healer | e286655ef9375e33a3f9ba2a7a6c63d13b32d2569741f68fdd439e426ed9cd56

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2023, 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e286655ef9375e33a3f9ba2a7a6c63d13b32d2569741f68fdd439e426ed9cd56.exe
Size

930KB
MD5

f30bde4684e6b77652d1699c08b122a7
SHA1

ede24b90415c59c26469368d14a41add29a52f77
SHA256

e286655ef9375e33a3f9ba2a7a6c63d13b32d2569741f68fdd439e426ed9cd56
SHA512

f21afe7acf338dec156cc131dba70779dd73fe1fea714e4df7acf4af5e63d0b8867332950a16fb4bf22291ff9d73cff9e83d627bfec6994a98e8f72416e4107d
SSDEEP

24576:Xynf1PJND+lm5S1eEo3/saCRG0HsE8n+FHyYGdiH09c:ixJND+lmkBovsBY0HwY3I

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023245-33.dat	healer
behavioral1/files/0x0007000000023245-34.dat	healer
behavioral1/memory/3004-35-0x0000000000DE0000-0x0000000000DEA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q2303402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q2303402.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q2303402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q2303402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q2303402.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q2303402.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2996	z0494201.exe
1776	z1133261.exe
2968	z2146589.exe
1480	z6259768.exe
3004	q2303402.exe
4724	r1788906.exe
404	s3643586.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q2303402.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z6259768.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e286655ef9375e33a3f9ba2a7a6c63d13b32d2569741f68fdd439e426ed9cd56.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z0494201.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1133261.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z2146589.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3004	q2303402.exe
3004	q2303402.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	q2303402.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1400 wrote to memory of 2996	1400	e286655ef9375e33a3f9ba2a7a6c63d13b32d2569741f68fdd439e426ed9cd56.exe	83
PID 1400 wrote to memory of 2996	1400	e286655ef9375e33a3f9ba2a7a6c63d13b32d2569741f68fdd439e426ed9cd56.exe	83
PID 1400 wrote to memory of 2996	1400	e286655ef9375e33a3f9ba2a7a6c63d13b32d2569741f68fdd439e426ed9cd56.exe	83
PID 2996 wrote to memory of 1776	2996	z0494201.exe	84
PID 2996 wrote to memory of 1776	2996	z0494201.exe	84
PID 2996 wrote to memory of 1776	2996	z0494201.exe	84
PID 1776 wrote to memory of 2968	1776	z1133261.exe	85
PID 1776 wrote to memory of 2968	1776	z1133261.exe	85
PID 1776 wrote to memory of 2968	1776	z1133261.exe	85
PID 2968 wrote to memory of 1480	2968	z2146589.exe	86
PID 2968 wrote to memory of 1480	2968	z2146589.exe	86
PID 2968 wrote to memory of 1480	2968	z2146589.exe	86
PID 1480 wrote to memory of 3004	1480	z6259768.exe	87
PID 1480 wrote to memory of 3004	1480	z6259768.exe	87
PID 1480 wrote to memory of 4724	1480	z6259768.exe	96
PID 1480 wrote to memory of 4724	1480	z6259768.exe	96
PID 1480 wrote to memory of 4724	1480	z6259768.exe	96
PID 2968 wrote to memory of 404	2968	z2146589.exe	97
PID 2968 wrote to memory of 404	2968	z2146589.exe	97
PID 2968 wrote to memory of 404	2968	z2146589.exe	97

C:\Users\Admin\AppData\Local\Temp\e286655ef9375e33a3f9ba2a7a6c63d13b32d2569741f68fdd439e426ed9cd56.exe
"C:\Users\Admin\AppData\Local\Temp\e286655ef9375e33a3f9ba2a7a6c63d13b32d2569741f68fdd439e426ed9cd56.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0494201.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0494201.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1133261.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1133261.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1776
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2146589.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2146589.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6259768.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6259768.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2303402.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2303402.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1788906.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1788906.exe
        6⤵
        Executes dropped EXE
        
        PID:4724
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3643586.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3643586.exe
        5⤵
        Executes dropped EXE
        
        PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0494201.exe

Filesize
824KB

MD5
21b2407d52571f03d6b205dcec9c647d

SHA1
ed6cdccadbb70ad72e333f13000839891ca5ff3e

SHA256
1ed6b475943e8f82a02d8819c7d2fefa004da7a4c90666d046de8d730e78f9c2

SHA512
bb7ceb35e778863ff07f4eb9e2529ece9076effc671e76dc6e2c4254ffde3e5f574b2a1e90b242fe6979b4244148b94b4340688f499b604fd7d5878bf4494a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0494201.exe

Filesize
824KB

MD5
21b2407d52571f03d6b205dcec9c647d

SHA1
ed6cdccadbb70ad72e333f13000839891ca5ff3e

SHA256
1ed6b475943e8f82a02d8819c7d2fefa004da7a4c90666d046de8d730e78f9c2

SHA512
bb7ceb35e778863ff07f4eb9e2529ece9076effc671e76dc6e2c4254ffde3e5f574b2a1e90b242fe6979b4244148b94b4340688f499b604fd7d5878bf4494a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1133261.exe

Filesize
598KB

MD5
1708189b5df83e87349cf5ab023b5093

SHA1
f3bcd89531abb94e2f1b5c8ee6749344d59b431e

SHA256
1bf1cd699a37e85083e5ad2a529d09f7055fd6f53e544e762a76c7baab31b3f9

SHA512
508e6d68c25e216ae300f0320cbf9fa57847b83c1acb7f63750289babddd8cb963577170026d5716a3dadb41991b05927cc92f1b3faca523105bd973b64a54d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1133261.exe

Filesize
598KB

MD5
1708189b5df83e87349cf5ab023b5093

SHA1
f3bcd89531abb94e2f1b5c8ee6749344d59b431e

SHA256
1bf1cd699a37e85083e5ad2a529d09f7055fd6f53e544e762a76c7baab31b3f9

SHA512
508e6d68c25e216ae300f0320cbf9fa57847b83c1acb7f63750289babddd8cb963577170026d5716a3dadb41991b05927cc92f1b3faca523105bd973b64a54d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2146589.exe

Filesize
373KB

MD5
300cdafb4de8ef414d3b43a9ee51d918

SHA1
ebd086362e74a65b5d7db510857689abf901a3b8

SHA256
24e2bcf536cfd883760904a23974a3a4a685e43bfe737a81277b938fcadb0bec

SHA512
e73dea68af72494e31e80bdcc8da714aad5b3aeceb9a5d97b50abb807bec055c786144ac5c9be0fe61fe8428cca608b7497a7611923f8023cb0461d1b7735457

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z2146589.exe

Filesize
373KB

MD5
300cdafb4de8ef414d3b43a9ee51d918

SHA1
ebd086362e74a65b5d7db510857689abf901a3b8

SHA256
24e2bcf536cfd883760904a23974a3a4a685e43bfe737a81277b938fcadb0bec

SHA512
e73dea68af72494e31e80bdcc8da714aad5b3aeceb9a5d97b50abb807bec055c786144ac5c9be0fe61fe8428cca608b7497a7611923f8023cb0461d1b7735457

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3643586.exe

Filesize
174KB

MD5
58ed3b25f56dc1e2bdbcf40f8f68dcc9

SHA1
164081c2336a8b443ad2bcde1542e6a003eff597

SHA256
7e77a90e757fd3c72eb54c2bea91344b0d951405ca80f7fffd2d4298ebf9a607

SHA512
83184a12f5d1ad7d54b1fb61aa25e4793dd9687aea52593945f35f3e1ab8b34d53e9fcc131afb4ee6489aaacd72605541a9ff46fec19e34cff69e5da720e06c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3643586.exe

Filesize
174KB

MD5
58ed3b25f56dc1e2bdbcf40f8f68dcc9

SHA1
164081c2336a8b443ad2bcde1542e6a003eff597

SHA256
7e77a90e757fd3c72eb54c2bea91344b0d951405ca80f7fffd2d4298ebf9a607

SHA512
83184a12f5d1ad7d54b1fb61aa25e4793dd9687aea52593945f35f3e1ab8b34d53e9fcc131afb4ee6489aaacd72605541a9ff46fec19e34cff69e5da720e06c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6259768.exe

Filesize
217KB

MD5
9d3b72cd338739a5ccce8bbff2c1cf1e

SHA1
5daa2fd8551ffb2828cd6dd7ba7c110a6776c4af

SHA256
e9f67a47270c2ba8888b1c46265c10a0a758224625b481de376423ee3cdfae55

SHA512
19c26db3785e6000ee1212d713b263ed3c211abb3f923418567d69231f37ddcb5202893366974742ea6198cb965c39cceb0c8cf797eedc44a9e10beeb584d571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6259768.exe

Filesize
217KB

MD5
9d3b72cd338739a5ccce8bbff2c1cf1e

SHA1
5daa2fd8551ffb2828cd6dd7ba7c110a6776c4af

SHA256
e9f67a47270c2ba8888b1c46265c10a0a758224625b481de376423ee3cdfae55

SHA512
19c26db3785e6000ee1212d713b263ed3c211abb3f923418567d69231f37ddcb5202893366974742ea6198cb965c39cceb0c8cf797eedc44a9e10beeb584d571

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2303402.exe

Filesize
17KB

MD5
c5f6fde75afd74339de22f296c16df93

SHA1
0cf2bea9bd0666509c1fabce410f072608ddde33

SHA256
240f25058243a5dbab9303c6b675c4fe3578c394655175b48a33ad56d1bb4574

SHA512
9f43bd6e08333f58f40d418a1c2e805dbb0f0892948c2000e58d2fa103c0e2ed493b77f5df9ea635288f99e6070aa267b203d692284f39220202b0006a9a52e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2303402.exe

Filesize
17KB

MD5
c5f6fde75afd74339de22f296c16df93

SHA1
0cf2bea9bd0666509c1fabce410f072608ddde33

SHA256
240f25058243a5dbab9303c6b675c4fe3578c394655175b48a33ad56d1bb4574

SHA512
9f43bd6e08333f58f40d418a1c2e805dbb0f0892948c2000e58d2fa103c0e2ed493b77f5df9ea635288f99e6070aa267b203d692284f39220202b0006a9a52e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1788906.exe

Filesize
140KB

MD5
e0515aebb17e51c5761fcf58c22d9369

SHA1
b2cd6d0bf2427b2bd9a30ef2292c288ed24b8334

SHA256
c920ab9c7538c0bb5691dd4ad44fc46578e0c078c6f908a556e9d1454e7c176c

SHA512
f731daa82bfa03e061d84943e4af6ff4d68da68ff02fc3b85c4c84342ac85c0babf908a85ecc735af65c4980903bb31d4ea0866a50ac8d9f58ef2554d4edd364

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1788906.exe

Filesize
140KB

MD5
e0515aebb17e51c5761fcf58c22d9369

SHA1
b2cd6d0bf2427b2bd9a30ef2292c288ed24b8334

SHA256
c920ab9c7538c0bb5691dd4ad44fc46578e0c078c6f908a556e9d1454e7c176c

SHA512
f731daa82bfa03e061d84943e4af6ff4d68da68ff02fc3b85c4c84342ac85c0babf908a85ecc735af65c4980903bb31d4ea0866a50ac8d9f58ef2554d4edd364

Download Submit
memory/404-46-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/404-45-0x0000000000ED0000-0x0000000000F00000-memory.dmp

Filesize
192KB

Download
memory/404-47-0x000000000B2D0000-0x000000000B8E8000-memory.dmp

Filesize
6.1MB

Download
memory/404-48-0x000000000ADC0000-0x000000000AECA000-memory.dmp

Filesize
1.0MB

Download
memory/404-49-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/404-50-0x00000000058F0000-0x0000000005902000-memory.dmp

Filesize
72KB

Download
memory/404-51-0x000000000ACF0000-0x000000000AD2C000-memory.dmp

Filesize
240KB

Download
memory/404-52-0x0000000074100000-0x00000000748B0000-memory.dmp

Filesize
7.7MB

Download
memory/404-53-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/3004-38-0x00007FFA3D060000-0x00007FFA3DB21000-memory.dmp

Filesize
10.8MB

Download
memory/3004-36-0x00007FFA3D060000-0x00007FFA3DB21000-memory.dmp

Filesize
10.8MB

Download
memory/3004-35-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download