healer | c25bb8b0d9f98ef173bb93c87e589431ed7acd884a5192678d72d9122a7d3fa7

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c25bb8b0d9f98ef173bb93c87e589431ed7acd884a5192678d72d9122a7d3fa7.exe
Size

828KB
MD5

d1b5697be6ef4af6f3a8c56fc655116e
SHA1

d02464b0abf4f646a6b91720a553e112d1aa1ffb
SHA256

c25bb8b0d9f98ef173bb93c87e589431ed7acd884a5192678d72d9122a7d3fa7
SHA512

d775b3723e139f5869abeb20402b8da638d8f32c95f6ccf83df74ac092260389c01e133ffa790366fd94c1953fabe867d0bc2db24f49f4d7938e00cbfbae60ac
SSDEEP

12288:+MrPy90r1XY5Ri91+pjGkaJC+h7CQEQjnEQ1cDu/gUkXHKWtlE8H:hyy1r+pG5trbEycrHXKCL

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x00070000000231d3-34.dat	healer
behavioral1/files/0x00070000000231d3-33.dat	healer
behavioral1/memory/3728-35-0x0000000000FC0000-0x0000000000FCA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2470362.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2470362.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a2470362.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2470362.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2470362.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2470362.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
2784	v2338555.exe
636	v3852961.exe
4376	v0962617.exe
3732	v1385854.exe
3728	a2470362.exe
4720	b1603984.exe
1456	c0811624.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2470362.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	c25bb8b0d9f98ef173bb93c87e589431ed7acd884a5192678d72d9122a7d3fa7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v2338555.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v3852961.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0962617.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1385854.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
496	sc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3728	a2470362.exe
3728	a2470362.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3728	a2470362.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2784	1992	c25bb8b0d9f98ef173bb93c87e589431ed7acd884a5192678d72d9122a7d3fa7.exe	82
PID 1992 wrote to memory of 2784	1992	c25bb8b0d9f98ef173bb93c87e589431ed7acd884a5192678d72d9122a7d3fa7.exe	82
PID 1992 wrote to memory of 2784	1992	c25bb8b0d9f98ef173bb93c87e589431ed7acd884a5192678d72d9122a7d3fa7.exe	82
PID 2784 wrote to memory of 636	2784	v2338555.exe	83
PID 2784 wrote to memory of 636	2784	v2338555.exe	83
PID 2784 wrote to memory of 636	2784	v2338555.exe	83
PID 636 wrote to memory of 4376	636	v3852961.exe	84
PID 636 wrote to memory of 4376	636	v3852961.exe	84
PID 636 wrote to memory of 4376	636	v3852961.exe	84
PID 4376 wrote to memory of 3732	4376	v0962617.exe	85
PID 4376 wrote to memory of 3732	4376	v0962617.exe	85
PID 4376 wrote to memory of 3732	4376	v0962617.exe	85
PID 3732 wrote to memory of 3728	3732	v1385854.exe	86
PID 3732 wrote to memory of 3728	3732	v1385854.exe	86
PID 3732 wrote to memory of 4720	3732	v1385854.exe	92
PID 3732 wrote to memory of 4720	3732	v1385854.exe	92
PID 3732 wrote to memory of 4720	3732	v1385854.exe	92
PID 4376 wrote to memory of 1456	4376	v0962617.exe	93
PID 4376 wrote to memory of 1456	4376	v0962617.exe	93
PID 4376 wrote to memory of 1456	4376	v0962617.exe	93

C:\Users\Admin\AppData\Local\Temp\c25bb8b0d9f98ef173bb93c87e589431ed7acd884a5192678d72d9122a7d3fa7.exe
"C:\Users\Admin\AppData\Local\Temp\c25bb8b0d9f98ef173bb93c87e589431ed7acd884a5192678d72d9122a7d3fa7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2338555.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2338555.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3852961.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3852961.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0962617.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0962617.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4376
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1385854.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1385854.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3732
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2470362.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2470362.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1603984.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1603984.exe
        6⤵
        Executes dropped EXE
        
        PID:4720
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0811624.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0811624.exe
        5⤵
        Executes dropped EXE
        
        PID:1456

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
1⤵
- Launches sc.exe
PID:496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2338555.exe

Filesize
722KB

MD5
079455d35a242ce18e23181ec245e260

SHA1
d3b9c502bd134a3886841c784a35df39af2fa560

SHA256
536bc20c2e7d2455d3d0390c4b76297527a6771e134e8757b6e0a03360829742

SHA512
18936f8d15df151380e0f6bbc22906ea55d918d1e24f037c858b36f6c99599a0608046deca9da495a3d09acdf304924198c27ed0434c5ebc95dc4a6695360d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v2338555.exe

Filesize
722KB

MD5
079455d35a242ce18e23181ec245e260

SHA1
d3b9c502bd134a3886841c784a35df39af2fa560

SHA256
536bc20c2e7d2455d3d0390c4b76297527a6771e134e8757b6e0a03360829742

SHA512
18936f8d15df151380e0f6bbc22906ea55d918d1e24f037c858b36f6c99599a0608046deca9da495a3d09acdf304924198c27ed0434c5ebc95dc4a6695360d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3852961.exe

Filesize
497KB

MD5
77970ed74cf94dd04dba8ae8034fbde9

SHA1
665cee1ed6ea76a065b348cc7f43800e2740d700

SHA256
fc8147b5cafa54e4823a0826d7897047dade285350db3b7a7879dc9daae93f9b

SHA512
b143b9e73b9909e40004bfb73bf519d49f1200b4249c80fc24f725ebb31cc4b2403314040edf2eace8343523edcd265102fea5db0d94e0429448137ec6a73144

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v3852961.exe

Filesize
497KB

MD5
77970ed74cf94dd04dba8ae8034fbde9

SHA1
665cee1ed6ea76a065b348cc7f43800e2740d700

SHA256
fc8147b5cafa54e4823a0826d7897047dade285350db3b7a7879dc9daae93f9b

SHA512
b143b9e73b9909e40004bfb73bf519d49f1200b4249c80fc24f725ebb31cc4b2403314040edf2eace8343523edcd265102fea5db0d94e0429448137ec6a73144

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0962617.exe

Filesize
372KB

MD5
d68fe287ff417730118f914c675965af

SHA1
791ffc53d29868b4a86fb7efe85f713191872db0

SHA256
68f517010c518c05d1666a4fbbd69fe52a20a26216adbe2927ecbb9f9d92fa07

SHA512
0e90d6f525ffecf69635bb1bca60d3b72411ac36748dd2dcc67764b709e742449fa5e6451020a08a5fcf3e0d739e41544046c38cb73b5f55a629b2193988e448

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0962617.exe

Filesize
372KB

MD5
d68fe287ff417730118f914c675965af

SHA1
791ffc53d29868b4a86fb7efe85f713191872db0

SHA256
68f517010c518c05d1666a4fbbd69fe52a20a26216adbe2927ecbb9f9d92fa07

SHA512
0e90d6f525ffecf69635bb1bca60d3b72411ac36748dd2dcc67764b709e742449fa5e6451020a08a5fcf3e0d739e41544046c38cb73b5f55a629b2193988e448

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0811624.exe

Filesize
175KB

MD5
a534419bc7366b3602dfafff4bd49075

SHA1
57d9ed525045f12f612a6facac584cbcbd03dff0

SHA256
6cd0b74755004b1a305c38d4bd8a84898cf409a6803d10510e07d2bbc6b29d80

SHA512
62a8c938cb210cabf4180c0341e5fca436231c25c984dd6ba7dc12c7c89b159087b279a07efd592f98dccee1aacb076287f600da22bdaaa96db15d4a91c8c3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0811624.exe

Filesize
175KB

MD5
a534419bc7366b3602dfafff4bd49075

SHA1
57d9ed525045f12f612a6facac584cbcbd03dff0

SHA256
6cd0b74755004b1a305c38d4bd8a84898cf409a6803d10510e07d2bbc6b29d80

SHA512
62a8c938cb210cabf4180c0341e5fca436231c25c984dd6ba7dc12c7c89b159087b279a07efd592f98dccee1aacb076287f600da22bdaaa96db15d4a91c8c3cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1385854.exe

Filesize
217KB

MD5
c54ce69593457fe594ec695a1f5688d0

SHA1
03770793a807dfa54cb0a5bfd37bedf0a2f0d1df

SHA256
685113e501fb885566a1c758ac6b13c0388543077925c83f974548b88745f72b

SHA512
7eda7dd589d44ee623c811970036d78d48ca347207f765312247d9ba94b914ee4a043b5081e27ae8d5b618b9057ed1b69e619a40678b7bb174c0119745a2bfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1385854.exe

Filesize
217KB

MD5
c54ce69593457fe594ec695a1f5688d0

SHA1
03770793a807dfa54cb0a5bfd37bedf0a2f0d1df

SHA256
685113e501fb885566a1c758ac6b13c0388543077925c83f974548b88745f72b

SHA512
7eda7dd589d44ee623c811970036d78d48ca347207f765312247d9ba94b914ee4a043b5081e27ae8d5b618b9057ed1b69e619a40678b7bb174c0119745a2bfdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2470362.exe

Filesize
18KB

MD5
96485607a6b6df4c7f35681b8fdfc4d5

SHA1
59be754c564334ddd5260fe215354489fcd21abc

SHA256
68662c02f4c93c717b7d2fb3805fa9fc8ca405328080ab541e2cd660c347167d

SHA512
7d891d028427b06405769b8efcf7c4f41de82a45afbc4067faa1ea0b43d0de3efc6230525ea98c6529c599c63287135c08389584228c5e1d2fdd739b1f4c8478

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2470362.exe

Filesize
18KB

MD5
96485607a6b6df4c7f35681b8fdfc4d5

SHA1
59be754c564334ddd5260fe215354489fcd21abc

SHA256
68662c02f4c93c717b7d2fb3805fa9fc8ca405328080ab541e2cd660c347167d

SHA512
7d891d028427b06405769b8efcf7c4f41de82a45afbc4067faa1ea0b43d0de3efc6230525ea98c6529c599c63287135c08389584228c5e1d2fdd739b1f4c8478

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1603984.exe

Filesize
140KB

MD5
50384f209c1d7f50385933d842483c0e

SHA1
087e6d8ea486c1cd6e0f96360e2f63269e9a2b6b

SHA256
7276ee1449c9fefaf4a675e2e8812f52132963cbfb65b8817630fc4e29811ec8

SHA512
fb65806c68f233683955e09c5d1a3f4b8bffd4c77db1aca1870dabc1a1c34508b72e41605fb016a4ae1ab55c3010d8989fea9bdceb86bba892f1ef2004ad26d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b1603984.exe

Filesize
140KB

MD5
50384f209c1d7f50385933d842483c0e

SHA1
087e6d8ea486c1cd6e0f96360e2f63269e9a2b6b

SHA256
7276ee1449c9fefaf4a675e2e8812f52132963cbfb65b8817630fc4e29811ec8

SHA512
fb65806c68f233683955e09c5d1a3f4b8bffd4c77db1aca1870dabc1a1c34508b72e41605fb016a4ae1ab55c3010d8989fea9bdceb86bba892f1ef2004ad26d1

Download Submit
memory/1456-46-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/1456-45-0x0000000000DB0000-0x0000000000DE0000-memory.dmp

Filesize
192KB

Download
memory/1456-47-0x0000000005EE0000-0x00000000064F8000-memory.dmp

Filesize
6.1MB

Download
memory/1456-48-0x00000000059D0000-0x0000000005ADA000-memory.dmp

Filesize
1.0MB

Download
memory/1456-50-0x0000000005870000-0x0000000005882000-memory.dmp

Filesize
72KB

Download
memory/1456-49-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/1456-51-0x0000000005900000-0x000000000593C000-memory.dmp

Filesize
240KB

Download
memory/1456-52-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/1456-53-0x00000000058B0000-0x00000000058C0000-memory.dmp

Filesize
64KB

Download
memory/3728-38-0x00007FFA1AC10000-0x00007FFA1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-36-0x00007FFA1AC10000-0x00007FFA1B6D1000-memory.dmp

Filesize
10.8MB

Download
memory/3728-35-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

Filesize
40KB

Download