healer | 2dd90e0d6050f73f9c95ea8236a9d4d83ce71108964c260e3a1195e8db2a54c6

General

Target

2dd90e0d6050f73f9c95ea8236a9d4d83ce71108964c260e3a1195e8db2a54c6.exe
Size

346KB
MD5

6f0085115ccf4fda77f4ba227986556c
SHA1

54374b9f9a8273fe0c41d8872da00bc9d4912bb9
SHA256

2dd90e0d6050f73f9c95ea8236a9d4d83ce71108964c260e3a1195e8db2a54c6
SHA512

ecf1851fa72e4f5fd760696a66f2a45981e60ce09f9125955e2fe1d50a38c9a26e26cc2d8c048a69869fe1ba63ff4c80e62ab049790da7c8d34f930655084e9c
SSDEEP

6144:KQy+bnr+jp0yN90QE1MGVZ8F/1XUkajrUJeioGIIWDUIKLw7NePX:oMrLy90wGg/mkdn7IIuUIK07Y

Score

10^/10

healer redline dubla discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dubla

C2

193.233.20.17:4139

Attributes

auth_value
c947a644b3fc57a1b3a1de810d9d8239

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca8-12.dat	healer
behavioral1/memory/2792-15-0x0000000000D40000-0x0000000000D4A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	kJV07uA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	kJV07uA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	kJV07uA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	kJV07uA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	kJV07uA.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	kJV07uA.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca9-19.dat	family_redline
behavioral1/memory/3400-21-0x0000000000410000-0x0000000000442000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1696	dIx1811.exe
2792	kJV07uA.exe
3400	nxC26YW.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	kJV07uA.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dIx1811.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2dd90e0d6050f73f9c95ea8236a9d4d83ce71108964c260e3a1195e8db2a54c6.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2dd90e0d6050f73f9c95ea8236a9d4d83ce71108964c260e3a1195e8db2a54c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dIx1811.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nxC26YW.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2792	kJV07uA.exe
2792	kJV07uA.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	kJV07uA.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 1696	2332	2dd90e0d6050f73f9c95ea8236a9d4d83ce71108964c260e3a1195e8db2a54c6.exe	83
PID 2332 wrote to memory of 1696	2332	2dd90e0d6050f73f9c95ea8236a9d4d83ce71108964c260e3a1195e8db2a54c6.exe	83
PID 2332 wrote to memory of 1696	2332	2dd90e0d6050f73f9c95ea8236a9d4d83ce71108964c260e3a1195e8db2a54c6.exe	83
PID 1696 wrote to memory of 2792	1696	dIx1811.exe	84
PID 1696 wrote to memory of 2792	1696	dIx1811.exe	84
PID 1696 wrote to memory of 3400	1696	dIx1811.exe	96
PID 1696 wrote to memory of 3400	1696	dIx1811.exe	96
PID 1696 wrote to memory of 3400	1696	dIx1811.exe	96

C:\Users\Admin\AppData\Local\Temp\2dd90e0d6050f73f9c95ea8236a9d4d83ce71108964c260e3a1195e8db2a54c6.exe
"C:\Users\Admin\AppData\Local\Temp\2dd90e0d6050f73f9c95ea8236a9d4d83ce71108964c260e3a1195e8db2a54c6.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dIx1811.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dIx1811.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJV07uA.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJV07uA.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nxC26YW.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nxC26YW.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dIx1811.exe

Filesize
202KB

MD5
5f1886dd02b5af6d88294e6129d10be2

SHA1
93fb0e537b924a62d523404bcc940c3171a7cb90

SHA256
c76ffcb9d23091a7ca8ca6e867555c1a824a8f44fde15e57fabe06733e5272d8

SHA512
12e9e94f356fefbe371c41aede0d35e4024c7f8b6bc975c30996c1099467124f095ab0664d816e78543edf76232488d27206746b061a7bebba41e14bd2c9de02

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kJV07uA.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nxC26YW.exe

Filesize
175KB

MD5
3e279746c7e9f38cf3ed1080d1fb6351

SHA1
a28d5f4e362051fff61448725088ed0ef2664c4a

SHA256
f39bdc423133d37186ba4eaf1f6da21c375a2b84ae1da4f9e91afc3dd0b04683

SHA512
27d1dc4d57320115f440025715f3901ae1d7050569e6ac37f2e06c1c21472407426e3ec5f425ae588862f2de947932caa8c41c658114fafc9e0ef830392ce9de

Download Submit
memory/2792-15-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/2792-14-0x00007FFF25F73000-0x00007FFF25F75000-memory.dmp

Filesize
8KB

Download
memory/2792-16-0x00007FFF25F73000-0x00007FFF25F75000-memory.dmp

Filesize
8KB

Download
memory/3400-21-0x0000000000410000-0x0000000000442000-memory.dmp

Filesize
200KB

Download
memory/3400-22-0x0000000005370000-0x0000000005988000-memory.dmp

Filesize
6.1MB

Download
memory/3400-23-0x0000000004EF0000-0x0000000004FFA000-memory.dmp

Filesize
1.0MB

Download
memory/3400-24-0x0000000004E40000-0x0000000004E52000-memory.dmp

Filesize
72KB

Download
memory/3400-25-0x0000000004E60000-0x0000000004E9C000-memory.dmp

Filesize
240KB

Download
memory/3400-26-0x0000000004EA0000-0x0000000004EEC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads