healer | 02f471ebd0b4aa842cbf4f645f03f73e0a7a14109851b3064791deeeaf99b0e9

Analysis

max time kernel
147s
max time network
156s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30/08/2023, 12:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

02f471ebd0b4aa842cbf4f645f03f73e0a7a14109851b3064791deeeaf99b0e9.exe
Size

930KB
MD5

cc6416c8bf573208099ad7d52c1a1a05
SHA1

c4a9836d6d4727487536006bf1fee3b02172c6eb
SHA256

02f471ebd0b4aa842cbf4f645f03f73e0a7a14109851b3064791deeeaf99b0e9
SHA512

afbae5de1dd56ab458b3f2245ea70c03d7de88ad3c59c1adc64e90d6ef7ddb8ae666f147c1ed4a407e70209f9dea7d31e04d21912e5ac5cb16e418a18ff396cc
SSDEEP

12288:yMr0y900EcOQLXtAuztgDPJSx7uhd6WGIeyF1/iq6UpMxQwxuB0sdDGRi+tr9F13:SyNuQiuxg9I7Ir5biypyQjui+DUBY

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afd3-34.dat	healer
behavioral1/files/0x000700000001afd3-33.dat	healer
behavioral1/memory/4164-35-0x00000000001B0000-0x00000000001BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q5393754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q5393754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q5393754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q5393754.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q5393754.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
5048	z6772651.exe
4244	z1750270.exe
3068	z5284060.exe
4060	z9521807.exe
4164	q5393754.exe
3860	r7265394.exe
3612	s7173788.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q5393754.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5284060.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9521807.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	02f471ebd0b4aa842cbf4f645f03f73e0a7a14109851b3064791deeeaf99b0e9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6772651.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1750270.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4164	q5393754.exe
4164	q5393754.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4164	q5393754.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 5048	5064	02f471ebd0b4aa842cbf4f645f03f73e0a7a14109851b3064791deeeaf99b0e9.exe	69
PID 5064 wrote to memory of 5048	5064	02f471ebd0b4aa842cbf4f645f03f73e0a7a14109851b3064791deeeaf99b0e9.exe	69
PID 5064 wrote to memory of 5048	5064	02f471ebd0b4aa842cbf4f645f03f73e0a7a14109851b3064791deeeaf99b0e9.exe	69
PID 5048 wrote to memory of 4244	5048	z6772651.exe	70
PID 5048 wrote to memory of 4244	5048	z6772651.exe	70
PID 5048 wrote to memory of 4244	5048	z6772651.exe	70
PID 4244 wrote to memory of 3068	4244	z1750270.exe	71
PID 4244 wrote to memory of 3068	4244	z1750270.exe	71
PID 4244 wrote to memory of 3068	4244	z1750270.exe	71
PID 3068 wrote to memory of 4060	3068	z5284060.exe	72
PID 3068 wrote to memory of 4060	3068	z5284060.exe	72
PID 3068 wrote to memory of 4060	3068	z5284060.exe	72
PID 4060 wrote to memory of 4164	4060	z9521807.exe	73
PID 4060 wrote to memory of 4164	4060	z9521807.exe	73
PID 4060 wrote to memory of 3860	4060	z9521807.exe	74
PID 4060 wrote to memory of 3860	4060	z9521807.exe	74
PID 4060 wrote to memory of 3860	4060	z9521807.exe	74
PID 3068 wrote to memory of 3612	3068	z5284060.exe	75
PID 3068 wrote to memory of 3612	3068	z5284060.exe	75
PID 3068 wrote to memory of 3612	3068	z5284060.exe	75

C:\Users\Admin\AppData\Local\Temp\02f471ebd0b4aa842cbf4f645f03f73e0a7a14109851b3064791deeeaf99b0e9.exe
"C:\Users\Admin\AppData\Local\Temp\02f471ebd0b4aa842cbf4f645f03f73e0a7a14109851b3064791deeeaf99b0e9.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6772651.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6772651.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1750270.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1750270.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5284060.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5284060.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9521807.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9521807.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5393754.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5393754.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7265394.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7265394.exe
        6⤵
        Executes dropped EXE
        
        PID:3860
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7173788.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7173788.exe
        5⤵
        Executes dropped EXE
        
        PID:3612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6772651.exe

Filesize
824KB

MD5
7ab886e2b704a2312e33cdcbc1e01430

SHA1
823a452128015e11b55684515763b41953400aea

SHA256
7a2d8f497b7468ad3b8d7d7159663eaa7b6306370a1fbb2b63b4aab7391536ac

SHA512
3bdb01e7a847762e8d81067759c1cd436e935cc5d65b41a8b0759f56b1aeca4e7db16b3da8806125f593ac94d6e338097a76699e9caab00e227c8517eed65d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6772651.exe

Filesize
824KB

MD5
7ab886e2b704a2312e33cdcbc1e01430

SHA1
823a452128015e11b55684515763b41953400aea

SHA256
7a2d8f497b7468ad3b8d7d7159663eaa7b6306370a1fbb2b63b4aab7391536ac

SHA512
3bdb01e7a847762e8d81067759c1cd436e935cc5d65b41a8b0759f56b1aeca4e7db16b3da8806125f593ac94d6e338097a76699e9caab00e227c8517eed65d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1750270.exe

Filesize
598KB

MD5
2d2d32ff9db25d89bc22c21f8b52a9f8

SHA1
1f7baf6548255a406de7cf0f65c14d66fcfa0c52

SHA256
3aeb4a52337ccc9bb96906c44171469c600a5cff807062a4077d02262efd3764

SHA512
b7e6e3e05055b8ed9d2d22be88629d5981cdd15c17f19b8bdfd3e5c45f226db90fb9805ad7387d8edbc786db6a5e67e0bee6368fd908ae51772356911189db56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1750270.exe

Filesize
598KB

MD5
2d2d32ff9db25d89bc22c21f8b52a9f8

SHA1
1f7baf6548255a406de7cf0f65c14d66fcfa0c52

SHA256
3aeb4a52337ccc9bb96906c44171469c600a5cff807062a4077d02262efd3764

SHA512
b7e6e3e05055b8ed9d2d22be88629d5981cdd15c17f19b8bdfd3e5c45f226db90fb9805ad7387d8edbc786db6a5e67e0bee6368fd908ae51772356911189db56

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5284060.exe

Filesize
372KB

MD5
718a0ab22d456a6ef1c04688315268c5

SHA1
84d05ccea383bae54a2e0c87acaa85ad66a4cf27

SHA256
28de2b2be7d8b0ec44e632e824a5e680f0727f1f83536ddf2840c46f836b17a1

SHA512
6f37561f5a0ed9868ebcbb139b1db29788b003edfb75dc0fe1ffca3340fe7b049a5709036a8dc9361b253b358dd029c7d9ea937999c12838547d173ed7d7c2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5284060.exe

Filesize
372KB

MD5
718a0ab22d456a6ef1c04688315268c5

SHA1
84d05ccea383bae54a2e0c87acaa85ad66a4cf27

SHA256
28de2b2be7d8b0ec44e632e824a5e680f0727f1f83536ddf2840c46f836b17a1

SHA512
6f37561f5a0ed9868ebcbb139b1db29788b003edfb75dc0fe1ffca3340fe7b049a5709036a8dc9361b253b358dd029c7d9ea937999c12838547d173ed7d7c2dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7173788.exe

Filesize
175KB

MD5
3cac501e5015d14ec5050ef4a8e4b76d

SHA1
daf739988822082cfb9200f693dc0128cc612864

SHA256
92500d43881c333718945c8e0747c6f6e079c1cb4fe5c9e989e8b142ebf1f79d

SHA512
b237dfe399ce1eadd5c796e47bbca3972ffb6028b559c117d0a3f49afbb0657490bbbe282e0f691f13c50b8421ca8b5989c9f0771c17e8294f68980ea3156bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7173788.exe

Filesize
175KB

MD5
3cac501e5015d14ec5050ef4a8e4b76d

SHA1
daf739988822082cfb9200f693dc0128cc612864

SHA256
92500d43881c333718945c8e0747c6f6e079c1cb4fe5c9e989e8b142ebf1f79d

SHA512
b237dfe399ce1eadd5c796e47bbca3972ffb6028b559c117d0a3f49afbb0657490bbbe282e0f691f13c50b8421ca8b5989c9f0771c17e8294f68980ea3156bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9521807.exe

Filesize
217KB

MD5
0fb590203aaef5fd7851c119811fcbdf

SHA1
855f4b03ac6967e6f57334d042ff2999ee150bd8

SHA256
366beb8c93f5d80bb402add4b2cabd86d889402d96df62d798a3b1b847ba0f5c

SHA512
2a1dbbd58aefb00de695ccc92575f93fc04e2d4224c1f29f0dae78f4d8832c4eb7bb8ab382a3954f1952ebfb11c3ecdddc06d996a1bebbe09a6ad5a6928ad8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9521807.exe

Filesize
217KB

MD5
0fb590203aaef5fd7851c119811fcbdf

SHA1
855f4b03ac6967e6f57334d042ff2999ee150bd8

SHA256
366beb8c93f5d80bb402add4b2cabd86d889402d96df62d798a3b1b847ba0f5c

SHA512
2a1dbbd58aefb00de695ccc92575f93fc04e2d4224c1f29f0dae78f4d8832c4eb7bb8ab382a3954f1952ebfb11c3ecdddc06d996a1bebbe09a6ad5a6928ad8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5393754.exe

Filesize
17KB

MD5
3276cb50649f44d66f40312a2f521551

SHA1
28cef74be3da98ae5b106345435fe24600c79ea4

SHA256
b2e705ea7f6a82b959cf34251b520c6e26e359fe1edf68eb890594335e8c0e50

SHA512
6cbd7868c85ca172a143d165c7c50912ca058e745e8079bedbc037ad1f77fd51a16d2b018d579af4166673322e5986b48c0f13d561e0cf6fd981e01da36373d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q5393754.exe

Filesize
17KB

MD5
3276cb50649f44d66f40312a2f521551

SHA1
28cef74be3da98ae5b106345435fe24600c79ea4

SHA256
b2e705ea7f6a82b959cf34251b520c6e26e359fe1edf68eb890594335e8c0e50

SHA512
6cbd7868c85ca172a143d165c7c50912ca058e745e8079bedbc037ad1f77fd51a16d2b018d579af4166673322e5986b48c0f13d561e0cf6fd981e01da36373d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7265394.exe

Filesize
140KB

MD5
1faad9a38a380ff035d251b2fd0d3aed

SHA1
53fcd853bc0b448a8e78e6598e64ed9f5903aa7f

SHA256
0011e8558f7545f7fce1cc6a452dcba194bbea581e5b4bd056f722e0259b765b

SHA512
09a2e71f77731564a1ce0a558f75683f05df9255018d9e3f514a4c8060ee4638067bce9fd5f24b51edee45b1973f728d9a9a605e941b69cb1bba3bb7819d005f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7265394.exe

Filesize
140KB

MD5
1faad9a38a380ff035d251b2fd0d3aed

SHA1
53fcd853bc0b448a8e78e6598e64ed9f5903aa7f

SHA256
0011e8558f7545f7fce1cc6a452dcba194bbea581e5b4bd056f722e0259b765b

SHA512
09a2e71f77731564a1ce0a558f75683f05df9255018d9e3f514a4c8060ee4638067bce9fd5f24b51edee45b1973f728d9a9a605e941b69cb1bba3bb7819d005f

Download Submit
memory/3612-46-0x0000000072FC0000-0x00000000736AE000-memory.dmp

Filesize
6.9MB

Download
memory/3612-45-0x0000000000EF0000-0x0000000000F20000-memory.dmp

Filesize
192KB

Download
memory/3612-47-0x0000000003070000-0x0000000003076000-memory.dmp

Filesize
24KB

Download
memory/3612-48-0x000000000B190000-0x000000000B796000-memory.dmp

Filesize
6.0MB

Download
memory/3612-49-0x000000000AD00000-0x000000000AE0A000-memory.dmp

Filesize
1.0MB

Download
memory/3612-50-0x000000000AC30000-0x000000000AC42000-memory.dmp

Filesize
72KB

Download
memory/3612-51-0x000000000AC90000-0x000000000ACCE000-memory.dmp

Filesize
248KB

Download
memory/3612-52-0x000000000AE10000-0x000000000AE5B000-memory.dmp

Filesize
300KB

Download
memory/3612-53-0x0000000072FC0000-0x00000000736AE000-memory.dmp

Filesize
6.9MB

Download
memory/4164-38-0x00007FFD0C440000-0x00007FFD0CE2C000-memory.dmp

Filesize
9.9MB

Download
memory/4164-36-0x00007FFD0C440000-0x00007FFD0CE2C000-memory.dmp

Filesize
9.9MB

Download
memory/4164-35-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download