healer | 787d60dab5879f2702243e0efe08eca04442cd5343475d8199499eacb4ac370e

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

787d60dab5879f2702243e0efe08eca04442cd5343475d8199499eacb4ac370e.exe
Size

828KB
MD5

28587527f31ab99bb8ae7dbb85945d46
SHA1

b9f02eb02b4dc4142e464484053ed6669337d2ee
SHA256

787d60dab5879f2702243e0efe08eca04442cd5343475d8199499eacb4ac370e
SHA512

0f2b808f17ea62ec8d37723287fb542d43690dbda3b496e419c2235d34524d942b99fbb4f20dc01c3f5084c40e191541acd3991b62037fa018bb97e97432526f
SSDEEP

24576:yy2MXC8ZbUWQSyiBdG1YRaFNAvlM5zosivwV:Z2spPQS2YSNANqZO

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000023229-33.dat	healer
behavioral1/files/0x0008000000023229-34.dat	healer
behavioral1/memory/568-35-0x0000000000DE0000-0x0000000000DEA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a9092945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9092945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9092945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9092945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9092945.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9092945.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3356	v4083439.exe
4072	v6784805.exe
820	v6536620.exe
2344	v9603816.exe
568	a9092945.exe
2888	b2809719.exe
3252	c7221269.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9092945.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6536620.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v9603816.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	787d60dab5879f2702243e0efe08eca04442cd5343475d8199499eacb4ac370e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4083439.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6784805.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
568	a9092945.exe
568	a9092945.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	568	a9092945.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 3356	2220	787d60dab5879f2702243e0efe08eca04442cd5343475d8199499eacb4ac370e.exe	81
PID 2220 wrote to memory of 3356	2220	787d60dab5879f2702243e0efe08eca04442cd5343475d8199499eacb4ac370e.exe	81
PID 2220 wrote to memory of 3356	2220	787d60dab5879f2702243e0efe08eca04442cd5343475d8199499eacb4ac370e.exe	81
PID 3356 wrote to memory of 4072	3356	v4083439.exe	82
PID 3356 wrote to memory of 4072	3356	v4083439.exe	82
PID 3356 wrote to memory of 4072	3356	v4083439.exe	82
PID 4072 wrote to memory of 820	4072	v6784805.exe	83
PID 4072 wrote to memory of 820	4072	v6784805.exe	83
PID 4072 wrote to memory of 820	4072	v6784805.exe	83
PID 820 wrote to memory of 2344	820	v6536620.exe	84
PID 820 wrote to memory of 2344	820	v6536620.exe	84
PID 820 wrote to memory of 2344	820	v6536620.exe	84
PID 2344 wrote to memory of 568	2344	v9603816.exe	85
PID 2344 wrote to memory of 568	2344	v9603816.exe	85
PID 2344 wrote to memory of 2888	2344	v9603816.exe	90
PID 2344 wrote to memory of 2888	2344	v9603816.exe	90
PID 2344 wrote to memory of 2888	2344	v9603816.exe	90
PID 820 wrote to memory of 3252	820	v6536620.exe	91
PID 820 wrote to memory of 3252	820	v6536620.exe	91
PID 820 wrote to memory of 3252	820	v6536620.exe	91

C:\Users\Admin\AppData\Local\Temp\787d60dab5879f2702243e0efe08eca04442cd5343475d8199499eacb4ac370e.exe
"C:\Users\Admin\AppData\Local\Temp\787d60dab5879f2702243e0efe08eca04442cd5343475d8199499eacb4ac370e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4083439.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4083439.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3356
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6784805.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6784805.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6536620.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6536620.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:820
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9603816.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9603816.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9092945.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9092945.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2809719.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2809719.exe
        6⤵
        Executes dropped EXE
        
        PID:2888
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7221269.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7221269.exe
        5⤵
        Executes dropped EXE
        
        PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4083439.exe

Filesize
723KB

MD5
2de4d70aeb5682952b6a880ba8b01a79

SHA1
9384f6da2f8864dbea702a7ea681b947a9d8aace

SHA256
6eb641dd98db02f0c644a05f8874971c2348fd0ed0e0007a4061e42f52c4e082

SHA512
50987ecca3f06d56a476109d9e53a1b08552e39bfe0cf7b9fc462bb5fcc065a108bc7b219a428ba386819a9c0a02f4c18629800d9fcae6e41db4547eb13aeccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4083439.exe

Filesize
723KB

MD5
2de4d70aeb5682952b6a880ba8b01a79

SHA1
9384f6da2f8864dbea702a7ea681b947a9d8aace

SHA256
6eb641dd98db02f0c644a05f8874971c2348fd0ed0e0007a4061e42f52c4e082

SHA512
50987ecca3f06d56a476109d9e53a1b08552e39bfe0cf7b9fc462bb5fcc065a108bc7b219a428ba386819a9c0a02f4c18629800d9fcae6e41db4547eb13aeccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6784805.exe

Filesize
497KB

MD5
4f305158faa3bf9da213dbe921e07e49

SHA1
84b1b1f63be23bb41548670827c3d0b6fa2ab0b5

SHA256
5d4f1d37ea957892adcf08229b5b5f55832f26387603fe986df5456a560e66a6

SHA512
3f6e5bf7c1ddf0e9a4e2e3d8711066c2fa0edefa860b94819fcba4a4efbd24d520fc6880431a59db834cb8327193102e84ecdc1bbcee016eeac6421b3752a208

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6784805.exe

Filesize
497KB

MD5
4f305158faa3bf9da213dbe921e07e49

SHA1
84b1b1f63be23bb41548670827c3d0b6fa2ab0b5

SHA256
5d4f1d37ea957892adcf08229b5b5f55832f26387603fe986df5456a560e66a6

SHA512
3f6e5bf7c1ddf0e9a4e2e3d8711066c2fa0edefa860b94819fcba4a4efbd24d520fc6880431a59db834cb8327193102e84ecdc1bbcee016eeac6421b3752a208

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6536620.exe

Filesize
372KB

MD5
3c1637d8ed82053f2edb117e85ad96ed

SHA1
07a72750a322eff2f590f5b91f7441b34c7351de

SHA256
8b04aa7e3f322acedd7565286cdaa4e43f960812f1744987b01c50352d4c0950

SHA512
4520f7c421fe16434ada5eefd68ae25b31883aa4e06161074c0f62f88cb3a2a168ec9d12cd9fe5a632c95d1a4dc4679ac29814922381ebe3ad9c678e5f7fadfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6536620.exe

Filesize
372KB

MD5
3c1637d8ed82053f2edb117e85ad96ed

SHA1
07a72750a322eff2f590f5b91f7441b34c7351de

SHA256
8b04aa7e3f322acedd7565286cdaa4e43f960812f1744987b01c50352d4c0950

SHA512
4520f7c421fe16434ada5eefd68ae25b31883aa4e06161074c0f62f88cb3a2a168ec9d12cd9fe5a632c95d1a4dc4679ac29814922381ebe3ad9c678e5f7fadfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7221269.exe

Filesize
175KB

MD5
0f9e93f835fd3662590fde0d4164dde6

SHA1
2588391dcb9605d8511342943116fe5bc16af0ee

SHA256
75022d379892fd1ee7ef860cc437a8004fa3f875e955b3e76185601bcc0fe62f

SHA512
e232989d0e2077fac862dd09320ff04792761e7a421a8ca36b873e0834768ad88fbe5a3f1c2548b26efcca1589def57d851cbd68f0ca99d0412d99c7cb91079d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7221269.exe

Filesize
175KB

MD5
0f9e93f835fd3662590fde0d4164dde6

SHA1
2588391dcb9605d8511342943116fe5bc16af0ee

SHA256
75022d379892fd1ee7ef860cc437a8004fa3f875e955b3e76185601bcc0fe62f

SHA512
e232989d0e2077fac862dd09320ff04792761e7a421a8ca36b873e0834768ad88fbe5a3f1c2548b26efcca1589def57d851cbd68f0ca99d0412d99c7cb91079d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9603816.exe

Filesize
217KB

MD5
727d3564e638eb934a310c82b3c17dab

SHA1
6fd746376e23fd4abef8d1fe18528933df6ad67c

SHA256
eb929b1c53bbf0a9cf38ede216022184a822e35f9718f6f687ea880ebd113453

SHA512
5ac857ff7ebdab9d8a738e1874d377c5babda7a3e2c97277cf5b36bd64f9a5e042c667215a4d8e95c6d3631530a3d1888c55dc2a5d8a3045e9ffbe3633383e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v9603816.exe

Filesize
217KB

MD5
727d3564e638eb934a310c82b3c17dab

SHA1
6fd746376e23fd4abef8d1fe18528933df6ad67c

SHA256
eb929b1c53bbf0a9cf38ede216022184a822e35f9718f6f687ea880ebd113453

SHA512
5ac857ff7ebdab9d8a738e1874d377c5babda7a3e2c97277cf5b36bd64f9a5e042c667215a4d8e95c6d3631530a3d1888c55dc2a5d8a3045e9ffbe3633383e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9092945.exe

Filesize
18KB

MD5
f3b59dd420a7548c32f029c85cacb664

SHA1
d7fef6b6f906ae5bcddae14ad6e0a25ed1275e8d

SHA256
05d7c98b5538a4bd945c4a6132c5f7ab06ddae6feff6fe8dc634306139e80ac5

SHA512
eab743a3d7ed5ee4f6d5152a7adac0a2db966d2b78c89afe1681c719db8d398432d8d47a38cb4b1642a781be6db3675e6ee23eae2b0c23b4b4cf916e90593848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9092945.exe

Filesize
18KB

MD5
f3b59dd420a7548c32f029c85cacb664

SHA1
d7fef6b6f906ae5bcddae14ad6e0a25ed1275e8d

SHA256
05d7c98b5538a4bd945c4a6132c5f7ab06ddae6feff6fe8dc634306139e80ac5

SHA512
eab743a3d7ed5ee4f6d5152a7adac0a2db966d2b78c89afe1681c719db8d398432d8d47a38cb4b1642a781be6db3675e6ee23eae2b0c23b4b4cf916e90593848

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2809719.exe

Filesize
141KB

MD5
c7d256f20a1a0ab76d05f792c75dfb21

SHA1
75155fdd07c09553f3bd7c2857576da5a90ce3f3

SHA256
97bdf4f8243f9f02d3bfbce231396d4a1c9db25320fd21147e00c3d79aad3309

SHA512
b4497e9dc2b174372e077df5e0424c73898c53665782eda5ed6a1f299818bc53beb566deabaf34405a8f003007610b7c8823aa2e9a6cb5a4804a49450ea05c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b2809719.exe

Filesize
141KB

MD5
c7d256f20a1a0ab76d05f792c75dfb21

SHA1
75155fdd07c09553f3bd7c2857576da5a90ce3f3

SHA256
97bdf4f8243f9f02d3bfbce231396d4a1c9db25320fd21147e00c3d79aad3309

SHA512
b4497e9dc2b174372e077df5e0424c73898c53665782eda5ed6a1f299818bc53beb566deabaf34405a8f003007610b7c8823aa2e9a6cb5a4804a49450ea05c28

Download Submit
memory/568-38-0x00007FF914D40000-0x00007FF915801000-memory.dmp

Filesize
10.8MB

Download
memory/568-36-0x00007FF914D40000-0x00007FF915801000-memory.dmp

Filesize
10.8MB

Download
memory/568-35-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/3252-45-0x0000000000750000-0x0000000000780000-memory.dmp

Filesize
192KB

Download
memory/3252-46-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3252-47-0x000000000ABC0000-0x000000000B1D8000-memory.dmp

Filesize
6.1MB

Download
memory/3252-48-0x000000000A700000-0x000000000A80A000-memory.dmp

Filesize
1.0MB

Download
memory/3252-49-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/3252-50-0x000000000A640000-0x000000000A652000-memory.dmp

Filesize
72KB

Download
memory/3252-51-0x000000000A6A0000-0x000000000A6DC000-memory.dmp

Filesize
240KB

Download
memory/3252-52-0x0000000074760000-0x0000000074F10000-memory.dmp

Filesize
7.7MB

Download
memory/3252-53-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download