healer | 1b59137bf547d9c54459c91f6242018a851638e31cd3e1b1ff7864f40096e05d

General

Target

b3fd93cdbb22498647bba224764a189c19d0d3226b63347e2fc10f7f8994facc.exe
Size

992KB
MD5

cedd2a204e4f2b1d19882d8800bad11b
SHA1

215e0d5275d567f4c1599364f6e5f5ab0e726cc8
SHA256

b3fd93cdbb22498647bba224764a189c19d0d3226b63347e2fc10f7f8994facc
SHA512

383374e1864e6008a0945afb5ba1c2b45240efd0f3e476416ad7a7fef8cac2eccf8d1017cff94aeb44b38fb365231b2e979cb3d59612c37b91f3be7d74b055dc
SSDEEP

24576:9yUtvrjcPD0GbgWSAg+Feg7Q+Yu2KsxUnWht0l:YUtTjcPDyWSAgKegbvLPWha

Score

10^/10

healer redline mixer discovery dropper infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

mixer

C2

185.161.248.75:4132

Attributes

auth_value
3668eba4f0cb1021a9e9ed55e76ed85e

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral1/memory/2900-22-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c7e-26.dat	family_redline
behavioral1/memory/4128-29-0x00000000001C0000-0x00000000001EA000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
2896	v3148335.exe
4912	v6825576.exe
3132	a9265009.exe
2900	a9265009.exe
4128	b8900180.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	b3fd93cdbb22498647bba224764a189c19d0d3226b63347e2fc10f7f8994facc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v3148335.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6825576.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3132 set thread context of 2900	3132	a9265009.exe	89

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3fd93cdbb22498647bba224764a189c19d0d3226b63347e2fc10f7f8994facc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v3148335.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6825576.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9265009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a9265009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8900180.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2900	a9265009.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3132	a9265009.exe
Token: SeDebugPrivilege	2900	a9265009.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 2896	3812	b3fd93cdbb22498647bba224764a189c19d0d3226b63347e2fc10f7f8994facc.exe	83
PID 3812 wrote to memory of 2896	3812	b3fd93cdbb22498647bba224764a189c19d0d3226b63347e2fc10f7f8994facc.exe	83
PID 3812 wrote to memory of 2896	3812	b3fd93cdbb22498647bba224764a189c19d0d3226b63347e2fc10f7f8994facc.exe	83
PID 2896 wrote to memory of 4912	2896	v3148335.exe	84
PID 2896 wrote to memory of 4912	2896	v3148335.exe	84
PID 2896 wrote to memory of 4912	2896	v3148335.exe	84
PID 4912 wrote to memory of 3132	4912	v6825576.exe	86
PID 4912 wrote to memory of 3132	4912	v6825576.exe	86
PID 4912 wrote to memory of 3132	4912	v6825576.exe	86
PID 3132 wrote to memory of 2900	3132	a9265009.exe	89
PID 3132 wrote to memory of 2900	3132	a9265009.exe	89
PID 3132 wrote to memory of 2900	3132	a9265009.exe	89
PID 3132 wrote to memory of 2900	3132	a9265009.exe	89
PID 3132 wrote to memory of 2900	3132	a9265009.exe	89
PID 3132 wrote to memory of 2900	3132	a9265009.exe	89
PID 3132 wrote to memory of 2900	3132	a9265009.exe	89
PID 3132 wrote to memory of 2900	3132	a9265009.exe	89
PID 4912 wrote to memory of 4128	4912	v6825576.exe	91
PID 4912 wrote to memory of 4128	4912	v6825576.exe	91
PID 4912 wrote to memory of 4128	4912	v6825576.exe	91

C:\Users\Admin\AppData\Local\Temp\b3fd93cdbb22498647bba224764a189c19d0d3226b63347e2fc10f7f8994facc.exe
"C:\Users\Admin\AppData\Local\Temp\b3fd93cdbb22498647bba224764a189c19d0d3226b63347e2fc10f7f8994facc.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3148335.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3148335.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6825576.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6825576.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9265009.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9265009.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3132
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9265009.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9265009.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8900180.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8900180.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a9265009.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v3148335.exe

Filesize
595KB

MD5
332efb31b4dda22e8c2b788da9a39983

SHA1
bdaa47ef3e8afbc1f4bfd0b2b67dd17d9a751552

SHA256
3b524c101dfd6cb9b0c0e11b4a580d6b9591806b28b7f100ea0642bbb14aa1d8

SHA512
0b0c3e16ab5a9fb8b6cd505985e597da41bc0cf18a053e6f4e1aa2b53b1dfbb231ece363a88e3bfa3af3f3ca39283ba5070da5f7c3f4554d260503b39da1edd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6825576.exe

Filesize
424KB

MD5
f12f4dbd69d03fe68b8df52f616ff5fd

SHA1
6f9727f6f0d3fb90d55a69f7aa446c8373720fe3

SHA256
437c3eb5372e15b3cfbdd677cc83f3cf855974b531486db7070c005adf80eac0

SHA512
0dbe8016dd696464efdd924fe163ae118bf996a8509e124770e298fd9a4e96d0a0581afda51f424d065524402ee1b9ebbc16e1bb849c3dd37e4e53fd0195bcdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a9265009.exe

Filesize
769KB

MD5
a363ae17ecfeb7945f5e02e2ce05035f

SHA1
50cb18976135aaa05d30229f6ad8f3a931a351aa

SHA256
118af2345d42c51b477cb4c5a359cda3c547ec08a8907204ec13ac47e59033ba

SHA512
533aa7ca169bca67d6f40b7388c99318cc403a1f6e966ebde770c2a7e2c9d5272a9786f5064252358aea787396dfe0deea469399acfaed81672b20bd97b0fd3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b8900180.exe

Filesize
145KB

MD5
abe63bd0857d5838286f9b65e71ac072

SHA1
2db9f71c6e2d17c4ad202d074e825c7db6902efa

SHA256
2315963f313588ab5b74471ee8448478005a68083614320cfe4c12632c5ff9fc

SHA512
64561f906cdd7758c777130080d57607e964649ad721bea9aa93e2dbbf8e150f3fd4e2bcbdd1da27ff64415acb838e967c9f64edb1b3aaa087d63378a483a2c6

Download Submit
memory/2900-22-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3132-21-0x0000000000ED0000-0x0000000000F96000-memory.dmp

Filesize
792KB

Download
memory/4128-29-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/4128-30-0x0000000004FD0000-0x00000000055E8000-memory.dmp

Filesize
6.1MB

Download
memory/4128-31-0x0000000004B50000-0x0000000004C5A000-memory.dmp

Filesize
1.0MB

Download
memory/4128-32-0x0000000004A90000-0x0000000004AA2000-memory.dmp

Filesize
72KB

Download
memory/4128-33-0x0000000004AF0000-0x0000000004B2C000-memory.dmp

Filesize
240KB

Download
memory/4128-34-0x0000000004C60000-0x0000000004CAC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads