healer | 8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59

General

Target

8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe
Size

1.5MB
MD5

17a7c727159544e3404b6018e76a9e88
SHA1

0bd1100196e0fb336043604e117008356e981f3c
SHA256

8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59
SHA512

14838b86472b9eb0933205da842ee9e4d0266cf3f189452074fe457b39830e7918bb836544fb9ed5c23daf0f4414e61a069f41c2cc44fe2eaba1e250c41b46b8
SSDEEP

24576:OyoDfcoYTmyrS8zBzt4Ct3y5FotMmRRXWZwlt2L5UoJkATGeKuCWEcb:doDUv5zDHt3YOt/uwlt2+oKATxKg

Score

10^/10

healer redline mazda discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mazda

C2

217.196.96.56:4138

Attributes

auth_value
3d2870537d84a4c6d7aeecd002871c51

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/1344-36-0x0000000004D50000-0x0000000004D6A000-memory.dmp	healer
behavioral1/memory/1344-38-0x0000000005390000-0x00000000053A8000-memory.dmp	healer
behavioral1/memory/1344-66-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-64-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-62-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-60-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-58-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-56-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-55-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-52-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-50-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-48-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-46-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-45-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-42-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-40-0x0000000005390000-0x00000000053A2000-memory.dmp	healer
behavioral1/memory/1344-39-0x0000000005390000-0x00000000053A2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a0970329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0970329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0970329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0970329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0970329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0970329.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cca-71.dat	family_redline
behavioral1/memory/872-73-0x00000000005D0000-0x0000000000600000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 6 IoCs

pid	Process
4784	v6443129.exe
3288	v0281841.exe
3076	v5837216.exe
184	v8677913.exe
1344	a0970329.exe
872	b6739499.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a0970329.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0970329.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8677913.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6443129.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v0281841.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v5837216.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1732	1344	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v5837216.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v8677913.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a0970329.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6739499.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6443129.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v0281841.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1344	a0970329.exe
1344	a0970329.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	a0970329.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 4784	1108	8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe	83
PID 1108 wrote to memory of 4784	1108	8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe	83
PID 1108 wrote to memory of 4784	1108	8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe	83
PID 4784 wrote to memory of 3288	4784	v6443129.exe	84
PID 4784 wrote to memory of 3288	4784	v6443129.exe	84
PID 4784 wrote to memory of 3288	4784	v6443129.exe	84
PID 3288 wrote to memory of 3076	3288	v0281841.exe	85
PID 3288 wrote to memory of 3076	3288	v0281841.exe	85
PID 3288 wrote to memory of 3076	3288	v0281841.exe	85
PID 3076 wrote to memory of 184	3076	v5837216.exe	88
PID 3076 wrote to memory of 184	3076	v5837216.exe	88
PID 3076 wrote to memory of 184	3076	v5837216.exe	88
PID 184 wrote to memory of 1344	184	v8677913.exe	89
PID 184 wrote to memory of 1344	184	v8677913.exe	89
PID 184 wrote to memory of 1344	184	v8677913.exe	89
PID 184 wrote to memory of 872	184	v8677913.exe	101
PID 184 wrote to memory of 872	184	v8677913.exe	101
PID 184 wrote to memory of 872	184	v8677913.exe	101

C:\Users\Admin\AppData\Local\Temp\8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe
"C:\Users\Admin\AppData\Local\Temp\8e026466639da1c6bfbc2de6512a6ed5841f4279a01a3734b6219d7f5feb0b59.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3076
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:184
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1084
        7⤵
        Program crash
        
        PID:1732
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6739499.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6739499.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1344 -ip 1344
1⤵
PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6443129.exe

Filesize
1.4MB

MD5
c1a5446c98f644c3065b1ff16dada540

SHA1
38dd3f76f26e6843487f20c8eebc458c48622cd8

SHA256
117e3f27b31180ec01d8045782cea955c7bdaaa42cdad90c71e3631707285601

SHA512
2a6f25acf537023855d3929a592d729410ca8f39c7c470f3418e033b7fd7246257f3b02cdad0ba1a7a535c7809ab82fc3f040f7ca9b742c012032fad4c29dc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0281841.exe

Filesize
912KB

MD5
5a5a88321a9855e4e0332c9c5adf4588

SHA1
4880656779da2c7605eab11f1dfe22e2e1566fa3

SHA256
9cb0c91f9f865101df89359c07ab32149de8f0001f57104f151a3489a72220a1

SHA512
2a255a41388f2668a33ffda0e56f32a1ba4ad8b0f75870e9a78f68acd02f9609e294dc264538183a9f85a951ead2687401be02c7a18270ad19e9eefbfb0e5dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v5837216.exe

Filesize
708KB

MD5
da3a2daf8f678b8736e0a4b3b45aba32

SHA1
2cae98a9991e594154787ff2fefac4586d93b59d

SHA256
71aaa630e14a04aca23e684867fc5cffa3c8f91d7bb84a4174440dddf97bbc5c

SHA512
36f088cb74d020a2cf709e41ac84530e4d8cf80295da1f24ea99f4bdd928cad160b8463e3d81ee4da7888d67284615c3a1e6beb969e47d68280a65f2e7e22acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8677913.exe

Filesize
416KB

MD5
1ee1e17e077d161c03cedc79b8065fdc

SHA1
05bda9d3e9b3b5558a0f4853d5b64d7b9c323827

SHA256
7281e30330185564815cdd0866a89a20ecb006fc144b167962d8720264f1432b

SHA512
a549b96144945509ecdba1f8666337f4a20786d2b14507bf32f82fc882bf114cb8d4130904b06f56cc11e6a3a3632c03cdb6280138a65c04ff171bfffa363944

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0970329.exe

Filesize
361KB

MD5
994cbfd6eb427096de5b7ae75430ae62

SHA1
1f3e664226df45c9a4e1eb4a76674d47d894af93

SHA256
b91324af2df66e0c50d991235a54cb43d4a6db4e183cf978b0980f5e0d24104e

SHA512
cfaa29000b5d750cf17698fb1a42a1d596b609d3eb682699275ac2f79f835b737541478127616b8c2008ada02e832aa78f6bbe624fc646e6ecde14f77e4ec3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b6739499.exe

Filesize
168KB

MD5
bec2367794b115f6e4fcfeb223fcd261

SHA1
36b460576d4f709ad077741b5a8bb1c95c5b0a56

SHA256
bc986e6c654452da46c85dfaa65c094529fe707d35119498addf2fc611e62d70

SHA512
4a406a4bb2486c3476106e444e9d58d6be7656088ebe004711279b23f0a24cfc5e5d5ef974908150109b1328817040546164da7952a5d748c5356c5629b36d73

Download Submit
memory/872-78-0x000000000A510000-0x000000000A54C000-memory.dmp

Filesize
240KB

Download
memory/872-77-0x000000000A4B0000-0x000000000A4C2000-memory.dmp

Filesize
72KB

Download
memory/872-76-0x000000000A580000-0x000000000A68A000-memory.dmp

Filesize
1.0MB

Download
memory/872-75-0x000000000AA00000-0x000000000B018000-memory.dmp

Filesize
6.1MB

Download
memory/872-74-0x0000000004DB0000-0x0000000004DB6000-memory.dmp

Filesize
24KB

Download
memory/872-73-0x00000000005D0000-0x0000000000600000-memory.dmp

Filesize
192KB

Download
memory/872-79-0x00000000047A0000-0x00000000047EC000-memory.dmp

Filesize
304KB

Download
memory/1344-50-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-39-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-52-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-56-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-48-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-46-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-45-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-42-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-40-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-55-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-67-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1344-69-0x0000000000400000-0x00000000006F4000-memory.dmp

Filesize
3.0MB

Download
memory/1344-58-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-60-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-62-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-64-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-66-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/1344-38-0x0000000005390000-0x00000000053A8000-memory.dmp

Filesize
96KB

Download
memory/1344-37-0x0000000004D80000-0x0000000005324000-memory.dmp

Filesize
5.6MB

Download
memory/1344-36-0x0000000004D50000-0x0000000004D6A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads