healer | f6157c064ecddee58a9650d1912c9b7f143b389121016aaf35ea56386b28a1dd

Analysis

max time kernel
146s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
31/08/2023, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6157c064ecddee58a9650d1912c9b7f143b389121016aaf35ea56386b28a1dd.exe
Size

930KB
MD5

be74152fea77c8c16369379ca5897b8e
SHA1

d90a68fbfeef87f426ece1b534f8330e56346eb3
SHA256

f6157c064ecddee58a9650d1912c9b7f143b389121016aaf35ea56386b28a1dd
SHA512

0c0fc58a8d289a025c6dc329d3673bf93583f328502e5e070b5a90064e2f77a43b6ffead9ba64c564abd235e1fe273944f0c6dc48169d8a5901d186ac3995193
SSDEEP

24576:/yHIRlA5c4ShnISiq7Kc7EdBm3Ax0woJbGhIm:KuAe9nracmBm3NwkG

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afb9-33.dat	healer
behavioral1/files/0x000700000001afb9-34.dat	healer
behavioral1/memory/4076-35-0x00000000003E0000-0x00000000003EA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q9567878.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q9567878.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q9567878.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q9567878.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q9567878.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4192	z1297750.exe
4912	z0113977.exe
3996	z5454327.exe
1492	z1523168.exe
4076	q9567878.exe
1716	r7809121.exe
4164	s6520956.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q9567878.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5454327.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z1523168.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	f6157c064ecddee58a9650d1912c9b7f143b389121016aaf35ea56386b28a1dd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z1297750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z0113977.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4076	q9567878.exe
4076	q9567878.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	q9567878.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 4192	748	f6157c064ecddee58a9650d1912c9b7f143b389121016aaf35ea56386b28a1dd.exe	69
PID 748 wrote to memory of 4192	748	f6157c064ecddee58a9650d1912c9b7f143b389121016aaf35ea56386b28a1dd.exe	69
PID 748 wrote to memory of 4192	748	f6157c064ecddee58a9650d1912c9b7f143b389121016aaf35ea56386b28a1dd.exe	69
PID 4192 wrote to memory of 4912	4192	z1297750.exe	70
PID 4192 wrote to memory of 4912	4192	z1297750.exe	70
PID 4192 wrote to memory of 4912	4192	z1297750.exe	70
PID 4912 wrote to memory of 3996	4912	z0113977.exe	71
PID 4912 wrote to memory of 3996	4912	z0113977.exe	71
PID 4912 wrote to memory of 3996	4912	z0113977.exe	71
PID 3996 wrote to memory of 1492	3996	z5454327.exe	72
PID 3996 wrote to memory of 1492	3996	z5454327.exe	72
PID 3996 wrote to memory of 1492	3996	z5454327.exe	72
PID 1492 wrote to memory of 4076	1492	z1523168.exe	73
PID 1492 wrote to memory of 4076	1492	z1523168.exe	73
PID 1492 wrote to memory of 1716	1492	z1523168.exe	74
PID 1492 wrote to memory of 1716	1492	z1523168.exe	74
PID 1492 wrote to memory of 1716	1492	z1523168.exe	74
PID 3996 wrote to memory of 4164	3996	z5454327.exe	75
PID 3996 wrote to memory of 4164	3996	z5454327.exe	75
PID 3996 wrote to memory of 4164	3996	z5454327.exe	75

C:\Users\Admin\AppData\Local\Temp\f6157c064ecddee58a9650d1912c9b7f143b389121016aaf35ea56386b28a1dd.exe
"C:\Users\Admin\AppData\Local\Temp\f6157c064ecddee58a9650d1912c9b7f143b389121016aaf35ea56386b28a1dd.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:748
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1297750.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1297750.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0113977.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0113977.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5454327.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5454327.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1523168.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1523168.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9567878.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9567878.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4076
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7809121.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7809121.exe
        6⤵
        Executes dropped EXE
        
        PID:1716
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6520956.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6520956.exe
        5⤵
        Executes dropped EXE
        
        PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1297750.exe

Filesize
824KB

MD5
45d8078fcab5fbce097ca59b945deebe

SHA1
0f3a7135bf136d34bced861f9a482460405d40a6

SHA256
6a70f5b04eac97f90704301a06b6ee831c320d373ecf43f2fa9440324c56c33c

SHA512
71a5728ca828446ac683324498c34d516ad14cfc1a65f434a807ce435c200eb1d21640e0225ba6298c0edfed7d54f763e3f67338ba60f9a999542b6502f33ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1297750.exe

Filesize
824KB

MD5
45d8078fcab5fbce097ca59b945deebe

SHA1
0f3a7135bf136d34bced861f9a482460405d40a6

SHA256
6a70f5b04eac97f90704301a06b6ee831c320d373ecf43f2fa9440324c56c33c

SHA512
71a5728ca828446ac683324498c34d516ad14cfc1a65f434a807ce435c200eb1d21640e0225ba6298c0edfed7d54f763e3f67338ba60f9a999542b6502f33ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0113977.exe

Filesize
598KB

MD5
fa4ce30413f8bd17721820ea8fbcc6bd

SHA1
f61dcda061208ff66d3c37c57ce0c36b30ff358e

SHA256
71bf191a8afda357d4c0b81d63c23e39964351a3f61443b945b89959e84cfdb9

SHA512
a1ae16d01d560b04465cfa8aa1e93aeed86a8e9a4c5edcedc2d8e9c3c00c2d3c8d860e2b8ba369a40d751ad2e5cd86e9178f975183226c89f5dc9e699c6a9cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z0113977.exe

Filesize
598KB

MD5
fa4ce30413f8bd17721820ea8fbcc6bd

SHA1
f61dcda061208ff66d3c37c57ce0c36b30ff358e

SHA256
71bf191a8afda357d4c0b81d63c23e39964351a3f61443b945b89959e84cfdb9

SHA512
a1ae16d01d560b04465cfa8aa1e93aeed86a8e9a4c5edcedc2d8e9c3c00c2d3c8d860e2b8ba369a40d751ad2e5cd86e9178f975183226c89f5dc9e699c6a9cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5454327.exe

Filesize
372KB

MD5
a76e7229bf0b24df5e2006a01eb6f1c3

SHA1
7bdb29fc76b29bb32fb8fa37d8dbf6986dfb70f8

SHA256
4e9a7d7306c50467f8f8bb17d3e936d31738c20cac93679aa45afe30942ebd8c

SHA512
43614dea575b2abc7d94ea7ba53ebcb1149834da82c8f396e8ad3832da4c81d99afa3814bc80ab79146931a3fd4d1248c110888f6cdc6541aa7ea20b47fe8ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5454327.exe

Filesize
372KB

MD5
a76e7229bf0b24df5e2006a01eb6f1c3

SHA1
7bdb29fc76b29bb32fb8fa37d8dbf6986dfb70f8

SHA256
4e9a7d7306c50467f8f8bb17d3e936d31738c20cac93679aa45afe30942ebd8c

SHA512
43614dea575b2abc7d94ea7ba53ebcb1149834da82c8f396e8ad3832da4c81d99afa3814bc80ab79146931a3fd4d1248c110888f6cdc6541aa7ea20b47fe8ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6520956.exe

Filesize
176KB

MD5
3b08b88dbff30baab68da63a080011e4

SHA1
1f69bc94deb9bf3b2bd0973702deea9aa8c53116

SHA256
e1c27b03cb473207ce91d191edb8a0571a09e29fe61e5d6d1ab3b7cde4302d1e

SHA512
3ae4cfa5eabe1439f6dd7e9a60ba1d0c22fbe48f3c00b12431d89f6017ed0dc6006ede1b5836c4b0365472acd8860b78667f67f54fc8aeed1fad2ca7f5107cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s6520956.exe

Filesize
176KB

MD5
3b08b88dbff30baab68da63a080011e4

SHA1
1f69bc94deb9bf3b2bd0973702deea9aa8c53116

SHA256
e1c27b03cb473207ce91d191edb8a0571a09e29fe61e5d6d1ab3b7cde4302d1e

SHA512
3ae4cfa5eabe1439f6dd7e9a60ba1d0c22fbe48f3c00b12431d89f6017ed0dc6006ede1b5836c4b0365472acd8860b78667f67f54fc8aeed1fad2ca7f5107cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1523168.exe

Filesize
217KB

MD5
4c82025839eded5d255d525baa648bb4

SHA1
c67b4f8a25792aecd93472afc17f1904e8ed342b

SHA256
25019a6f4f605582fabf3c51ef637397575c68a6c62f26d2d23844a18f6da6e7

SHA512
23ecd90e35d0d4da63c86d3da89446e4d20ef3b97ff00def878da44fefc0f7bd58a8386f38f9af12fb99f6e3e57608ea6c11d7000ce366851b203eb046cbc660

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1523168.exe

Filesize
217KB

MD5
4c82025839eded5d255d525baa648bb4

SHA1
c67b4f8a25792aecd93472afc17f1904e8ed342b

SHA256
25019a6f4f605582fabf3c51ef637397575c68a6c62f26d2d23844a18f6da6e7

SHA512
23ecd90e35d0d4da63c86d3da89446e4d20ef3b97ff00def878da44fefc0f7bd58a8386f38f9af12fb99f6e3e57608ea6c11d7000ce366851b203eb046cbc660

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9567878.exe

Filesize
18KB

MD5
60878d5f43cbc1015e8c6c2c41e6aa8d

SHA1
be12e6eaca4eb47fd080e8ac3cf00a0807668fb9

SHA256
3d469a08bd32dc3fd0d2a4bac9a0fe10204fa5dc69de895dab248e6560643def

SHA512
f700a035aae367d53635349391d78081f7b3eedfe7b0a04baf48cf7b520697ebd9b7756e23c5cb172cba7ce6f3ddddb31a5b680d18b613ade1b0549198eb1417

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9567878.exe

Filesize
18KB

MD5
60878d5f43cbc1015e8c6c2c41e6aa8d

SHA1
be12e6eaca4eb47fd080e8ac3cf00a0807668fb9

SHA256
3d469a08bd32dc3fd0d2a4bac9a0fe10204fa5dc69de895dab248e6560643def

SHA512
f700a035aae367d53635349391d78081f7b3eedfe7b0a04baf48cf7b520697ebd9b7756e23c5cb172cba7ce6f3ddddb31a5b680d18b613ade1b0549198eb1417

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7809121.exe

Filesize
140KB

MD5
07b8b64dc8fa1b8afd125f3fd83af3d9

SHA1
88833d5113576d18c5ee8c8fc72cc9a0bc45cd51

SHA256
a9fcdecaadae5a3e6ece4e2b5b2930a8daf13bc5419beb18edfb95d07bf87913

SHA512
2b615b3837679ff9716579cdba1f44aa97fabbdfad412d966d2cc12e6399151fc520b8dcac32c5120db2af0346fed4d748de77334cf4e2be120802e3628ff089

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7809121.exe

Filesize
140KB

MD5
07b8b64dc8fa1b8afd125f3fd83af3d9

SHA1
88833d5113576d18c5ee8c8fc72cc9a0bc45cd51

SHA256
a9fcdecaadae5a3e6ece4e2b5b2930a8daf13bc5419beb18edfb95d07bf87913

SHA512
2b615b3837679ff9716579cdba1f44aa97fabbdfad412d966d2cc12e6399151fc520b8dcac32c5120db2af0346fed4d748de77334cf4e2be120802e3628ff089

Download Submit
memory/4076-38-0x00007FFB6D010000-0x00007FFB6D9FC000-memory.dmp

Filesize
9.9MB

Download
memory/4076-36-0x00007FFB6D010000-0x00007FFB6D9FC000-memory.dmp

Filesize
9.9MB

Download
memory/4076-35-0x00000000003E0000-0x00000000003EA000-memory.dmp

Filesize
40KB

Download
memory/4164-45-0x0000000000750000-0x0000000000780000-memory.dmp

Filesize
192KB

Download
memory/4164-46-0x0000000072DC0000-0x00000000734AE000-memory.dmp

Filesize
6.9MB

Download
memory/4164-47-0x0000000001180000-0x0000000001186000-memory.dmp

Filesize
24KB

Download
memory/4164-48-0x000000000AA00000-0x000000000B006000-memory.dmp

Filesize
6.0MB

Download
memory/4164-49-0x000000000A560000-0x000000000A66A000-memory.dmp

Filesize
1.0MB

Download
memory/4164-50-0x000000000A490000-0x000000000A4A2000-memory.dmp

Filesize
72KB

Download
memory/4164-51-0x000000000A4F0000-0x000000000A52E000-memory.dmp

Filesize
248KB

Download
memory/4164-52-0x000000000A670000-0x000000000A6BB000-memory.dmp

Filesize
300KB

Download
memory/4164-53-0x0000000072DC0000-0x00000000734AE000-memory.dmp

Filesize
6.9MB

Download