E000-0x0000000073B9F000-memory.dmp

Filesize
4KB

Download
memory/2240-49-0x0000000073B90000-0x0000000074340000-memory.dmp

Filesize
7.7MB

Download
memory/2240-20-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/2240-14-0x0000000073B9E000-0x0000000073B9F000-memory.dmp

Filesize
4KB

Download
memory/4368-55-0x0000000000800000-0x0000000000830000-memory.dmp

Filesize
192KB

Download
memory/4368-56-0x00000000050E0000-0x00000000050E6000-memory.dmp

Filesize
24KB

Download
memory/4368-57-0x0000000005720000-0x0000000005D38000-memory.dmp

Filesize
6.1MB

Download
memory/4368-58-0x0000000005250000-0x000000000535A000-memory.dmp

Filesize
1.0MB

Download
memory/4368-59-0x0000000005180000-0x0000000005192000-memory.dmp

Filesize
72KB

Download
memory/4368-60-0x00000000051E0000-0x000000000521C000-memory.dmp

Filesize
240KB

Download
memory/4368-61-0x0000000005360000-0x00000000053AC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads