healer | 3d5c97ff36b88551a9002a56b8b542f2d4824a87477c8f0bcc394298f73faa69

Analysis

max time kernel
145s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
31/08/2023, 05:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3d5c97ff36b88551a9002a56b8b542f2d4824a87477c8f0bcc394298f73faa69.exe
Size

829KB
MD5

7182a2f60b08040d8a583591c243257b
SHA1

33b7cb25f7fb793358d75d485fef4ebe039acce9
SHA256

3d5c97ff36b88551a9002a56b8b542f2d4824a87477c8f0bcc394298f73faa69
SHA512

831232568e27e1ab8eaff7a3674b62248ee2fd2b2e0412d60ce9aaa61c5af38d86e52323d3022663691c499fedf8d0193ac8db75638af7c9979873c9fdd27e9e
SSDEEP

24576:/yQFIX0BhcAW1bLQ2ROw9TXSck4OxQB4cH:KwIX0B6AW1PQiOIYQuc

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afb9-33.dat	healer
behavioral1/files/0x000700000001afb9-34.dat	healer
behavioral1/memory/4064-35-0x0000000000630000-0x000000000063A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a2827833.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a2827833.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a2827833.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a2827833.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a2827833.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3564	v1761840.exe
4204	v5531290.exe
4844	v0419066.exe
4880	v1760479.exe
4064	a2827833.exe
2492	b8231358.exe
3536	c9237042.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a2827833.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3d5c97ff36b88551a9002a56b8b542f2d4824a87477c8f0bcc394298f73faa69.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1761840.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v5531290.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0419066.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1760479.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4064	a2827833.exe
4064	a2827833.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4064	a2827833.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 3564	816	3d5c97ff36b88551a9002a56b8b542f2d4824a87477c8f0bcc394298f73faa69.exe	69
PID 816 wrote to memory of 3564	816	3d5c97ff36b88551a9002a56b8b542f2d4824a87477c8f0bcc394298f73faa69.exe	69
PID 816 wrote to memory of 3564	816	3d5c97ff36b88551a9002a56b8b542f2d4824a87477c8f0bcc394298f73faa69.exe	69
PID 3564 wrote to memory of 4204	3564	v1761840.exe	70
PID 3564 wrote to memory of 4204	3564	v1761840.exe	70
PID 3564 wrote to memory of 4204	3564	v1761840.exe	70
PID 4204 wrote to memory of 4844	4204	v5531290.exe	71
PID 4204 wrote to memory of 4844	4204	v5531290.exe	71
PID 4204 wrote to memory of 4844	4204	v5531290.exe	71
PID 4844 wrote to memory of 4880	4844	v0419066.exe	72
PID 4844 wrote to memory of 4880	4844	v0419066.exe	72
PID 4844 wrote to memory of 4880	4844	v0419066.exe	72
PID 4880 wrote to memory of 4064	4880	v1760479.exe	73
PID 4880 wrote to memory of 4064	4880	v1760479.exe	73
PID 4880 wrote to memory of 2492	4880	v1760479.exe	74
PID 4880 wrote to memory of 2492	4880	v1760479.exe	74
PID 4880 wrote to memory of 2492	4880	v1760479.exe	74
PID 4844 wrote to memory of 3536	4844	v0419066.exe	75
PID 4844 wrote to memory of 3536	4844	v0419066.exe	75
PID 4844 wrote to memory of 3536	4844	v0419066.exe	75

C:\Users\Admin\AppData\Local\Temp\3d5c97ff36b88551a9002a56b8b542f2d4824a87477c8f0bcc394298f73faa69.exe
"C:\Users\Admin\AppData\Local\Temp\3d5c97ff36b88551a9002a56b8b542f2d4824a87477c8f0bcc394298f73faa69.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1761840.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1761840.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5531290.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5531290.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0419066.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0419066.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4844
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1760479.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1760479.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4880
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2827833.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2827833.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8231358.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8231358.exe
        6⤵
        Executes dropped EXE
        
        PID:2492
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9237042.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9237042.exe
        5⤵
        Executes dropped EXE
        
        PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1761840.exe

Filesize
723KB

MD5
6b74818d9de06b97e87d05ad6bfd5d68

SHA1
e06e501b55af9c983c4d878196210323a79d2f14

SHA256
85b71bda6ab262635ce52a09155364f3a471c8f89b25b191250f7fc7d508788c

SHA512
3949d6cc5d63d862e3cfa5772849a6c890d7c3e007a2cfd8c4f3624d71c42bf89ba98524387c0824f55eb8a736d8e5ab70ac650a84182a180c73ef9580aad35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1761840.exe

Filesize
723KB

MD5
6b74818d9de06b97e87d05ad6bfd5d68

SHA1
e06e501b55af9c983c4d878196210323a79d2f14

SHA256
85b71bda6ab262635ce52a09155364f3a471c8f89b25b191250f7fc7d508788c

SHA512
3949d6cc5d63d862e3cfa5772849a6c890d7c3e007a2cfd8c4f3624d71c42bf89ba98524387c0824f55eb8a736d8e5ab70ac650a84182a180c73ef9580aad35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5531290.exe

Filesize
497KB

MD5
5a93e06140e7996810db55a6e79431e1

SHA1
57db19d7b0e43dd91b5295b77c0d16fa534f3b86

SHA256
1eb7001db3fe3260459cabbb6fe47546e7c26d87e1eb435d3ccf9c6f52b085a1

SHA512
965ac9fa6a45b518c8245c4e1e2da90dc5c98c4564540ab0213a089c80cb5d78805ad9abc450503987c4ceaded013840429b4b7dfbc504517541d456d1519ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v5531290.exe

Filesize
497KB

MD5
5a93e06140e7996810db55a6e79431e1

SHA1
57db19d7b0e43dd91b5295b77c0d16fa534f3b86

SHA256
1eb7001db3fe3260459cabbb6fe47546e7c26d87e1eb435d3ccf9c6f52b085a1

SHA512
965ac9fa6a45b518c8245c4e1e2da90dc5c98c4564540ab0213a089c80cb5d78805ad9abc450503987c4ceaded013840429b4b7dfbc504517541d456d1519ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0419066.exe

Filesize
373KB

MD5
1d770a56a8b0fe7fe62c46e618fc7327

SHA1
848800507abd78e21807ce448c9d1f584a6f21fe

SHA256
12d4f50939275058c83afa5639c12ba37f196200f0bdcd96dd81a61fa36fe5e9

SHA512
7c92f36f19fa33abd9e1c28b5540717d36ff0ad3b6109d34df438d98fbc203eb38636fe7f3e4046fadf7d0ca13a304cb86441df8aa66c54334ff5926b83388d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0419066.exe

Filesize
373KB

MD5
1d770a56a8b0fe7fe62c46e618fc7327

SHA1
848800507abd78e21807ce448c9d1f584a6f21fe

SHA256
12d4f50939275058c83afa5639c12ba37f196200f0bdcd96dd81a61fa36fe5e9

SHA512
7c92f36f19fa33abd9e1c28b5540717d36ff0ad3b6109d34df438d98fbc203eb38636fe7f3e4046fadf7d0ca13a304cb86441df8aa66c54334ff5926b83388d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9237042.exe

Filesize
176KB

MD5
5da833fca24916ee46203dfd48f4441f

SHA1
83a29408a93d69205fc9da40146c8c154580440e

SHA256
bcd8fc530125aaa4b5fdd55f82d5f9a997d6510af4dad1266a0e711ebbe569f1

SHA512
d1d17fead710c0be3012e52d0986fc40496082af4c3950b31188ef3e31529863c5e81d4d48878980a5925010de49c7094f6b4f9581077edc8cb1f6a9bf6106ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c9237042.exe

Filesize
176KB

MD5
5da833fca24916ee46203dfd48f4441f

SHA1
83a29408a93d69205fc9da40146c8c154580440e

SHA256
bcd8fc530125aaa4b5fdd55f82d5f9a997d6510af4dad1266a0e711ebbe569f1

SHA512
d1d17fead710c0be3012e52d0986fc40496082af4c3950b31188ef3e31529863c5e81d4d48878980a5925010de49c7094f6b4f9581077edc8cb1f6a9bf6106ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1760479.exe

Filesize
217KB

MD5
9f6f6e90d0f6f566699e19c73440d9e3

SHA1
eb346209276e98d49db33ec266e516a4e597c585

SHA256
03143956e1d08cfa8cd684788d60ee55a426af188bfcb1196af14346e54fdeb5

SHA512
082c07ecd85aafd8ece738b75374c2c719a8d5e92b669782e8cedff8a436e1fc6230bd1351b05d4a58d59be1bff669ff0df17daaa8654902eee36662edb3a8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1760479.exe

Filesize
217KB

MD5
9f6f6e90d0f6f566699e19c73440d9e3

SHA1
eb346209276e98d49db33ec266e516a4e597c585

SHA256
03143956e1d08cfa8cd684788d60ee55a426af188bfcb1196af14346e54fdeb5

SHA512
082c07ecd85aafd8ece738b75374c2c719a8d5e92b669782e8cedff8a436e1fc6230bd1351b05d4a58d59be1bff669ff0df17daaa8654902eee36662edb3a8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2827833.exe

Filesize
18KB

MD5
4c864da684813b589afc33541b32a717

SHA1
e39a9331386e05487fb2a45d2d3e9b648a88cd95

SHA256
8da7cecff747a63a223f9d382fac5173720042349215bc5debf9b5f3613fccc1

SHA512
048c61bf2f01fc9c1483c6b967bed1533faf2eb564940eefd50397d8dfb883027fb31459ef12d80a06a2700167d9c6a12dd606824d3a2ab29cec2645ccbafad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a2827833.exe

Filesize
18KB

MD5
4c864da684813b589afc33541b32a717

SHA1
e39a9331386e05487fb2a45d2d3e9b648a88cd95

SHA256
8da7cecff747a63a223f9d382fac5173720042349215bc5debf9b5f3613fccc1

SHA512
048c61bf2f01fc9c1483c6b967bed1533faf2eb564940eefd50397d8dfb883027fb31459ef12d80a06a2700167d9c6a12dd606824d3a2ab29cec2645ccbafad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8231358.exe

Filesize
140KB

MD5
191a9eda2e89eaec556e60fb22e791d9

SHA1
5d2f42fbf7bcd6294821967effe41c85473479ed

SHA256
6b0afa6b6c05cb061c479786509825e49eae06db0a43dcb9f4efd0bb4b92b312

SHA512
026e716dac5d0a61019683f3f88bb8f03165c7ad6b2846f8bf6ab28994fc59b0eef6fbedd04ecab48dbc1fdbd423962fb70c666353a3a21c6228fe82ffb5504c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8231358.exe

Filesize
140KB

MD5
191a9eda2e89eaec556e60fb22e791d9

SHA1
5d2f42fbf7bcd6294821967effe41c85473479ed

SHA256
6b0afa6b6c05cb061c479786509825e49eae06db0a43dcb9f4efd0bb4b92b312

SHA512
026e716dac5d0a61019683f3f88bb8f03165c7ad6b2846f8bf6ab28994fc59b0eef6fbedd04ecab48dbc1fdbd423962fb70c666353a3a21c6228fe82ffb5504c

Download Submit
memory/3536-45-0x0000000000770000-0x00000000007A0000-memory.dmp

Filesize
192KB

Download
memory/3536-46-0x0000000072DC0000-0x00000000734AE000-memory.dmp

Filesize
6.9MB

Download
memory/3536-47-0x0000000005030000-0x0000000005036000-memory.dmp

Filesize
24KB

Download
memory/3536-48-0x000000000AA80000-0x000000000B086000-memory.dmp

Filesize
6.0MB

Download
memory/3536-49-0x000000000A580000-0x000000000A68A000-memory.dmp

Filesize
1.0MB

Download
memory/3536-50-0x000000000A4B0000-0x000000000A4C2000-memory.dmp

Filesize
72KB

Download
memory/3536-51-0x000000000A510000-0x000000000A54E000-memory.dmp

Filesize
248KB

Download
memory/3536-52-0x000000000A690000-0x000000000A6DB000-memory.dmp

Filesize
300KB

Download
memory/3536-53-0x0000000072DC0000-0x00000000734AE000-memory.dmp

Filesize
6.9MB

Download
memory/4064-38-0x00007FFB6D010000-0x00007FFB6D9FC000-memory.dmp

Filesize
9.9MB

Download
memory/4064-36-0x00007FFB6D010000-0x00007FFB6D9FC000-memory.dmp

Filesize
9.9MB

Download
memory/4064-35-0x0000000000630000-0x000000000063A000-memory.dmp

Filesize
40KB

Download