healer | be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbc

General

Target

be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbcN.exe
Size

848KB
MD5

4713b5bf0aeaaa3e55b97e4187367830
SHA1

aca8935697aaa69fa6b1ecb418d4df8cebe0faf6
SHA256

be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbc
SHA512

9ed7a96596f391081960fc5415a81bf3869db1ba84961c43543d243f21af5fd80b99beaba9a42a8bdbcdd4710ef6df27edf399b3b93bd560ab666489cd508723
SSDEEP

24576:FypHbVgZ6Gl/SqOGIiokddVXz5cFFhd4C3cApMYS:gpHbkxlMiobFbd4C

Score

10^/10

healer redline mask discovery dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

mask

C2

217.196.96.56:4138

Attributes

auth_value
31aef25be0febb8e491794ef7f502c50

Signatures

Detects Healer an antivirus disabler dropper 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4828-25-0x0000000002160000-0x000000000217A000-memory.dmp	healer
behavioral1/memory/4828-27-0x0000000004A10000-0x0000000004A28000-memory.dmp	healer
behavioral1/memory/4828-28-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-35-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-55-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-53-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-51-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-49-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-47-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-45-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-43-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-41-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-39-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-37-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-33-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-31-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer
behavioral1/memory/4828-29-0x0000000004A10000-0x0000000004A22000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
Healer family
healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

a4355789.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	a4355789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a4355789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a4355789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a4355789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a4355789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a4355789.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1621089.exe	family_redline
behavioral1/memory/1940-66-0x0000000000CC0000-0x0000000000CF0000-memory.dmp	family_redline

Redline family
redline
Executes dropped EXE 4 IoCs

Processes:

v6346460.exev4286225.exea4355789.exeb1621089.exe

pid process

3900 v6346460.exe
1692 v4286225.exe
4828 a4355789.exe
1940 b1621089.exe

pid	process
3900	v6346460.exe
1692	v4286225.exe
4828	a4355789.exe
1940	b1621089.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

a4355789.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	a4355789.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	a4355789.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbcN.exev6346460.exev4286225.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbcN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6346460.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4286225.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3384 4828 WerFault.exe a4355789.exe

pid	pid_target	process	target process
3384	4828	WerFault.exe	a4355789.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b1621089.exebe0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbcN.exev6346460.exev4286225.exea4355789.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1621089.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbcN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v6346460.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	v4286225.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4355789.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a4355789.exe

pid process

4828 a4355789.exe
4828 a4355789.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a4355789.exe

description pid process

Token: SeDebugPrivilege 4828 a4355789.exe

pid	process
4828	a4355789.exe
4828	a4355789.exe

description	pid	process
Token: SeDebugPrivilege	4828	a4355789.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbcN.exev6346460.exev4286225.exe

description	pid	process	target process
PID 3284 wrote to memory of 3900	3284	be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbcN.exe	v6346460.exe
PID 3284 wrote to memory of 3900	3284	be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbcN.exe	v6346460.exe
PID 3284 wrote to memory of 3900	3284	be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbcN.exe	v6346460.exe
PID 3900 wrote to memory of 1692	3900	v6346460.exe	v4286225.exe
PID 3900 wrote to memory of 1692	3900	v6346460.exe	v4286225.exe
PID 3900 wrote to memory of 1692	3900	v6346460.exe	v4286225.exe
PID 1692 wrote to memory of 4828	1692	v4286225.exe	a4355789.exe
PID 1692 wrote to memory of 4828	1692	v4286225.exe	a4355789.exe
PID 1692 wrote to memory of 4828	1692	v4286225.exe	a4355789.exe
PID 1692 wrote to memory of 1940	1692	v4286225.exe	b1621089.exe
PID 1692 wrote to memory of 1940	1692	v4286225.exe	b1621089.exe
PID 1692 wrote to memory of 1940	1692	v4286225.exe	b1621089.exe

C:\Users\Admin\AppData\Local\Temp\be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbcN.exe
"C:\Users\Admin\AppData\Local\Temp\be0acc69829c9a8717ce82d479f831dd8035bfdc27658804c935d019a2b9cfbcN.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6346460.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6346460.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4286225.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4286225.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4355789.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4355789.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4828
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 1080
        5⤵
        Program crash
        
        PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1621089.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1621089.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4828 -ip 4828
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6346460.exe

Filesize
644KB

MD5
fa168db84d9c0e439d937e1790104d9d

SHA1
7d2813c55a7f90eeddb6d752953178ab124c3c56

SHA256
e4f5163b3f309a1b7ff1a87b9b6a92b2be62560665d9ecf13311b0ab1c35cd74

SHA512
bac3c747db94b7d1221fc779f7c3f9d09e1820544fdbc4847fad8abfc7b272eb6834e0e12b7be4fcffc302c9094720a67cc0d7a28fdea50121bbb9e10d710241

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4286225.exe

Filesize
384KB

MD5
79fd0e46e825c073b4ee57a7fb93137a

SHA1
de7ebe71a890c6b5be58fd8887afbb7c28801637

SHA256
74d4ca2026a891db3563c1dcd8a26491f5fff5cf51a9cafd4cce8f14b3488f77

SHA512
22176bab9204d49a75b84cf88ea06625fa2d672ce2dc9b9cffab5db0b854fb41ecbd7fe4ccda735c798672b27c5f6ea8583831abe79db40c3c279686e875cb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a4355789.exe

Filesize
291KB

MD5
f1888e049ab494a37ac7030e37e3333b

SHA1
dd3747ebf2e95978ef25634efee29f7e0a95fc8e

SHA256
f3053ab1474120a7230da3733c3e1a88d459b9ee8e5e99a88cd37a4a3d4d00ed

SHA512
346acbc1e2e5538a0b5c2503adbff9f48f11d92f5a7e18b2c713e5ffa8b179564171fe1f40f92ce260a00650ab46636cc2846c88faf0fff511622c2757742489

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1621089.exe

Filesize
168KB

MD5
35620838686248db8ec364009af4c40e

SHA1
a7e01f11d69c785d0a68ba9a0e7acca777a967ea

SHA256
fc01213ffbddc50a452fe272f8ea8f3313946f651c4db174eb8efa180c9bf225

SHA512
57e0a8c3d211dac115a308b06b69d3354d36f264929964280b23d365cdbc7d119b1b4ce5420be77eef6739cdfdb17fc9c375ffd2edc5f8aa82700cc388849f4e

Download Submit
memory/1940-72-0x0000000004FF0000-0x000000000503C000-memory.dmp

Filesize
304KB

Download
memory/1940-71-0x000000000AAC0000-0x000000000AAFC000-memory.dmp

Filesize
240KB

Download
memory/1940-70-0x000000000AA60000-0x000000000AA72000-memory.dmp

Filesize
72KB

Download
memory/1940-69-0x000000000AB30000-0x000000000AC3A000-memory.dmp

Filesize
1.0MB

Download
memory/1940-68-0x000000000B000000-0x000000000B618000-memory.dmp

Filesize
6.1MB

Download
memory/1940-67-0x0000000002FB0000-0x0000000002FB6000-memory.dmp

Filesize
24KB

Download
memory/1940-66-0x0000000000CC0000-0x0000000000CF0000-memory.dmp

Filesize
192KB

Download
memory/4828-41-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-56-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download
memory/4828-51-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-49-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-47-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-45-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-43-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-55-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-39-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-37-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-33-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-31-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-29-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-53-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-57-0x0000000000570000-0x000000000059D000-memory.dmp

Filesize
180KB

Download
memory/4828-58-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4828-59-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4828-61-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/4828-62-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4828-35-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-28-0x0000000004A10000-0x0000000004A22000-memory.dmp

Filesize
72KB

Download
memory/4828-27-0x0000000004A10000-0x0000000004A28000-memory.dmp

Filesize
96KB

Download
memory/4828-26-0x0000000004A70000-0x0000000005014000-memory.dmp

Filesize
5.6MB

Download
memory/4828-25-0x0000000002160000-0x000000000217A000-memory.dmp

Filesize
104KB

Download
memory/4828-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4828-23-0x0000000000570000-0x000000000059D000-memory.dmp

Filesize
180KB

Download
memory/4828-22-0x0000000000720000-0x0000000000820000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads