healer | 944875dfc9a3c8710b8d857dca02197821aca308953c59f76ed94a40b725f49b

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
29-08-2023 15:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

944875dfc9a3c8710b8d857dca02197821aca308953c59f76ed94a40b725f49b.exe
Size

930KB
MD5

e8b57516f0f4a5fc573bfa216c601b97
SHA1

ba4dd5cf2c134461b1066bd91924eb6a2c007167
SHA256

944875dfc9a3c8710b8d857dca02197821aca308953c59f76ed94a40b725f49b
SHA512

dee3127e6e3d4ede19df0b9a24b3ccbdccb73b5597322d0e240754bec5a768e80617e058efbdeb539333c956ef0b49c9ca3dba8e3918cb6ab187e84071fb03c6
SSDEEP

24576:Aymx+KnirOTfcFzKr713WKCyq4uIFLV/dnWLX:Hmx+OKKcFwB34XIJznw

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afee-33.dat	healer
behavioral1/files/0x000700000001afee-34.dat	healer
behavioral1/memory/4720-35-0x0000000000E70000-0x0000000000E7A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q1974472.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q1974472.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q1974472.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q1974472.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q1974472.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
360	z3081502.exe
788	z8793677.exe
4504	z1286541.exe
4332	z2247082.exe
4720	q1974472.exe
760	r5243837.exe
1720	s0956788.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q1974472.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8793677.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1286541.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z2247082.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	944875dfc9a3c8710b8d857dca02197821aca308953c59f76ed94a40b725f49b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z3081502.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4720	q1974472.exe
4720	q1974472.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4720	q1974472.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 360	2092	944875dfc9a3c8710b8d857dca02197821aca308953c59f76ed94a40b725f49b.exe	70
PID 2092 wrote to memory of 360	2092	944875dfc9a3c8710b8d857dca02197821aca308953c59f76ed94a40b725f49b.exe	70
PID 2092 wrote to memory of 360	2092	944875dfc9a3c8710b8d857dca02197821aca308953c59f76ed94a40b725f49b.exe	70
PID 360 wrote to memory of 788	360	z3081502.exe	71
PID 360 wrote to memory of 788	360	z3081502.exe	71
PID 360 wrote to memory of 788	360	z3081502.exe	71
PID 788 wrote to memory of 4504	788	z8793677.exe	72
PID 788 wrote to memory of 4504	788	z8793677.exe	72
PID 788 wrote to memory of 4504	788	z8793677.exe	72
PID 4504 wrote to memory of 4332	4504	z1286541.exe	73
PID 4504 wrote to memory of 4332	4504	z1286541.exe	73
PID 4504 wrote to memory of 4332	4504	z1286541.exe	73
PID 4332 wrote to memory of 4720	4332	z2247082.exe	74
PID 4332 wrote to memory of 4720	4332	z2247082.exe	74
PID 4332 wrote to memory of 760	4332	z2247082.exe	75
PID 4332 wrote to memory of 760	4332	z2247082.exe	75
PID 4332 wrote to memory of 760	4332	z2247082.exe	75
PID 4504 wrote to memory of 1720	4504	z1286541.exe	76
PID 4504 wrote to memory of 1720	4504	z1286541.exe	76
PID 4504 wrote to memory of 1720	4504	z1286541.exe	76

C:\Users\Admin\AppData\Local\Temp\944875dfc9a3c8710b8d857dca02197821aca308953c59f76ed94a40b725f49b.exe
"C:\Users\Admin\AppData\Local\Temp\944875dfc9a3c8710b8d857dca02197821aca308953c59f76ed94a40b725f49b.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3081502.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3081502.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:360
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8793677.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8793677.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1286541.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1286541.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2247082.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2247082.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4332
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1974472.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1974472.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4720
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5243837.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5243837.exe
        6⤵
        Executes dropped EXE
        
        PID:760
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0956788.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0956788.exe
        5⤵
        Executes dropped EXE
        
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3081502.exe

Filesize
824KB

MD5
6f7212680ca24f79c40c8f4f7104fc9d

SHA1
34bcc74de278ac947b98ddfda1bb5fa19c7436d7

SHA256
c8d02f37e8b6354975a3c9abefe673814a6822614bd3a557eeb528f0a9c93713

SHA512
46c34aefc2641f6f7b30e5cd7a6122979acb757435da2ac06586ce7ee2fa8c352752d10565624b1e4d26f3d4e64a50d3ab9092c4f4cf17a02f2ac7478877c085

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z3081502.exe

Filesize
824KB

MD5
6f7212680ca24f79c40c8f4f7104fc9d

SHA1
34bcc74de278ac947b98ddfda1bb5fa19c7436d7

SHA256
c8d02f37e8b6354975a3c9abefe673814a6822614bd3a557eeb528f0a9c93713

SHA512
46c34aefc2641f6f7b30e5cd7a6122979acb757435da2ac06586ce7ee2fa8c352752d10565624b1e4d26f3d4e64a50d3ab9092c4f4cf17a02f2ac7478877c085

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8793677.exe

Filesize
598KB

MD5
ee04532f0c6ba198c63ca4f20b4e0c2f

SHA1
073c2f2861d0daa7e064f101a7dd5af14558512d

SHA256
0ff2be83b8886d9ab9854f9def1abe1aeb1b495514ea91e9c74ed52425c53a20

SHA512
f986772428df39bb91c5475b80a3bc12d971943826e176fee7634e9d5f937032107c0a66a5928a6f2dcbf630aa982274f2b3cb145005016ef08dcd693cb1cfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8793677.exe

Filesize
598KB

MD5
ee04532f0c6ba198c63ca4f20b4e0c2f

SHA1
073c2f2861d0daa7e064f101a7dd5af14558512d

SHA256
0ff2be83b8886d9ab9854f9def1abe1aeb1b495514ea91e9c74ed52425c53a20

SHA512
f986772428df39bb91c5475b80a3bc12d971943826e176fee7634e9d5f937032107c0a66a5928a6f2dcbf630aa982274f2b3cb145005016ef08dcd693cb1cfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1286541.exe

Filesize
373KB

MD5
93967e98654b0b0d0fcd95d71f56d8f0

SHA1
8fb49510fe4f4d7380f4cdc55b37203a428928b4

SHA256
8c378ca7bf996d1ff93c5dd7d9bd051dcd52052b8bd619c88a483a2d6fe6cae1

SHA512
1785903785322874132140fe6e649be80f33a59447885fe1f426efbd797121d1766059ce1cd9f52f65ce0121b48b733207316606db9fbddecb7943220c896ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1286541.exe

Filesize
373KB

MD5
93967e98654b0b0d0fcd95d71f56d8f0

SHA1
8fb49510fe4f4d7380f4cdc55b37203a428928b4

SHA256
8c378ca7bf996d1ff93c5dd7d9bd051dcd52052b8bd619c88a483a2d6fe6cae1

SHA512
1785903785322874132140fe6e649be80f33a59447885fe1f426efbd797121d1766059ce1cd9f52f65ce0121b48b733207316606db9fbddecb7943220c896ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0956788.exe

Filesize
174KB

MD5
1c48b3f4e652ef7d6bda42b2141e75f4

SHA1
e9e9b35740a683c6d478b231ac27dd1bc2b6ecde

SHA256
f1b3e6dbee32500849c8526538c0cad31d7b40f314b36494cf61800ca85b3480

SHA512
87597e3c2aafcee6f8cdbbfc169bd6ee23db175c88dba953638a70a0966852f8cd138c1391b4d58b33280c354114f53b2801163dd892c83a9cf7b03a455ca5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0956788.exe

Filesize
174KB

MD5
1c48b3f4e652ef7d6bda42b2141e75f4

SHA1
e9e9b35740a683c6d478b231ac27dd1bc2b6ecde

SHA256
f1b3e6dbee32500849c8526538c0cad31d7b40f314b36494cf61800ca85b3480

SHA512
87597e3c2aafcee6f8cdbbfc169bd6ee23db175c88dba953638a70a0966852f8cd138c1391b4d58b33280c354114f53b2801163dd892c83a9cf7b03a455ca5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2247082.exe

Filesize
217KB

MD5
24cb28663f779c58d5645ca60e5c59b2

SHA1
73135b005422f7cf7123eb82aaa137a713e3533a

SHA256
682736cee55f9bdff36776de849e3b75ff402a3ea85f0ffe45c87bd8b309846d

SHA512
a9da1a40a4c589bea20b30aa7a23e97513cde5c8a428039c94c4b10aca702417b9b93ae904e2584a1450c7759dca8f7a2ce80dbb17d860f7a9bc62fa48460cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z2247082.exe

Filesize
217KB

MD5
24cb28663f779c58d5645ca60e5c59b2

SHA1
73135b005422f7cf7123eb82aaa137a713e3533a

SHA256
682736cee55f9bdff36776de849e3b75ff402a3ea85f0ffe45c87bd8b309846d

SHA512
a9da1a40a4c589bea20b30aa7a23e97513cde5c8a428039c94c4b10aca702417b9b93ae904e2584a1450c7759dca8f7a2ce80dbb17d860f7a9bc62fa48460cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1974472.exe

Filesize
17KB

MD5
d1d38e32cd491354ad975a49a23091ee

SHA1
ef2f6deeb2af5ec72708a6a9037ba49d33023a7d

SHA256
115be5b2bbf62f4077a701e69c0c4db68a6060381d8b312b10c3427e4a66ca62

SHA512
b1e72e2fe2c9846daf1748739526b01d7608c86d042e0859b6ac4b758341ca6c41616a52a56e5f2c9f083e48e1d8e725a77e826300a5dbbb80a270750ba19521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1974472.exe

Filesize
17KB

MD5
d1d38e32cd491354ad975a49a23091ee

SHA1
ef2f6deeb2af5ec72708a6a9037ba49d33023a7d

SHA256
115be5b2bbf62f4077a701e69c0c4db68a6060381d8b312b10c3427e4a66ca62

SHA512
b1e72e2fe2c9846daf1748739526b01d7608c86d042e0859b6ac4b758341ca6c41616a52a56e5f2c9f083e48e1d8e725a77e826300a5dbbb80a270750ba19521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5243837.exe

Filesize
140KB

MD5
90bb78a4f9ff55fb1b1f5454020e2368

SHA1
af551ea747cb3bd9c7efba60835d1f905adae616

SHA256
1a6a62015a8bc4c475b6022721f37cd7351ae4cdec530085f87f3ff184a0e444

SHA512
cc119b0ccc675aeb3b497b6ee91f81d8a638cb2d0f680ccace1b1f993cb510ad4f8cdcdfcf478dd6bd9426a416e15ce97f2837344cc0671cab58d9b1ffcaf5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5243837.exe

Filesize
140KB

MD5
90bb78a4f9ff55fb1b1f5454020e2368

SHA1
af551ea747cb3bd9c7efba60835d1f905adae616

SHA256
1a6a62015a8bc4c475b6022721f37cd7351ae4cdec530085f87f3ff184a0e444

SHA512
cc119b0ccc675aeb3b497b6ee91f81d8a638cb2d0f680ccace1b1f993cb510ad4f8cdcdfcf478dd6bd9426a416e15ce97f2837344cc0671cab58d9b1ffcaf5d5

Download Submit
memory/1720-46-0x0000000072BE0000-0x00000000732CE000-memory.dmp

Filesize
6.9MB

Download
memory/1720-45-0x0000000000120000-0x0000000000150000-memory.dmp

Filesize
192KB

Download
memory/1720-47-0x0000000000940000-0x0000000000946000-memory.dmp

Filesize
24KB

Download
memory/1720-48-0x000000000A440000-0x000000000AA46000-memory.dmp

Filesize
6.0MB

Download
memory/1720-49-0x0000000009F40000-0x000000000A04A000-memory.dmp

Filesize
1.0MB

Download
memory/1720-50-0x0000000009E60000-0x0000000009E72000-memory.dmp

Filesize
72KB

Download
memory/1720-51-0x0000000009EC0000-0x0000000009EFE000-memory.dmp

Filesize
248KB

Download
memory/1720-52-0x000000000A050000-0x000000000A09B000-memory.dmp

Filesize
300KB

Download
memory/1720-53-0x0000000072BE0000-0x00000000732CE000-memory.dmp

Filesize
6.9MB

Download
memory/4720-38-0x00007FFE788F0000-0x00007FFE792DC000-memory.dmp

Filesize
9.9MB

Download
memory/4720-36-0x00007FFE788F0000-0x00007FFE792DC000-memory.dmp

Filesize
9.9MB

Download
memory/4720-35-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download