healer | 97c409738750d5b75afb0a9ea5d752ac15787f7d51a097757bc3699bf3465f6d

Analysis

max time kernel
145s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30/08/2023, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97c409738750d5b75afb0a9ea5d752ac15787f7d51a097757bc3699bf3465f6d.exe
Size

928KB
MD5

7865506ed4e470d5e9235d8ec8921a15
SHA1

791cea5988b74e294dee922cdaf5f23b015387dd
SHA256

97c409738750d5b75afb0a9ea5d752ac15787f7d51a097757bc3699bf3465f6d
SHA512

6b6a1dbaa71508e0cb6790e10849269a2f90c2408b75be0e636a95c71bb536c679dba8e73ec26ec6a0451d7a2e769f534510a929a34eddbef3a716614d847fe0
SSDEEP

24576:WyZvx6gpXJ2xvDjeyLO3m5jqyzOkOzb5cPitK:lZvPXoxmOOlvHnci

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afc7-33.dat	healer
behavioral1/files/0x000700000001afc7-34.dat	healer
behavioral1/memory/2308-35-0x0000000000240000-0x000000000024A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q8050467.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q8050467.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q8050467.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q8050467.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q8050467.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4532	z7945916.exe
1504	z1511866.exe
4524	z1259996.exe
4432	z8668195.exe
2308	q8050467.exe
700	r8075445.exe
3176	s1819785.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q8050467.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	97c409738750d5b75afb0a9ea5d752ac15787f7d51a097757bc3699bf3465f6d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z7945916.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z1511866.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1259996.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z8668195.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2308	q8050467.exe
2308	q8050467.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2308	q8050467.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4532	4796	97c409738750d5b75afb0a9ea5d752ac15787f7d51a097757bc3699bf3465f6d.exe	70
PID 4796 wrote to memory of 4532	4796	97c409738750d5b75afb0a9ea5d752ac15787f7d51a097757bc3699bf3465f6d.exe	70
PID 4796 wrote to memory of 4532	4796	97c409738750d5b75afb0a9ea5d752ac15787f7d51a097757bc3699bf3465f6d.exe	70
PID 4532 wrote to memory of 1504	4532	z7945916.exe	71
PID 4532 wrote to memory of 1504	4532	z7945916.exe	71
PID 4532 wrote to memory of 1504	4532	z7945916.exe	71
PID 1504 wrote to memory of 4524	1504	z1511866.exe	72
PID 1504 wrote to memory of 4524	1504	z1511866.exe	72
PID 1504 wrote to memory of 4524	1504	z1511866.exe	72
PID 4524 wrote to memory of 4432	4524	z1259996.exe	73
PID 4524 wrote to memory of 4432	4524	z1259996.exe	73
PID 4524 wrote to memory of 4432	4524	z1259996.exe	73
PID 4432 wrote to memory of 2308	4432	z8668195.exe	74
PID 4432 wrote to memory of 2308	4432	z8668195.exe	74
PID 4432 wrote to memory of 700	4432	z8668195.exe	75
PID 4432 wrote to memory of 700	4432	z8668195.exe	75
PID 4432 wrote to memory of 700	4432	z8668195.exe	75
PID 4524 wrote to memory of 3176	4524	z1259996.exe	76
PID 4524 wrote to memory of 3176	4524	z1259996.exe	76
PID 4524 wrote to memory of 3176	4524	z1259996.exe	76

C:\Users\Admin\AppData\Local\Temp\97c409738750d5b75afb0a9ea5d752ac15787f7d51a097757bc3699bf3465f6d.exe
"C:\Users\Admin\AppData\Local\Temp\97c409738750d5b75afb0a9ea5d752ac15787f7d51a097757bc3699bf3465f6d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7945916.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7945916.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1511866.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1511866.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1259996.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1259996.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8668195.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8668195.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4432
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8050467.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8050467.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8075445.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8075445.exe
        6⤵
        Executes dropped EXE
        
        PID:700
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1819785.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1819785.exe
        5⤵
        Executes dropped EXE
        
        PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7945916.exe

Filesize
822KB

MD5
d356fbfd958abe382b5a712ca1da6402

SHA1
dc95d336085eee7dac4dcdd0dd0bd4cd2305836d

SHA256
18c8a0e2b68fdf2c2e94aef74b2a184f5f93637a68dd576fd88378e3e2f00844

SHA512
2219ba94283dbdcdc5b91922e4ad0e5a1708e3f16546b87f3c5b1bc29cb69d07a2c36ba20e69c9d0b4123787ac3e2ca941aefa58b964a394501750dd42985f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7945916.exe

Filesize
822KB

MD5
d356fbfd958abe382b5a712ca1da6402

SHA1
dc95d336085eee7dac4dcdd0dd0bd4cd2305836d

SHA256
18c8a0e2b68fdf2c2e94aef74b2a184f5f93637a68dd576fd88378e3e2f00844

SHA512
2219ba94283dbdcdc5b91922e4ad0e5a1708e3f16546b87f3c5b1bc29cb69d07a2c36ba20e69c9d0b4123787ac3e2ca941aefa58b964a394501750dd42985f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1511866.exe

Filesize
597KB

MD5
54f07558414219bc4ca839702365ce2f

SHA1
d58805870563e7b138e4a4271a0469fc11f5ccdf

SHA256
59ce15008febd81c53d9b1db93add9ba344739f70c411b4dc35c2489f1ae7c41

SHA512
21a954a36e31878f92ca16e9ed088dcaf7afc29b1f2814790663a821264acc0518bc4f47fd5dc9cfae5afe0736a9a07942b3084940bfa2c8e2657dca0eafb102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1511866.exe

Filesize
597KB

MD5
54f07558414219bc4ca839702365ce2f

SHA1
d58805870563e7b138e4a4271a0469fc11f5ccdf

SHA256
59ce15008febd81c53d9b1db93add9ba344739f70c411b4dc35c2489f1ae7c41

SHA512
21a954a36e31878f92ca16e9ed088dcaf7afc29b1f2814790663a821264acc0518bc4f47fd5dc9cfae5afe0736a9a07942b3084940bfa2c8e2657dca0eafb102

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1259996.exe

Filesize
372KB

MD5
4f6e087c4b7c8d00703c7cf4a251f8b9

SHA1
0b8474be1f0c07299c32f1fbd87369e03358116d

SHA256
736b57e71f166c0e67afd716ec43e80d4254e6d899121d4c0982d3ccadccbf92

SHA512
87234df26c51cefc4177f462313d03de5637c99b18010e20ec786ee36a0b881ed0877a2ce921dbec77e1d64ab256c6f8694872d72a99dc9373899cf3853051a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1259996.exe

Filesize
372KB

MD5
4f6e087c4b7c8d00703c7cf4a251f8b9

SHA1
0b8474be1f0c07299c32f1fbd87369e03358116d

SHA256
736b57e71f166c0e67afd716ec43e80d4254e6d899121d4c0982d3ccadccbf92

SHA512
87234df26c51cefc4177f462313d03de5637c99b18010e20ec786ee36a0b881ed0877a2ce921dbec77e1d64ab256c6f8694872d72a99dc9373899cf3853051a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1819785.exe

Filesize
175KB

MD5
07888ca195ed9172ade905504f41f57f

SHA1
fd2dc20a551a5ccc2aeed4d6f9d3e5c554e02313

SHA256
4cd2ae2697bb7e9e57cfa2c8a6141fbde51f1a1d332d06ecaa0ebd05c158c426

SHA512
bbb6e4c500cb5c51eea5189770530b47374590a298ddfa5f777b43312520b358c13e5915fee50bfdeeb62c1c78493b20b847e8f256ec6b63fa37afd5ab783694

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1819785.exe

Filesize
175KB

MD5
07888ca195ed9172ade905504f41f57f

SHA1
fd2dc20a551a5ccc2aeed4d6f9d3e5c554e02313

SHA256
4cd2ae2697bb7e9e57cfa2c8a6141fbde51f1a1d332d06ecaa0ebd05c158c426

SHA512
bbb6e4c500cb5c51eea5189770530b47374590a298ddfa5f777b43312520b358c13e5915fee50bfdeeb62c1c78493b20b847e8f256ec6b63fa37afd5ab783694

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8668195.exe

Filesize
217KB

MD5
fae09a1eadf8db14ae6f7ed2817c6b71

SHA1
c8ef8dc429e5d1a311937f637c75bf2104b128a3

SHA256
8411218893acd5353e08d7ed021a7db9d70b5ef0cfde9d51d485e02253b10bc8

SHA512
3c632f406fc2613bc2098fe86b286849bcd95b0ee9ee140f0704e2d7b9f7f042ac934c713f58ebf8db2c2b925241d2baad20d107eac85a4322c5285c4d944210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8668195.exe

Filesize
217KB

MD5
fae09a1eadf8db14ae6f7ed2817c6b71

SHA1
c8ef8dc429e5d1a311937f637c75bf2104b128a3

SHA256
8411218893acd5353e08d7ed021a7db9d70b5ef0cfde9d51d485e02253b10bc8

SHA512
3c632f406fc2613bc2098fe86b286849bcd95b0ee9ee140f0704e2d7b9f7f042ac934c713f58ebf8db2c2b925241d2baad20d107eac85a4322c5285c4d944210

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8050467.exe

Filesize
18KB

MD5
ba34dd50359511f3db959704545e36da

SHA1
5888f8353ebb4b3716b4e01e0d0193164e35f21a

SHA256
f343fbe82030907188280097ad0f235d803f5dd35a4bbaa3e9297a9b2818b67a

SHA512
024ceeace1d1249c558df19b2edfc632dd4e1974865a84c1760e7f94df100d1b44ce348fe1e43a23787610212cfeb27a92dba6344c306fab555b2108714ca8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q8050467.exe

Filesize
18KB

MD5
ba34dd50359511f3db959704545e36da

SHA1
5888f8353ebb4b3716b4e01e0d0193164e35f21a

SHA256
f343fbe82030907188280097ad0f235d803f5dd35a4bbaa3e9297a9b2818b67a

SHA512
024ceeace1d1249c558df19b2edfc632dd4e1974865a84c1760e7f94df100d1b44ce348fe1e43a23787610212cfeb27a92dba6344c306fab555b2108714ca8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8075445.exe

Filesize
141KB

MD5
0d06de9461c27c323df0af511f28378d

SHA1
4288d77fa7d71723a63f5d22b0196e00229e9144

SHA256
3885e1fe5db62895c166f11b0c91d467d02bdd2f425471c36639ead2495707b5

SHA512
7b2e4b356b0ccc02606d1fd5bfe9d5bebfe45bf367da0cda3deab776ab02508ae6caa3792f6b10878a727f080af774c7e41a4894e8aead1c78ba97193833ad66

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r8075445.exe

Filesize
141KB

MD5
0d06de9461c27c323df0af511f28378d

SHA1
4288d77fa7d71723a63f5d22b0196e00229e9144

SHA256
3885e1fe5db62895c166f11b0c91d467d02bdd2f425471c36639ead2495707b5

SHA512
7b2e4b356b0ccc02606d1fd5bfe9d5bebfe45bf367da0cda3deab776ab02508ae6caa3792f6b10878a727f080af774c7e41a4894e8aead1c78ba97193833ad66

Download Submit
memory/2308-38-0x00007FFF7FC30000-0x00007FFF8061C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-36-0x00007FFF7FC30000-0x00007FFF8061C000-memory.dmp

Filesize
9.9MB

Download
memory/2308-35-0x0000000000240000-0x000000000024A000-memory.dmp

Filesize
40KB

Download
memory/3176-46-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download
memory/3176-45-0x0000000000DC0000-0x0000000000DF0000-memory.dmp

Filesize
192KB

Download
memory/3176-47-0x00000000056C0000-0x00000000056C6000-memory.dmp

Filesize
24KB

Download
memory/3176-48-0x000000000B1D0000-0x000000000B7D6000-memory.dmp

Filesize
6.0MB

Download
memory/3176-49-0x000000000AD10000-0x000000000AE1A000-memory.dmp

Filesize
1.0MB

Download
memory/3176-50-0x000000000AC40000-0x000000000AC52000-memory.dmp

Filesize
72KB

Download
memory/3176-51-0x000000000ACA0000-0x000000000ACDE000-memory.dmp

Filesize
248KB

Download
memory/3176-52-0x000000000AE20000-0x000000000AE6B000-memory.dmp

Filesize
300KB

Download
memory/3176-53-0x0000000073400000-0x0000000073AEE000-memory.dmp

Filesize
6.9MB

Download