healer | 81351035242265551abfd74d6558be439b9a0fda0023edd0b23d962cc17c9552

Analysis

max time kernel
144s
max time network
153s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
31-08-2023 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81351035242265551abfd74d6558be439b9a0fda0023edd0b23d962cc17c9552.exe
Size

820KB
MD5

e9952b47e67d90d42185b237576fd750
SHA1

67883c32a977a8d18893b932a2f3d213e89a1324
SHA256

81351035242265551abfd74d6558be439b9a0fda0023edd0b23d962cc17c9552
SHA512

17a3141d3602a8462bdaba6809e6b3a73d006f642ae9591b5d05e3f2563894d863508e6f89a4add833ab19e3c1eb70285dec4a3760d914b1f07b896f8ed53e95
SSDEEP

12288:PMrDy90rXppLM+rdz8bEBNAKnU5pXVa61hZka+kU4UxngqWKyhb3/:oyQt98bOdnUTLJEdgqWpP

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001afc4-33.dat	healer
behavioral1/files/0x000700000001afc4-34.dat	healer
behavioral1/memory/1932-35-0x00000000002B0000-0x00000000002BA000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3661314.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3661314.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3661314.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3661314.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3661314.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
5012	v8367365.exe
5116	v8477140.exe
2128	v0281461.exe
5072	v6946801.exe
1932	a3661314.exe
512	b7213689.exe
2956	c3092871.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3661314.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v8477140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0281461.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v6946801.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	81351035242265551abfd74d6558be439b9a0fda0023edd0b23d962cc17c9552.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v8367365.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1932	a3661314.exe
1932	a3661314.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	a3661314.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 5012	4856	81351035242265551abfd74d6558be439b9a0fda0023edd0b23d962cc17c9552.exe	70
PID 4856 wrote to memory of 5012	4856	81351035242265551abfd74d6558be439b9a0fda0023edd0b23d962cc17c9552.exe	70
PID 4856 wrote to memory of 5012	4856	81351035242265551abfd74d6558be439b9a0fda0023edd0b23d962cc17c9552.exe	70
PID 5012 wrote to memory of 5116	5012	v8367365.exe	71
PID 5012 wrote to memory of 5116	5012	v8367365.exe	71
PID 5012 wrote to memory of 5116	5012	v8367365.exe	71
PID 5116 wrote to memory of 2128	5116	v8477140.exe	72
PID 5116 wrote to memory of 2128	5116	v8477140.exe	72
PID 5116 wrote to memory of 2128	5116	v8477140.exe	72
PID 2128 wrote to memory of 5072	2128	v0281461.exe	73
PID 2128 wrote to memory of 5072	2128	v0281461.exe	73
PID 2128 wrote to memory of 5072	2128	v0281461.exe	73
PID 5072 wrote to memory of 1932	5072	v6946801.exe	74
PID 5072 wrote to memory of 1932	5072	v6946801.exe	74
PID 5072 wrote to memory of 512	5072	v6946801.exe	75
PID 5072 wrote to memory of 512	5072	v6946801.exe	75
PID 5072 wrote to memory of 512	5072	v6946801.exe	75
PID 2128 wrote to memory of 2956	2128	v0281461.exe	76
PID 2128 wrote to memory of 2956	2128	v0281461.exe	76
PID 2128 wrote to memory of 2956	2128	v0281461.exe	76

C:\Users\Admin\AppData\Local\Temp\81351035242265551abfd74d6558be439b9a0fda0023edd0b23d962cc17c9552.exe
"C:\Users\Admin\AppData\Local\Temp\81351035242265551abfd74d6558be439b9a0fda0023edd0b23d962cc17c9552.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8367365.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8367365.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8477140.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8477140.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0281461.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0281461.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6946801.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6946801.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3661314.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3661314.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7213689.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7213689.exe
        6⤵
        Executes dropped EXE
        
        PID:512
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3092871.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3092871.exe
        5⤵
        Executes dropped EXE
        
        PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8367365.exe

Filesize
723KB

MD5
8a7e0c4e4f4d8c2d4b3c9cce30f15113

SHA1
b3ffa4a3385c5f5957791b1c1f549da35ed5a09a

SHA256
39329eb3e9f09e0cd1c3c3dee321bbb58297dbc26277e56b89892e8ea9f3543e

SHA512
21e0823dececfd2f422355faf61ef5728a1fafc2b32a2c962d996e92c027eadce90e9ff16b0b02743e6b973aaf5af0366f923bd4cbd5eb4cec61ab7b518b69c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v8367365.exe

Filesize
723KB

MD5
8a7e0c4e4f4d8c2d4b3c9cce30f15113

SHA1
b3ffa4a3385c5f5957791b1c1f549da35ed5a09a

SHA256
39329eb3e9f09e0cd1c3c3dee321bbb58297dbc26277e56b89892e8ea9f3543e

SHA512
21e0823dececfd2f422355faf61ef5728a1fafc2b32a2c962d996e92c027eadce90e9ff16b0b02743e6b973aaf5af0366f923bd4cbd5eb4cec61ab7b518b69c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8477140.exe

Filesize
497KB

MD5
cace86f3366bdb73c005521de7f0506d

SHA1
eb287361409bc920171e81bf77f7fbfdae362fba

SHA256
8665254c4dfb3fe01229cd499cc486df802ef3a9ab62d4361e666561406eab6e

SHA512
36b8c4473e0cac1e6c0f3a79dbdc7aadc438aca00adf7ab81c4c927c8113087f9b572bc8e292115e5a46394281788bfecca944be80615f75834abe0dc68f5106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v8477140.exe

Filesize
497KB

MD5
cace86f3366bdb73c005521de7f0506d

SHA1
eb287361409bc920171e81bf77f7fbfdae362fba

SHA256
8665254c4dfb3fe01229cd499cc486df802ef3a9ab62d4361e666561406eab6e

SHA512
36b8c4473e0cac1e6c0f3a79dbdc7aadc438aca00adf7ab81c4c927c8113087f9b572bc8e292115e5a46394281788bfecca944be80615f75834abe0dc68f5106

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0281461.exe

Filesize
372KB

MD5
b2efbed3110047bc679563891aeaef9f

SHA1
b1a6154f0443f02e3b9e7dfc3f79f1c98ea542aa

SHA256
3c3ede1c8d22138eb8d075b05b99b58eb4f50639ba1b8bb99d3fc822a716cafe

SHA512
db21eb3130b0663aabbb5c5882b9e74467b579ab02cec8ef1d3e6f212f2c0014e5931f31a15dc8238cfd8ba20d0e42b7181b3388eaab328c8055c75f0ed40cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0281461.exe

Filesize
372KB

MD5
b2efbed3110047bc679563891aeaef9f

SHA1
b1a6154f0443f02e3b9e7dfc3f79f1c98ea542aa

SHA256
3c3ede1c8d22138eb8d075b05b99b58eb4f50639ba1b8bb99d3fc822a716cafe

SHA512
db21eb3130b0663aabbb5c5882b9e74467b579ab02cec8ef1d3e6f212f2c0014e5931f31a15dc8238cfd8ba20d0e42b7181b3388eaab328c8055c75f0ed40cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3092871.exe

Filesize
176KB

MD5
7e185b2a1ff845442ca0a7c3669335e5

SHA1
3c89272f9d6af18935850525b741c8d20d3b118b

SHA256
e93dc1cc49c1021012c0753be8c2448546612ac69abd92e3f6dde5f0186bc4f7

SHA512
f67306485a7f04b75d89102be60f054fd280fb523f2235ee212aa687d231a2cf7710eca67e52f07520ab5139c08256866d7734cfabece915005b84b75c14ee27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c3092871.exe

Filesize
176KB

MD5
7e185b2a1ff845442ca0a7c3669335e5

SHA1
3c89272f9d6af18935850525b741c8d20d3b118b

SHA256
e93dc1cc49c1021012c0753be8c2448546612ac69abd92e3f6dde5f0186bc4f7

SHA512
f67306485a7f04b75d89102be60f054fd280fb523f2235ee212aa687d231a2cf7710eca67e52f07520ab5139c08256866d7734cfabece915005b84b75c14ee27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6946801.exe

Filesize
217KB

MD5
16830a607e87c22466330a491e68f5f6

SHA1
cd8beb397316554ea6889157879defb5fc3935ca

SHA256
fda6d3044f046cfd5986e6832487275aa47563d4751f2f665205ec53b21d6621

SHA512
de5c6dd2a0bf73326be81cc1573b805bed099e1d7cfe9daca3fa626650463fb46e19e085b41b3358a8e5ee9846fcbae24a0a69de3b01d48b0da17b5c56a141c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v6946801.exe

Filesize
217KB

MD5
16830a607e87c22466330a491e68f5f6

SHA1
cd8beb397316554ea6889157879defb5fc3935ca

SHA256
fda6d3044f046cfd5986e6832487275aa47563d4751f2f665205ec53b21d6621

SHA512
de5c6dd2a0bf73326be81cc1573b805bed099e1d7cfe9daca3fa626650463fb46e19e085b41b3358a8e5ee9846fcbae24a0a69de3b01d48b0da17b5c56a141c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3661314.exe

Filesize
18KB

MD5
bc2e26b1b67fd769e0c53da62f8ca5c9

SHA1
efb30b139d29127e6a809d16bfd06054ad126efc

SHA256
b1c0556cdd4a02ca025649dbb60ce28514b7ef27a4e4fe702113e5fb2d088656

SHA512
77cb7fc77d39149710ad8f96a3a2b1bc1bc8cfcbc05c0f60f78890980969735cd5d90db5fd21dd275225828a856c67cf0400db1b2992abf6bef2adc9c92dd5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3661314.exe

Filesize
18KB

MD5
bc2e26b1b67fd769e0c53da62f8ca5c9

SHA1
efb30b139d29127e6a809d16bfd06054ad126efc

SHA256
b1c0556cdd4a02ca025649dbb60ce28514b7ef27a4e4fe702113e5fb2d088656

SHA512
77cb7fc77d39149710ad8f96a3a2b1bc1bc8cfcbc05c0f60f78890980969735cd5d90db5fd21dd275225828a856c67cf0400db1b2992abf6bef2adc9c92dd5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7213689.exe

Filesize
141KB

MD5
c5a7349c23129d973c01451ea2e14fbf

SHA1
205db685e72e11d746af35536f01a61fdf7d8d91

SHA256
0337a87fa234b5e4d6c31716d57ed6462e2be5a1ef284ccec933433b710ce774

SHA512
153251d33fe7bc4e9ed6d3e1e271659b48628d5f9a5e288d7422198a05690746fc6cb68aa4ce73e68873cdda3428eb37ee0f362168519cb98eaac51844c9247b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7213689.exe

Filesize
141KB

MD5
c5a7349c23129d973c01451ea2e14fbf

SHA1
205db685e72e11d746af35536f01a61fdf7d8d91

SHA256
0337a87fa234b5e4d6c31716d57ed6462e2be5a1ef284ccec933433b710ce774

SHA512
153251d33fe7bc4e9ed6d3e1e271659b48628d5f9a5e288d7422198a05690746fc6cb68aa4ce73e68873cdda3428eb37ee0f362168519cb98eaac51844c9247b

Download Submit
memory/1932-38-0x00007FF9E0E10000-0x00007FF9E17FC000-memory.dmp

Filesize
9.9MB

Download
memory/1932-36-0x00007FF9E0E10000-0x00007FF9E17FC000-memory.dmp

Filesize
9.9MB

Download
memory/1932-35-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/2956-46-0x0000000072EC0000-0x00000000735AE000-memory.dmp

Filesize
6.9MB

Download
memory/2956-45-0x0000000000030000-0x0000000000060000-memory.dmp

Filesize
192KB

Download
memory/2956-47-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/2956-48-0x000000000A3B0000-0x000000000A9B6000-memory.dmp

Filesize
6.0MB

Download
memory/2956-49-0x0000000009EB0000-0x0000000009FBA000-memory.dmp

Filesize
1.0MB

Download
memory/2956-50-0x00000000049E0000-0x00000000049F2000-memory.dmp

Filesize
72KB

Download
memory/2956-51-0x0000000009DE0000-0x0000000009E1E000-memory.dmp

Filesize
248KB

Download
memory/2956-52-0x0000000009E20000-0x0000000009E6B000-memory.dmp

Filesize
300KB

Download
memory/2956-53-0x0000000072EC0000-0x00000000735AE000-memory.dmp

Filesize
6.9MB

Download