healer | 987759990122dd8c35170e69555a8ef2589eeaa4f629ad78401f195be948d6ce

General

Target

987759990122dd8c35170e69555a8ef2589eeaa4f629ad78401f195be948d6ce.exe
Size

1.5MB
MD5

5630ba3857a81cda5053846d7192d7ec
SHA1

5a787d7b3b62bfeb782c21a2209e65d8e5ebdeb8
SHA256

987759990122dd8c35170e69555a8ef2589eeaa4f629ad78401f195be948d6ce
SHA512

5eb8d478ce5677d643ffaaa7cc7641d660eadbe4fd707751ece176e76d602152c0398a7e05a26876c98083ef6ab7fa958be855324ea5ada72116a2aa98948b4e
SSDEEP

24576:nyFjloQGG+IGpDnh6u3GK0OqTN7wWEEj4386ChTrfYeVt1vbZZcxWtf2p9/d6TXe:yPoQu5ncu3BjTWEEj4sBY8LncYtf2LlU

Score

10^/10

healer redline mazda discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/2316-36-0x0000000000970000-0x000000000098A000-memory.dmp	healer
behavioral1/memory/2316-38-0x0000000002330000-0x0000000002348000-memory.dmp	healer
behavioral1/memory/2316-66-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-64-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-62-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-60-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-58-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-56-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-54-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-53-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-50-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-48-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-46-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-44-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-42-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-40-0x0000000002330000-0x0000000002342000-memory.dmp	healer
behavioral1/memory/2316-39-0x0000000002330000-0x0000000002342000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1954371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1954371.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a1954371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1954371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1954371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1954371.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b95-71.dat	family_redline
behavioral1/memory/2496-73-0x0000000000A50000-0x0000000000A80000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
5008	v9462110.exe
4872	v5164308.exe
3784	v7234298.exe
4556	v8984698.exe
2316	a1954371.exe
2496	b9540812.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a1954371.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1954371.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8984698.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	987759990122dd8c35170e69555a8ef2589eeaa4f629ad78401f195be948d6ce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9462110.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5164308.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v7234298.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4628	2316	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1954371.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9540812.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	987759990122dd8c35170e69555a8ef2589eeaa4f629ad78401f195be948d6ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v9462110.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v5164308.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v7234298.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v8984698.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	a1954371.exe
2316	a1954371.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	a1954371.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 5008	3948	987759990122dd8c35170e69555a8ef2589eeaa4f629ad78401f195be948d6ce.exe	83
PID 3948 wrote to memory of 5008	3948	987759990122dd8c35170e69555a8ef2589eeaa4f629ad78401f195be948d6ce.exe	83
PID 3948 wrote to memory of 5008	3948	987759990122dd8c35170e69555a8ef2589eeaa4f629ad78401f195be948d6ce.exe	83
PID 5008 wrote to memory of 4872	5008	v9462110.exe	84
PID 5008 wrote to memory of 4872	5008	v9462110.exe	84
PID 5008 wrote to memory of 4872	5008	v9462110.exe	84
PID 4872 wrote to memory of 3784	4872	v5164308.exe	86
PID 4872 wrote to memory of 3784	4872	v5164308.exe	86
PID 4872 wrote to memory of 3784	4872	v5164308.exe	86
PID 3784 wrote to memory of 4556	3784	v7234298.exe	88
PID 3784 wrote to memory of 4556	3784	v7234298.exe	88
PID 3784 wrote to memory of 4556	3784	v7234298.exe	88
PID 4556 wrote to memory of 2316	4556	v8984698.exe	89
PID 4556 wrote to memory of 2316	4556	v8984698.exe	89
PID 4556 wrote to memory of 2316	4556	v8984698.exe	89
PID 4556 wrote to memory of 2496	4556	v8984698.exe	103
PID 4556 wrote to memory of 2496	4556	v8984698.exe	103
PID 4556 wrote to memory of 2496	4556	v8984698.exe	103

C:\Users\Admin\AppData\Local\Temp\987759990122dd8c35170e69555a8ef2589eeaa4f629ad78401f195be948d6ce.exe
"C:\Users\Admin\AppData\Local\Temp\987759990122dd8c35170e69555a8ef2589eeaa4f629ad78401f195be948d6ce.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9462110.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9462110.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5164308.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5164308.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7234298.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7234298.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3784
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8984698.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8984698.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1954371.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1954371.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1084
        7⤵
        Program crash
        
        PID:4628
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9540812.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9540812.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2316 -ip 2316
1⤵
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9462110.exe

Filesize
1.3MB

MD5
84a614461c7fc7f9e49151adcffbac79

SHA1
74929d3b4e720f394ea4d7af380ed2b4df440483

SHA256
7f748a674d3ff16b061f344bd23e79a75a6b9f7c100d3715c13694719208a1cb

SHA512
a72829d9a7c6f2d7e6a9422e8f6c6eeec78cdef859c19446d512d26286bf56d58505de23835a3ac04323d88ca4f5bbc9ed29e4f4fdc6d2445a6a831a047da7a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5164308.exe

Filesize
867KB

MD5
168b6ebc7ad26a572c155982e9cf25a8

SHA1
3f1ef8a9edbb5e16419f308f2437983395bb17dd

SHA256
a541472d13c407a2e4303b423479f625df6967091b36469f5683f10a5ec19f52

SHA512
ed1717a3982751f104522d27f912d40550c855f5afbe690f56598d21dccae1dd874d5250396ec094572c3d336bc27913fdee8d597ac36f6eb4618c18578f44eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v7234298.exe

Filesize
663KB

MD5
36cbb6777de31dca4e0edc58decbd4b3

SHA1
c606bd5833a7b84587642b1b5890a2e94c2aa668

SHA256
438b8c9549050c7f51c357de80b33079d7df693f9b422237b15e4b5afd639acb

SHA512
1f7cea08593d7dc4db1baa611e5d8431392f112957e5f4419e7a53faa67ff024450cb8452167e85a8a61a78fff2cd5ed0d9fd95242bb46bcf7499ab1c88849fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8984698.exe

Filesize
394KB

MD5
4e6cd5e792435a3cd4e7f21c9cdbf950

SHA1
e022cd372e251aca87ae5fa7b879dc450fe75a89

SHA256
872dde8d7e4a55844bb79d9026da09430ff8c75e857a5cc98ca19d56be804253

SHA512
bf2802486ba083c647337dd8c704778b5a781ac8316717239830e70f9f244c67dac2b4cc678fbdb6c9f7601f0477fd404695990a543eac8058cb23de66512365

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1954371.exe

Filesize
315KB

MD5
8a5df314c8c50125f823bc60124404a5

SHA1
ae8a7de770059bea8b5755829a58aea146c942c3

SHA256
58d6d154606b639abd1d309730af8aa0a327f13e740b0058e75907ebefdebcc6

SHA512
318e67be80eb8ab960f9b4434c68f883867dceddaa56ef229b18583637f8cec90ca408b9c1ae938e45380fe5726f4974e7a5104be71b2950e2705a5c52bad74f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b9540812.exe

Filesize
168KB

MD5
43ca4de43eeb3fcc9ea660d02e7aacf0

SHA1
79cc03bdf3d00e3df73849b8d92f3c7e3a30619e

SHA256
d15b9472e55acfaa99bbaff7cf5d6bf7e4a74a3c931392a90d24b59f1b46a723

SHA512
da92862c3e154214c979dacaca4856a1914a291111df9e059e919706e3f918a574bf57c4fbe9bdab7bf75cb930b63cfc52c768c64861d0bdcfafb61604412c6b

Download Submit
memory/2316-50-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-44-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-66-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-64-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-62-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-60-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-58-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-56-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-54-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-53-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-38-0x0000000002330000-0x0000000002348000-memory.dmp

Filesize
96KB

Download
memory/2316-48-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-46-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-37-0x0000000004BF0000-0x0000000005194000-memory.dmp

Filesize
5.6MB

Download
memory/2316-42-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-40-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-39-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download
memory/2316-67-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2316-69-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/2316-36-0x0000000000970000-0x000000000098A000-memory.dmp

Filesize
104KB

Download
memory/2496-73-0x0000000000A50000-0x0000000000A80000-memory.dmp

Filesize
192KB

Download
memory/2496-74-0x00000000014E0000-0x00000000014E6000-memory.dmp

Filesize
24KB

Download
memory/2496-75-0x0000000005AF0000-0x0000000006108000-memory.dmp

Filesize
6.1MB

Download
memory/2496-76-0x00000000055E0000-0x00000000056EA000-memory.dmp

Filesize
1.0MB

Download
memory/2496-77-0x0000000005510000-0x0000000005522000-memory.dmp

Filesize
72KB

Download
memory/2496-78-0x0000000005570000-0x00000000055AC000-memory.dmp

Filesize
240KB

Download
memory/2496-79-0x00000000056F0000-0x000000000573C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads