healer | 078b32e74b59d25e2c1029465c443e348f5ccce96ad38aefe084602e159bb269

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30/08/2023, 23:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

078b32e74b59d25e2c1029465c443e348f5ccce96ad38aefe084602e159bb269.exe
Size

829KB
MD5

9b4276a21214fc7cc06d4898e3fdd294
SHA1

ae56bb1e8b80061cece9435f9cd7fc192b1d7a2a
SHA256

078b32e74b59d25e2c1029465c443e348f5ccce96ad38aefe084602e159bb269
SHA512

7fac4108c61da9a59a2dfa615ddb4c35e41861e006b7a880801ea5ba310863dd163a25a087851dfe86d4e8203879dbcaabdcaf93220fe5cab788ddcb60c18d08
SSDEEP

12288:rMr/y90DxI7d8cA+viwMtP2GmEegMte+aGxAUxJtX49ggptIwBs8/JzTev5Bp27S:QyrRAdIGmZgMte+aGxAUu9gwKWz8Wfa

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b021-32.dat	healer
behavioral1/files/0x000700000001b021-34.dat	healer
behavioral1/memory/3268-35-0x0000000000300000-0x000000000030A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a0305907.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a0305907.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a0305907.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a0305907.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a0305907.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2128	v7674824.exe
4460	v1995668.exe
3924	v0000798.exe
2252	v9910508.exe
3268	a0305907.exe
1968	b3279509.exe
1748	c4624685.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a0305907.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	078b32e74b59d25e2c1029465c443e348f5ccce96ad38aefe084602e159bb269.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7674824.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1995668.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0000798.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9910508.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3268	a0305907.exe
3268	a0305907.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3268	a0305907.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2128	4848	078b32e74b59d25e2c1029465c443e348f5ccce96ad38aefe084602e159bb269.exe	70
PID 4848 wrote to memory of 2128	4848	078b32e74b59d25e2c1029465c443e348f5ccce96ad38aefe084602e159bb269.exe	70
PID 4848 wrote to memory of 2128	4848	078b32e74b59d25e2c1029465c443e348f5ccce96ad38aefe084602e159bb269.exe	70
PID 2128 wrote to memory of 4460	2128	v7674824.exe	71
PID 2128 wrote to memory of 4460	2128	v7674824.exe	71
PID 2128 wrote to memory of 4460	2128	v7674824.exe	71
PID 4460 wrote to memory of 3924	4460	v1995668.exe	72
PID 4460 wrote to memory of 3924	4460	v1995668.exe	72
PID 4460 wrote to memory of 3924	4460	v1995668.exe	72
PID 3924 wrote to memory of 2252	3924	v0000798.exe	73
PID 3924 wrote to memory of 2252	3924	v0000798.exe	73
PID 3924 wrote to memory of 2252	3924	v0000798.exe	73
PID 2252 wrote to memory of 3268	2252	v9910508.exe	74
PID 2252 wrote to memory of 3268	2252	v9910508.exe	74
PID 2252 wrote to memory of 1968	2252	v9910508.exe	75
PID 2252 wrote to memory of 1968	2252	v9910508.exe	75
PID 2252 wrote to memory of 1968	2252	v9910508.exe	75
PID 3924 wrote to memory of 1748	3924	v0000798.exe	76
PID 3924 wrote to memory of 1748	3924	v0000798.exe	76
PID 3924 wrote to memory of 1748	3924	v0000798.exe	76

C:\Users\Admin\AppData\Local\Temp\078b32e74b59d25e2c1029465c443e348f5ccce96ad38aefe084602e159bb269.exe
"C:\Users\Admin\AppData\Local\Temp\078b32e74b59d25e2c1029465c443e348f5ccce96ad38aefe084602e159bb269.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7674824.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7674824.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1995668.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1995668.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0000798.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0000798.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3924
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9910508.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9910508.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0305907.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0305907.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3279509.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3279509.exe
        6⤵
        Executes dropped EXE
        
        PID:1968
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4624685.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4624685.exe
        5⤵
        Executes dropped EXE
        
        PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7674824.exe

Filesize
723KB

MD5
a7a6b51b2ea0e08d5906112d41c0a37e

SHA1
c51a7ee814d6a6df9503b71b05689b2395c99100

SHA256
2f0a13a09677b565567043f223bbad0e791c9f3d9b594a5755efc6ddf9404ff9

SHA512
aa6379b28dd6c7a1546be72c3fa0b0534c797ad0e0a5d942d63797d73347895b4b293ef750ee79122e03ff957a868951393c8d3cdf340af94b9654a7e1ab7d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7674824.exe

Filesize
723KB

MD5
a7a6b51b2ea0e08d5906112d41c0a37e

SHA1
c51a7ee814d6a6df9503b71b05689b2395c99100

SHA256
2f0a13a09677b565567043f223bbad0e791c9f3d9b594a5755efc6ddf9404ff9

SHA512
aa6379b28dd6c7a1546be72c3fa0b0534c797ad0e0a5d942d63797d73347895b4b293ef750ee79122e03ff957a868951393c8d3cdf340af94b9654a7e1ab7d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1995668.exe

Filesize
497KB

MD5
64211de802ea3164ebbd54d77c2fc750

SHA1
6a7fbb36e224a102f39f59117ca21856f0c403ae

SHA256
c7e6cc48075846d92bfea5fead31de8dfa3d7953f61401ba947853055dd6499b

SHA512
146f634d011f8e3fdde99925d5dee1f3dba73a617e5671b2cece15d4257ce3583c3888aa4464ee8e97315653b7f586e31c47713e86805bb5d6bab65b12de5e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1995668.exe

Filesize
497KB

MD5
64211de802ea3164ebbd54d77c2fc750

SHA1
6a7fbb36e224a102f39f59117ca21856f0c403ae

SHA256
c7e6cc48075846d92bfea5fead31de8dfa3d7953f61401ba947853055dd6499b

SHA512
146f634d011f8e3fdde99925d5dee1f3dba73a617e5671b2cece15d4257ce3583c3888aa4464ee8e97315653b7f586e31c47713e86805bb5d6bab65b12de5e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0000798.exe

Filesize
373KB

MD5
f0e54b07635e8a8257a60469018aac5c

SHA1
849b609f4bf6990aedcb42fae40b7a0354476038

SHA256
9c38369019ac6d01f4c9f29370d36eb15a2a513085393f7e8d39622bc25e6a44

SHA512
6e802da08af501a68141abd17eb81a470b00930744bf217ecc0e60338235cbb96c2dd063d6da80a4d4d16e68294223d78fe46acdeb19d64155cf0c796680c5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0000798.exe

Filesize
373KB

MD5
f0e54b07635e8a8257a60469018aac5c

SHA1
849b609f4bf6990aedcb42fae40b7a0354476038

SHA256
9c38369019ac6d01f4c9f29370d36eb15a2a513085393f7e8d39622bc25e6a44

SHA512
6e802da08af501a68141abd17eb81a470b00930744bf217ecc0e60338235cbb96c2dd063d6da80a4d4d16e68294223d78fe46acdeb19d64155cf0c796680c5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4624685.exe

Filesize
175KB

MD5
9cf18f630bc013ea2c288b9fb4fcd6a4

SHA1
24078eedb9d1774218ee64ebdec9796880ac0125

SHA256
fffc9e75011272cea72619427a1ed111a08b7ce2d3c9c406fd55861dcd4559c9

SHA512
330bd6d654c6abcfc13f9b6b257a8aa70249ca8e68d088c63cf924fc0972091bc5fcce84310a3b9184f219d007995e4cbd417eed4785e3e355802b2083825231

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c4624685.exe

Filesize
175KB

MD5
9cf18f630bc013ea2c288b9fb4fcd6a4

SHA1
24078eedb9d1774218ee64ebdec9796880ac0125

SHA256
fffc9e75011272cea72619427a1ed111a08b7ce2d3c9c406fd55861dcd4559c9

SHA512
330bd6d654c6abcfc13f9b6b257a8aa70249ca8e68d088c63cf924fc0972091bc5fcce84310a3b9184f219d007995e4cbd417eed4785e3e355802b2083825231

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9910508.exe

Filesize
217KB

MD5
c7ff77aa749b384b89fbeb264398c75e

SHA1
8ebcd3d022cabd1d8bc65b4a45e35f0fd8a12a17

SHA256
4a88083625c48230b6ffab2ef5c8aba36c3d20b8993a62459d4b68fd08565b5f

SHA512
5481f1cc2acff51e033020537878b440f40c03db2c9730a058928b4159a4af86967c2a72eaa8dadaa127c087ae9d8cbd0c35130e118d660bd1623665f1007bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9910508.exe

Filesize
217KB

MD5
c7ff77aa749b384b89fbeb264398c75e

SHA1
8ebcd3d022cabd1d8bc65b4a45e35f0fd8a12a17

SHA256
4a88083625c48230b6ffab2ef5c8aba36c3d20b8993a62459d4b68fd08565b5f

SHA512
5481f1cc2acff51e033020537878b440f40c03db2c9730a058928b4159a4af86967c2a72eaa8dadaa127c087ae9d8cbd0c35130e118d660bd1623665f1007bf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0305907.exe

Filesize
18KB

MD5
f7612e9010fbb8f1b03d019a2db75a6b

SHA1
a9492b563fda17fb6d83347b169a83f47a3f6395

SHA256
720f54c95d95e491ba2a9cdbe637419870cb955856ec3db555423f6d22dd2380

SHA512
67bf2d7485c0404ef865e14b57bcc3a403192cfb7d2bbdae5f91d83667d9227e037136a8cc1e4a2c59b9933c278196a98bd9f00d3efcbea76c9694afbc35d73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a0305907.exe

Filesize
18KB

MD5
f7612e9010fbb8f1b03d019a2db75a6b

SHA1
a9492b563fda17fb6d83347b169a83f47a3f6395

SHA256
720f54c95d95e491ba2a9cdbe637419870cb955856ec3db555423f6d22dd2380

SHA512
67bf2d7485c0404ef865e14b57bcc3a403192cfb7d2bbdae5f91d83667d9227e037136a8cc1e4a2c59b9933c278196a98bd9f00d3efcbea76c9694afbc35d73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3279509.exe

Filesize
140KB

MD5
e2e61b8d433ad4a9f4f0bac71dfed955

SHA1
9a9d699e395f39bc3dab218535ed09ea2fdf76d1

SHA256
eaad94231b080c32817040ddda5d02a71d6edf7143a224a2e7b8fec21ec19bbc

SHA512
46fd2dad5c4b7f134094892f2616cfa9e4ee5ad44f56780c9f008a91a88f57f25d190125bb07a61b1fe736a23ed919bed0333328f243cf813a1d5947672b1098

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3279509.exe

Filesize
140KB

MD5
e2e61b8d433ad4a9f4f0bac71dfed955

SHA1
9a9d699e395f39bc3dab218535ed09ea2fdf76d1

SHA256
eaad94231b080c32817040ddda5d02a71d6edf7143a224a2e7b8fec21ec19bbc

SHA512
46fd2dad5c4b7f134094892f2616cfa9e4ee5ad44f56780c9f008a91a88f57f25d190125bb07a61b1fe736a23ed919bed0333328f243cf813a1d5947672b1098

Download Submit
memory/1748-46-0x0000000072D50000-0x000000007343E000-memory.dmp

Filesize
6.9MB

Download
memory/1748-45-0x0000000000950000-0x0000000000980000-memory.dmp

Filesize
192KB

Download
memory/1748-47-0x0000000002C20000-0x0000000002C26000-memory.dmp

Filesize
24KB

Download
memory/1748-48-0x000000000AD30000-0x000000000B336000-memory.dmp

Filesize
6.0MB

Download
memory/1748-49-0x000000000A830000-0x000000000A93A000-memory.dmp

Filesize
1.0MB

Download
memory/1748-50-0x0000000005300000-0x0000000005312000-memory.dmp

Filesize
72KB

Download
memory/1748-51-0x000000000A720000-0x000000000A75E000-memory.dmp

Filesize
248KB

Download
memory/1748-52-0x0000000005330000-0x000000000537B000-memory.dmp

Filesize
300KB

Download
memory/1748-53-0x0000000072D50000-0x000000007343E000-memory.dmp

Filesize
6.9MB

Download
memory/3268-38-0x00007FF91CC90000-0x00007FF91D67C000-memory.dmp

Filesize
9.9MB

Download
memory/3268-36-0x00007FF91CC90000-0x00007FF91D67C000-memory.dmp

Filesize
9.9MB

Download
memory/3268-35-0x0000000000300000-0x000000000030A000-memory.dmp

Filesize
40KB

Download