healer | 1548b13b8b738661cb16dde74fea01a5bc06cfd7ad5ac50cd5cbcd9b2f943b8c

General

Target

1548b13b8b738661cb16dde74fea01a5bc06cfd7ad5ac50cd5cbcd9b2f943b8c.exe
Size

1.3MB
MD5

91c739341cf003575ce418c16c987269
SHA1

fe4050e43d92bc91b1cd3727cfb0a28e00bed098
SHA256

1548b13b8b738661cb16dde74fea01a5bc06cfd7ad5ac50cd5cbcd9b2f943b8c
SHA512

ac640974a4f5b8036eded0c49ed66293b5def0589ba7cb50c0f8d9aaf906d7895c753756a9b71b1c3b6bb67dead488ccbcf1287b6ab23f6887127168f3442a12
SSDEEP

24576:XyI1o/c4KcX6zrVp/VivQD0cCsjTlSuB6/+cSQcwXLLDhebW8:il04Kg6zlzD0Zsj5lBC+cvD3teb

Score

10^/10

healer redline maza discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

maza

C2

185.161.248.73:4164

Attributes

auth_value
474d54c1c2f5291290c53f8378acd684

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

resource	yara_rule
behavioral1/memory/4232-29-0x0000000002A50000-0x0000000002A6A000-memory.dmp	healer
behavioral1/memory/4232-31-0x0000000002BB0000-0x0000000002BC8000-memory.dmp	healer
behavioral1/memory/4232-59-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-57-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-56-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-53-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-51-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-50-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-47-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-45-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-43-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-41-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-39-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-37-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-35-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-33-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer
behavioral1/memory/4232-32-0x0000000002BB0000-0x0000000002BC2000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a29863503.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a29863503.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a29863503.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a29863503.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a29863503.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a29863503.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cd2-64.dat	family_redline
behavioral1/memory/4992-66-0x0000000000610000-0x000000000063E000-memory.dmp	family_redline

Redline family
redline

Executes dropped EXE 5 IoCs

pid	Process
2248	i62206334.exe
1888	i73840774.exe
4288	i40327850.exe
4232	a29863503.exe
4992	b42870982.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a29863503.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a29863503.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1548b13b8b738661cb16dde74fea01a5bc06cfd7ad5ac50cd5cbcd9b2f943b8c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	i62206334.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	i73840774.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	i40327850.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	4232	WerFault.exe	88

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1548b13b8b738661cb16dde74fea01a5bc06cfd7ad5ac50cd5cbcd9b2f943b8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i62206334.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i73840774.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	i40327850.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a29863503.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b42870982.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4232	a29863503.exe
4232	a29863503.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4232	a29863503.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 2248	3580	1548b13b8b738661cb16dde74fea01a5bc06cfd7ad5ac50cd5cbcd9b2f943b8c.exe	85
PID 3580 wrote to memory of 2248	3580	1548b13b8b738661cb16dde74fea01a5bc06cfd7ad5ac50cd5cbcd9b2f943b8c.exe	85
PID 3580 wrote to memory of 2248	3580	1548b13b8b738661cb16dde74fea01a5bc06cfd7ad5ac50cd5cbcd9b2f943b8c.exe	85
PID 2248 wrote to memory of 1888	2248	i62206334.exe	86
PID 2248 wrote to memory of 1888	2248	i62206334.exe	86
PID 2248 wrote to memory of 1888	2248	i62206334.exe	86
PID 1888 wrote to memory of 4288	1888	i73840774.exe	87
PID 1888 wrote to memory of 4288	1888	i73840774.exe	87
PID 1888 wrote to memory of 4288	1888	i73840774.exe	87
PID 4288 wrote to memory of 4232	4288	i40327850.exe	88
PID 4288 wrote to memory of 4232	4288	i40327850.exe	88
PID 4288 wrote to memory of 4232	4288	i40327850.exe	88
PID 4288 wrote to memory of 4992	4288	i40327850.exe	98
PID 4288 wrote to memory of 4992	4288	i40327850.exe	98
PID 4288 wrote to memory of 4992	4288	i40327850.exe	98

C:\Users\Admin\AppData\Local\Temp\1548b13b8b738661cb16dde74fea01a5bc06cfd7ad5ac50cd5cbcd9b2f943b8c.exe
"C:\Users\Admin\AppData\Local\Temp\1548b13b8b738661cb16dde74fea01a5bc06cfd7ad5ac50cd5cbcd9b2f943b8c.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i62206334.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i62206334.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i73840774.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i73840774.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i40327850.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i40327850.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4288
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a29863503.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a29863503.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4232
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 1080
        6⤵
        Program crash
        
        PID:2664
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b42870982.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b42870982.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4232 -ip 4232
1⤵
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i62206334.exe

Filesize
1.1MB

MD5
5116066f4178c65f53ba9effa7eda17d

SHA1
53a24081a667eca1e1401c447cf7cd7d3c93fd9b

SHA256
e6f8ca10dc19a0509146185b12b355308a9778e934b12d9f9ae8e08d45adb0a4

SHA512
480a865b04effee56b52627fbc1aa173a970bbd18f122d4032ce8e519fa6560b14c5b991351143f053c6beeaae77a59d265976adbd6b5cc9be82b1a21b7aec86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i73840774.exe

Filesize
687KB

MD5
655b15d0449ca5dfdad81d3741cd9e95

SHA1
5df933f3de5fa1fb4d080e0403a6dabeb85fe9c1

SHA256
49c43951c69be72304e483376ba3b53794f702373dd61d1c64a3de5055a97b03

SHA512
895318cc3104a1427f6a4301da6dfb0c4b9b72793afa58c8b4b4438c75c54117386405bb50f5ee8e6eeecfb51e21e4515a117a3fbd0360a57b794f2b805ca0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i40327850.exe

Filesize
404KB

MD5
ce8cd6cd8eacac3c52c5cfbcfe02d252

SHA1
382073601064e94820adf81f94ee8afe05229db6

SHA256
a642e2b957504011ab4ea400a6cdc55789865189cebb4248083c6a7d3d18c396

SHA512
c94c30785d9295f853cac025c2688b75a284c1d957f2bbe43f0b6c24d54453ca0ee30c88f1a49b65d782031cd3df588f2410c7e1109d0323a6361ad53443e4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a29863503.exe

Filesize
344KB

MD5
1f50f62f38a5b748eb9d4da3a369fc80

SHA1
cb383ae4f6c463bfe45ade8b58d8f81ec9faaf9b

SHA256
8c2684709cc0159632971f6fcfd381b44aabc176e48c9c6aa3472f3b92826ad4

SHA512
b7fbb59910530f12da7dfc65b7754449f1c1f3f93eabc03969ba1309d1dce42370a5cd3de73d97957c5ea4936ce671ed24e34bcb1d247a513d3f41215f19f330

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b42870982.exe

Filesize
168KB

MD5
76e299bf43b90ee4882f29c7023545d4

SHA1
1171f37906b01d4935e5d3723db7a6a2b7870395

SHA256
00f5de9854c440f4c6f3031ac895474cf2f49efacda0ac810f87af964e3c3268

SHA512
295198650ebccfa238bb96507d9c2c91f13bdc7203318186005721bb3f1787d2b2f01ddd58ad44d2f57281c2505e8578f14ae54a60597350bbee17440196fd7e

Download Submit
memory/4232-57-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-37-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-59-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-30-0x00000000050D0000-0x0000000005674000-memory.dmp

Filesize
5.6MB

Download
memory/4232-56-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-53-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-51-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-50-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-47-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-45-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-43-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-41-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-39-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-31-0x0000000002BB0000-0x0000000002BC8000-memory.dmp

Filesize
96KB

Download
memory/4232-35-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-33-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-32-0x0000000002BB0000-0x0000000002BC2000-memory.dmp

Filesize
72KB

Download
memory/4232-60-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/4232-62-0x0000000000400000-0x0000000000A67000-memory.dmp

Filesize
6.4MB

Download
memory/4232-29-0x0000000002A50000-0x0000000002A6A000-memory.dmp

Filesize
104KB

Download
memory/4992-66-0x0000000000610000-0x000000000063E000-memory.dmp

Filesize
184KB

Download
memory/4992-67-0x0000000002660000-0x0000000002666000-memory.dmp

Filesize
24KB

Download
memory/4992-68-0x0000000005660000-0x0000000005C78000-memory.dmp

Filesize
6.1MB

Download
memory/4992-69-0x0000000005190000-0x000000000529A000-memory.dmp

Filesize
1.0MB

Download
memory/4992-70-0x00000000050C0000-0x00000000050D2000-memory.dmp

Filesize
72KB

Download
memory/4992-71-0x0000000005120000-0x000000000515C000-memory.dmp

Filesize
240KB

Download
memory/4992-72-0x00000000052A0000-0x00000000052EC000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads