healer | 3a4a4b5baa32485c2d6579208601c2b8b49fdc2c083bb3a5480f438025b74797

General

Target

3a4a4b5baa32485c2d6579208601c2b8b49fdc2c083bb3a5480f438025b74797.exe
Size

1.5MB
MD5

58a92bbd9c456d725891d83c3431ae39
SHA1

8399e05402ef6d3d94c41f1bb9e5768c3b94de9c
SHA256

3a4a4b5baa32485c2d6579208601c2b8b49fdc2c083bb3a5480f438025b74797
SHA512

5a10c38629f1321b46e051fdef795a444ff69c4fa75133eb89f868117fce31171337909f1766024da32f3466bccb388fa28ab32be539b354ce1b925704c25f2a
SSDEEP

24576:TySCahRRForpSyhDXRuolwi8q9aAuI2B6HwvwWwbgqDRofUL6rIpb/tc5O+ufm8Q:mSCahRfo9SUDhuoK9AqB+QvqVofUOI59

Score

10^/10

healer redline mazda discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2040-36-0x0000000002400000-0x000000000241A000-memory.dmp	healer
behavioral1/memory/2040-38-0x00000000025F0000-0x0000000002608000-memory.dmp	healer
behavioral1/memory/2040-60-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-66-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-64-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-62-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-58-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-57-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-54-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-52-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-50-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-48-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-46-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-44-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-42-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-40-0x00000000025F0000-0x0000000002602000-memory.dmp	healer
behavioral1/memory/2040-39-0x00000000025F0000-0x0000000002602000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9309188.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a9309188.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9309188.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9309188.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9309188.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9309188.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b82-70.dat	family_redline
behavioral1/memory/4572-73-0x0000000000440000-0x0000000000470000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
1096	v3077992.exe
1772	v9116505.exe
1788	v6099295.exe
2200	v3420768.exe
2040	a9309188.exe
4572	b2328853.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a9309188.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9309188.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3a4a4b5baa32485c2d6579208601c2b8b49fdc2c083bb3a5480f438025b74797.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3077992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9116505.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6099295.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3420768.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
764	2040	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a4a4b5baa32485c2d6579208601c2b8b49fdc2c083bb3a5480f438025b74797.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3077992.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v9116505.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6099295.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3420768.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9309188.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b2328853.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2040	a9309188.exe
2040	a9309188.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	a9309188.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1096	2412	3a4a4b5baa32485c2d6579208601c2b8b49fdc2c083bb3a5480f438025b74797.exe	83
PID 2412 wrote to memory of 1096	2412	3a4a4b5baa32485c2d6579208601c2b8b49fdc2c083bb3a5480f438025b74797.exe	83
PID 2412 wrote to memory of 1096	2412	3a4a4b5baa32485c2d6579208601c2b8b49fdc2c083bb3a5480f438025b74797.exe	83
PID 1096 wrote to memory of 1772	1096	v3077992.exe	84
PID 1096 wrote to memory of 1772	1096	v3077992.exe	84
PID 1096 wrote to memory of 1772	1096	v3077992.exe	84
PID 1772 wrote to memory of 1788	1772	v9116505.exe	86
PID 1772 wrote to memory of 1788	1772	v9116505.exe	86
PID 1772 wrote to memory of 1788	1772	v9116505.exe	86
PID 1788 wrote to memory of 2200	1788	v6099295.exe	89
PID 1788 wrote to memory of 2200	1788	v6099295.exe	89
PID 1788 wrote to memory of 2200	1788	v6099295.exe	89
PID 2200 wrote to memory of 2040	2200	v3420768.exe	90
PID 2200 wrote to memory of 2040	2200	v3420768.exe	90
PID 2200 wrote to memory of 2040	2200	v3420768.exe	90
PID 2200 wrote to memory of 4572	2200	v3420768.exe	103
PID 2200 wrote to memory of 4572	2200	v3420768.exe	103
PID 2200 wrote to memory of 4572	2200	v3420768.exe	103

C:\Users\Admin\AppData\Local\Temp\3a4a4b5baa32485c2d6579208601c2b8b49fdc2c083bb3a5480f438025b74797.exe
"C:\Users\Admin\AppData\Local\Temp\3a4a4b5baa32485c2d6579208601c2b8b49fdc2c083bb3a5480f438025b74797.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3077992.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3077992.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9116505.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9116505.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6099295.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6099295.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3420768.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3420768.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9309188.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9309188.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 1016
        7⤵
        Program crash
        
        PID:764
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2328853.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2328853.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2040 -ip 2040
1⤵
PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3077992.exe

Filesize
1.3MB

MD5
6484365a5636373cb45ad0b342755c63

SHA1
99f50bc837b7bd58b653b6bea0ba1a4745c66287

SHA256
f4305b95e2079d242b850553cb10f74668b9154e43b5a0be71459f9fa2a5efc2

SHA512
18afd0d4eaf27e2d72b52bb8bed5925217b5a69b74c71e20119f603276e2c3c3729fdd403779b1b9d672ba7bfa2caf017e4e668783ceac4e7a550ffa8ad5fdcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9116505.exe

Filesize
867KB

MD5
ad246bce64a49161f3b8fe36cd743a51

SHA1
be3a6cacf968e8a8d72be0a550510bbf7ce7f3fd

SHA256
62f9417dad2e7ef5f515ac4bc25a66a72fc50fb52c9490dd987b010352a3c211

SHA512
2d134a419e725a46e13289267ced9f8222610f2e325bf3d6c7e83dbcc23d3a77910a1c956660150a9a96dfbe7ca9c744e697b0d413832c3be4c64ddac0408762

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6099295.exe

Filesize
663KB

MD5
13165b09aca64b59968b4cd00ceb0a2d

SHA1
62eb11add1d401eecf1870ee17fd8c66d49ffd72

SHA256
50855f652b9336dabfeb9da7e8d0b55c83cb30f9a45435e41bea1fc30721b515

SHA512
402812bbc28dca9d24ca4b70ee4e18057bcf7b37732141f66fe8a596d44879c12471d3daa71e6392b572c7d315604a41e797a80199b1a166ec542b32b2a1b2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3420768.exe

Filesize
394KB

MD5
779315d6fdff834e95664758e7b99ac2

SHA1
911bf8a2e4d5902d80a53d6bbabaea4f50dc9ff4

SHA256
9bb0a4e32dbde34693d7031ab65bff79133f007e1dce87839b2fd97ac707165c

SHA512
0130feb883eb278b8642092aad16d703ebde27b3761e040165e9a88e9a2c95883dc07ead1cd6226914c562c389608cdf5833c4bc3131dda19020d5cc6f93707d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9309188.exe

Filesize
315KB

MD5
b6e76b628aedb4c28438ba1b2ab0a4f5

SHA1
ad26aa193f64c8748ea8315e96da5c3d511f3f15

SHA256
75470c337fea5665cb3b0d68605ab78761421f9f2b38ee4e5ad3cf39e70b9ee4

SHA512
a4d64b1e750198e74045492f9dad6ec3d95d4b5a495f33c2dae759a57793072a66b495ef521891a005f0bc0b0914c5e183119630b4a69f9b0f4d9f32523af422

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2328853.exe

Filesize
168KB

MD5
f5a84bade5d7e93b50f8b17867accc85

SHA1
685af994e6c3d868c8e8d35dd3aa7a29c81f8e88

SHA256
f2b2d0d8200dbc53cffe3da184a1cebccbb79a8ab73b24ec0f403be7ff0d3e98

SHA512
a4fa5484a3d3443353f87874183a93035819f40521101a179c970ccf9d0de4d81e149788c03277ca4c71114d28b745f1bd1d90f9d27999a405099bc0667baf9a

Download Submit
memory/2040-50-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-44-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-60-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-66-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-64-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-62-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-58-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-57-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-54-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-52-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-37-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/2040-48-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-46-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-38-0x00000000025F0000-0x0000000002608000-memory.dmp

Filesize
96KB

Download
memory/2040-42-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-40-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-39-0x00000000025F0000-0x0000000002602000-memory.dmp

Filesize
72KB

Download
memory/2040-67-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2040-69-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2040-36-0x0000000002400000-0x000000000241A000-memory.dmp

Filesize
104KB

Download
memory/4572-73-0x0000000000440000-0x0000000000470000-memory.dmp

Filesize
192KB

Download
memory/4572-74-0x0000000004C60000-0x0000000004C66000-memory.dmp

Filesize
24KB

Download
memory/4572-75-0x000000000A790000-0x000000000ADA8000-memory.dmp

Filesize
6.1MB

Download
memory/4572-76-0x000000000A2B0000-0x000000000A3BA000-memory.dmp

Filesize
1.0MB

Download
memory/4572-77-0x000000000A1E0000-0x000000000A1F2000-memory.dmp

Filesize
72KB

Download
memory/4572-78-0x000000000A240000-0x000000000A27C000-memory.dmp

Filesize
240KB

Download
memory/4572-79-0x00000000026E0000-0x000000000272C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads