healer | 25563c7555af75a79661e3b6958f065b6a27d2da4674767b374845ef5885ebb6

Analysis

max time kernel
145s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
30/08/2023, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25563c7555af75a79661e3b6958f065b6a27d2da4674767b374845ef5885ebb6.exe
Size

828KB
MD5

34192ca089e71e86ac8c8250813a8753
SHA1

e7abbdd690b7a434681acf7cbac5635f5dac6279
SHA256

25563c7555af75a79661e3b6958f065b6a27d2da4674767b374845ef5885ebb6
SHA512

46acc9d1062f3ddc790ade6069389b5228f58a0570b403eaca181b5cd044083115f4437d9fbc439bee98b68c0e51c217549a27f8b143dc5cc025c9915798af01
SSDEEP

12288:xMrAy90ligXX4joBg/HvGweJWjA94Rmlu8Vdz9S/aoX55uw8Sez9OuAt1D17eL/u:hyWDBg/HDeJ8RL811w1epEjhyL/u

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001b01b-33.dat	healer
behavioral1/files/0x000700000001b01b-34.dat	healer
behavioral1/memory/3584-35-0x0000000000BF0000-0x0000000000BFA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2711575.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2711575.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2711575.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2711575.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2711575.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4812	v8835927.exe
4464	v3483797.exe
4772	v8290346.exe
1316	v6900960.exe
3584	a2711575.exe
4512	b8085285.exe
2188	c0516058.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2711575.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	25563c7555af75a79661e3b6958f065b6a27d2da4674767b374845ef5885ebb6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8835927.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3483797.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v8290346.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6900960.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3584	a2711575.exe
3584	a2711575.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3584	a2711575.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4812	5048	25563c7555af75a79661e3b6958f065b6a27d2da4674767b374845ef5885ebb6.exe	70
PID 5048 wrote to memory of 4812	5048	25563c7555af75a79661e3b6958f065b6a27d2da4674767b374845ef5885ebb6.exe	70
PID 5048 wrote to memory of 4812	5048	25563c7555af75a79661e3b6958f065b6a27d2da4674767b374845ef5885ebb6.exe	70
PID 4812 wrote to memory of 4464	4812	v8835927.exe	71
PID 4812 wrote to memory of 4464	4812	v8835927.exe	71
PID 4812 wrote to memory of 4464	4812	v8835927.exe	71
PID 4464 wrote to memory of 4772	4464	v3483797.exe	72
PID 4464 wrote to memory of 4772	4464	v3483797.exe	72
PID 4464 wrote to memory of 4772	4464	v3483797.exe	72
PID 4772 wrote to memory of 1316	4772	v8290346.exe	73
PID 4772 wrote to memory of 1316	4772	v8290346.exe	73
PID 4772 wrote to memory of 1316	4772	v8290346.exe	73
PID 1316 wrote to memory of 3584	1316	v6900960.exe	74
PID 1316 wrote to memory of 3584	1316	v6900960.exe	74
PID 1316 wrote to memory of 4512	1316	v6900960.exe	75
PID 1316 wrote to memory of 4512	1316	v6900960.exe	75
PID 1316 wrote to memory of 4512	1316	v6900960.exe	75
PID 4772 wrote to memory of 2188	4772	v8290346.exe	76
PID 4772 wrote to memory of 2188	4772	v8290346.exe	76
PID 4772 wrote to memory of 2188	4772	v8290346.exe	76

C:\Users\Admin\AppData\Local\Temp\25563c7555af75a79661e3b6958f065b6a27d2da4674767b374845ef5885ebb6.exe
"C:\Users\Admin\AppData\Local\Temp\25563c7555af75a79661e3b6958f065b6a27d2da4674767b374845ef5885ebb6.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8835927.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8835927.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4812
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3483797.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3483797.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8290346.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8290346.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6900960.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6900960.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1316
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2711575.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2711575.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8085285.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8085285.exe
        6⤵
        Executes dropped EXE
        
        PID:4512
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0516058.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0516058.exe
        5⤵
        Executes dropped EXE
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8835927.exe

Filesize
723KB

MD5
f15a4d68c5083f2216a02c606102c585

SHA1
6885eab6334f382510b9f457ecb6867e90b24799

SHA256
2e81d1621f15e314230b2b93f24d638893e03a1455e601305430ad7d0e702fb1

SHA512
25338abab5ad339ae932dd7ea8e7a6744b95cb6f45a4d52de828658ac0110489478500b3080f054bfd5081a5d8d6a6835b1b6dd656928cfe89beed794c61f0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8835927.exe

Filesize
723KB

MD5
f15a4d68c5083f2216a02c606102c585

SHA1
6885eab6334f382510b9f457ecb6867e90b24799

SHA256
2e81d1621f15e314230b2b93f24d638893e03a1455e601305430ad7d0e702fb1

SHA512
25338abab5ad339ae932dd7ea8e7a6744b95cb6f45a4d52de828658ac0110489478500b3080f054bfd5081a5d8d6a6835b1b6dd656928cfe89beed794c61f0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3483797.exe

Filesize
497KB

MD5
e2f093802c3e7b8afd69ff786a9278fe

SHA1
e95d1a9346d3c4e773bac75a3ae05958a2b550b8

SHA256
b7099e3fe824338704306537cc3d4c3a21be35efeda94e6028452609b84d7203

SHA512
2d96f16f1ae3bd14ff48937642033de273f25728d15cebf8a93af0aabba275effd41d2536b969f1175b59d98c235f0912c3742098bbef3fb2e341a9bf0adb6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3483797.exe

Filesize
497KB

MD5
e2f093802c3e7b8afd69ff786a9278fe

SHA1
e95d1a9346d3c4e773bac75a3ae05958a2b550b8

SHA256
b7099e3fe824338704306537cc3d4c3a21be35efeda94e6028452609b84d7203

SHA512
2d96f16f1ae3bd14ff48937642033de273f25728d15cebf8a93af0aabba275effd41d2536b969f1175b59d98c235f0912c3742098bbef3fb2e341a9bf0adb6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8290346.exe

Filesize
372KB

MD5
8f20c76111ed96bd334c90b5f96a593e

SHA1
5fc116cc890e9d86a1dce4dd66c7bd6cb0210fe2

SHA256
f8f13e1c6dac06895df241dd383b1636f27acb653ce22b97192d3812627e4e22

SHA512
8d97b0fd6b24c1d6e4baac611149d69d712e69dbaffa9b30a6868b1a57bfdf2f05708525f02534920ad136170e0c740821e58052e451aa290e9f592d68fb3526

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v8290346.exe

Filesize
372KB

MD5
8f20c76111ed96bd334c90b5f96a593e

SHA1
5fc116cc890e9d86a1dce4dd66c7bd6cb0210fe2

SHA256
f8f13e1c6dac06895df241dd383b1636f27acb653ce22b97192d3812627e4e22

SHA512
8d97b0fd6b24c1d6e4baac611149d69d712e69dbaffa9b30a6868b1a57bfdf2f05708525f02534920ad136170e0c740821e58052e451aa290e9f592d68fb3526

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0516058.exe

Filesize
175KB

MD5
45e09130b0b65912a5603c3230b2c243

SHA1
0de329db7dec40fd70c38f5844b5b1819aa47c7f

SHA256
1f9e6b30fbb57fd21e017d68683f2d27ed9b3f9551e6e085373b281a5c4537a4

SHA512
b83a0943bd6bd927bd652aa0256cabd05bc35933e5477e7679751ca55cb343333f352290824210a8f9f30a39e1a9b8670718d98656432a4ab5a31311a5e5cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0516058.exe

Filesize
175KB

MD5
45e09130b0b65912a5603c3230b2c243

SHA1
0de329db7dec40fd70c38f5844b5b1819aa47c7f

SHA256
1f9e6b30fbb57fd21e017d68683f2d27ed9b3f9551e6e085373b281a5c4537a4

SHA512
b83a0943bd6bd927bd652aa0256cabd05bc35933e5477e7679751ca55cb343333f352290824210a8f9f30a39e1a9b8670718d98656432a4ab5a31311a5e5cfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6900960.exe

Filesize
217KB

MD5
8247591ecf3e792c306f74b60df5a927

SHA1
fedc58b4e6b047db59b45fa3371e0994833512e3

SHA256
31b3d343a27c9f1cc3fac6072776ae4945de60726a38c9c37acbb1db5d4ea3f3

SHA512
d4f1443ce1cca15c79169fc612307db9c7e0fe669825fac2eb188cbf6785fbd5cca67b8bc10c7ca8d8566c0364f5a5f61ed39cd26e0024751f67f46b2f3645fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6900960.exe

Filesize
217KB

MD5
8247591ecf3e792c306f74b60df5a927

SHA1
fedc58b4e6b047db59b45fa3371e0994833512e3

SHA256
31b3d343a27c9f1cc3fac6072776ae4945de60726a38c9c37acbb1db5d4ea3f3

SHA512
d4f1443ce1cca15c79169fc612307db9c7e0fe669825fac2eb188cbf6785fbd5cca67b8bc10c7ca8d8566c0364f5a5f61ed39cd26e0024751f67f46b2f3645fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2711575.exe

Filesize
18KB

MD5
dd167790108b51d11a2a0ad2c351ebe6

SHA1
4e43d66fd8309fecda5d12c262fa810c0d6372f9

SHA256
18e88f0e7c98efab1d5b92e9efcfb6c0ac03a88a1261671a1d9fa50337e6344a

SHA512
038472729464fb4bdf9556d2a8ced843c56d99db49e05e219244e80bf24f867d0f7c057c0c05c7ee2f61b454f26e1f607147e61891dc79d7919650927cf70cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2711575.exe

Filesize
18KB

MD5
dd167790108b51d11a2a0ad2c351ebe6

SHA1
4e43d66fd8309fecda5d12c262fa810c0d6372f9

SHA256
18e88f0e7c98efab1d5b92e9efcfb6c0ac03a88a1261671a1d9fa50337e6344a

SHA512
038472729464fb4bdf9556d2a8ced843c56d99db49e05e219244e80bf24f867d0f7c057c0c05c7ee2f61b454f26e1f607147e61891dc79d7919650927cf70cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8085285.exe

Filesize
141KB

MD5
15f41b9501f7efa6345940bc8baf9049

SHA1
b2bfe81b650ec84727b76389c38435b25283bbcd

SHA256
1295a8e9ea70846153611572acdde753cdc2d6c3aa7e4053087f578fb2fb1432

SHA512
2fc0f135588b5fa08d7a664dd32a5735762c3e57abdb516030bc70c4de1928522eefe5e01b7fab4067a4aa1ed5ed5dfd6f577d71a3422a3348350c3c365cbdb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8085285.exe

Filesize
141KB

MD5
15f41b9501f7efa6345940bc8baf9049

SHA1
b2bfe81b650ec84727b76389c38435b25283bbcd

SHA256
1295a8e9ea70846153611572acdde753cdc2d6c3aa7e4053087f578fb2fb1432

SHA512
2fc0f135588b5fa08d7a664dd32a5735762c3e57abdb516030bc70c4de1928522eefe5e01b7fab4067a4aa1ed5ed5dfd6f577d71a3422a3348350c3c365cbdb9

Download Submit
memory/2188-46-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/2188-45-0x0000000000B50000-0x0000000000B80000-memory.dmp

Filesize
192KB

Download
memory/2188-47-0x0000000002DC0000-0x0000000002DC6000-memory.dmp

Filesize
24KB

Download
memory/2188-48-0x000000000AF50000-0x000000000B556000-memory.dmp

Filesize
6.0MB

Download
memory/2188-49-0x000000000AAA0000-0x000000000ABAA000-memory.dmp

Filesize
1.0MB

Download
memory/2188-50-0x000000000A9D0000-0x000000000A9E2000-memory.dmp

Filesize
72KB

Download
memory/2188-51-0x000000000AA30000-0x000000000AA6E000-memory.dmp

Filesize
248KB

Download
memory/2188-52-0x000000000ABB0000-0x000000000ABFB000-memory.dmp

Filesize
300KB

Download
memory/2188-53-0x0000000072C90000-0x000000007337E000-memory.dmp

Filesize
6.9MB

Download
memory/3584-38-0x00007FF84E570000-0x00007FF84EF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3584-36-0x00007FF84E570000-0x00007FF84EF5C000-memory.dmp

Filesize
9.9MB

Download
memory/3584-35-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download