healer | 4cd01e7a04ce687e00d0a159f4fdac6d02f157ed5fa9abddc7644857a9a23111

Analysis

max time kernel
146s
max time network
155s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30/08/2023, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cd01e7a04ce687e00d0a159f4fdac6d02f157ed5fa9abddc7644857a9a23111.exe
Size

930KB
MD5

740b3e9e5599ca99725efb2a5c68467d
SHA1

abc35e650162c1c36c7461a803072ddd722eefc7
SHA256

4cd01e7a04ce687e00d0a159f4fdac6d02f157ed5fa9abddc7644857a9a23111
SHA512

fd30f2efd6287af823f299d1caf7fd6b508c96b80de5214ef71b51c5f4a0d09b0c928fb8a1a06081d2bc00bcb71ae8cdf0a332e89b30cc0f90a6b4fec985dc67
SSDEEP

24576:5yhcrQfqqzL0ONcq2IbBUPKz1tXxxbdjjQ:so+qqzQO51x

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afd5-33.dat	healer
behavioral1/files/0x000700000001afd5-34.dat	healer
behavioral1/memory/2500-35-0x0000000000920000-0x000000000092A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q0101662.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q0101662.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q0101662.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q0101662.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q0101662.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3676	z5704908.exe
4164	z8262924.exe
3112	z7051640.exe
5040	z0744694.exe
2500	q0101662.exe
2452	r2230640.exe
2400	s3939942.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q0101662.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4cd01e7a04ce687e00d0a159f4fdac6d02f157ed5fa9abddc7644857a9a23111.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z5704908.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z8262924.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z7051640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z0744694.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2500	q0101662.exe
2500	q0101662.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	q0101662.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 3676	4956	4cd01e7a04ce687e00d0a159f4fdac6d02f157ed5fa9abddc7644857a9a23111.exe	70
PID 4956 wrote to memory of 3676	4956	4cd01e7a04ce687e00d0a159f4fdac6d02f157ed5fa9abddc7644857a9a23111.exe	70
PID 4956 wrote to memory of 3676	4956	4cd01e7a04ce687e00d0a159f4fdac6d02f157ed5fa9abddc7644857a9a23111.exe	70
PID 3676 wrote to memory of 4164	3676	z5704908.exe	71
PID 3676 wrote to memory of 4164	3676	z5704908.exe	71
PID 3676 wrote to memory of 4164	3676	z5704908.exe	71
PID 4164 wrote to memory of 3112	4164	z8262924.exe	72
PID 4164 wrote to memory of 3112	4164	z8262924.exe	72
PID 4164 wrote to memory of 3112	4164	z8262924.exe	72
PID 3112 wrote to memory of 5040	3112	z7051640.exe	73
PID 3112 wrote to memory of 5040	3112	z7051640.exe	73
PID 3112 wrote to memory of 5040	3112	z7051640.exe	73
PID 5040 wrote to memory of 2500	5040	z0744694.exe	74
PID 5040 wrote to memory of 2500	5040	z0744694.exe	74
PID 5040 wrote to memory of 2452	5040	z0744694.exe	75
PID 5040 wrote to memory of 2452	5040	z0744694.exe	75
PID 5040 wrote to memory of 2452	5040	z0744694.exe	75
PID 3112 wrote to memory of 2400	3112	z7051640.exe	76
PID 3112 wrote to memory of 2400	3112	z7051640.exe	76
PID 3112 wrote to memory of 2400	3112	z7051640.exe	76

C:\Users\Admin\AppData\Local\Temp\4cd01e7a04ce687e00d0a159f4fdac6d02f157ed5fa9abddc7644857a9a23111.exe
"C:\Users\Admin\AppData\Local\Temp\4cd01e7a04ce687e00d0a159f4fdac6d02f157ed5fa9abddc7644857a9a23111.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5704908.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5704908.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8262924.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8262924.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7051640.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7051640.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3112
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0744694.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0744694.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5040
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0101662.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0101662.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2230640.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2230640.exe
        6⤵
        Executes dropped EXE
        
        PID:2452
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3939942.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3939942.exe
        5⤵
        Executes dropped EXE
        
        PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5704908.exe

Filesize
824KB

MD5
b42c46d4c9161eb3114dd5178c819be6

SHA1
612c4c05651ce2fecc8acd22c3e8fd4a4844d7a2

SHA256
701393374557eb244529e018dbeca12662988ba690bc417587b9d8c16f5eec80

SHA512
a6147b4c6e06dc9ad95589483c4681223e857e84cf212440311be25371b9e145cf6af10e0ce902c4ed3380b731af59e44a9cc5162c121ab6175fdab15322485d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5704908.exe

Filesize
824KB

MD5
b42c46d4c9161eb3114dd5178c819be6

SHA1
612c4c05651ce2fecc8acd22c3e8fd4a4844d7a2

SHA256
701393374557eb244529e018dbeca12662988ba690bc417587b9d8c16f5eec80

SHA512
a6147b4c6e06dc9ad95589483c4681223e857e84cf212440311be25371b9e145cf6af10e0ce902c4ed3380b731af59e44a9cc5162c121ab6175fdab15322485d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8262924.exe

Filesize
598KB

MD5
f378d6f2f6d546c9938bd7ea60cd06f0

SHA1
f6986bc226137bea5020700d15da8f8984db08b0

SHA256
78348bb0232164f7bea68ec5a2a5005c483185fbc8d482fc931cb1b7f13b4a68

SHA512
aa23ad3772b7941eb22d2af4e192a6298f3dcbe27fc7a28d50c4d305da93042f6736045435ed55f3d215cb5f705f322a070f7ade26b69d7fe4a35957ce7e7583

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8262924.exe

Filesize
598KB

MD5
f378d6f2f6d546c9938bd7ea60cd06f0

SHA1
f6986bc226137bea5020700d15da8f8984db08b0

SHA256
78348bb0232164f7bea68ec5a2a5005c483185fbc8d482fc931cb1b7f13b4a68

SHA512
aa23ad3772b7941eb22d2af4e192a6298f3dcbe27fc7a28d50c4d305da93042f6736045435ed55f3d215cb5f705f322a070f7ade26b69d7fe4a35957ce7e7583

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7051640.exe

Filesize
373KB

MD5
7603e839514d865e1f0efb3ef5cc36af

SHA1
6a5cc6a9a54e24dac7c1ef7d65c8d5c6096b6adc

SHA256
e5c37963e78f65cd0a0f476efe03d8e62434918a7eae4981a13b87dfbe2660b0

SHA512
c5a40a9c613c6ad72e65d72c3dc96e8e627168610c5dab05798f9227df48a0d46dacce7e32ed37a4252b3f5d1e58e031568f781bbb9561c1e37e3726adc75cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z7051640.exe

Filesize
373KB

MD5
7603e839514d865e1f0efb3ef5cc36af

SHA1
6a5cc6a9a54e24dac7c1ef7d65c8d5c6096b6adc

SHA256
e5c37963e78f65cd0a0f476efe03d8e62434918a7eae4981a13b87dfbe2660b0

SHA512
c5a40a9c613c6ad72e65d72c3dc96e8e627168610c5dab05798f9227df48a0d46dacce7e32ed37a4252b3f5d1e58e031568f781bbb9561c1e37e3726adc75cb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3939942.exe

Filesize
174KB

MD5
83ffca514baaf7a9f30f0023f21cda8e

SHA1
3ccb4043b5a6cb495630eba2939d1376796a2b49

SHA256
d29598a8c5b758a5ca9901969d4891c6925a941f05ff7a9863c1ec18e9554a8f

SHA512
490d7188d76ccbae1414495edd72af8915a0b0be49fbd0ae77a9d2c54d295c81e107cee50777af19d754060df48e494bccaad39f2913c0b89d3f9be3beed1d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3939942.exe

Filesize
174KB

MD5
83ffca514baaf7a9f30f0023f21cda8e

SHA1
3ccb4043b5a6cb495630eba2939d1376796a2b49

SHA256
d29598a8c5b758a5ca9901969d4891c6925a941f05ff7a9863c1ec18e9554a8f

SHA512
490d7188d76ccbae1414495edd72af8915a0b0be49fbd0ae77a9d2c54d295c81e107cee50777af19d754060df48e494bccaad39f2913c0b89d3f9be3beed1d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0744694.exe

Filesize
217KB

MD5
8142d2ff54f361f13fabe2e2831a8719

SHA1
e0532ae6c4a0f8f2a4a361aa12eae4f798c650b0

SHA256
f744658abc198991fe8da341b03e5aeb740218bed366cc0793b6530da2bbed85

SHA512
49184a8addc4e09eec70431215909d414771405136a5114d00eca3ceb89fbab988435d029addc50287c9b8f5077cd8bfafefb673aae184d0c684a78d94101b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0744694.exe

Filesize
217KB

MD5
8142d2ff54f361f13fabe2e2831a8719

SHA1
e0532ae6c4a0f8f2a4a361aa12eae4f798c650b0

SHA256
f744658abc198991fe8da341b03e5aeb740218bed366cc0793b6530da2bbed85

SHA512
49184a8addc4e09eec70431215909d414771405136a5114d00eca3ceb89fbab988435d029addc50287c9b8f5077cd8bfafefb673aae184d0c684a78d94101b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0101662.exe

Filesize
17KB

MD5
ca69f8de6729abbc685c1622918dbb8a

SHA1
a856f8d83346d108456e85ec64fec9cf4bfc7f57

SHA256
fd1c03f4c02b3677663cca2ae6c8d898ad2e852cd8a3d286ea3a36d0451cd7ca

SHA512
b37b84d95c22768b100104c099ec4d9b96de6e62725982c26852007937bf5a8b866f17569c7e48f09e56fb37c064afbbc265b23ad88846d2adb7bbdd27ba4df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0101662.exe

Filesize
17KB

MD5
ca69f8de6729abbc685c1622918dbb8a

SHA1
a856f8d83346d108456e85ec64fec9cf4bfc7f57

SHA256
fd1c03f4c02b3677663cca2ae6c8d898ad2e852cd8a3d286ea3a36d0451cd7ca

SHA512
b37b84d95c22768b100104c099ec4d9b96de6e62725982c26852007937bf5a8b866f17569c7e48f09e56fb37c064afbbc265b23ad88846d2adb7bbdd27ba4df8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2230640.exe

Filesize
141KB

MD5
e34971c0f0939e33c93f45439b54feb5

SHA1
8b33f6263d94c83310a412997d0c481c45f8f333

SHA256
eded4ed8863c39c42596fb042d38731aab145fefe423263f0bab8ad0d2d07e5f

SHA512
bed3729d8913d98814ade8050073d90d59b38163d34dda3e814683821b0a2c7ea2cfd0e6d2d7e34cf02cb856cad2ed970f65ad5c7c2bcd2438316199fe0f455c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2230640.exe

Filesize
141KB

MD5
e34971c0f0939e33c93f45439b54feb5

SHA1
8b33f6263d94c83310a412997d0c481c45f8f333

SHA256
eded4ed8863c39c42596fb042d38731aab145fefe423263f0bab8ad0d2d07e5f

SHA512
bed3729d8913d98814ade8050073d90d59b38163d34dda3e814683821b0a2c7ea2cfd0e6d2d7e34cf02cb856cad2ed970f65ad5c7c2bcd2438316199fe0f455c

Download Submit
memory/2400-46-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2400-45-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/2400-47-0x0000000002340000-0x0000000002346000-memory.dmp

Filesize
24KB

Download
memory/2400-48-0x000000000A590000-0x000000000AB96000-memory.dmp

Filesize
6.0MB

Download
memory/2400-49-0x000000000A110000-0x000000000A21A000-memory.dmp

Filesize
1.0MB

Download
memory/2400-50-0x000000000A040000-0x000000000A052000-memory.dmp

Filesize
72KB

Download
memory/2400-51-0x000000000A0A0000-0x000000000A0DE000-memory.dmp

Filesize
248KB

Download
memory/2400-52-0x000000000A220000-0x000000000A26B000-memory.dmp

Filesize
300KB

Download
memory/2400-53-0x00000000730C0000-0x00000000737AE000-memory.dmp

Filesize
6.9MB

Download
memory/2500-38-0x00007FFCB18E0000-0x00007FFCB22CC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-36-0x00007FFCB18E0000-0x00007FFCB22CC000-memory.dmp

Filesize
9.9MB

Download
memory/2500-35-0x0000000000920000-0x000000000092A000-memory.dmp

Filesize
40KB

Download