healer | afc7fb767aa27e8db1d8648b4a08cdd7cc0c8078bb2cc1ff983dd754116c1a68

General

Target

afc7fb767aa27e8db1d8648b4a08cdd7cc0c8078bb2cc1ff983dd754116c1a68.exe
Size

479KB
MD5

b41e5631df84af8b96a3241fbf98ae19
SHA1

267ba75c3cc34575b218b7ce0e36c2a048b71ae4
SHA256

afc7fb767aa27e8db1d8648b4a08cdd7cc0c8078bb2cc1ff983dd754116c1a68
SHA512

13fbf49dc267cecfe1a57c9c1bbf6690014a4c71a034e09f4617423388c7fee7db34e22318d8a2afe4f6adc123c3dcfc90dc455736af6dfe0babe5c6a340497b
SSDEEP

12288:vMrzy90HNeGxaZZhoKYYWo5bpCfO1ZcopQlSk:8yKAZX1z1mopQlJ

Score

10^/10

healer redline maher discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maher

C2

217.196.96.101:4132

Attributes

auth_value
c57763165f68aabcf4874e661a1ffbac

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3620-15-0x00000000021B0000-0x00000000021CA000-memory.dmp	healer
behavioral1/memory/3620-19-0x00000000024B0000-0x00000000024C8000-memory.dmp	healer
behavioral1/memory/3620-44-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-48-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-46-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-42-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-40-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-36-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-34-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-32-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-30-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-28-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-26-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-24-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-22-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-21-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer
behavioral1/memory/3620-38-0x00000000024B0000-0x00000000024C2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a7995066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7995066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7995066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7995066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7995066.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7995066.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c9a-54.dat	family_redline
behavioral1/memory/3080-56-0x00000000003C0000-0x00000000003F0000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
3560	v0609381.exe
3620	a7995066.exe
3080	b8795806.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7995066.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a7995066.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	afc7fb767aa27e8db1d8648b4a08cdd7cc0c8078bb2cc1ff983dd754116c1a68.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0609381.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7995066.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8795806.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afc7fb767aa27e8db1d8648b4a08cdd7cc0c8078bb2cc1ff983dd754116c1a68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v0609381.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3620	a7995066.exe
3620	a7995066.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3620	a7995066.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1604 wrote to memory of 3560	1604	afc7fb767aa27e8db1d8648b4a08cdd7cc0c8078bb2cc1ff983dd754116c1a68.exe	83
PID 1604 wrote to memory of 3560	1604	afc7fb767aa27e8db1d8648b4a08cdd7cc0c8078bb2cc1ff983dd754116c1a68.exe	83
PID 1604 wrote to memory of 3560	1604	afc7fb767aa27e8db1d8648b4a08cdd7cc0c8078bb2cc1ff983dd754116c1a68.exe	83
PID 3560 wrote to memory of 3620	3560	v0609381.exe	84
PID 3560 wrote to memory of 3620	3560	v0609381.exe	84
PID 3560 wrote to memory of 3620	3560	v0609381.exe	84
PID 3560 wrote to memory of 3080	3560	v0609381.exe	93
PID 3560 wrote to memory of 3080	3560	v0609381.exe	93
PID 3560 wrote to memory of 3080	3560	v0609381.exe	93

C:\Users\Admin\AppData\Local\Temp\afc7fb767aa27e8db1d8648b4a08cdd7cc0c8078bb2cc1ff983dd754116c1a68.exe
"C:\Users\Admin\AppData\Local\Temp\afc7fb767aa27e8db1d8648b4a08cdd7cc0c8078bb2cc1ff983dd754116c1a68.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1604
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0609381.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0609381.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7995066.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7995066.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3620
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8795806.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8795806.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0609381.exe

Filesize
307KB

MD5
5d7dd8ca7a033470c5e146042169ccf4

SHA1
28c5f215b35249bd2c8bacef7e21c6de20284059

SHA256
a7970f339efcb0c7f6e7301eb47a8079d62a07496df5944b850d079a1d07ee3e

SHA512
59ba37815d6414de0f5b478351547f9e5c61ab1072f33b25461bd33c3e1f9d1dab4d115b795936b98b02f54971da122810c91fa50fcdbe0f20a2024871c38f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7995066.exe

Filesize
179KB

MD5
c25c4b193b7217c4dd2e68df28b79e59

SHA1
12546de7a7b2554d22e88def6334e4d5a9b85de8

SHA256
37ee42edfd46d17af09d58707c5f875f8417e4b378ff88b304ff24b49d3b2925

SHA512
212dd32fb292f4cb53fb446a4924125d017aa8e24c7cebd19b2ee2c2e8d5ba909a578a005dbb0da65c46b084036a1158151ca6fbcb6917e919575e98f8b1f622

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8795806.exe

Filesize
168KB

MD5
99c533ee1935d90e8ce3146351472beb

SHA1
efa2d55c70340c9a7b2edd1804db67d7ad8e3529

SHA256
0281f7ceff567f957d32dc05ddc29325dd807040fbf4b2fcbbf0a983ffdde1b1

SHA512
a6d226c934f0a41832e5ed9e35e799312aa061e02eb08d7570f85bf6abfae0c22fca2b4ad70a0a2d631c272eeab5e353c1401b6bda35ead498b33ec23b9b67e2

Download Submit
memory/3080-62-0x0000000005040000-0x000000000508C000-memory.dmp

Filesize
304KB

Download
memory/3080-61-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

Filesize
240KB

Download
memory/3080-60-0x0000000004E60000-0x0000000004E72000-memory.dmp

Filesize
72KB

Download
memory/3080-59-0x0000000004F30000-0x000000000503A000-memory.dmp

Filesize
1.0MB

Download
memory/3080-58-0x00000000053C0000-0x00000000059D8000-memory.dmp

Filesize
6.1MB

Download
memory/3080-57-0x0000000007020000-0x0000000007026000-memory.dmp

Filesize
24KB

Download
memory/3080-56-0x00000000003C0000-0x00000000003F0000-memory.dmp

Filesize
192KB

Download
memory/3620-32-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-38-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-42-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-40-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-36-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-34-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-48-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-30-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-28-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-26-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-24-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-22-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-21-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-46-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-49-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download
memory/3620-50-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3620-52-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3620-44-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/3620-20-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3620-19-0x00000000024B0000-0x00000000024C8000-memory.dmp

Filesize
96KB

Download
memory/3620-18-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3620-17-0x0000000004960000-0x0000000004F04000-memory.dmp

Filesize
5.6MB

Download
memory/3620-16-0x0000000074AF0000-0x00000000752A0000-memory.dmp

Filesize
7.7MB

Download
memory/3620-15-0x00000000021B0000-0x00000000021CA000-memory.dmp

Filesize
104KB

Download
memory/3620-14-0x0000000074AFE000-0x0000000074AFF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads