healer | c609341cff15114c10613d1c19a6a2ac8be530b620c8544ff56b712ea9adfc27

General

Target

c609341cff15114c10613d1c19a6a2ac8be530b620c8544ff56b712ea9adfc27.exe
Size

478KB
MD5

582fada8db6db4125811e30980a9810d
SHA1

444de13097d4b547da1f146d3b6c3214fda6ed36
SHA256

c609341cff15114c10613d1c19a6a2ac8be530b620c8544ff56b712ea9adfc27
SHA512

e02b507f3a8f42853ede5a8d848c773dd321f6ec0df207ce6e02796bf1e158503aa00eedf93558a3da9307762550df30e9ff036b2a3244fb6ead8d878ee97216
SSDEEP

12288:yMrsy90ObFn5B6X5c1u31zTJb8chrTd08:Kydbt2JXdT1Lm8

Score

10^/10

healer redline ditro discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ditro

C2

217.196.96.101:4132

Attributes

auth_value
8f24ed370a9b24aa28d3d634ea57912e

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/3460-15-0x0000000002120000-0x000000000213A000-memory.dmp	healer
behavioral1/memory/3460-19-0x00000000022F0000-0x0000000002308000-memory.dmp	healer
behavioral1/memory/3460-47-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-45-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-43-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-41-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-39-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-37-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-35-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-33-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-31-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-29-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-27-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-25-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-23-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-21-0x00000000022F0000-0x0000000002302000-memory.dmp	healer
behavioral1/memory/3460-20-0x00000000022F0000-0x0000000002302000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0021587.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0021587.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0021587.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0021587.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0021587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	k0021587.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b9d-54.dat	family_redline
behavioral1/memory/3188-56-0x0000000000FF0000-0x0000000001020000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 3 IoCs

pid	Process
1332	y5113165.exe
3460	k0021587.exe
3188	l7260994.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0021587.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	k0021587.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c609341cff15114c10613d1c19a6a2ac8be530b620c8544ff56b712ea9adfc27.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5113165.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	l7260994.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c609341cff15114c10613d1c19a6a2ac8be530b620c8544ff56b712ea9adfc27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	y5113165.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	k0021587.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3460	k0021587.exe
3460	k0021587.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3460	k0021587.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3324 wrote to memory of 1332	3324	c609341cff15114c10613d1c19a6a2ac8be530b620c8544ff56b712ea9adfc27.exe	83
PID 3324 wrote to memory of 1332	3324	c609341cff15114c10613d1c19a6a2ac8be530b620c8544ff56b712ea9adfc27.exe	83
PID 3324 wrote to memory of 1332	3324	c609341cff15114c10613d1c19a6a2ac8be530b620c8544ff56b712ea9adfc27.exe	83
PID 1332 wrote to memory of 3460	1332	y5113165.exe	84
PID 1332 wrote to memory of 3460	1332	y5113165.exe	84
PID 1332 wrote to memory of 3460	1332	y5113165.exe	84
PID 1332 wrote to memory of 3188	1332	y5113165.exe	94
PID 1332 wrote to memory of 3188	1332	y5113165.exe	94
PID 1332 wrote to memory of 3188	1332	y5113165.exe	94

C:\Users\Admin\AppData\Local\Temp\c609341cff15114c10613d1c19a6a2ac8be530b620c8544ff56b712ea9adfc27.exe
"C:\Users\Admin\AppData\Local\Temp\c609341cff15114c10613d1c19a6a2ac8be530b620c8544ff56b712ea9adfc27.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5113165.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5113165.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0021587.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0021587.exe
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3460
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7260994.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7260994.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5113165.exe

Filesize
307KB

MD5
35e637cd2127e31815bce76d33355023

SHA1
3890c555d7f61d26b59030d6e7d83897b4b37ff4

SHA256
668ecc627f689938030407f4fcbb0e0fd2d856a8208e9992ab5d7a8bf180b838

SHA512
5c654cae9c7e357e27de705f1d265ca60f248831ebe7652a30cec248882cf76cfffacc31987ab730b39ba7feae929a132c1e66c74b14aa010d527c1f87745643

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k0021587.exe

Filesize
179KB

MD5
16f00b41f5616943ed71f06995ebcaef

SHA1
0ce4783b7e664c3c473990fe7a6ca77318ee19f4

SHA256
33731869df90cc3a30b95c10f5c8a26aa1c2011107254ac4b4e7960ec1edbfa0

SHA512
067ddce19f723e264af242cf10da4c2011caad09af0da8199cf19e162941b952cdea35cd18fbfed86c912d6e66b47cf34dafa8d8a8ebc13183570a44c442310b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7260994.exe

Filesize
168KB

MD5
ffac8bcf3040b970dabbb3ac023137df

SHA1
a123735873de2bac42729beac2d5f748783d91d1

SHA256
3cef6270a6bc0513b9bf8994ff86f6965c0757910d22ee5c898052c07028fdb6

SHA512
ac14825c4b3be08637c33833f36703a87a0e0a86a89bac6d758171c46e106c4f980deee1fe580605a6564ccaf933ed043744d7011a8f82798e8cad6ddd370196

Download Submit
memory/3188-62-0x0000000005B60000-0x0000000005BAC000-memory.dmp

Filesize
304KB

Download
memory/3188-61-0x00000000059D0000-0x0000000005A0C000-memory.dmp

Filesize
240KB

Download
memory/3188-60-0x0000000005970000-0x0000000005982000-memory.dmp

Filesize
72KB

Download
memory/3188-59-0x0000000005A50000-0x0000000005B5A000-memory.dmp

Filesize
1.0MB

Download
memory/3188-58-0x0000000005F60000-0x0000000006578000-memory.dmp

Filesize
6.1MB

Download
memory/3188-57-0x0000000001950000-0x0000000001956000-memory.dmp

Filesize
24KB

Download
memory/3188-56-0x0000000000FF0000-0x0000000001020000-memory.dmp

Filesize
192KB

Download
memory/3460-31-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-48-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3460-39-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-37-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-35-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-33-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-43-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-29-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-27-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-25-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-23-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-21-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-20-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-41-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-49-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download
memory/3460-50-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3460-52-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3460-45-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-47-0x00000000022F0000-0x0000000002302000-memory.dmp

Filesize
72KB

Download
memory/3460-18-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3460-19-0x00000000022F0000-0x0000000002308000-memory.dmp

Filesize
96KB

Download
memory/3460-16-0x0000000074440000-0x0000000074BF0000-memory.dmp

Filesize
7.7MB

Download
memory/3460-17-0x0000000004990000-0x0000000004F34000-memory.dmp

Filesize
5.6MB

Download
memory/3460-15-0x0000000002120000-0x000000000213A000-memory.dmp

Filesize
104KB

Download
memory/3460-14-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads