healer | 7bc3b0a1101b903aca9dd843eeb7d7d3871ea5b537d09ec81c694ea337269c3f

Analysis

max time kernel
154s
max time network
166s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30/08/2023, 05:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bc3b0a1101b903aca9dd843eeb7d7d3871ea5b537d09ec81c694ea337269c3f.exe
Size

821KB
MD5

0d50bbff02b2f8906d0059e7776a17fa
SHA1

73386a78bc49831705d10002397ca03540906e92
SHA256

7bc3b0a1101b903aca9dd843eeb7d7d3871ea5b537d09ec81c694ea337269c3f
SHA512

38340907e37fded06f0dbe47f6022970daf0bc7ea2aaf352086bb3322e2c1cf4aa3ecd63f3224b87a8e68bb6752fee3585239a011f66c206420bc8c9d9ee8f47
SSDEEP

12288:mMrUy90MmsfaVnuDwmUm+KPFud8ovf4zDVal9o0VDky5:2ydjio5Ndud82AnVa80h5

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af36-33.dat	healer
behavioral1/files/0x000700000001af36-34.dat	healer
behavioral1/memory/2900-35-0x0000000000520000-0x000000000052A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2999103.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2999103.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2999103.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2999103.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2999103.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
5028	v8006489.exe
604	v5985372.exe
4172	v6120982.exe
4140	v9505643.exe
2900	a2999103.exe
1456	b3756872.exe
5112	c9983540.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2999103.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7bc3b0a1101b903aca9dd843eeb7d7d3871ea5b537d09ec81c694ea337269c3f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8006489.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5985372.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6120982.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9505643.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2900	a2999103.exe
2900	a2999103.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	a2999103.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 780 wrote to memory of 5028	780	7bc3b0a1101b903aca9dd843eeb7d7d3871ea5b537d09ec81c694ea337269c3f.exe	69
PID 780 wrote to memory of 5028	780	7bc3b0a1101b903aca9dd843eeb7d7d3871ea5b537d09ec81c694ea337269c3f.exe	69
PID 780 wrote to memory of 5028	780	7bc3b0a1101b903aca9dd843eeb7d7d3871ea5b537d09ec81c694ea337269c3f.exe	69
PID 5028 wrote to memory of 604	5028	v8006489.exe	70
PID 5028 wrote to memory of 604	5028	v8006489.exe	70
PID 5028 wrote to memory of 604	5028	v8006489.exe	70
PID 604 wrote to memory of 4172	604	v5985372.exe	71
PID 604 wrote to memory of 4172	604	v5985372.exe	71
PID 604 wrote to memory of 4172	604	v5985372.exe	71
PID 4172 wrote to memory of 4140	4172	v6120982.exe	72
PID 4172 wrote to memory of 4140	4172	v6120982.exe	72
PID 4172 wrote to memory of 4140	4172	v6120982.exe	72
PID 4140 wrote to memory of 2900	4140	v9505643.exe	73
PID 4140 wrote to memory of 2900	4140	v9505643.exe	73
PID 4140 wrote to memory of 1456	4140	v9505643.exe	74
PID 4140 wrote to memory of 1456	4140	v9505643.exe	74
PID 4140 wrote to memory of 1456	4140	v9505643.exe	74
PID 4172 wrote to memory of 5112	4172	v6120982.exe	75
PID 4172 wrote to memory of 5112	4172	v6120982.exe	75
PID 4172 wrote to memory of 5112	4172	v6120982.exe	75

C:\Users\Admin\AppData\Local\Temp\7bc3b0a1101b903aca9dd843eeb7d7d3871ea5b537d09ec81c694ea337269c3f.exe
"C:\Users\Admin\AppData\Local\Temp\7bc3b0a1101b903aca9dd843eeb7d7d3871ea5b537d09ec81c694ea337269c3f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:780
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8006489.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8006489.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5985372.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5985372.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:604
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6120982.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6120982.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4172
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9505643.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9505643.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4140
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2999103.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2999103.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3756872.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3756872.exe
        6⤵
        Executes dropped EXE
        
        PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9983540.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9983540.exe
        5⤵
        Executes dropped EXE
        
        PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8006489.exe

Filesize
723KB

MD5
a159563d5e48242938162642a7930c41

SHA1
11f0c18458d0ba9b13a885af496cd830f25fb767

SHA256
8161088e0880ba79a22fed5167963318d9b503431c0a3c552900f3e040c15636

SHA512
325a0742b3710280727f5f26c3e0b9caf0ac958531e763e057386d4f859c2240b665e4bc6019b2aea377c841d42b7ed718d5016a9b66fb3a977f1f638118c563

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8006489.exe

Filesize
723KB

MD5
a159563d5e48242938162642a7930c41

SHA1
11f0c18458d0ba9b13a885af496cd830f25fb767

SHA256
8161088e0880ba79a22fed5167963318d9b503431c0a3c552900f3e040c15636

SHA512
325a0742b3710280727f5f26c3e0b9caf0ac958531e763e057386d4f859c2240b665e4bc6019b2aea377c841d42b7ed718d5016a9b66fb3a977f1f638118c563

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5985372.exe

Filesize
497KB

MD5
5e0c5495f03101786668d8e6bd31cd62

SHA1
c9422f89fd4adaf95a0fe4844d3572e11157cf55

SHA256
65f96a5a326dfa2a2b82b1933e1982b87603207db0dc25a8c27312ad7b1f90d7

SHA512
a0c099b40f46bd3e17e02003e638d905641add229f45c17ecd03be76fde5cb6b6fef9429e5a703e86f494ca61d52f3b21ebe2f34ff925652042f206dd52ce922

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5985372.exe

Filesize
497KB

MD5
5e0c5495f03101786668d8e6bd31cd62

SHA1
c9422f89fd4adaf95a0fe4844d3572e11157cf55

SHA256
65f96a5a326dfa2a2b82b1933e1982b87603207db0dc25a8c27312ad7b1f90d7

SHA512
a0c099b40f46bd3e17e02003e638d905641add229f45c17ecd03be76fde5cb6b6fef9429e5a703e86f494ca61d52f3b21ebe2f34ff925652042f206dd52ce922

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6120982.exe

Filesize
372KB

MD5
efef2cde57bf0fd2df3fb213526a89d9

SHA1
8d37bd557208af5c24284203aac7ba3a5d12cb6d

SHA256
1a15f975668e261bc3b0d03ad976ef2c6c3c9ad6446f7889c0c95dc848089b1e

SHA512
370b82690e070da98106b5add4760debbab66a4b951c3d21f6b2b3de79e91c64fa828b4ca13a3d4e71fbecda78be8c05376cf8d9ac847396b095c3fca8d907a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6120982.exe

Filesize
372KB

MD5
efef2cde57bf0fd2df3fb213526a89d9

SHA1
8d37bd557208af5c24284203aac7ba3a5d12cb6d

SHA256
1a15f975668e261bc3b0d03ad976ef2c6c3c9ad6446f7889c0c95dc848089b1e

SHA512
370b82690e070da98106b5add4760debbab66a4b951c3d21f6b2b3de79e91c64fa828b4ca13a3d4e71fbecda78be8c05376cf8d9ac847396b095c3fca8d907a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9983540.exe

Filesize
174KB

MD5
30687ca104a3eb3e608bd4a10c423249

SHA1
9a2031a46e42e78f8ce2564dd5e871ae73cc8593

SHA256
1ca188506c68a4e6112c41911080edfcb221d4a162cb8e943c81ea20da7ad485

SHA512
93390d86021862de059ee4b650cbc9c38d3e7f4029b85d6ac965d0a2f1f7edd50d8ade2ba18baa5e7c612dcd6e72af16aa726031d1d07a1c6a60d510a1472e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9983540.exe

Filesize
174KB

MD5
30687ca104a3eb3e608bd4a10c423249

SHA1
9a2031a46e42e78f8ce2564dd5e871ae73cc8593

SHA256
1ca188506c68a4e6112c41911080edfcb221d4a162cb8e943c81ea20da7ad485

SHA512
93390d86021862de059ee4b650cbc9c38d3e7f4029b85d6ac965d0a2f1f7edd50d8ade2ba18baa5e7c612dcd6e72af16aa726031d1d07a1c6a60d510a1472e59

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9505643.exe

Filesize
217KB

MD5
5b2481f6ca1324b427c79e7905ef02df

SHA1
1dd834c6293905d27c37627b17c9c8d87848d90a

SHA256
2d1fffbfd74f61cc3943b02e805236f6856d637ad25d84f8ec456d3fd0dce8d3

SHA512
5598d90186e0b113c23f41411bc9cac814ffaa99b42de1fba77c8c6c9cbd4273b5f67b3dd710be9a62e0047f4114641f8d527d8aa61e6c0503f4d1fb27e1b7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9505643.exe

Filesize
217KB

MD5
5b2481f6ca1324b427c79e7905ef02df

SHA1
1dd834c6293905d27c37627b17c9c8d87848d90a

SHA256
2d1fffbfd74f61cc3943b02e805236f6856d637ad25d84f8ec456d3fd0dce8d3

SHA512
5598d90186e0b113c23f41411bc9cac814ffaa99b42de1fba77c8c6c9cbd4273b5f67b3dd710be9a62e0047f4114641f8d527d8aa61e6c0503f4d1fb27e1b7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2999103.exe

Filesize
17KB

MD5
8ece2db123286df5f7554901b8382436

SHA1
a682ca476723e0206cb1fb273fea566e9d5a1c01

SHA256
ea7eb7f082d5c6a50cd86ed79d6763b599f583dc8a5510c487fc5bd238514432

SHA512
d4eab5296f8a447bd5c07a6bb9d124cd44883755e6f56a8ea9f7f9b6418db75e2493171ff456a93bcc00af0fc79e9c4ba40444fd12991600daec3a3e004d4234

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2999103.exe

Filesize
17KB

MD5
8ece2db123286df5f7554901b8382436

SHA1
a682ca476723e0206cb1fb273fea566e9d5a1c01

SHA256
ea7eb7f082d5c6a50cd86ed79d6763b599f583dc8a5510c487fc5bd238514432

SHA512
d4eab5296f8a447bd5c07a6bb9d124cd44883755e6f56a8ea9f7f9b6418db75e2493171ff456a93bcc00af0fc79e9c4ba40444fd12991600daec3a3e004d4234

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3756872.exe

Filesize
141KB

MD5
7e1fbeb4f7d8aa4f77d1d37ee1b8438a

SHA1
ee1662c141494136506f7ad06cf2eaadca5939fa

SHA256
cdeae39126232b67ed0588383fbf685c86ad528bc924cdbd58dda2d4f8e100e4

SHA512
d34d0ed00d3110e6fbdbaf14e059c77d35b41b1173184d0f89f69642fb59a2b85c4e8bde2b663f85e6a69f2b62962aaef05ec99e2848774eb71d6f4cc477f0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3756872.exe

Filesize
141KB

MD5
7e1fbeb4f7d8aa4f77d1d37ee1b8438a

SHA1
ee1662c141494136506f7ad06cf2eaadca5939fa

SHA256
cdeae39126232b67ed0588383fbf685c86ad528bc924cdbd58dda2d4f8e100e4

SHA512
d34d0ed00d3110e6fbdbaf14e059c77d35b41b1173184d0f89f69642fb59a2b85c4e8bde2b663f85e6a69f2b62962aaef05ec99e2848774eb71d6f4cc477f0ad

Download Submit
memory/2900-38-0x00007FFC09880000-0x00007FFC0A26C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-36-0x00007FFC09880000-0x00007FFC0A26C000-memory.dmp

Filesize
9.9MB

Download
memory/2900-35-0x0000000000520000-0x000000000052A000-memory.dmp

Filesize
40KB

Download
memory/5112-45-0x00000000005A0000-0x00000000005D0000-memory.dmp

Filesize
192KB

Download
memory/5112-46-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download
memory/5112-47-0x00000000027D0000-0x00000000027D6000-memory.dmp

Filesize
24KB

Download
memory/5112-48-0x000000000A9A0000-0x000000000AFA6000-memory.dmp

Filesize
6.0MB

Download
memory/5112-49-0x000000000A4F0000-0x000000000A5FA000-memory.dmp

Filesize
1.0MB

Download
memory/5112-50-0x000000000A420000-0x000000000A432000-memory.dmp

Filesize
72KB

Download
memory/5112-51-0x000000000A480000-0x000000000A4BE000-memory.dmp

Filesize
248KB

Download
memory/5112-52-0x000000000A600000-0x000000000A64B000-memory.dmp

Filesize
300KB

Download
memory/5112-53-0x00000000737A0000-0x0000000073E8E000-memory.dmp

Filesize
6.9MB

Download