healer | 062ff4e9d95c6aec47fed228667eb31fe349288f6d99708c32bb7cf7d462063e

General

Target

062ff4e9d95c6aec47fed228667eb31fe349288f6d99708c32bb7cf7d462063e.exe
Size

481KB
MD5

c2cc8672da4238fe88decba6d3310bbe
SHA1

9f4cb4df278b3f1e02cafcdc67f344a232650f2b
SHA256

062ff4e9d95c6aec47fed228667eb31fe349288f6d99708c32bb7cf7d462063e
SHA512

8bdd2e37ed2fb89d32e80dfd4e85b7807a9b246cf446f6f52b050f2053d9b9e7eaf30b173f123869f5355233412b1ff6bde03b634d511b3367b24f72cd424200
SSDEEP

12288:VMrjy902SvGGTtpEMZ12HP2LDO/8y7MapLO0/p:SyGG6mfHaDO/8y7M2//p

Score

10^/10

healer redline mihan discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mihan

C2

217.196.96.101:4132

Attributes

auth_value
9a6a8fdae02ed7caa0a49a6ddc6d4520

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1268-15-0x0000000002360000-0x000000000237A000-memory.dmp	healer
behavioral1/memory/1268-18-0x0000000004F40000-0x0000000004F58000-memory.dmp	healer
behavioral1/memory/1268-33-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-47-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-45-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-43-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-41-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-39-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-37-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-35-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-31-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-29-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-27-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-25-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-23-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-21-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer
behavioral1/memory/1268-20-0x0000000004F40000-0x0000000004F52000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a7163452.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7163452.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7163452.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7163452.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7163452.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7163452.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b67-54.dat	family_redline
behavioral1/memory/1872-56-0x00000000009A0000-0x00000000009D0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3732	v2079672.exe
1268	a7163452.exe
1872	b6822095.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7163452.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7163452.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	062ff4e9d95c6aec47fed228667eb31fe349288f6d99708c32bb7cf7d462063e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2079672.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6822095.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	062ff4e9d95c6aec47fed228667eb31fe349288f6d99708c32bb7cf7d462063e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v2079672.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7163452.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1268	a7163452.exe
1268	a7163452.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1268	a7163452.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 3732	1444	062ff4e9d95c6aec47fed228667eb31fe349288f6d99708c32bb7cf7d462063e.exe	84
PID 1444 wrote to memory of 3732	1444	062ff4e9d95c6aec47fed228667eb31fe349288f6d99708c32bb7cf7d462063e.exe	84
PID 1444 wrote to memory of 3732	1444	062ff4e9d95c6aec47fed228667eb31fe349288f6d99708c32bb7cf7d462063e.exe	84
PID 3732 wrote to memory of 1268	3732	v2079672.exe	85
PID 3732 wrote to memory of 1268	3732	v2079672.exe	85
PID 3732 wrote to memory of 1268	3732	v2079672.exe	85
PID 3732 wrote to memory of 1872	3732	v2079672.exe	95
PID 3732 wrote to memory of 1872	3732	v2079672.exe	95
PID 3732 wrote to memory of 1872	3732	v2079672.exe	95

C:\Users\Admin\AppData\Local\Temp\062ff4e9d95c6aec47fed228667eb31fe349288f6d99708c32bb7cf7d462063e.exe
"C:\Users\Admin\AppData\Local\Temp\062ff4e9d95c6aec47fed228667eb31fe349288f6d99708c32bb7cf7d462063e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2079672.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2079672.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7163452.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7163452.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6822095.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6822095.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2079672.exe

Filesize
309KB

MD5
01fcd7a27d7a52c5ccefde1ff4c15df9

SHA1
45e01767922f7ff8ab6c34f17f428301939e461b

SHA256
614c11fae98929bb5c8ae46b3fb3217ff964b7748e6754e9561e0e9eea419644

SHA512
87a71d46659208778af77c5cd51e782ef3d652eb68802dd035723eea63ab18e9f16ef33867ec23600b593f293b960d8656829383847efbcfe9f489f57539fa4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7163452.exe

Filesize
179KB

MD5
4682eaff79cff6e8efe4603d97d7efa2

SHA1
5dc5c18f48c3e39e29f26ce00518d777252be057

SHA256
7eb6d8cf1fbdbe5ee871a73659a105a3643b20c176310b036eaf0b437bdb2ce9

SHA512
03e431fb059e19335a05e686fcc8a09a5051f508b93412fc345165608ec28c8432a74017b18c787c7b43ed5516f69adbdc97fd496958a9e58c468f65424ca881

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b6822095.exe

Filesize
168KB

MD5
bc27238936db9fb9c061f3e581fb1a5f

SHA1
778c0ac2f5b76403691aff9a0ff08f919cdc1a6f

SHA256
1a2d58c15e28d694de166976220982bbea37c8ab07d3befac5d6621ce0d68acc

SHA512
895739bc842a4ee234002ed3e563f2881ee1a45be4a35d441ef6743bb882e9fa94cd1f8817cffc2a03ede54d9b4d65465417597b84480cf5ea97fe44e1595af9

Download Submit
memory/1268-31-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-50-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/1268-18-0x0000000004F40000-0x0000000004F58000-memory.dmp

Filesize
96KB

Download
memory/1268-17-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/1268-19-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/1268-33-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-25-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-45-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-43-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-41-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-39-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-37-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-35-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-15-0x0000000002360000-0x000000000237A000-memory.dmp

Filesize
104KB

Download
memory/1268-29-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-27-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-47-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-23-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-21-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-20-0x0000000004F40000-0x0000000004F52000-memory.dmp

Filesize
72KB

Download
memory/1268-48-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/1268-49-0x0000000073BFE000-0x0000000073BFF000-memory.dmp

Filesize
4KB

Download
memory/1268-16-0x0000000004970000-0x0000000004F14000-memory.dmp

Filesize
5.6MB

Download
memory/1268-52-0x0000000073BF0000-0x00000000743A0000-memory.dmp

Filesize
7.7MB

Download
memory/1268-14-0x0000000073BFE000-0x0000000073BFF000-memory.dmp

Filesize
4KB

Download
memory/1872-56-0x00000000009A0000-0x00000000009D0000-memory.dmp

Filesize
192KB

Download
memory/1872-57-0x0000000000FF0000-0x0000000000FF6000-memory.dmp

Filesize
24KB

Download
memory/1872-58-0x00000000059F0000-0x0000000006008000-memory.dmp

Filesize
6.1MB

Download
memory/1872-59-0x00000000054E0000-0x00000000055EA000-memory.dmp

Filesize
1.0MB

Download
memory/1872-60-0x0000000005210000-0x0000000005222000-memory.dmp

Filesize
72KB

Download
memory/1872-61-0x0000000005270000-0x00000000052AC000-memory.dmp

Filesize
240KB

Download
memory/1872-62-0x00000000053D0000-0x000000000541C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads