healer | 0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe
Size

930KB
MD5

8eb730276ea7aac10a9a71c46e15fb5c
SHA1

94852ebe01d80cb0ee62d76c0ae23dc3eb4144ef
SHA256

0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c
SHA512

92f27ae7c6fa20951044097051a05ebdc06adfb11321f940716c4fe94b2e6ac63e4ea296f2317549aaca47d6e8623207ee967f57f9e811abae3fa8076344bbd4
SSDEEP

24576:MygGcgjs/2ex/n6EuVh0uBZXfYGNdrST:7Cgjs/2E/nq2uvfZNdrS

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023239-34.dat	healer
behavioral1/files/0x0007000000023239-33.dat	healer
behavioral1/memory/3928-35-0x0000000000220000-0x000000000022A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	q7861507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q7861507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q7861507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q7861507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q7861507.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q7861507.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
4576	z2211842.exe
2472	z6961747.exe
1608	z5853863.exe
844	z6675446.exe
3928	q7861507.exe
4620	r3095229.exe
4504	s0661561.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	q7861507.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z2211842.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z6961747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z5853863.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z6675446.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3928	q7861507.exe
3928	q7861507.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3928	q7861507.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 492 wrote to memory of 4576	492	0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe	82
PID 492 wrote to memory of 4576	492	0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe	82
PID 492 wrote to memory of 4576	492	0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe	82
PID 4576 wrote to memory of 2472	4576	z2211842.exe	83
PID 4576 wrote to memory of 2472	4576	z2211842.exe	83
PID 4576 wrote to memory of 2472	4576	z2211842.exe	83
PID 2472 wrote to memory of 1608	2472	z6961747.exe	84
PID 2472 wrote to memory of 1608	2472	z6961747.exe	84
PID 2472 wrote to memory of 1608	2472	z6961747.exe	84
PID 1608 wrote to memory of 844	1608	z5853863.exe	85
PID 1608 wrote to memory of 844	1608	z5853863.exe	85
PID 1608 wrote to memory of 844	1608	z5853863.exe	85
PID 844 wrote to memory of 3928	844	z6675446.exe	86
PID 844 wrote to memory of 3928	844	z6675446.exe	86
PID 844 wrote to memory of 4620	844	z6675446.exe	95
PID 844 wrote to memory of 4620	844	z6675446.exe	95
PID 844 wrote to memory of 4620	844	z6675446.exe	95
PID 1608 wrote to memory of 4504	1608	z5853863.exe	97
PID 1608 wrote to memory of 4504	1608	z5853863.exe	97
PID 1608 wrote to memory of 4504	1608	z5853863.exe	97

C:\Users\Admin\AppData\Local\Temp\0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe
"C:\Users\Admin\AppData\Local\Temp\0047034ae90772403d49aa5de1041a6f9bb3d64adaf42466dc58fc2e36bcec3c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:492
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2211842.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2211842.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6961747.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6961747.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5853863.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5853863.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6675446.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6675446.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:844
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7861507.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7861507.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3095229.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3095229.exe
        6⤵
        Executes dropped EXE
        
        PID:4620
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0661561.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0661561.exe
        5⤵
        Executes dropped EXE
        
        PID:4504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2211842.exe

Filesize
824KB

MD5
f3bde9dc7c966bd5eca0083f423143e9

SHA1
00d7df58bbf92b4252c13877a26ae91fb5071834

SHA256
48501d1bbc489fa08fa42be0f2b8295aa1fef3cf59d913ae929980b0a2fb75da

SHA512
384dcbbb82bbc45db53beb186a4e94b681371617a6aed6ad6ec8006ab2899346d2aa5b1ea86513d95a2b7715a0a6a79c697bba68d5b7cb42c653e2f6632d4fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2211842.exe

Filesize
824KB

MD5
f3bde9dc7c966bd5eca0083f423143e9

SHA1
00d7df58bbf92b4252c13877a26ae91fb5071834

SHA256
48501d1bbc489fa08fa42be0f2b8295aa1fef3cf59d913ae929980b0a2fb75da

SHA512
384dcbbb82bbc45db53beb186a4e94b681371617a6aed6ad6ec8006ab2899346d2aa5b1ea86513d95a2b7715a0a6a79c697bba68d5b7cb42c653e2f6632d4fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6961747.exe

Filesize
598KB

MD5
5e7358460072c07a08afffb1f321d571

SHA1
b7f29f6eebc4ed25f97d9da32e950b180e5c3473

SHA256
42efd6fef7a3d9fe2f7508efbc719312457dcc38cc553bb32853ac7c201c0368

SHA512
bd84195d475dd72158f2bc10a9c470d4bf7b234d8a22dc7f0a12e5a0ff3b43b5b5660b0e0a832039f64a7d6575deaf650be590a34c323e918a0d3cf956f1e026

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z6961747.exe

Filesize
598KB

MD5
5e7358460072c07a08afffb1f321d571

SHA1
b7f29f6eebc4ed25f97d9da32e950b180e5c3473

SHA256
42efd6fef7a3d9fe2f7508efbc719312457dcc38cc553bb32853ac7c201c0368

SHA512
bd84195d475dd72158f2bc10a9c470d4bf7b234d8a22dc7f0a12e5a0ff3b43b5b5660b0e0a832039f64a7d6575deaf650be590a34c323e918a0d3cf956f1e026

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5853863.exe

Filesize
372KB

MD5
6e1c4f6093d26e5a5718f55d474e38f5

SHA1
be20c57f2f60dbb7ae04c9d7bc821ee5b3ba90b0

SHA256
eb6176ed626657a3d92bb9dbb7957803d532ec17509fdef9dd94b1b8b49d9710

SHA512
61b3132e0bb438b687373e6acd15a455ca2e3a38e03de73bc0214e5cffdacf3f01f85629cddbda3af6da8f78cd00961f6689ded05ae4f33d9bc64abf57f9b20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z5853863.exe

Filesize
372KB

MD5
6e1c4f6093d26e5a5718f55d474e38f5

SHA1
be20c57f2f60dbb7ae04c9d7bc821ee5b3ba90b0

SHA256
eb6176ed626657a3d92bb9dbb7957803d532ec17509fdef9dd94b1b8b49d9710

SHA512
61b3132e0bb438b687373e6acd15a455ca2e3a38e03de73bc0214e5cffdacf3f01f85629cddbda3af6da8f78cd00961f6689ded05ae4f33d9bc64abf57f9b20f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0661561.exe

Filesize
176KB

MD5
cc68d10346b1afdace498400919aebf1

SHA1
11a183866eb78679f02fda9fa2a51f424957a2ad

SHA256
41bfb6d1c4b3e580d0b0f094f683ed5944f8ebee0af27f532e9216d3f736aaf5

SHA512
80a0c18f33360e7920c7ebe52ecdd247bef48889e26849bf7d8dee6c2004d06ce3de8b6ee5b52c6cee27dbc9526b4da405882a8c6206394be5fe9b63314c0194

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0661561.exe

Filesize
176KB

MD5
cc68d10346b1afdace498400919aebf1

SHA1
11a183866eb78679f02fda9fa2a51f424957a2ad

SHA256
41bfb6d1c4b3e580d0b0f094f683ed5944f8ebee0af27f532e9216d3f736aaf5

SHA512
80a0c18f33360e7920c7ebe52ecdd247bef48889e26849bf7d8dee6c2004d06ce3de8b6ee5b52c6cee27dbc9526b4da405882a8c6206394be5fe9b63314c0194

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6675446.exe

Filesize
217KB

MD5
6e8979a561c016416ba73bd52cf7a299

SHA1
59731711557e0b697dc312e82362f8dceff7df0d

SHA256
82413fd112089bc2a974c4ea969896a678c225de785a2e61b273af75e2d4be6e

SHA512
1887c88a95d612d48d033e09b6d6f9203a2417f6d5fe7a6554e696a60ad8e8a47167febaa9a8fcf7800a2d534b7b509abedc89f4353cdf6631c363d6713f213d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z6675446.exe

Filesize
217KB

MD5
6e8979a561c016416ba73bd52cf7a299

SHA1
59731711557e0b697dc312e82362f8dceff7df0d

SHA256
82413fd112089bc2a974c4ea969896a678c225de785a2e61b273af75e2d4be6e

SHA512
1887c88a95d612d48d033e09b6d6f9203a2417f6d5fe7a6554e696a60ad8e8a47167febaa9a8fcf7800a2d534b7b509abedc89f4353cdf6631c363d6713f213d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7861507.exe

Filesize
18KB

MD5
80efc1d0c0199b0bd855600ed2f0373e

SHA1
0809d3c5657182e8055fd6a145b08a39623744f0

SHA256
04754a207b86de59513fcd62427957b2543dfbd13ff8af57eeb15bf053d230fb

SHA512
c47067926621ab430943df54408bdb010ad7ba01b6154e63b05033bb1ebddcd45acdeaac4b656fa2d2f5c6aa6e9314a9bf4de3c60ccf4463246a6293ccdd2c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q7861507.exe

Filesize
18KB

MD5
80efc1d0c0199b0bd855600ed2f0373e

SHA1
0809d3c5657182e8055fd6a145b08a39623744f0

SHA256
04754a207b86de59513fcd62427957b2543dfbd13ff8af57eeb15bf053d230fb

SHA512
c47067926621ab430943df54408bdb010ad7ba01b6154e63b05033bb1ebddcd45acdeaac4b656fa2d2f5c6aa6e9314a9bf4de3c60ccf4463246a6293ccdd2c4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3095229.exe

Filesize
141KB

MD5
1c05248b737b8f63b8f37b275cf34d2c

SHA1
f837c06e1f2cb6a33b2af116f0d97cfd0bb1e1e6

SHA256
c62b87604a6b026c186c16e9afaa09d84bc84c3499f40a1fc209df1bfad610a1

SHA512
a77ae76cd997d7b544e954c02a0aac46dc55a4168c9224ef7477754195f041dc13c6f20e22f3e3a506f162b8894b870ea45232de09a40d88ea2ec779910c1b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3095229.exe

Filesize
141KB

MD5
1c05248b737b8f63b8f37b275cf34d2c

SHA1
f837c06e1f2cb6a33b2af116f0d97cfd0bb1e1e6

SHA256
c62b87604a6b026c186c16e9afaa09d84bc84c3499f40a1fc209df1bfad610a1

SHA512
a77ae76cd997d7b544e954c02a0aac46dc55a4168c9224ef7477754195f041dc13c6f20e22f3e3a506f162b8894b870ea45232de09a40d88ea2ec779910c1b5b

Download Submit
memory/3928-38-0x00007FF93F960000-0x00007FF940421000-memory.dmp

Filesize
10.8MB

Download
memory/3928-36-0x00007FF93F960000-0x00007FF940421000-memory.dmp

Filesize
10.8MB

Download
memory/3928-35-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/4504-45-0x0000000000EB0000-0x0000000000EE0000-memory.dmp

Filesize
192KB

Download
memory/4504-46-0x0000000073CB0000-0x0000000074460000-memory.dmp

Filesize
7.7MB

Download
memory/4504-47-0x000000000B210000-0x000000000B828000-memory.dmp

Filesize
6.1MB

Download
memory/4504-48-0x000000000AD20000-0x000000000AE2A000-memory.dmp

Filesize
1.0MB

Download
memory/4504-49-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download
memory/4504-50-0x000000000AC60000-0x000000000AC72000-memory.dmp

Filesize
72KB

Download
memory/4504-51-0x000000000ACC0000-0x000000000ACFC000-memory.dmp

Filesize
240KB

Download
memory/4504-52-0x0000000073CB0000-0x0000000074460000-memory.dmp

Filesize
7.7MB

Download
memory/4504-53-0x0000000005860000-0x0000000005870000-memory.dmp

Filesize
64KB

Download