healer | 53283b806a423a5fc909fe35234b7c5f4a650a8676efacaa9dd3621fab69b4db

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53283b806a423a5fc909fe35234b7c5f4a650a8676efacaa9dd3621fab69b4db.exe
Size

929KB
MD5

2374304c8b913b85471f265eff608395
SHA1

4c084bfe25741b49dc120d621e1227d48a8edd69
SHA256

53283b806a423a5fc909fe35234b7c5f4a650a8676efacaa9dd3621fab69b4db
SHA512

9ad59ff82344ebd175f69b7dea7764dd5bcd28facaf17a2192d6ebfedd2ba4694d4cd9073aa0aa28fda73b6b220f0200403e611d5de7c834c7785c6b10452802
SSDEEP

24576:jyaBVHFS8TXCR6IeYkigW9ssbXQUuhgB:2a7LaeY1gEssTQU

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000a0000000231e4-34.dat	healer
behavioral1/files/0x000a0000000231e4-33.dat	healer
behavioral1/memory/4984-35-0x00000000005C0000-0x00000000005CA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q2279281.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q2279281.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q2279281.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q2279281.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q2279281.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q2279281.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
1148	z6163704.exe
4976	z9738360.exe
2060	z5668712.exe
2816	z4412704.exe
4984	q2279281.exe
3636	r5141111.exe
4800	s3594883.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q2279281.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z4412704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	53283b806a423a5fc909fe35234b7c5f4a650a8676efacaa9dd3621fab69b4db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z6163704.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z9738360.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5668712.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4984	q2279281.exe
4984	q2279281.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4984	q2279281.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 1148	4852	53283b806a423a5fc909fe35234b7c5f4a650a8676efacaa9dd3621fab69b4db.exe	82
PID 4852 wrote to memory of 1148	4852	53283b806a423a5fc909fe35234b7c5f4a650a8676efacaa9dd3621fab69b4db.exe	82
PID 4852 wrote to memory of 1148	4852	53283b806a423a5fc909fe35234b7c5f4a650a8676efacaa9dd3621fab69b4db.exe	82
PID 1148 wrote to memory of 4976	1148	z6163704.exe	83
PID 1148 wrote to memory of 4976	1148	z6163704.exe	83
PID 1148 wrote to memory of 4976	1148	z6163704.exe	83
PID 4976 wrote to memory of 2060	4976	z9738360.exe	84
PID 4976 wrote to memory of 2060	4976	z9738360.exe	84
PID 4976 wrote to memory of 2060	4976	z9738360.exe	84
PID 2060 wrote to memory of 2816	2060	z5668712.exe	85
PID 2060 wrote to memory of 2816	2060	z5668712.exe	85
PID 2060 wrote to memory of 2816	2060	z5668712.exe	85
PID 2816 wrote to memory of 4984	2816	z4412704.exe	86
PID 2816 wrote to memory of 4984	2816	z4412704.exe	86
PID 2816 wrote to memory of 3636	2816	z4412704.exe	92
PID 2816 wrote to memory of 3636	2816	z4412704.exe	92
PID 2816 wrote to memory of 3636	2816	z4412704.exe	92
PID 2060 wrote to memory of 4800	2060	z5668712.exe	93
PID 2060 wrote to memory of 4800	2060	z5668712.exe	93
PID 2060 wrote to memory of 4800	2060	z5668712.exe	93

C:\Users\Admin\AppData\Local\Temp\53283b806a423a5fc909fe35234b7c5f4a650a8676efacaa9dd3621fab69b4db.exe
"C:\Users\Admin\AppData\Local\Temp\53283b806a423a5fc909fe35234b7c5f4a650a8676efacaa9dd3621fab69b4db.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6163704.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6163704.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1148
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9738360.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9738360.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5668712.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5668712.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2060
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4412704.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4412704.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2279281.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2279281.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5141111.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5141111.exe
        6⤵
        Executes dropped EXE
        
        PID:3636
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3594883.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3594883.exe
        5⤵
        Executes dropped EXE
        
        PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6163704.exe

Filesize
824KB

MD5
772f4481a557a362710f7592c79aa274

SHA1
7e6d78cd0a15a35f3e4d9186485ef901ca37a48d

SHA256
b7549fe10e393eb81fcc4189504974408cc9275f1eab82ca2a344f0b94344968

SHA512
f188aab450abff433b899cdb9a8ed3526b55020bf1badac26403bcc4237b311d79808cf10194efd90007ce431dce30b418746c20b4209b6be45e6f87f91245aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z6163704.exe

Filesize
824KB

MD5
772f4481a557a362710f7592c79aa274

SHA1
7e6d78cd0a15a35f3e4d9186485ef901ca37a48d

SHA256
b7549fe10e393eb81fcc4189504974408cc9275f1eab82ca2a344f0b94344968

SHA512
f188aab450abff433b899cdb9a8ed3526b55020bf1badac26403bcc4237b311d79808cf10194efd90007ce431dce30b418746c20b4209b6be45e6f87f91245aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9738360.exe

Filesize
598KB

MD5
d48c72314a5df32cc475dfbfdb9f880c

SHA1
33e45149e60b9ee84d5e03ad8cf863889104b3a6

SHA256
18980a53d4c4d53153c40c08c24c690f91ba6345518a863b2a9037a7c1692884

SHA512
bc40e1ead6ecc27108502067c461c81f26730711d207b565012c6e6ae9bf6a1ae5faba5f5d4f536278303962147c0849b7a08e2d87fa52f5b18845776a2256cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z9738360.exe

Filesize
598KB

MD5
d48c72314a5df32cc475dfbfdb9f880c

SHA1
33e45149e60b9ee84d5e03ad8cf863889104b3a6

SHA256
18980a53d4c4d53153c40c08c24c690f91ba6345518a863b2a9037a7c1692884

SHA512
bc40e1ead6ecc27108502067c461c81f26730711d207b565012c6e6ae9bf6a1ae5faba5f5d4f536278303962147c0849b7a08e2d87fa52f5b18845776a2256cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5668712.exe

Filesize
372KB

MD5
a9062b969042128144c9df782dcccb21

SHA1
5eb15f638e60cc4fe2c91385fb1c30ee698a73ae

SHA256
c63c44854f24dc9f6c77ab0b91f23d040000a6cb7001d9c4a53f427bb33cf75d

SHA512
a2feb188bc8e33d3746ad70f8e3739532fd3aec56c8d2d967a59bf4e78b78f0e2e6deb39a32d1081d50c16757bd9a6c5f6adff46119b4f0ec3fd096d120ef209

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5668712.exe

Filesize
372KB

MD5
a9062b969042128144c9df782dcccb21

SHA1
5eb15f638e60cc4fe2c91385fb1c30ee698a73ae

SHA256
c63c44854f24dc9f6c77ab0b91f23d040000a6cb7001d9c4a53f427bb33cf75d

SHA512
a2feb188bc8e33d3746ad70f8e3739532fd3aec56c8d2d967a59bf4e78b78f0e2e6deb39a32d1081d50c16757bd9a6c5f6adff46119b4f0ec3fd096d120ef209

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3594883.exe

Filesize
176KB

MD5
8eeff21cfcf8273457d1c0da99cb11cc

SHA1
79a88862baebc646d60bdeb8d7914cd541cb0c34

SHA256
5769096aac6cf47972d3c917c3a03cdd025816a64d363012ad16d74d8ea46b51

SHA512
949f80e1b1cf9f2ecdb86b0a45d75a2963e40e33f25d27d3fbea7fa8d43e2f79c0a3cb959a7156d721a71bc9fc0931a2df6a77214c689d14d4bfeb336fd4cda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3594883.exe

Filesize
176KB

MD5
8eeff21cfcf8273457d1c0da99cb11cc

SHA1
79a88862baebc646d60bdeb8d7914cd541cb0c34

SHA256
5769096aac6cf47972d3c917c3a03cdd025816a64d363012ad16d74d8ea46b51

SHA512
949f80e1b1cf9f2ecdb86b0a45d75a2963e40e33f25d27d3fbea7fa8d43e2f79c0a3cb959a7156d721a71bc9fc0931a2df6a77214c689d14d4bfeb336fd4cda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4412704.exe

Filesize
217KB

MD5
03b38746916dd3482e1b5adfb1c1429a

SHA1
d9b176bf5e6dde0e02d5de9909d19ca1d4d0005f

SHA256
1fef917a22ba99a4bb2c47e177c980b11c79736a1679ecc6a276fb3486496097

SHA512
13f37eff1b8be49e969a40ade0d132cbcfe66607d7e8fc89372bf3d51ccba1b62f9fa2c12c0d5a262e4dbcba4fc866093efde9336971514c7e4e56cee16ca926

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z4412704.exe

Filesize
217KB

MD5
03b38746916dd3482e1b5adfb1c1429a

SHA1
d9b176bf5e6dde0e02d5de9909d19ca1d4d0005f

SHA256
1fef917a22ba99a4bb2c47e177c980b11c79736a1679ecc6a276fb3486496097

SHA512
13f37eff1b8be49e969a40ade0d132cbcfe66607d7e8fc89372bf3d51ccba1b62f9fa2c12c0d5a262e4dbcba4fc866093efde9336971514c7e4e56cee16ca926

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2279281.exe

Filesize
18KB

MD5
9175676dd25b77b26ff5964b682996a5

SHA1
2265b279d381084f6a28ff98fde359289bb74fe2

SHA256
13294c34b8b304947d557c49d17cea24a910c32cd351710e6520961e037ba662

SHA512
823c81eea334153a7403841ec4c2ab7363578b4d860694cd99684ace43d79dbe31e3b9816076a943c074e97b857673f48890703f43bd226a7b476bfc41ba283a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q2279281.exe

Filesize
18KB

MD5
9175676dd25b77b26ff5964b682996a5

SHA1
2265b279d381084f6a28ff98fde359289bb74fe2

SHA256
13294c34b8b304947d557c49d17cea24a910c32cd351710e6520961e037ba662

SHA512
823c81eea334153a7403841ec4c2ab7363578b4d860694cd99684ace43d79dbe31e3b9816076a943c074e97b857673f48890703f43bd226a7b476bfc41ba283a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5141111.exe

Filesize
140KB

MD5
1dbf8e0d368e148523d4607fc93a7cdb

SHA1
5bf6f0d380d7c8eb98ba2d9ac493e182bc072fd0

SHA256
ed9e93c860a8f83111db6b297206db6044ec4027ace0f29e6ac4dd1d6ba8d78b

SHA512
2ff3c2d37c981bc94c6bef6aace4b585785f08bd19ecf318c84b652fbfac3cde14457b3e9d7e85831d8cb349f7b6ac285f0cf45e56b13b7eb50cf7f5d16bd0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r5141111.exe

Filesize
140KB

MD5
1dbf8e0d368e148523d4607fc93a7cdb

SHA1
5bf6f0d380d7c8eb98ba2d9ac493e182bc072fd0

SHA256
ed9e93c860a8f83111db6b297206db6044ec4027ace0f29e6ac4dd1d6ba8d78b

SHA512
2ff3c2d37c981bc94c6bef6aace4b585785f08bd19ecf318c84b652fbfac3cde14457b3e9d7e85831d8cb349f7b6ac285f0cf45e56b13b7eb50cf7f5d16bd0fe

Download Submit
memory/4800-46-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4800-45-0x00000000006E0000-0x0000000000710000-memory.dmp

Filesize
192KB

Download
memory/4800-47-0x0000000005800000-0x0000000005E18000-memory.dmp

Filesize
6.1MB

Download
memory/4800-48-0x00000000052F0000-0x00000000053FA000-memory.dmp

Filesize
1.0MB

Download
memory/4800-50-0x00000000050A0000-0x00000000050B2000-memory.dmp

Filesize
72KB

Download
memory/4800-49-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4800-51-0x0000000005220000-0x000000000525C000-memory.dmp

Filesize
240KB

Download
memory/4800-52-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/4800-53-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/4984-38-0x00007FFF63CB0000-0x00007FFF64771000-memory.dmp

Filesize
10.8MB

Download
memory/4984-36-0x00007FFF63CB0000-0x00007FFF64771000-memory.dmp

Filesize
10.8MB

Download
memory/4984-35-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download