healer | fb05507c52c2e8f629b69a34d84727ea4642260cec6c837d5c5e06d66768868a

General

Target

fb05507c52c2e8f629b69a34d84727ea4642260cec6c837d5c5e06d66768868a.exe
Size

765KB
MD5

b2df5dec575c31441f14b4764b9158da
SHA1

d8ac94de573c64a6190f0519a629ae67b60f11bb
SHA256

fb05507c52c2e8f629b69a34d84727ea4642260cec6c837d5c5e06d66768868a
SHA512

36dba110cf53ed6ca6f496c8ce9dcaf366291997cc34dc62bdac6f0628e6f2aacc02871ecf1be05276dccd5bd21c49e8987c2a8eb4e219ae3f590fa41b3eeec9
SSDEEP

12288:+MrVy90ZgLLpmVfgeTwe6oTYHU2hl0NJvLS9slp1Ws/rrRWyfF7EpeyMsi/4:zy+gLLgVfNj6oTOU2hsJvLjlpLzX03Mu

Score

10^/10

healer redline dubna discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dubna

C2

193.233.20.11:4131

Attributes

auth_value
f324b1269094b7462e56bab025f032f4

Signatures

Detects Healer an antivirus disabler dropper 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023ca2-19.dat	healer
behavioral1/memory/404-22-0x00000000009B0000-0x00000000009BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	avava.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	avava.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	avava.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	avava.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	avava.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	avava.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca3-26.dat	family_redline
behavioral1/memory/4756-28-0x00000000008F0000-0x0000000000922000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 4 IoCs

pid	Process
4404	dBJn.exe
5088	dLmn.exe
404	avava.exe
4756	bvava.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	avava.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	fb05507c52c2e8f629b69a34d84727ea4642260cec6c837d5c5e06d66768868a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	dBJn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	dLmn.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb05507c52c2e8f629b69a34d84727ea4642260cec6c837d5c5e06d66768868a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dBJn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dLmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvava.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
404	avava.exe
404	avava.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	404	avava.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 4404	3972	fb05507c52c2e8f629b69a34d84727ea4642260cec6c837d5c5e06d66768868a.exe	83
PID 3972 wrote to memory of 4404	3972	fb05507c52c2e8f629b69a34d84727ea4642260cec6c837d5c5e06d66768868a.exe	83
PID 3972 wrote to memory of 4404	3972	fb05507c52c2e8f629b69a34d84727ea4642260cec6c837d5c5e06d66768868a.exe	83
PID 4404 wrote to memory of 5088	4404	dBJn.exe	84
PID 4404 wrote to memory of 5088	4404	dBJn.exe	84
PID 4404 wrote to memory of 5088	4404	dBJn.exe	84
PID 5088 wrote to memory of 404	5088	dLmn.exe	85
PID 5088 wrote to memory of 404	5088	dLmn.exe	85
PID 5088 wrote to memory of 4756	5088	dLmn.exe	96
PID 5088 wrote to memory of 4756	5088	dLmn.exe	96
PID 5088 wrote to memory of 4756	5088	dLmn.exe	96

C:\Users\Admin\AppData\Local\Temp\fb05507c52c2e8f629b69a34d84727ea4642260cec6c837d5c5e06d66768868a.exe
"C:\Users\Admin\AppData\Local\Temp\fb05507c52c2e8f629b69a34d84727ea4642260cec6c837d5c5e06d66768868a.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dBJn.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dBJn.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dLmn.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dLmn.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\avava.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\avava.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:404
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bvava.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bvava.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dBJn.exe

Filesize
533KB

MD5
eebaec7253dccebb73d02cd9be7b74e2

SHA1
a9feef9d85a98f84e7c5d2b1df06fa24e1f04fc5

SHA256
08e1d1ebb39ff221663c5c174c9360ae7851ad8857dc8c5762670644cac85097

SHA512
5a12a612b1c9c1ae9f21bb012e5700a15c5e63aab609db9ebadf48eef05ea94a023f4194f008927397875051a19b184a67ed9aa61afbe9c40efbe9f1ad87ba80

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dLmn.exe

Filesize
202KB

MD5
9d77beebab806f322bae23fd7f9a0d29

SHA1
0672c8660abae4cd2f6a588803022900f305c673

SHA256
f940bd320f0a524cf721e25d866b0d07eb152343290beb11178ccb206bbe1cf6

SHA512
71f2c5a8cc89dcb4def6dd90f904636bb7f0c889ab9ce1826f0bf85f2bcb23144d9ad3fd590bbbd7db3ddc994c135a3179473acd8bb5456f2c334c8998e4a3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\avava.exe

Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\bvava.exe

Filesize
175KB

MD5
ef8079cf160510d0da7162bc08f753d8

SHA1
e786cc8bee83e4a37433ddccf9d3540e1f6533fe

SHA256
a6416ca607f03e7d02dd9c8b546113c71f421c0ba8438dafb941d25f8cf2c9e6

SHA512
959b08126358527b794a276f6e9f818250f888d9f108b46766f6c2e50186acc8f406acbeb94ca97b5f0e329b27f3851003446715d5d040b5c0fef4010011a2c3

Download Submit
memory/404-22-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/404-23-0x00007FFCD3A53000-0x00007FFCD3A55000-memory.dmp

Filesize
8KB

Download
memory/404-21-0x00007FFCD3A53000-0x00007FFCD3A55000-memory.dmp

Filesize
8KB

Download
memory/4756-28-0x00000000008F0000-0x0000000000922000-memory.dmp

Filesize
200KB

Download
memory/4756-29-0x0000000005710000-0x0000000005D28000-memory.dmp

Filesize
6.1MB

Download
memory/4756-30-0x0000000005290000-0x000000000539A000-memory.dmp

Filesize
1.0MB

Download
memory/4756-31-0x00000000051C0000-0x00000000051D2000-memory.dmp

Filesize
72KB

Download
memory/4756-32-0x0000000005220000-0x000000000525C000-memory.dmp

Filesize
240KB

Download
memory/4756-33-0x00000000053A0000-0x00000000053EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads