healer | 0b81d51d1e2dae904bdb2f755c6525fe717c7211cc4ff6c12a3cec794203070a

Analysis

max time kernel
150s
max time network
163s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
31-08-2023 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b81d51d1e2dae904bdb2f755c6525fe717c7211cc4ff6c12a3cec794203070a.exe
Size

829KB
MD5

5dc584de4e4d5a3691088f58c6830835
SHA1

0ae1e1dedcf9f5f7d2f4add3b83f15d5eb0a5dc2
SHA256

0b81d51d1e2dae904bdb2f755c6525fe717c7211cc4ff6c12a3cec794203070a
SHA512

0df4ace99620d3541928f5c24a3846659ce1d4d194103d0a7043ed983af946463c703aed70e4180f194d435d8d18a906dc8c3eb39a1928bdcacdfd18d9281f37
SSDEEP

12288:VMrfy90NSz4tBeykRL9LKgHXcRB1J5sNuoi3+du/HD+58sQc45MPPwDhDy+7/:ayd2LMMjz/K+sQcA4YDh3/

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af81-33.dat	healer
behavioral1/files/0x000700000001af81-34.dat	healer
behavioral1/memory/4268-35-0x0000000000D40000-0x0000000000D4A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a9764242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a9764242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a9764242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a9764242.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a9764242.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3820	v1306809.exe
1296	v2132610.exe
2160	v0877499.exe
4404	v1300038.exe
4268	a9764242.exe
1144	b0546001.exe
4852	c0905175.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a9764242.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0b81d51d1e2dae904bdb2f755c6525fe717c7211cc4ff6c12a3cec794203070a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v1306809.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v2132610.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0877499.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1300038.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4268	a9764242.exe
4268	a9764242.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	a9764242.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3820	4452	0b81d51d1e2dae904bdb2f755c6525fe717c7211cc4ff6c12a3cec794203070a.exe	69
PID 4452 wrote to memory of 3820	4452	0b81d51d1e2dae904bdb2f755c6525fe717c7211cc4ff6c12a3cec794203070a.exe	69
PID 4452 wrote to memory of 3820	4452	0b81d51d1e2dae904bdb2f755c6525fe717c7211cc4ff6c12a3cec794203070a.exe	69
PID 3820 wrote to memory of 1296	3820	v1306809.exe	70
PID 3820 wrote to memory of 1296	3820	v1306809.exe	70
PID 3820 wrote to memory of 1296	3820	v1306809.exe	70
PID 1296 wrote to memory of 2160	1296	v2132610.exe	71
PID 1296 wrote to memory of 2160	1296	v2132610.exe	71
PID 1296 wrote to memory of 2160	1296	v2132610.exe	71
PID 2160 wrote to memory of 4404	2160	v0877499.exe	72
PID 2160 wrote to memory of 4404	2160	v0877499.exe	72
PID 2160 wrote to memory of 4404	2160	v0877499.exe	72
PID 4404 wrote to memory of 4268	4404	v1300038.exe	73
PID 4404 wrote to memory of 4268	4404	v1300038.exe	73
PID 4404 wrote to memory of 1144	4404	v1300038.exe	74
PID 4404 wrote to memory of 1144	4404	v1300038.exe	74
PID 4404 wrote to memory of 1144	4404	v1300038.exe	74
PID 2160 wrote to memory of 4852	2160	v0877499.exe	75
PID 2160 wrote to memory of 4852	2160	v0877499.exe	75
PID 2160 wrote to memory of 4852	2160	v0877499.exe	75

C:\Users\Admin\AppData\Local\Temp\0b81d51d1e2dae904bdb2f755c6525fe717c7211cc4ff6c12a3cec794203070a.exe
"C:\Users\Admin\AppData\Local\Temp\0b81d51d1e2dae904bdb2f755c6525fe717c7211cc4ff6c12a3cec794203070a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1306809.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1306809.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2132610.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2132610.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1296
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0877499.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0877499.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1300038.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1300038.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9764242.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9764242.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4268
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0546001.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0546001.exe
        6⤵
        Executes dropped EXE
        
        PID:1144
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0905175.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0905175.exe
        5⤵
        Executes dropped EXE
        
        PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1306809.exe

Filesize
723KB

MD5
44d8455229808ac01080a6bd1e3d4c0f

SHA1
e87a479d69cc27f1d4665a92750970e514d2e0dd

SHA256
70b4ead3a9b530362dbcfb330b4b5ea12a6ebec95bd01bcb83190a7d118a96a6

SHA512
6f1b8edbee288ca3e6a795d073b359345d6e83b0f0e0b3f96637792209177469b0458775f7717651056ab2266c1190207992138026bfbca2f132f6f457029aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v1306809.exe

Filesize
723KB

MD5
44d8455229808ac01080a6bd1e3d4c0f

SHA1
e87a479d69cc27f1d4665a92750970e514d2e0dd

SHA256
70b4ead3a9b530362dbcfb330b4b5ea12a6ebec95bd01bcb83190a7d118a96a6

SHA512
6f1b8edbee288ca3e6a795d073b359345d6e83b0f0e0b3f96637792209177469b0458775f7717651056ab2266c1190207992138026bfbca2f132f6f457029aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2132610.exe

Filesize
497KB

MD5
547862af7f7c7cba903c0b1fd811f4cd

SHA1
6ea522c12790d59061196f316aeada2315efedce

SHA256
9a79326b878dda368134754c580ad8d5c5c95c65d62d4f677e533b3932ba5d77

SHA512
a60361a31162e8e6e821e9d980471f1870725710829c08ef3c6d5d545965d2804eb3ae1d05ed5e9f827dae87b080456936b65c9873d6db8122465348b4651c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v2132610.exe

Filesize
497KB

MD5
547862af7f7c7cba903c0b1fd811f4cd

SHA1
6ea522c12790d59061196f316aeada2315efedce

SHA256
9a79326b878dda368134754c580ad8d5c5c95c65d62d4f677e533b3932ba5d77

SHA512
a60361a31162e8e6e821e9d980471f1870725710829c08ef3c6d5d545965d2804eb3ae1d05ed5e9f827dae87b080456936b65c9873d6db8122465348b4651c8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0877499.exe

Filesize
373KB

MD5
2279eafcd51ca2814af98ba9756ecd66

SHA1
3baa1d7d2fc20159da198cc65bcb0c5a4c96282b

SHA256
1a5393f9b349725319847d0ebaee0e4b873dc1ea1efc9aec75750753457321ed

SHA512
41fdef4bdc3a0a27d92a93111b19b687f30c3638af01ec8c6ec59e4f19635d996dbde08b0b243794a11d3cff6e183a2b0cf9ca555307cb3d7336ff37288ed6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0877499.exe

Filesize
373KB

MD5
2279eafcd51ca2814af98ba9756ecd66

SHA1
3baa1d7d2fc20159da198cc65bcb0c5a4c96282b

SHA256
1a5393f9b349725319847d0ebaee0e4b873dc1ea1efc9aec75750753457321ed

SHA512
41fdef4bdc3a0a27d92a93111b19b687f30c3638af01ec8c6ec59e4f19635d996dbde08b0b243794a11d3cff6e183a2b0cf9ca555307cb3d7336ff37288ed6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0905175.exe

Filesize
176KB

MD5
6a9ac1c096fde126f7f1094773a518c9

SHA1
69bc56ebf5fda8297128915cc8b7eb51fb355a0d

SHA256
054e314c9bd23ccb1ad9df15f56b7c158bf9dcd38133c2baed175604bea198c5

SHA512
eb19536151e36b4c1281184b9129ef13cc71504a3ce2e69c602993910c0ef779941376197d93294451a2fd790ce9da86305ccd796613720eddb4f149ab0b36c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0905175.exe

Filesize
176KB

MD5
6a9ac1c096fde126f7f1094773a518c9

SHA1
69bc56ebf5fda8297128915cc8b7eb51fb355a0d

SHA256
054e314c9bd23ccb1ad9df15f56b7c158bf9dcd38133c2baed175604bea198c5

SHA512
eb19536151e36b4c1281184b9129ef13cc71504a3ce2e69c602993910c0ef779941376197d93294451a2fd790ce9da86305ccd796613720eddb4f149ab0b36c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1300038.exe

Filesize
217KB

MD5
3bb1c7594cd7b4eecbb3f771e9a4537e

SHA1
b7e8656114d26c351d4e0c4acba437637c394572

SHA256
499d98837f068c153984ae6626b8594e49ead10152c7af932088e2dfe8455a1a

SHA512
a38c4d205be27a3ba5a56372cea15c3f721bcbd2e3f84fdccaa0ee8cd1e5b6d94b2e60a32c5d8b33439db3cbc0c1bc84de5dc23572822a16201cea0d3a253308

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1300038.exe

Filesize
217KB

MD5
3bb1c7594cd7b4eecbb3f771e9a4537e

SHA1
b7e8656114d26c351d4e0c4acba437637c394572

SHA256
499d98837f068c153984ae6626b8594e49ead10152c7af932088e2dfe8455a1a

SHA512
a38c4d205be27a3ba5a56372cea15c3f721bcbd2e3f84fdccaa0ee8cd1e5b6d94b2e60a32c5d8b33439db3cbc0c1bc84de5dc23572822a16201cea0d3a253308

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9764242.exe

Filesize
18KB

MD5
738e62ae2e367964de43e0093e5bdf7b

SHA1
4c95f4e78e627eadebd2f5b10de9b19271e33275

SHA256
bd96a5c40146d6ae4f843281c9661536431b132ac0c26dd663173b91609d9b46

SHA512
fade6b19e6fc26c6ab0d3f7d1cea10c959108edd59cddc6e2aa289b616de79d35dae147c906d78ac9cc102cd4c9a89bc9f508e0f6145dc269d3295ae6c613c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a9764242.exe

Filesize
18KB

MD5
738e62ae2e367964de43e0093e5bdf7b

SHA1
4c95f4e78e627eadebd2f5b10de9b19271e33275

SHA256
bd96a5c40146d6ae4f843281c9661536431b132ac0c26dd663173b91609d9b46

SHA512
fade6b19e6fc26c6ab0d3f7d1cea10c959108edd59cddc6e2aa289b616de79d35dae147c906d78ac9cc102cd4c9a89bc9f508e0f6145dc269d3295ae6c613c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0546001.exe

Filesize
140KB

MD5
15ab0119560cfd062f25c127c712b243

SHA1
d2eca081dd4d11189441dcfb93844ebc8a82c7aa

SHA256
74780ad18959dcbab5c6ff296d6a5fb5204597b05bd097c6124b561e1c1f25e0

SHA512
ca937ded6072641d01db6f50f79ddfee97cd96aff857303bf6a7b1e34d92148008a792b68a62e8fd4a13029d014b00f96053e8bd08ed0ee4b9c0cfc73598dccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b0546001.exe

Filesize
140KB

MD5
15ab0119560cfd062f25c127c712b243

SHA1
d2eca081dd4d11189441dcfb93844ebc8a82c7aa

SHA256
74780ad18959dcbab5c6ff296d6a5fb5204597b05bd097c6124b561e1c1f25e0

SHA512
ca937ded6072641d01db6f50f79ddfee97cd96aff857303bf6a7b1e34d92148008a792b68a62e8fd4a13029d014b00f96053e8bd08ed0ee4b9c0cfc73598dccb

Download Submit
memory/4268-38-0x00007FFB7CDC0000-0x00007FFB7D7AC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-36-0x00007FFB7CDC0000-0x00007FFB7D7AC000-memory.dmp

Filesize
9.9MB

Download
memory/4268-35-0x0000000000D40000-0x0000000000D4A000-memory.dmp

Filesize
40KB

Download
memory/4852-46-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download
memory/4852-45-0x0000000000FF0000-0x0000000001020000-memory.dmp

Filesize
192KB

Download
memory/4852-47-0x00000000058B0000-0x00000000058B6000-memory.dmp

Filesize
24KB

Download
memory/4852-48-0x000000000B2B0000-0x000000000B8B6000-memory.dmp

Filesize
6.0MB

Download
memory/4852-49-0x000000000AE00000-0x000000000AF0A000-memory.dmp

Filesize
1.0MB

Download
memory/4852-50-0x000000000AD30000-0x000000000AD42000-memory.dmp

Filesize
72KB

Download
memory/4852-51-0x000000000AD90000-0x000000000ADCE000-memory.dmp

Filesize
248KB

Download
memory/4852-52-0x000000000AF10000-0x000000000AF5B000-memory.dmp

Filesize
300KB

Download
memory/4852-53-0x0000000073A70000-0x000000007415E000-memory.dmp

Filesize
6.9MB

Download