healer | 3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3

General

Target

3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe
Size

480KB
MD5

dc3dc81717465339b41a5ac01f4bb7fb
SHA1

5d0a14047d2b0ed16e606af7eb8be2cf26cbdcf6
SHA256

3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3
SHA512

8d0354789a85dcb00924c5346a09464e7768e859fc10649f686762af93b4a1e57f9f2f8e005232add7767e84f1daa7da6e4fecc12b8b6df25d8310d4fcd81dcd
SSDEEP

12288:FMrVy90kN229NSD6ynkOjCVPMK093qQuhpyahSU6:8ySD6zOW5MH3puhpyakT

Score

10^/10

healer redline discovery dropper evasion infostealer persistence trojan

Malware Config

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4064-15-0x0000000002460000-0x000000000247A000-memory.dmp	healer
behavioral1/memory/4064-18-0x0000000004980000-0x0000000004998000-memory.dmp	healer
behavioral1/memory/4064-21-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-48-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-46-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-44-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-42-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-40-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-38-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-36-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-34-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-32-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-30-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-28-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-26-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-24-0x0000000004980000-0x0000000004992000-memory.dmp	healer
behavioral1/memory/4064-22-0x0000000004980000-0x0000000004992000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1948969.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1948969.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1948969.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1948969.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1948969.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k1948969.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca6-54.dat	family_redline
behavioral1/memory/4296-56-0x0000000000B30000-0x0000000000B58000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1392	y0022135.exe
4064	k1948969.exe
4296	l3442420.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k1948969.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1948969.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0022135.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l3442420.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y0022135.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k1948969.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4064	k1948969.exe
4064	k1948969.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4064	k1948969.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 1392	3224	3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe	83
PID 3224 wrote to memory of 1392	3224	3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe	83
PID 3224 wrote to memory of 1392	3224	3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe	83
PID 1392 wrote to memory of 4064	1392	y0022135.exe	84
PID 1392 wrote to memory of 4064	1392	y0022135.exe	84
PID 1392 wrote to memory of 4064	1392	y0022135.exe	84
PID 1392 wrote to memory of 4296	1392	y0022135.exe	97
PID 1392 wrote to memory of 4296	1392	y0022135.exe	97
PID 1392 wrote to memory of 4296	1392	y0022135.exe	97

C:\Users\Admin\AppData\Local\Temp\3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe
"C:\Users\Admin\AppData\Local\Temp\3faf42b3531ff9b4f8c720d530343b65d6fd6819ecab96379deadccebdbdf1e3.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0022135.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0022135.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1948969.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1948969.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3442420.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3442420.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0022135.exe

Filesize
308KB

MD5
76877687e32b696b64a6658535948c7a

SHA1
44157b318d06c65e1c7e2490cd8faad6707137e0

SHA256
87b8512990ca512768bcb96642b8f4e39661d9eb20306cfc42f81428ef52e223

SHA512
13f23bff4ffa9385b5eb23a580e2ee03bf70000e0b34203be2e3153241b186d8d1445a31901e7ed6e5208fdab1ddbffa3ef1d34b2735509274fbff2518f064a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1948969.exe

Filesize
175KB

MD5
9a814cbdba57f622d601ea500ea5e859

SHA1
84c19bb79bbe66044c9777e2e3a72d73863b3b9c

SHA256
4e7e6d2d5666beff496993190e4263d9a44cbe3cd71c9551fbab203466df2a7c

SHA512
61ae720f3fca170ec172b9a59842ac455ebfb4b79bc844a658a4ec5348e342fe79f28f8063361a699b3130e80fa7842cd98e6450321b77e0cdfb2568e65052a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l3442420.exe

Filesize
136KB

MD5
899e585d287afa3aa77046536b099001

SHA1
4208b3423bb2f1056167498891f048b17c91a691

SHA256
3c9ad3868861f295faadf92684ed3278e70ff1893ffc0e4d6a6746d7d0c52363

SHA512
00779557d9a7183236230db60809d479cda8f069300f6aebb7aff724f82029c2780479b327d8713bbfc017c55feab4283bbbbedd1b4e98a0427d700575e31279

Download Submit
memory/4064-36-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-30-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-18-0x0000000004980000-0x0000000004998000-memory.dmp

Filesize
96KB

Download
memory/4064-17-0x0000000004AE0000-0x0000000005084000-memory.dmp

Filesize
5.6MB

Download
memory/4064-19-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/4064-20-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/4064-21-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-48-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-46-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-44-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-42-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-40-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-38-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-15-0x0000000002460000-0x000000000247A000-memory.dmp

Filesize
104KB

Download
memory/4064-16-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/4064-34-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-26-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-28-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-32-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-24-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-22-0x0000000004980000-0x0000000004992000-memory.dmp

Filesize
72KB

Download
memory/4064-49-0x000000007420E000-0x000000007420F000-memory.dmp

Filesize
4KB

Download
memory/4064-50-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/4064-52-0x0000000074200000-0x00000000749B0000-memory.dmp

Filesize
7.7MB

Download
memory/4064-14-0x000000007420E000-0x000000007420F000-memory.dmp

Filesize
4KB

Download
memory/4296-56-0x0000000000B30000-0x0000000000B58000-memory.dmp

Filesize
160KB

Download
memory/4296-57-0x0000000007DF0000-0x0000000008408000-memory.dmp

Filesize
6.1MB

Download
memory/4296-58-0x0000000007890000-0x00000000078A2000-memory.dmp

Filesize
72KB

Download
memory/4296-59-0x00000000079C0000-0x0000000007ACA000-memory.dmp

Filesize
1.0MB

Download
memory/4296-60-0x00000000078F0000-0x000000000792C000-memory.dmp

Filesize
240KB

Download
memory/4296-61-0x0000000004CF0000-0x0000000004D3C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads