healer | 3fb85dd28d41887e7d5344a2fc980fc3b20edf0af1eb1a9c17b5c12b85ff0f1a

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31-08-2023 11:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fb85dd28d41887e7d5344a2fc980fc3b20edf0af1eb1a9c17b5c12b85ff0f1a.exe
Size

828KB
MD5

2bf42c81013320f77eadd003c0c45e21
SHA1

8062b3d67b1ed3ac9e46cd35de0a1f7ab58ce4d1
SHA256

3fb85dd28d41887e7d5344a2fc980fc3b20edf0af1eb1a9c17b5c12b85ff0f1a
SHA512

4247533a3f086eb8c098c6e81e01a71481b2d0b4206e8a4ed9cc4008e0ea0bd73cd51d61361fe3e52a41a113c43cf5e61021b729dc3bd3585dc5342a98888a97
SSDEEP

24576:AyJhtsczA8Qfi8FUZw8859H1j9ns2uJ0W:HHGcMpq8Ew8859Hjns2q0

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000002321c-33.dat	healer
behavioral1/files/0x000700000002321c-34.dat	healer
behavioral1/memory/2508-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1133922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1133922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1133922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1133922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1133922.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1133922.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4480	v6288569.exe
4748	v1938377.exe
4560	v6607764.exe
3224	v6458338.exe
2508	a1133922.exe
2252	b3221261.exe
3372	c0097415.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1133922.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v1938377.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v6607764.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6458338.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	3fb85dd28d41887e7d5344a2fc980fc3b20edf0af1eb1a9c17b5c12b85ff0f1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v6288569.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2508	a1133922.exe
2508	a1133922.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2508	a1133922.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 4480	2360	3fb85dd28d41887e7d5344a2fc980fc3b20edf0af1eb1a9c17b5c12b85ff0f1a.exe	83
PID 2360 wrote to memory of 4480	2360	3fb85dd28d41887e7d5344a2fc980fc3b20edf0af1eb1a9c17b5c12b85ff0f1a.exe	83
PID 2360 wrote to memory of 4480	2360	3fb85dd28d41887e7d5344a2fc980fc3b20edf0af1eb1a9c17b5c12b85ff0f1a.exe	83
PID 4480 wrote to memory of 4748	4480	v6288569.exe	84
PID 4480 wrote to memory of 4748	4480	v6288569.exe	84
PID 4480 wrote to memory of 4748	4480	v6288569.exe	84
PID 4748 wrote to memory of 4560	4748	v1938377.exe	85
PID 4748 wrote to memory of 4560	4748	v1938377.exe	85
PID 4748 wrote to memory of 4560	4748	v1938377.exe	85
PID 4560 wrote to memory of 3224	4560	v6607764.exe	86
PID 4560 wrote to memory of 3224	4560	v6607764.exe	86
PID 4560 wrote to memory of 3224	4560	v6607764.exe	86
PID 3224 wrote to memory of 2508	3224	v6458338.exe	87
PID 3224 wrote to memory of 2508	3224	v6458338.exe	87
PID 3224 wrote to memory of 2252	3224	v6458338.exe	92
PID 3224 wrote to memory of 2252	3224	v6458338.exe	92
PID 3224 wrote to memory of 2252	3224	v6458338.exe	92
PID 4560 wrote to memory of 3372	4560	v6607764.exe	93
PID 4560 wrote to memory of 3372	4560	v6607764.exe	93
PID 4560 wrote to memory of 3372	4560	v6607764.exe	93

C:\Users\Admin\AppData\Local\Temp\3fb85dd28d41887e7d5344a2fc980fc3b20edf0af1eb1a9c17b5c12b85ff0f1a.exe
"C:\Users\Admin\AppData\Local\Temp\3fb85dd28d41887e7d5344a2fc980fc3b20edf0af1eb1a9c17b5c12b85ff0f1a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6288569.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6288569.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1938377.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1938377.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6607764.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6607764.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6458338.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6458338.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:3224
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1133922.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1133922.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3221261.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3221261.exe
        6⤵
        Executes dropped EXE
        
        PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0097415.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0097415.exe
        5⤵
        Executes dropped EXE
        
        PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6288569.exe

Filesize
722KB

MD5
db724ac1fe54cadbb97505382674bdf1

SHA1
e02f95ecb344f5d16fc9d0f7531a7dff249f509c

SHA256
c855209656fbf86db7c96e731cc9ae35eff8f60193cdbf0e59ee1c6f8cdb93f4

SHA512
29b18ab36a12876ded49c8bc22390d1f20f73b0a08deb9996711c55fd13a4e5316d199512dce12a4d68907e8c49d2dbb645cc17f7dd226550f198005941d004b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v6288569.exe

Filesize
722KB

MD5
db724ac1fe54cadbb97505382674bdf1

SHA1
e02f95ecb344f5d16fc9d0f7531a7dff249f509c

SHA256
c855209656fbf86db7c96e731cc9ae35eff8f60193cdbf0e59ee1c6f8cdb93f4

SHA512
29b18ab36a12876ded49c8bc22390d1f20f73b0a08deb9996711c55fd13a4e5316d199512dce12a4d68907e8c49d2dbb645cc17f7dd226550f198005941d004b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1938377.exe

Filesize
497KB

MD5
69629231ce94ba2f298b60ab3f24f419

SHA1
5674a16df9d0e9b109106fa271368f7e0bcfad4e

SHA256
4b02f2c72d1aa73e5089f65491e0a2263d536659f7a53e6962b32c54e09e4eec

SHA512
b4ae94ff0f041b31af791f18cbc99674abcd2e21db3c5c84aef0812a19357e0f7ba7593c5070757ba4f59254dec6b5d398f2fa6b1a79d33d75636c13d73d9414

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v1938377.exe

Filesize
497KB

MD5
69629231ce94ba2f298b60ab3f24f419

SHA1
5674a16df9d0e9b109106fa271368f7e0bcfad4e

SHA256
4b02f2c72d1aa73e5089f65491e0a2263d536659f7a53e6962b32c54e09e4eec

SHA512
b4ae94ff0f041b31af791f18cbc99674abcd2e21db3c5c84aef0812a19357e0f7ba7593c5070757ba4f59254dec6b5d398f2fa6b1a79d33d75636c13d73d9414

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6607764.exe

Filesize
372KB

MD5
25d1f1c66a0e17ae78f15452d53f9ff7

SHA1
e71005113efd46cf85e3035118ac14a4947d9b88

SHA256
f55fb1b1f3f4084d0eb7c7eac11834502f384e8d527d1c316e407b6b2491f19c

SHA512
3514be3d71633b23d9911adb702ab0de901f7e081272326e501c162dcca14c67a246e12dace9afcdb0d221e99d8e4a5e133a5bdf5fc13a9e32d044f2347f95fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6607764.exe

Filesize
372KB

MD5
25d1f1c66a0e17ae78f15452d53f9ff7

SHA1
e71005113efd46cf85e3035118ac14a4947d9b88

SHA256
f55fb1b1f3f4084d0eb7c7eac11834502f384e8d527d1c316e407b6b2491f19c

SHA512
3514be3d71633b23d9911adb702ab0de901f7e081272326e501c162dcca14c67a246e12dace9afcdb0d221e99d8e4a5e133a5bdf5fc13a9e32d044f2347f95fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0097415.exe

Filesize
176KB

MD5
1bf04219ae8b7c1679625bf2d9971b83

SHA1
c450c93e09d7cae85d579b197a7fd39e7c33db61

SHA256
68aeeab47a0ca61c0a19e01579c9c9c360ff06c49ebc3c34e9368dd4d51f41ee

SHA512
3cc5964ebbe917cd4bca1166b20cdb1f103374e9c4e4629364464df8c293afc2ce86af6fdbfc180e6af42c8e6d84a2b8d61abeca8adea4f046ee89ebdae11498

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c0097415.exe

Filesize
176KB

MD5
1bf04219ae8b7c1679625bf2d9971b83

SHA1
c450c93e09d7cae85d579b197a7fd39e7c33db61

SHA256
68aeeab47a0ca61c0a19e01579c9c9c360ff06c49ebc3c34e9368dd4d51f41ee

SHA512
3cc5964ebbe917cd4bca1166b20cdb1f103374e9c4e4629364464df8c293afc2ce86af6fdbfc180e6af42c8e6d84a2b8d61abeca8adea4f046ee89ebdae11498

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6458338.exe

Filesize
217KB

MD5
d2989f9dcbc388954f6e264a383ce530

SHA1
0d1c94d5b6fbeb8006bf7af5938d033599ed1030

SHA256
925fbf215ddf9a962422f83a88c15893bc37de34a006701408ae4765f91fbef7

SHA512
8e3407c3728955ca5d3f01b4d3ea19b8e380be7be24412b994199df2f617869f644d82cd91663e1595fa7c7fc5b6804f8452fa147428c73d7d950cf08b3bd8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6458338.exe

Filesize
217KB

MD5
d2989f9dcbc388954f6e264a383ce530

SHA1
0d1c94d5b6fbeb8006bf7af5938d033599ed1030

SHA256
925fbf215ddf9a962422f83a88c15893bc37de34a006701408ae4765f91fbef7

SHA512
8e3407c3728955ca5d3f01b4d3ea19b8e380be7be24412b994199df2f617869f644d82cd91663e1595fa7c7fc5b6804f8452fa147428c73d7d950cf08b3bd8b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1133922.exe

Filesize
18KB

MD5
124b5cb5ab6b554710cce5aace9ef897

SHA1
d923af2f590f761f1b3cd2aaeb991470fbc16e81

SHA256
4d6965d61d4b88591f1b95c02fc07e7fa1891597a436bee6f1f2cdfc4827bc49

SHA512
a69e262da290c6f4ddcc21d6ceb3566e11d9cef1377531d1420784d92bfa992702f256df0716c92667ec4c93036c6a0a341e1eee2f2e4f84ff8cc2a45ea4295d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1133922.exe

Filesize
18KB

MD5
124b5cb5ab6b554710cce5aace9ef897

SHA1
d923af2f590f761f1b3cd2aaeb991470fbc16e81

SHA256
4d6965d61d4b88591f1b95c02fc07e7fa1891597a436bee6f1f2cdfc4827bc49

SHA512
a69e262da290c6f4ddcc21d6ceb3566e11d9cef1377531d1420784d92bfa992702f256df0716c92667ec4c93036c6a0a341e1eee2f2e4f84ff8cc2a45ea4295d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3221261.exe

Filesize
141KB

MD5
e87bc0926fed26126f12664c857bbbf4

SHA1
ffdb47988cac2837ed3b8764c73f9c365ada943f

SHA256
b191b2e74a7c9bfe13e644a05d45fe8781cce8ab54f95aa2a43b8dc055b084dc

SHA512
dd45eee7cbd62e6e10be0c1bb06618c01423c035f1fbbb5d4dac7433f44a6658791d7698088c5cdcb8c3d5c343832dc6e887d89b90e476ed1510afbd310c4eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b3221261.exe

Filesize
141KB

MD5
e87bc0926fed26126f12664c857bbbf4

SHA1
ffdb47988cac2837ed3b8764c73f9c365ada943f

SHA256
b191b2e74a7c9bfe13e644a05d45fe8781cce8ab54f95aa2a43b8dc055b084dc

SHA512
dd45eee7cbd62e6e10be0c1bb06618c01423c035f1fbbb5d4dac7433f44a6658791d7698088c5cdcb8c3d5c343832dc6e887d89b90e476ed1510afbd310c4eb5

Download Submit
memory/2508-38-0x00007FF930430000-0x00007FF930EF1000-memory.dmp

Filesize
10.8MB

Download
memory/2508-36-0x00007FF930430000-0x00007FF930EF1000-memory.dmp

Filesize
10.8MB

Download
memory/2508-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3372-45-0x0000000000800000-0x0000000000830000-memory.dmp

Filesize
192KB

Download
memory/3372-46-0x0000000073D70000-0x0000000074520000-memory.dmp

Filesize
7.7MB

Download
memory/3372-47-0x0000000005890000-0x0000000005EA8000-memory.dmp

Filesize
6.1MB

Download
memory/3372-48-0x0000000005390000-0x000000000549A000-memory.dmp

Filesize
1.0MB

Download
memory/3372-49-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download
memory/3372-50-0x00000000052D0000-0x00000000052E2000-memory.dmp

Filesize
72KB

Download
memory/3372-51-0x0000000005330000-0x000000000536C000-memory.dmp

Filesize
240KB

Download
memory/3372-52-0x0000000073D70000-0x0000000074520000-memory.dmp

Filesize
7.7MB

Download
memory/3372-53-0x0000000005120000-0x0000000005130000-memory.dmp

Filesize
64KB

Download