healer | ffbd7d5aa1d717b0fcf0875e2311a229d5d9d3e98f11ba4841204a06f96ac5d0

Analysis

max time kernel
159s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2023, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffbd7d5aa1d717b0fcf0875e2311a229d5d9d3e98f11ba4841204a06f96ac5d0.exe
Size

930KB
MD5

261259abbeb9c8d4d09e7e3394abaf5c
SHA1

a78dc2446d7113a732cd093549ac6661a1836ec8
SHA256

ffbd7d5aa1d717b0fcf0875e2311a229d5d9d3e98f11ba4841204a06f96ac5d0
SHA512

9a52c60cca1713a2676b57d434f7732c36e4dce569f04223a5431ebd5c3134513dc45ff955c2bf64510687bf12d8179defd766bf1e71ee22cfbb356aca17dbd9
SSDEEP

24576:5ycM44syCTuN5E35c8WCmytzj76AGIfLI/:scMBlCaNUc8Wczn6GfL

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000231fb-34.dat	healer
behavioral1/files/0x00080000000231fb-33.dat	healer
behavioral1/memory/5088-35-0x0000000000490000-0x000000000049A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q2037989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q2037989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q2037989.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q2037989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q2037989.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q2037989.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1280	z9472976.exe
4692	z4177994.exe
2300	z2607753.exe
920	z2135467.exe
5088	q2037989.exe
1552	r5101379.exe
4776	s6572155.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q2037989.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2135467.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ffbd7d5aa1d717b0fcf0875e2311a229d5d9d3e98f11ba4841204a06f96ac5d0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9472976.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z4177994.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2607753.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5088	q2037989.exe
5088	q2037989.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5088	q2037989.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1280	1436	ffbd7d5aa1d717b0fcf0875e2311a229d5d9d3e98f11ba4841204a06f96ac5d0.exe	82
PID 1436 wrote to memory of 1280	1436	ffbd7d5aa1d717b0fcf0875e2311a229d5d9d3e98f11ba4841204a06f96ac5d0.exe	82
PID 1436 wrote to memory of 1280	1436	ffbd7d5aa1d717b0fcf0875e2311a229d5d9d3e98f11ba4841204a06f96ac5d0.exe	82
PID 1280 wrote to memory of 4692	1280	z9472976.exe	83
PID 1280 wrote to memory of 4692	1280	z9472976.exe	83
PID 1280 wrote to memory of 4692	1280	z9472976.exe	83
PID 4692 wrote to memory of 2300	4692	z4177994.exe	84
PID 4692 wrote to memory of 2300	4692	z4177994.exe	84
PID 4692 wrote to memory of 2300	4692	z4177994.exe	84
PID 2300 wrote to memory of 920	2300	z2607753.exe	85
PID 2300 wrote to memory of 920	2300	z2607753.exe	85
PID 2300 wrote to memory of 920	2300	z2607753.exe	85
PID 920 wrote to memory of 5088	920	z2135467.exe	86
PID 920 wrote to memory of 5088	920	z2135467.exe	86
PID 920 wrote to memory of 1552	920	z2135467.exe	91
PID 920 wrote to memory of 1552	920	z2135467.exe	91
PID 920 wrote to memory of 1552	920	z2135467.exe	91
PID 2300 wrote to memory of 4776	2300	z2607753.exe	92
PID 2300 wrote to memory of 4776	2300	z2607753.exe	92
PID 2300 wrote to memory of 4776	2300	z2607753.exe	92

C:\Users\Admin\AppData\Local\Temp\ffbd7d5aa1d717b0fcf0875e2311a229d5d9d3e98f11ba4841204a06f96ac5d0.exe
"C:\Users\Admin\AppData\Local\Temp\ffbd7d5aa1d717b0fcf0875e2311a229d5d9d3e98f11ba4841204a06f96ac5d0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9472976.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9472976.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4177994.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4177994.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4692
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2607753.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2607753.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2135467.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2135467.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:920
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2037989.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2037989.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5101379.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5101379.exe
        6⤵
        Executes dropped EXE
        
        PID:1552
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6572155.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6572155.exe
        5⤵
        Executes dropped EXE
        
        PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9472976.exe

Filesize
824KB

MD5
3e63961432e5f338965ac52066f6f254

SHA1
a8e5fa27d0dcccd04b353e6bb02d18c1bb55bace

SHA256
a20931ffe05f544a99e1dc52887df73faba472e53555533771a0bcf0ac63e245

SHA512
6993154165b09cc9302fd74505f9cb8837b1a908fba7d3081b95a2af1b6156b04681d5d48325d29added0ac93429525300c2c05f763264e2e10e4b449a93c9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9472976.exe

Filesize
824KB

MD5
3e63961432e5f338965ac52066f6f254

SHA1
a8e5fa27d0dcccd04b353e6bb02d18c1bb55bace

SHA256
a20931ffe05f544a99e1dc52887df73faba472e53555533771a0bcf0ac63e245

SHA512
6993154165b09cc9302fd74505f9cb8837b1a908fba7d3081b95a2af1b6156b04681d5d48325d29added0ac93429525300c2c05f763264e2e10e4b449a93c9fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4177994.exe

Filesize
598KB

MD5
d154e08b6616b7a676086101fb5f42e2

SHA1
64660e8fed15414f3a2977cf9787ea0c63a6021a

SHA256
983f50ca5f80be77de683ae66aa61860d79a9fe36bd4e7f42191444739854447

SHA512
4ebfecd47657b7728ec43870f756100f2e8e5238c8ebf5fd723b91854055c6d7ddcfdac9b2046d4b2504911cc219d52e584909a55a9b4c3f9fb389527b725e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z4177994.exe

Filesize
598KB

MD5
d154e08b6616b7a676086101fb5f42e2

SHA1
64660e8fed15414f3a2977cf9787ea0c63a6021a

SHA256
983f50ca5f80be77de683ae66aa61860d79a9fe36bd4e7f42191444739854447

SHA512
4ebfecd47657b7728ec43870f756100f2e8e5238c8ebf5fd723b91854055c6d7ddcfdac9b2046d4b2504911cc219d52e584909a55a9b4c3f9fb389527b725e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2607753.exe

Filesize
373KB

MD5
8816eff2a786e2f647040636770f83d1

SHA1
1c2a0c4c4fec26b9e858584fb29af70c358538d6

SHA256
2d7d6039476350d395fdd20990a7be6cd1a662ebf17c4cdd70da6aebfdefd6cf

SHA512
15d0fb60d2fa6f26ff48a7b0501f12ae4eed982c69311b9464b930dbc3c23614ba0f997654b0d8e76ac5e0ad60eb9c38979f70f0d97e52a744f16253c0294b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2607753.exe

Filesize
373KB

MD5
8816eff2a786e2f647040636770f83d1

SHA1
1c2a0c4c4fec26b9e858584fb29af70c358538d6

SHA256
2d7d6039476350d395fdd20990a7be6cd1a662ebf17c4cdd70da6aebfdefd6cf

SHA512
15d0fb60d2fa6f26ff48a7b0501f12ae4eed982c69311b9464b930dbc3c23614ba0f997654b0d8e76ac5e0ad60eb9c38979f70f0d97e52a744f16253c0294b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6572155.exe

Filesize
174KB

MD5
589599fcac5b8d427d373a74e0160ede

SHA1
f768f797162bd5434290af51c2ed817f1485a389

SHA256
88af98fa3d67af8fc080a74ca032e91557743117a9d82f2a3c8ef53747c9e5e1

SHA512
b8cd9777c185c6080960e44bb378c22bbdc09338a6c8eebfb7bfbff22f94510e007de12f4d88843e0ac248427b77426596d7827afa60d721fd207238d43f2d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6572155.exe

Filesize
174KB

MD5
589599fcac5b8d427d373a74e0160ede

SHA1
f768f797162bd5434290af51c2ed817f1485a389

SHA256
88af98fa3d67af8fc080a74ca032e91557743117a9d82f2a3c8ef53747c9e5e1

SHA512
b8cd9777c185c6080960e44bb378c22bbdc09338a6c8eebfb7bfbff22f94510e007de12f4d88843e0ac248427b77426596d7827afa60d721fd207238d43f2d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2135467.exe

Filesize
217KB

MD5
e2ebed865b5e3c51ef698725d8302905

SHA1
f4df87cdcf724cfeb0cf8aa9906684b3130b0a86

SHA256
eb825467039e078b49aa9fa0008a9b0378a294297b957f02e8288c7b733f4851

SHA512
5b3ec05028f4ed583e763417674c9be07526c251400bbf673645a1b73dbc5b1c7988a0a5f3e6344af9d458f9f100a8a8953835fe20ff4d13c7353c404d40b59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2135467.exe

Filesize
217KB

MD5
e2ebed865b5e3c51ef698725d8302905

SHA1
f4df87cdcf724cfeb0cf8aa9906684b3130b0a86

SHA256
eb825467039e078b49aa9fa0008a9b0378a294297b957f02e8288c7b733f4851

SHA512
5b3ec05028f4ed583e763417674c9be07526c251400bbf673645a1b73dbc5b1c7988a0a5f3e6344af9d458f9f100a8a8953835fe20ff4d13c7353c404d40b59a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2037989.exe

Filesize
17KB

MD5
e60af65459e07e7a110beb98ced82122

SHA1
c1810cb198b62a008a448e71df1a8da81dc4669e

SHA256
4afba16fb57e8932ff8ae7d3a73102360bb23a60240096ca3309cfca67b54e8f

SHA512
5492310b3acc8381d5ae527c7ff3a1536dc0d10608b48d2e17de60db5cf95491b9416a1dd425eaaee50e9d008ba69bcb307b14cb9bb85189f76a13d4cd0ee7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2037989.exe

Filesize
17KB

MD5
e60af65459e07e7a110beb98ced82122

SHA1
c1810cb198b62a008a448e71df1a8da81dc4669e

SHA256
4afba16fb57e8932ff8ae7d3a73102360bb23a60240096ca3309cfca67b54e8f

SHA512
5492310b3acc8381d5ae527c7ff3a1536dc0d10608b48d2e17de60db5cf95491b9416a1dd425eaaee50e9d008ba69bcb307b14cb9bb85189f76a13d4cd0ee7c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5101379.exe

Filesize
141KB

MD5
3951d942215d6880e9ed36243fe51cd3

SHA1
09e37759c39aded5cbdedf13209fbdf19ecdbe7e

SHA256
df2594011d49a97796e9278a49e580603f30a52ed45e76aefa116da151136527

SHA512
f9019eb03024d3ec9229163fff1e8daeed28a3bfc78043a7f9171bac65ccbcf9c37e90dba269d31ba76f47fc19927dfd0434479f839169a85064f0e687a811ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5101379.exe

Filesize
141KB

MD5
3951d942215d6880e9ed36243fe51cd3

SHA1
09e37759c39aded5cbdedf13209fbdf19ecdbe7e

SHA256
df2594011d49a97796e9278a49e580603f30a52ed45e76aefa116da151136527

SHA512
f9019eb03024d3ec9229163fff1e8daeed28a3bfc78043a7f9171bac65ccbcf9c37e90dba269d31ba76f47fc19927dfd0434479f839169a85064f0e687a811ee

Download Submit
memory/4776-46-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/4776-45-0x00000000003F0000-0x0000000000420000-memory.dmp

Filesize
192KB

Download
memory/4776-47-0x000000000A890000-0x000000000AEA8000-memory.dmp

Filesize
6.1MB

Download
memory/4776-48-0x000000000A3A0000-0x000000000A4AA000-memory.dmp

Filesize
1.0MB

Download
memory/4776-49-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/4776-50-0x000000000A2E0000-0x000000000A2F2000-memory.dmp

Filesize
72KB

Download
memory/4776-51-0x000000000A340000-0x000000000A37C000-memory.dmp

Filesize
240KB

Download
memory/4776-52-0x0000000073FB0000-0x0000000074760000-memory.dmp

Filesize
7.7MB

Download
memory/4776-53-0x0000000004EE0000-0x0000000004EF0000-memory.dmp

Filesize
64KB

Download
memory/5088-38-0x00007FFC854D0000-0x00007FFC85F91000-memory.dmp

Filesize
10.8MB

Download
memory/5088-36-0x00007FFC854D0000-0x00007FFC85F91000-memory.dmp

Filesize
10.8MB

Download
memory/5088-35-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download