healer | 398d8015165d1530d33296c75a4562449f23c358c858a49a03ca38c6c42c1bda

Analysis

max time kernel
145s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30/08/2023, 16:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

398d8015165d1530d33296c75a4562449f23c358c858a49a03ca38c6c42c1bda.exe
Size

828KB
MD5

7b48991e6724dc11a24ca81296a6a686
SHA1

b042aec9833aab3bd00d362ad5c902e9f0100d13
SHA256

398d8015165d1530d33296c75a4562449f23c358c858a49a03ca38c6c42c1bda
SHA512

d361ac6f268f679092b7b65122b91f41af52a795da7ae5de1f814f343f0b5f7e98bdefd1e79df593dc3ff8772baa0459310154bbb0223e75bcb6d6f9c1e9f754
SSDEEP

12288:GMrky90cCexTNimoZbVfbam31iLaCPczwYgG7V3K+ndJm+ya7xds9+1iqPpYWM9W:yyLSmonfWc1iWWigshn3YEH

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b026-34.dat	healer
behavioral1/files/0x000700000001b026-33.dat	healer
behavioral1/memory/660-35-0x0000000000BA0000-0x0000000000BAA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8117100.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8117100.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8117100.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8117100.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8117100.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
5076	v9917895.exe
4380	v9324568.exe
3584	v8684044.exe
4496	v8096641.exe
660	a8117100.exe
2948	b1833195.exe
4744	c2951644.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8117100.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	398d8015165d1530d33296c75a4562449f23c358c858a49a03ca38c6c42c1bda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9917895.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v9324568.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8684044.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v8096641.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
660	a8117100.exe
660	a8117100.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	660	a8117100.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3996 wrote to memory of 5076	3996	398d8015165d1530d33296c75a4562449f23c358c858a49a03ca38c6c42c1bda.exe	70
PID 3996 wrote to memory of 5076	3996	398d8015165d1530d33296c75a4562449f23c358c858a49a03ca38c6c42c1bda.exe	70
PID 3996 wrote to memory of 5076	3996	398d8015165d1530d33296c75a4562449f23c358c858a49a03ca38c6c42c1bda.exe	70
PID 5076 wrote to memory of 4380	5076	v9917895.exe	71
PID 5076 wrote to memory of 4380	5076	v9917895.exe	71
PID 5076 wrote to memory of 4380	5076	v9917895.exe	71
PID 4380 wrote to memory of 3584	4380	v9324568.exe	72
PID 4380 wrote to memory of 3584	4380	v9324568.exe	72
PID 4380 wrote to memory of 3584	4380	v9324568.exe	72
PID 3584 wrote to memory of 4496	3584	v8684044.exe	73
PID 3584 wrote to memory of 4496	3584	v8684044.exe	73
PID 3584 wrote to memory of 4496	3584	v8684044.exe	73
PID 4496 wrote to memory of 660	4496	v8096641.exe	74
PID 4496 wrote to memory of 660	4496	v8096641.exe	74
PID 4496 wrote to memory of 2948	4496	v8096641.exe	75
PID 4496 wrote to memory of 2948	4496	v8096641.exe	75
PID 4496 wrote to memory of 2948	4496	v8096641.exe	75
PID 3584 wrote to memory of 4744	3584	v8684044.exe	76
PID 3584 wrote to memory of 4744	3584	v8684044.exe	76
PID 3584 wrote to memory of 4744	3584	v8684044.exe	76

C:\Users\Admin\AppData\Local\Temp\398d8015165d1530d33296c75a4562449f23c358c858a49a03ca38c6c42c1bda.exe
"C:\Users\Admin\AppData\Local\Temp\398d8015165d1530d33296c75a4562449f23c358c858a49a03ca38c6c42c1bda.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3996
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9917895.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9917895.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9324568.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9324568.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8684044.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8684044.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3584
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8096641.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8096641.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4496
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8117100.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8117100.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1833195.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1833195.exe
        6⤵
        Executes dropped EXE
        
        PID:2948
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2951644.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2951644.exe
        5⤵
        Executes dropped EXE
        
        PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9917895.exe

Filesize
723KB

MD5
2e72c15f907810b1c0df2bf6ad2331df

SHA1
918d3f14106b41f1458c1995b00469ca36ff22d0

SHA256
91e55c89c1d3425fc2d695cfd54c475a835d7620da036f10cdbca07e29ab1ef0

SHA512
3abae28646811592138497da11a7c51735c261ea34d49ff16a1c7f220e1f0d5d3b17ba81015433f942c65327ebcb00faeebc4aa26f88bb68ca0d74b0dd59ad95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9917895.exe

Filesize
723KB

MD5
2e72c15f907810b1c0df2bf6ad2331df

SHA1
918d3f14106b41f1458c1995b00469ca36ff22d0

SHA256
91e55c89c1d3425fc2d695cfd54c475a835d7620da036f10cdbca07e29ab1ef0

SHA512
3abae28646811592138497da11a7c51735c261ea34d49ff16a1c7f220e1f0d5d3b17ba81015433f942c65327ebcb00faeebc4aa26f88bb68ca0d74b0dd59ad95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9324568.exe

Filesize
497KB

MD5
34d043750c605ac2daf43c13e313847c

SHA1
b39b24e14f3ffbd2f1540b85f1161c3997e1d1d2

SHA256
386408420834f960eedf74a73ed72d42072bd455e57122cf914402cefc0164e5

SHA512
7b0e710f8d7e7871be9300af51141910d11bd37253b77c649e74eb6d3873dfd0bae0b11e60153a463bc7204dfc4c23c23b693317d2b7cb853ed8d74a5af1ce37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v9324568.exe

Filesize
497KB

MD5
34d043750c605ac2daf43c13e313847c

SHA1
b39b24e14f3ffbd2f1540b85f1161c3997e1d1d2

SHA256
386408420834f960eedf74a73ed72d42072bd455e57122cf914402cefc0164e5

SHA512
7b0e710f8d7e7871be9300af51141910d11bd37253b77c649e74eb6d3873dfd0bae0b11e60153a463bc7204dfc4c23c23b693317d2b7cb853ed8d74a5af1ce37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8684044.exe

Filesize
372KB

MD5
94cc8cffb8c7b350d0af6bc12224d853

SHA1
c9e7409415cbdfc54d0d645418ecabe6ba745e4b

SHA256
c9141a27f84c9444faefb90831b2d24320a7f5da06a50e1e44c3c7b40ef6f7cf

SHA512
513097123b369b89b91d843be8cf82ebfe4800deae8c217cc6e7d2081acf486122116211a4f3bbc1e9ba3e408792b559d12ad4acd077c30bd8f1a031271d84dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8684044.exe

Filesize
372KB

MD5
94cc8cffb8c7b350d0af6bc12224d853

SHA1
c9e7409415cbdfc54d0d645418ecabe6ba745e4b

SHA256
c9141a27f84c9444faefb90831b2d24320a7f5da06a50e1e44c3c7b40ef6f7cf

SHA512
513097123b369b89b91d843be8cf82ebfe4800deae8c217cc6e7d2081acf486122116211a4f3bbc1e9ba3e408792b559d12ad4acd077c30bd8f1a031271d84dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2951644.exe

Filesize
175KB

MD5
202f96280c6128e41e42e0177323e160

SHA1
6bc550f5f6aa4a7be8f02b49fb3b519c909c0bfb

SHA256
4074a9f1d959480f5744b3493d3734e1d76410055e1b35390f065f23ae15884a

SHA512
588dd0d6c94c47f0ce64d3a6ab8502d491571c84058d4b9e6026cdc53a013450232edc4e7dfb00cdaa311acf4c802cfa3eb39f47948740a2ac9c9f514f0dc136

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2951644.exe

Filesize
175KB

MD5
202f96280c6128e41e42e0177323e160

SHA1
6bc550f5f6aa4a7be8f02b49fb3b519c909c0bfb

SHA256
4074a9f1d959480f5744b3493d3734e1d76410055e1b35390f065f23ae15884a

SHA512
588dd0d6c94c47f0ce64d3a6ab8502d491571c84058d4b9e6026cdc53a013450232edc4e7dfb00cdaa311acf4c802cfa3eb39f47948740a2ac9c9f514f0dc136

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8096641.exe

Filesize
217KB

MD5
a24f11359541adc4c8948dc0b2b66523

SHA1
392b20664b21e55b1b93a469689920e045fb8151

SHA256
16a4342a623e41ca21ae37ffe8452ecf818f844776866df0119e181121cd348a

SHA512
1a86247493f4b20db90aa1095e14b2a3830cc68f4d1f2debebe6b525010aa8fcf70b9acf1e9b30c5f8d93361a0e5fdd5f0dc92103e95e4088037304ac509e3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v8096641.exe

Filesize
217KB

MD5
a24f11359541adc4c8948dc0b2b66523

SHA1
392b20664b21e55b1b93a469689920e045fb8151

SHA256
16a4342a623e41ca21ae37ffe8452ecf818f844776866df0119e181121cd348a

SHA512
1a86247493f4b20db90aa1095e14b2a3830cc68f4d1f2debebe6b525010aa8fcf70b9acf1e9b30c5f8d93361a0e5fdd5f0dc92103e95e4088037304ac509e3c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8117100.exe

Filesize
18KB

MD5
32f6d198d05ed58800923bb5b679b272

SHA1
dbbe6a5e83b7cc70a82c2799cd8409118f35f95d

SHA256
db8dde8d499de6a6b5e10cc0457de8d404ec7de3ce00b4e87711494c83ecb4fe

SHA512
2d0ca48c96bd125412d95576e819ca70018dfb3a0cffd1781d23481103667d8930c3a048c36ba752c2b9994f6bfc065c417e4e74b153dd404f26930365e314ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a8117100.exe

Filesize
18KB

MD5
32f6d198d05ed58800923bb5b679b272

SHA1
dbbe6a5e83b7cc70a82c2799cd8409118f35f95d

SHA256
db8dde8d499de6a6b5e10cc0457de8d404ec7de3ce00b4e87711494c83ecb4fe

SHA512
2d0ca48c96bd125412d95576e819ca70018dfb3a0cffd1781d23481103667d8930c3a048c36ba752c2b9994f6bfc065c417e4e74b153dd404f26930365e314ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1833195.exe

Filesize
140KB

MD5
e92c3fee65b6127f6802c523237450c5

SHA1
5599e7298e50d569323cd84966eeb3a462529811

SHA256
5d14e8f9a2f9cc34987e1b717a75fcffb2a21bb24e81f254784684e892ddb713

SHA512
8e75b3a90461b1a2c863aa3ad717f44a22896c34d040fb847a6bb29587e92920b0cd89e7682c13ba03096f78894dd3e481747f475fc29e66f13bf4526705d0c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1833195.exe

Filesize
140KB

MD5
e92c3fee65b6127f6802c523237450c5

SHA1
5599e7298e50d569323cd84966eeb3a462529811

SHA256
5d14e8f9a2f9cc34987e1b717a75fcffb2a21bb24e81f254784684e892ddb713

SHA512
8e75b3a90461b1a2c863aa3ad717f44a22896c34d040fb847a6bb29587e92920b0cd89e7682c13ba03096f78894dd3e481747f475fc29e66f13bf4526705d0c6

Download Submit
memory/660-38-0x00007FFB8BA70000-0x00007FFB8C45C000-memory.dmp

Filesize
9.9MB

Download
memory/660-36-0x00007FFB8BA70000-0x00007FFB8C45C000-memory.dmp

Filesize
9.9MB

Download
memory/660-35-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/4744-45-0x0000000000950000-0x0000000000980000-memory.dmp

Filesize
192KB

Download
memory/4744-46-0x0000000073510000-0x0000000073BFE000-memory.dmp

Filesize
6.9MB

Download
memory/4744-47-0x0000000002AE0000-0x0000000002AE6000-memory.dmp

Filesize
24KB

Download
memory/4744-48-0x000000000AC20000-0x000000000B226000-memory.dmp

Filesize
6.0MB

Download
memory/4744-49-0x000000000A760000-0x000000000A86A000-memory.dmp

Filesize
1.0MB

Download
memory/4744-50-0x000000000A690000-0x000000000A6A2000-memory.dmp

Filesize
72KB

Download
memory/4744-51-0x000000000A6F0000-0x000000000A72E000-memory.dmp

Filesize
248KB

Download
memory/4744-52-0x000000000A870000-0x000000000A8BB000-memory.dmp

Filesize
300KB

Download
memory/4744-53-0x0000000073510000-0x0000000073BFE000-memory.dmp

Filesize
6.9MB

Download