healer | dbe22a4274d202e97148ac13d817e66faadc94335373b71957f4554c567eb21a

Analysis

max time kernel
146s
max time network
154s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
31-08-2023 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbe22a4274d202e97148ac13d817e66faadc94335373b71957f4554c567eb21a.exe
Size

819KB
MD5

0046eaf045fd21f327619a307f19776a
SHA1

08d6f44321c23f442b164ada6a0eb5d3d26fb46e
SHA256

dbe22a4274d202e97148ac13d817e66faadc94335373b71957f4554c567eb21a
SHA512

e51181b29b948498bb8bfc2d85294ded9c1bfdba653c144eef46179ebf7de119b83d7dc0e6bc5a660d22e0030435a291aae1769d86e97c7c7f2c319dbdd08ed2
SSDEEP

24576:Ayti4J8ySs7lFWTUAIa9/w/g8yiE1pZeKvnrQ:Ht627lFWZ9Og881p3n

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x000700000001af76-33.dat	healer
behavioral1/files/0x000700000001af76-34.dat	healer
behavioral1/memory/3736-35-0x0000000000D00000-0x0000000000D0A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a3074590.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a3074590.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a3074590.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a3074590.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a3074590.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
876	v4750943.exe
828	v4549048.exe
2196	v4439664.exe
4604	v4656074.exe
3736	a3074590.exe
368	b8240745.exe
4876	c7448552.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a3074590.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v4549048.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v4439664.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v4656074.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	dbe22a4274d202e97148ac13d817e66faadc94335373b71957f4554c567eb21a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4750943.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3736	a3074590.exe
3736	a3074590.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	a3074590.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 876	1320	dbe22a4274d202e97148ac13d817e66faadc94335373b71957f4554c567eb21a.exe	70
PID 1320 wrote to memory of 876	1320	dbe22a4274d202e97148ac13d817e66faadc94335373b71957f4554c567eb21a.exe	70
PID 1320 wrote to memory of 876	1320	dbe22a4274d202e97148ac13d817e66faadc94335373b71957f4554c567eb21a.exe	70
PID 876 wrote to memory of 828	876	v4750943.exe	71
PID 876 wrote to memory of 828	876	v4750943.exe	71
PID 876 wrote to memory of 828	876	v4750943.exe	71
PID 828 wrote to memory of 2196	828	v4549048.exe	72
PID 828 wrote to memory of 2196	828	v4549048.exe	72
PID 828 wrote to memory of 2196	828	v4549048.exe	72
PID 2196 wrote to memory of 4604	2196	v4439664.exe	73
PID 2196 wrote to memory of 4604	2196	v4439664.exe	73
PID 2196 wrote to memory of 4604	2196	v4439664.exe	73
PID 4604 wrote to memory of 3736	4604	v4656074.exe	74
PID 4604 wrote to memory of 3736	4604	v4656074.exe	74
PID 4604 wrote to memory of 368	4604	v4656074.exe	75
PID 4604 wrote to memory of 368	4604	v4656074.exe	75
PID 4604 wrote to memory of 368	4604	v4656074.exe	75
PID 2196 wrote to memory of 4876	2196	v4439664.exe	76
PID 2196 wrote to memory of 4876	2196	v4439664.exe	76
PID 2196 wrote to memory of 4876	2196	v4439664.exe	76

C:\Users\Admin\AppData\Local\Temp\dbe22a4274d202e97148ac13d817e66faadc94335373b71957f4554c567eb21a.exe
"C:\Users\Admin\AppData\Local\Temp\dbe22a4274d202e97148ac13d817e66faadc94335373b71957f4554c567eb21a.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4750943.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4750943.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:876
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4549048.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4549048.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4439664.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4439664.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4656074.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4656074.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3074590.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3074590.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8240745.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8240745.exe
        6⤵
        Executes dropped EXE
        
        PID:368
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7448552.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7448552.exe
        5⤵
        Executes dropped EXE
        
        PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4750943.exe

Filesize
723KB

MD5
4b904a96061f0da509fcaa5212d142b8

SHA1
67386ef2210e7d60a97b855a9b469b1c7d43b2dc

SHA256
eb7b6f7bbf864ac2629d697dd676c6ea6bae30910b982e3b49e57d3eb9906d91

SHA512
9bfa5aa45e29701ae526bcd758467f6f7768540431a79b1570c35f128cd0842d7020e90f5c8e368b022d35c4bb76168f75275469acd868d2b8b51ef5c11c0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4750943.exe

Filesize
723KB

MD5
4b904a96061f0da509fcaa5212d142b8

SHA1
67386ef2210e7d60a97b855a9b469b1c7d43b2dc

SHA256
eb7b6f7bbf864ac2629d697dd676c6ea6bae30910b982e3b49e57d3eb9906d91

SHA512
9bfa5aa45e29701ae526bcd758467f6f7768540431a79b1570c35f128cd0842d7020e90f5c8e368b022d35c4bb76168f75275469acd868d2b8b51ef5c11c0bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4549048.exe

Filesize
497KB

MD5
ba5cea28c4993730dbba4af1192407ef

SHA1
9063305b571d92031c9ab8b386119a987f94db7f

SHA256
dc72efe6c7f96fbf3b04e989c02cd13c637a67f5418a48f773f1d21b6d9607c1

SHA512
6433f1237e2a6fc1aa7c01a89983e22bf3d47d815666543cd325ec15bc8df847f86ff1788738b37c47c26520d0b7961c2f8c3042b3d05a78923e8ddf702e022d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v4549048.exe

Filesize
497KB

MD5
ba5cea28c4993730dbba4af1192407ef

SHA1
9063305b571d92031c9ab8b386119a987f94db7f

SHA256
dc72efe6c7f96fbf3b04e989c02cd13c637a67f5418a48f773f1d21b6d9607c1

SHA512
6433f1237e2a6fc1aa7c01a89983e22bf3d47d815666543cd325ec15bc8df847f86ff1788738b37c47c26520d0b7961c2f8c3042b3d05a78923e8ddf702e022d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4439664.exe

Filesize
372KB

MD5
a0de739b6b9bb0a62934e2b813120c3d

SHA1
baa7b8426823872934693894d447b418e3a914c0

SHA256
4bd45e8f89dd16cc1f9d05a82cde3e6ccaa003215ceca5111330e863e1d8c4a9

SHA512
809e0b4cfdb1ee38a26cbbd120dd346a09bf0ddc48d61823cfd7e63c7d3fee83420787421dbb637e2096aaa738fb31ebd2f1c321246a009718ee73c389f1aca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v4439664.exe

Filesize
372KB

MD5
a0de739b6b9bb0a62934e2b813120c3d

SHA1
baa7b8426823872934693894d447b418e3a914c0

SHA256
4bd45e8f89dd16cc1f9d05a82cde3e6ccaa003215ceca5111330e863e1d8c4a9

SHA512
809e0b4cfdb1ee38a26cbbd120dd346a09bf0ddc48d61823cfd7e63c7d3fee83420787421dbb637e2096aaa738fb31ebd2f1c321246a009718ee73c389f1aca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7448552.exe

Filesize
176KB

MD5
468ff1daf6225aba5c38a4d209f1f5d2

SHA1
3171b220a665ee147043235b0ae71aef1ba81bda

SHA256
3406746e4fc6c18525f88c0f5502104f44065e5c1226efd6eddedc5baee3216b

SHA512
5b785ccbf61882c8c4bda6b4d6e610b346ddd1eb75a7a2f7342f202f6da1baf358780d0d22e41dea6bd4dc30809b4933ccd36f2bc2b839b75650b357743a6868

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c7448552.exe

Filesize
176KB

MD5
468ff1daf6225aba5c38a4d209f1f5d2

SHA1
3171b220a665ee147043235b0ae71aef1ba81bda

SHA256
3406746e4fc6c18525f88c0f5502104f44065e5c1226efd6eddedc5baee3216b

SHA512
5b785ccbf61882c8c4bda6b4d6e610b346ddd1eb75a7a2f7342f202f6da1baf358780d0d22e41dea6bd4dc30809b4933ccd36f2bc2b839b75650b357743a6868

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4656074.exe

Filesize
217KB

MD5
0b5414bd51a3814b7e616dacedc3d260

SHA1
6c31bbda8798aa39e16aaef1eff90bfd0476c985

SHA256
9cc89b791abcace1d0edfa40d856ea816397d4ae41579e8b5950324ae7dcead8

SHA512
6ac8fdb7599f022563572a22ad566e5c1628793aa1bb65fba9375e17c498f2726e03210c27f48e8c7fe0a257effbc5ae25622f86e43c0a7cc1125eefa80ff342

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v4656074.exe

Filesize
217KB

MD5
0b5414bd51a3814b7e616dacedc3d260

SHA1
6c31bbda8798aa39e16aaef1eff90bfd0476c985

SHA256
9cc89b791abcace1d0edfa40d856ea816397d4ae41579e8b5950324ae7dcead8

SHA512
6ac8fdb7599f022563572a22ad566e5c1628793aa1bb65fba9375e17c498f2726e03210c27f48e8c7fe0a257effbc5ae25622f86e43c0a7cc1125eefa80ff342

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3074590.exe

Filesize
18KB

MD5
252bb12e04714d69ebb8881a29a973d2

SHA1
7f15a1b4efd9614314ae56022e3c1a0f22cbe9fb

SHA256
7ee75b421b1e4808e6c127b4d5ef11f78ac75719d889b0507ae26f2fed1f58aa

SHA512
8515687ebc6ffd03a329cefee9580b498cd92f4b71530fedf6e990fbbd19bed58128380481e92ce61f74dc0493cfad71beb98f156bd9cadfb212376395344967

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a3074590.exe

Filesize
18KB

MD5
252bb12e04714d69ebb8881a29a973d2

SHA1
7f15a1b4efd9614314ae56022e3c1a0f22cbe9fb

SHA256
7ee75b421b1e4808e6c127b4d5ef11f78ac75719d889b0507ae26f2fed1f58aa

SHA512
8515687ebc6ffd03a329cefee9580b498cd92f4b71530fedf6e990fbbd19bed58128380481e92ce61f74dc0493cfad71beb98f156bd9cadfb212376395344967

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8240745.exe

Filesize
141KB

MD5
4fa0eef20f498c950f2b8b9588a2fc4a

SHA1
0de16203ad8b5997907c598536b44beb60305b5b

SHA256
567f4f770cfb4440a617be88296d430de924a92976646c95ce4771926f146cbf

SHA512
5737de571992216f25dcc4a1d472d57aece8f262e97f1d012a1f2378ff1a213f5f33dc5e83f7570776270f05a3ebaec639ef760c32b4a1f6e0833ed79da5216e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b8240745.exe

Filesize
141KB

MD5
4fa0eef20f498c950f2b8b9588a2fc4a

SHA1
0de16203ad8b5997907c598536b44beb60305b5b

SHA256
567f4f770cfb4440a617be88296d430de924a92976646c95ce4771926f146cbf

SHA512
5737de571992216f25dcc4a1d472d57aece8f262e97f1d012a1f2378ff1a213f5f33dc5e83f7570776270f05a3ebaec639ef760c32b4a1f6e0833ed79da5216e

Download Submit
memory/3736-38-0x00007FFC56CE0000-0x00007FFC576CC000-memory.dmp

Filesize
9.9MB

Download
memory/3736-36-0x00007FFC56CE0000-0x00007FFC576CC000-memory.dmp

Filesize
9.9MB

Download
memory/3736-35-0x0000000000D00000-0x0000000000D0A000-memory.dmp

Filesize
40KB

Download
memory/4876-45-0x0000000000E40000-0x0000000000E70000-memory.dmp

Filesize
192KB

Download
memory/4876-46-0x0000000073890000-0x0000000073F7E000-memory.dmp

Filesize
6.9MB

Download
memory/4876-47-0x0000000003080000-0x0000000003086000-memory.dmp

Filesize
24KB

Download
memory/4876-48-0x000000000B0E0000-0x000000000B6E6000-memory.dmp

Filesize
6.0MB

Download
memory/4876-49-0x000000000AC50000-0x000000000AD5A000-memory.dmp

Filesize
1.0MB

Download
memory/4876-50-0x000000000AB80000-0x000000000AB92000-memory.dmp

Filesize
72KB

Download
memory/4876-51-0x000000000ABE0000-0x000000000AC1E000-memory.dmp

Filesize
248KB

Download
memory/4876-52-0x000000000AD60000-0x000000000ADAB000-memory.dmp

Filesize
300KB

Download
memory/4876-53-0x0000000073890000-0x0000000073F7E000-memory.dmp

Filesize
6.9MB

Download