healer | 2eeb348e45b501b0f2c76b8eeb860f96943fad510751317d7eb523abd25f3de7

Analysis

max time kernel
145s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30-08-2023 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2eeb348e45b501b0f2c76b8eeb860f96943fad510751317d7eb523abd25f3de7.exe
Size

828KB
MD5

86b5445aeb97e754d2ec7aa3052fe722
SHA1

cc643de005e79820dc89cc8cd1267957f2adf772
SHA256

2eeb348e45b501b0f2c76b8eeb860f96943fad510751317d7eb523abd25f3de7
SHA512

64f28a855c672eaa4f1c3f25c84f2444659d4e77cc6efc2e984d1f7315b0ca471de7dc6aa157553ecb4c5e7f112027b295bb127bb419054b6ba51b7af8ca0a01
SSDEEP

12288:HMrpy90CXLPWbn2J3gbDJjEhBFqKnLHiqei8VnRbbkKjZnYL0/1xw8k:Ky7XL+b2J3axEhbqYp8VnRnnnYLP

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afb6-32.dat	healer
behavioral1/files/0x000700000001afb6-34.dat	healer
behavioral1/memory/4012-35-0x0000000000240000-0x000000000024A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a6904130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a6904130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a6904130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a6904130.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a6904130.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4924	v0023363.exe
2884	v2478524.exe
5092	v8833349.exe
4416	v3599489.exe
4012	a6904130.exe
4408	b5925482.exe
4512	c7535989.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a6904130.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2eeb348e45b501b0f2c76b8eeb860f96943fad510751317d7eb523abd25f3de7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v0023363.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2478524.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8833349.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v3599489.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4012	a6904130.exe
4012	a6904130.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4012	a6904130.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5012 wrote to memory of 4924	5012	2eeb348e45b501b0f2c76b8eeb860f96943fad510751317d7eb523abd25f3de7.exe	69
PID 5012 wrote to memory of 4924	5012	2eeb348e45b501b0f2c76b8eeb860f96943fad510751317d7eb523abd25f3de7.exe	69
PID 5012 wrote to memory of 4924	5012	2eeb348e45b501b0f2c76b8eeb860f96943fad510751317d7eb523abd25f3de7.exe	69
PID 4924 wrote to memory of 2884	4924	v0023363.exe	70
PID 4924 wrote to memory of 2884	4924	v0023363.exe	70
PID 4924 wrote to memory of 2884	4924	v0023363.exe	70
PID 2884 wrote to memory of 5092	2884	v2478524.exe	71
PID 2884 wrote to memory of 5092	2884	v2478524.exe	71
PID 2884 wrote to memory of 5092	2884	v2478524.exe	71
PID 5092 wrote to memory of 4416	5092	v8833349.exe	72
PID 5092 wrote to memory of 4416	5092	v8833349.exe	72
PID 5092 wrote to memory of 4416	5092	v8833349.exe	72
PID 4416 wrote to memory of 4012	4416	v3599489.exe	73
PID 4416 wrote to memory of 4012	4416	v3599489.exe	73
PID 4416 wrote to memory of 4408	4416	v3599489.exe	74
PID 4416 wrote to memory of 4408	4416	v3599489.exe	74
PID 4416 wrote to memory of 4408	4416	v3599489.exe	74
PID 5092 wrote to memory of 4512	5092	v8833349.exe	75
PID 5092 wrote to memory of 4512	5092	v8833349.exe	75
PID 5092 wrote to memory of 4512	5092	v8833349.exe	75

C:\Users\Admin\AppData\Local\Temp\2eeb348e45b501b0f2c76b8eeb860f96943fad510751317d7eb523abd25f3de7.exe
"C:\Users\Admin\AppData\Local\Temp\2eeb348e45b501b0f2c76b8eeb860f96943fad510751317d7eb523abd25f3de7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5012
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0023363.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0023363.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2478524.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2478524.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8833349.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8833349.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3599489.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3599489.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4416
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6904130.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6904130.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5925482.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5925482.exe
        6⤵
        Executes dropped EXE
        
        PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7535989.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7535989.exe
        5⤵
        Executes dropped EXE
        
        PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0023363.exe

Filesize
724KB

MD5
884d4d023560ab7dab1140b4b7e97ec3

SHA1
509a4dec403fffae4ff86bd86945aed902dcfc1f

SHA256
066b1731f979b207cbee5210f1a4b7316d45b30b9de6f104a6766519fcc25ff5

SHA512
eee2314c19f0983af8d7409799e97386c37be76f200044c4f33319db54bd121e953da19e6467710dd20e6cf6f497e440f8a7266875c1ed50c3a0320918cf3e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0023363.exe

Filesize
724KB

MD5
884d4d023560ab7dab1140b4b7e97ec3

SHA1
509a4dec403fffae4ff86bd86945aed902dcfc1f

SHA256
066b1731f979b207cbee5210f1a4b7316d45b30b9de6f104a6766519fcc25ff5

SHA512
eee2314c19f0983af8d7409799e97386c37be76f200044c4f33319db54bd121e953da19e6467710dd20e6cf6f497e440f8a7266875c1ed50c3a0320918cf3e8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2478524.exe

Filesize
498KB

MD5
5f651d4172e97dda1ce74760d6d6a12f

SHA1
d1c1b34750325bd67483987aaaadc8bee07056cc

SHA256
7d44467a5e661af6850c9f534a5561f3747402c8826f7dbc8e4a1d3f14f2a868

SHA512
1761bb8531bc0272a8339c3ab24507804c955d61846b59c00c0bd5f8eff4a73af4f1a6cec6c3f056d24a8bc66a3a94f27ff11dc2d520531a414e381426647aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2478524.exe

Filesize
498KB

MD5
5f651d4172e97dda1ce74760d6d6a12f

SHA1
d1c1b34750325bd67483987aaaadc8bee07056cc

SHA256
7d44467a5e661af6850c9f534a5561f3747402c8826f7dbc8e4a1d3f14f2a868

SHA512
1761bb8531bc0272a8339c3ab24507804c955d61846b59c00c0bd5f8eff4a73af4f1a6cec6c3f056d24a8bc66a3a94f27ff11dc2d520531a414e381426647aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8833349.exe

Filesize
373KB

MD5
0d2a4f861da88449411044da7d1c720e

SHA1
347f23165e19cae682fea74985929e9377e24347

SHA256
f9562fe1f2228ea8cfe40f31ce7c64fd7d9111264f620db4e668ef215eccc74f

SHA512
536bf39c8fbc4a8b757fe423355b6e9fc5891189c8433158f3873acadb73c4c5e57caea359bed8827d8af5f26c23da166da62559d5a4a048bcec28f68a4d35e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8833349.exe

Filesize
373KB

MD5
0d2a4f861da88449411044da7d1c720e

SHA1
347f23165e19cae682fea74985929e9377e24347

SHA256
f9562fe1f2228ea8cfe40f31ce7c64fd7d9111264f620db4e668ef215eccc74f

SHA512
536bf39c8fbc4a8b757fe423355b6e9fc5891189c8433158f3873acadb73c4c5e57caea359bed8827d8af5f26c23da166da62559d5a4a048bcec28f68a4d35e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7535989.exe

Filesize
175KB

MD5
c8836baf9e635ba8e54dedd8e355c6bb

SHA1
bac8e5d672f8588de0b7d7c7addae949788f74d5

SHA256
82f5f3239a8ca87c6d1337f57bf93d115ea046c9440fd9908ad654d00d19d998

SHA512
cacfdffa8eb4fa40daa9a7fece624e36aced5605530b3d7f2d284cbc76dbb9747ae2503eae2c654a38914258bf223a0554a73a3fe264d7144c6af6b1c645e655

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7535989.exe

Filesize
175KB

MD5
c8836baf9e635ba8e54dedd8e355c6bb

SHA1
bac8e5d672f8588de0b7d7c7addae949788f74d5

SHA256
82f5f3239a8ca87c6d1337f57bf93d115ea046c9440fd9908ad654d00d19d998

SHA512
cacfdffa8eb4fa40daa9a7fece624e36aced5605530b3d7f2d284cbc76dbb9747ae2503eae2c654a38914258bf223a0554a73a3fe264d7144c6af6b1c645e655

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3599489.exe

Filesize
217KB

MD5
77be8d3054f1afc4bbd40cd8a2f8a11b

SHA1
64c65417495d8428d4ad24cf81765a0f0f12611e

SHA256
7f6ad2568338f45e57db7c4087d72424b901a09837d897fe718fdc7469d279e2

SHA512
122b393790f0d26aa623037e6ccece75c1b0b3f13e60988985dc84a9dbd63a987271cd8f8868d3290315b1ad3b5dc95044f63b80318ff472ba74efc5fff2262d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v3599489.exe

Filesize
217KB

MD5
77be8d3054f1afc4bbd40cd8a2f8a11b

SHA1
64c65417495d8428d4ad24cf81765a0f0f12611e

SHA256
7f6ad2568338f45e57db7c4087d72424b901a09837d897fe718fdc7469d279e2

SHA512
122b393790f0d26aa623037e6ccece75c1b0b3f13e60988985dc84a9dbd63a987271cd8f8868d3290315b1ad3b5dc95044f63b80318ff472ba74efc5fff2262d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6904130.exe

Filesize
17KB

MD5
9dfb85434850850dd0e2667b8be7eb56

SHA1
0500ec369a7dfc77046b1fc614654d9937a4a6a7

SHA256
97a296eaa4c71c23677be105679c645960ec7e5ac9473dc291bff2a402c754d2

SHA512
0e8fc6576c8f918582fbfa1193ca17a62d518952147157fd4f03d235b54d7a87c89467f0f9bcb4be0f3aa759b6bef06d2167151b7e68a609907557772ca9322f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a6904130.exe

Filesize
17KB

MD5
9dfb85434850850dd0e2667b8be7eb56

SHA1
0500ec369a7dfc77046b1fc614654d9937a4a6a7

SHA256
97a296eaa4c71c23677be105679c645960ec7e5ac9473dc291bff2a402c754d2

SHA512
0e8fc6576c8f918582fbfa1193ca17a62d518952147157fd4f03d235b54d7a87c89467f0f9bcb4be0f3aa759b6bef06d2167151b7e68a609907557772ca9322f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5925482.exe

Filesize
140KB

MD5
b6da4e9bdac3ec3960309b6ea5d3936c

SHA1
2a4446c35f769050c68be74625de21c846041bef

SHA256
a166e48b86cf92516d4be9e79b63d912558d651763e02ee69d4f77d70e13036e

SHA512
6e5b7c0b27cddea57d0278b2921945f8ecc0921c336d478c78c2ae98df7f722288b904b36747a2a59cbc22a86b74ee48876a4051177ee910954b191c26edff4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b5925482.exe

Filesize
140KB

MD5
b6da4e9bdac3ec3960309b6ea5d3936c

SHA1
2a4446c35f769050c68be74625de21c846041bef

SHA256
a166e48b86cf92516d4be9e79b63d912558d651763e02ee69d4f77d70e13036e

SHA512
6e5b7c0b27cddea57d0278b2921945f8ecc0921c336d478c78c2ae98df7f722288b904b36747a2a59cbc22a86b74ee48876a4051177ee910954b191c26edff4e

Download Submit
memory/4012-38-0x00007FFDD0E70000-0x00007FFDD185C000-memory.dmp

Filesize
9.9MB

Download
memory/4012-36-0x00007FFDD0E70000-0x00007FFDD185C000-memory.dmp

Filesize
9.9MB

Download
memory/4012-35-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/4512-45-0x0000000000B00000-0x0000000000B30000-memory.dmp

Filesize
192KB

Download
memory/4512-46-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download
memory/4512-47-0x0000000002D70000-0x0000000002D76000-memory.dmp

Filesize
24KB

Download
memory/4512-48-0x000000000ADC0000-0x000000000B3C6000-memory.dmp

Filesize
6.0MB

Download
memory/4512-49-0x000000000A910000-0x000000000AA1A000-memory.dmp

Filesize
1.0MB

Download
memory/4512-50-0x000000000A840000-0x000000000A852000-memory.dmp

Filesize
72KB

Download
memory/4512-51-0x000000000A8A0000-0x000000000A8DE000-memory.dmp

Filesize
248KB

Download
memory/4512-52-0x000000000AA20000-0x000000000AA6B000-memory.dmp

Filesize
300KB

Download
memory/4512-53-0x00000000735A0000-0x0000000073C8E000-memory.dmp

Filesize
6.9MB

Download