healer | fb9c4be39a500c5512066a16779684c49f2319edd645a10f013066c62257d12e

General

Target

fb9c4be39a500c5512066a16779684c49f2319edd645a10f013066c62257d12e.exe
Size

479KB
MD5

b79b9d1de5560eed54b7278acd811e1b
SHA1

6d11607f8e2dbf0950920afc330b53a1b7f0e40d
SHA256

fb9c4be39a500c5512066a16779684c49f2319edd645a10f013066c62257d12e
SHA512

7acdfb54e3df68c777e2c9d4bcac2a4d8c7d7b55e14c51b826635725bd7b03705afb4111672bae1cb5a9e768f5234c4ad3a628e7e5542b28cb19669b06e0777a
SSDEEP

12288:DMrFy90c8Y84sKtBmbqXJxEELIKr41GWgJzycG6MnbYL:Gyn81BKfeCJKE8x1yzJG6mm

Score

10^/10

healer redline ditro discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes

auth_value
8f24ed370a9b24aa28d3d634ea57912e

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3096-15-0x0000000002280000-0x000000000229A000-memory.dmp	healer
behavioral1/memory/3096-19-0x0000000002410000-0x0000000002428000-memory.dmp	healer
behavioral1/memory/3096-47-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-45-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-43-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-41-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-39-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-37-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-35-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-33-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-31-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-29-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-27-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-25-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-23-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-21-0x0000000002410000-0x0000000002422000-memory.dmp	healer
behavioral1/memory/3096-20-0x0000000002410000-0x0000000002422000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k0899177.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0899177.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0899177.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0899177.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0899177.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0899177.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b5e-53.dat	family_redline
behavioral1/memory/3628-55-0x0000000000140000-0x0000000000170000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
4468	y1183441.exe
3096	k0899177.exe
3628	l6938896.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k0899177.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0899177.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fb9c4be39a500c5512066a16779684c49f2319edd645a10f013066c62257d12e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y1183441.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb9c4be39a500c5512066a16779684c49f2319edd645a10f013066c62257d12e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y1183441.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k0899177.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l6938896.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3096	k0899177.exe
3096	k0899177.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3096	k0899177.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 4468	2556	fb9c4be39a500c5512066a16779684c49f2319edd645a10f013066c62257d12e.exe	84
PID 2556 wrote to memory of 4468	2556	fb9c4be39a500c5512066a16779684c49f2319edd645a10f013066c62257d12e.exe	84
PID 2556 wrote to memory of 4468	2556	fb9c4be39a500c5512066a16779684c49f2319edd645a10f013066c62257d12e.exe	84
PID 4468 wrote to memory of 3096	4468	y1183441.exe	85
PID 4468 wrote to memory of 3096	4468	y1183441.exe	85
PID 4468 wrote to memory of 3096	4468	y1183441.exe	85
PID 4468 wrote to memory of 3628	4468	y1183441.exe	92
PID 4468 wrote to memory of 3628	4468	y1183441.exe	92
PID 4468 wrote to memory of 3628	4468	y1183441.exe	92

C:\Users\Admin\AppData\Local\Temp\fb9c4be39a500c5512066a16779684c49f2319edd645a10f013066c62257d12e.exe
"C:\Users\Admin\AppData\Local\Temp\fb9c4be39a500c5512066a16779684c49f2319edd645a10f013066c62257d12e.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1183441.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1183441.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0899177.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0899177.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6938896.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6938896.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1183441.exe

Filesize
307KB

MD5
8d04a973a4af457e06406fa6cb34b75f

SHA1
4784cabbbd92ed447385c871ed575537ad7ec6f0

SHA256
78f42ed8243412820b71554992006dc018a17646e6c10dd22a585fa5e52897a2

SHA512
042b592bebef69060602e7e10841e455b9566b71f86874f1d6453fd8a05af21313bf10a1f18da919b4e12ad58a6b1b550ea14fb8e5c51096f0dafc61068949a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0899177.exe

Filesize
178KB

MD5
3c71166af18204f8e7d5e2e4a4130d0e

SHA1
5f4b8fb3dcfefde7fa6895f70f6b80deededaa80

SHA256
5974d0e0fbd48de1dde06c077b51ea50b1760ace5617f9f11d7fcb833644e0cc

SHA512
8b401110fda6e4ecfd46c87d8b148cb94c94542cd90f3f0208ca29b67a8ba02a0b23d9e771f5b66a83589772ba6bb1527314e34fcaca3ed26dd10f29a2ce4de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l6938896.exe

Filesize
168KB

MD5
e7a286dbdd8198118e922ead82e32634

SHA1
ad29287c42db68548fc9e44bbd3fc49e4972e6aa

SHA256
9917d18e69374418a41dd4e9d129fe7b6a92d5b91c5bc6c0e77d86b9446c48c9

SHA512
1ab1d41f1c59fec10552109a98df9cc755558ca5be66927ffab09a8db688d61b4acdf3f0e6bd045ef4933eda0f0f5004e8c89853342135768364fb5da4955db6

Download Submit
memory/3096-31-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-51-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/3096-29-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-17-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/3096-19-0x0000000002410000-0x0000000002428000-memory.dmp

Filesize
96KB

Download
memory/3096-47-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-45-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-43-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-41-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-39-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-37-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-35-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-33-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-15-0x0000000002280000-0x000000000229A000-memory.dmp

Filesize
104KB

Download
memory/3096-18-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/3096-27-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-16-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/3096-23-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-21-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-20-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-48-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/3096-49-0x00000000743A0000-0x0000000074B50000-memory.dmp

Filesize
7.7MB

Download
memory/3096-25-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3096-14-0x00000000743AE000-0x00000000743AF000-memory.dmp

Filesize
4KB

Download
memory/3628-55-0x0000000000140000-0x0000000000170000-memory.dmp

Filesize
192KB

Download
memory/3628-56-0x00000000024C0000-0x00000000024C6000-memory.dmp

Filesize
24KB

Download
memory/3628-57-0x000000000A620000-0x000000000AC38000-memory.dmp

Filesize
6.1MB

Download
memory/3628-58-0x000000000A110000-0x000000000A21A000-memory.dmp

Filesize
1.0MB

Download
memory/3628-59-0x000000000A020000-0x000000000A032000-memory.dmp

Filesize
72KB

Download
memory/3628-60-0x000000000A080000-0x000000000A0BC000-memory.dmp

Filesize
240KB

Download
memory/3628-61-0x00000000023B0000-0x00000000023FC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads