healer | 5de39817d48c418c7e85b05c286dfe0d2270d190a78e9307b53305b102b28461

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2023, 11:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a4ee2cfc1cbd9e298141bbfde343af98dd6f8ef9f72edae72e40689f894d76a8.exe
Size

828KB
MD5

9451cabb6a19f7a4610bc7abc27feddb
SHA1

fa064a2352b283669be8a781a7059d8005d22b79
SHA256

a4ee2cfc1cbd9e298141bbfde343af98dd6f8ef9f72edae72e40689f894d76a8
SHA512

11d9c87bf9021ff09baf3fd54714d87cc6c3557742d8dc5f47d36af25ee53b8c607642cb18636227fbebe812ed45ecac42d09d2c6e0b67df0e323ded19afa499
SSDEEP

12288:nMrAy90jey2SiHFSumTGMYjvPJMIop5Nh+WKJlWUCucfRF583SYTYKcqst2c6A:nyRN5XeEjZMFXh+WKoxLfRL8CDqa56A

Score

10^/10

healer redline sruta dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

sruta

77.91.124.82:19071

Attributes

auth_value
c556edcd49703319eca74247de20c236

Signatures

Detects Healer an antivirus disabler dropper 3 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023279-33.dat	healer
behavioral2/files/0x0007000000023279-34.dat	healer
behavioral2/memory/4472-35-0x0000000000430000-0x000000000043A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a1848296.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a1848296.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a1848296.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a1848296.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a1848296.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a1848296.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Executes dropped EXE 7 IoCs

pid	Process
3420	v4337748.exe
4236	v7777234.exe
3144	v0112683.exe
2088	v1365745.exe
4472	a1848296.exe
4088	b7311188.exe
1436	c2413523.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a1848296.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0112683.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	v1365745.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a4ee2cfc1cbd9e298141bbfde343af98dd6f8ef9f72edae72e40689f894d76a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4337748.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7777234.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4472	a1848296.exe
4472	a1848296.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	a1848296.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3580 wrote to memory of 3420	3580	a4ee2cfc1cbd9e298141bbfde343af98dd6f8ef9f72edae72e40689f894d76a8.exe	87
PID 3580 wrote to memory of 3420	3580	a4ee2cfc1cbd9e298141bbfde343af98dd6f8ef9f72edae72e40689f894d76a8.exe	87
PID 3580 wrote to memory of 3420	3580	a4ee2cfc1cbd9e298141bbfde343af98dd6f8ef9f72edae72e40689f894d76a8.exe	87
PID 3420 wrote to memory of 4236	3420	v4337748.exe	88
PID 3420 wrote to memory of 4236	3420	v4337748.exe	88
PID 3420 wrote to memory of 4236	3420	v4337748.exe	88
PID 4236 wrote to memory of 3144	4236	v7777234.exe	89
PID 4236 wrote to memory of 3144	4236	v7777234.exe	89
PID 4236 wrote to memory of 3144	4236	v7777234.exe	89
PID 3144 wrote to memory of 2088	3144	v0112683.exe	90
PID 3144 wrote to memory of 2088	3144	v0112683.exe	90
PID 3144 wrote to memory of 2088	3144	v0112683.exe	90
PID 2088 wrote to memory of 4472	2088	v1365745.exe	91
PID 2088 wrote to memory of 4472	2088	v1365745.exe	91
PID 2088 wrote to memory of 4088	2088	v1365745.exe	94
PID 2088 wrote to memory of 4088	2088	v1365745.exe	94
PID 2088 wrote to memory of 4088	2088	v1365745.exe	94
PID 3144 wrote to memory of 1436	3144	v0112683.exe	95
PID 3144 wrote to memory of 1436	3144	v0112683.exe	95
PID 3144 wrote to memory of 1436	3144	v0112683.exe	95

C:\Users\Admin\AppData\Local\Temp\a4ee2cfc1cbd9e298141bbfde343af98dd6f8ef9f72edae72e40689f894d76a8.exe
"C:\Users\Admin\AppData\Local\Temp\a4ee2cfc1cbd9e298141bbfde343af98dd6f8ef9f72edae72e40689f894d76a8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3580
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4337748.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4337748.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3420
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7777234.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7777234.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0112683.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0112683.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1365745.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1365745.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1848296.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1848296.exe
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
      - C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7311188.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7311188.exe
        6⤵
        Executes dropped EXE
        
        PID:4088
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2413523.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2413523.exe
        5⤵
        Executes dropped EXE
        
        PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4337748.exe

Filesize
723KB

MD5
08f9a3b5fe3bf3bff4060a042f4765c3

SHA1
dc2d582c97d6ebac0f162e6e90dc9e9d60d2ba64

SHA256
c4b7d00b4a04beaea9fd20281ca859d3f34f8827f98d4f1bd6022f06502e03ee

SHA512
5d5b9275ce48ebcf76ed96e5b94c94fc55eef2bb91846e18ade6a3cfd6f74e9e02c618b7534c83b464d6b8561604ee194919c2604c3b615bb393bf565d3c0235

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4337748.exe

Filesize
723KB

MD5
08f9a3b5fe3bf3bff4060a042f4765c3

SHA1
dc2d582c97d6ebac0f162e6e90dc9e9d60d2ba64

SHA256
c4b7d00b4a04beaea9fd20281ca859d3f34f8827f98d4f1bd6022f06502e03ee

SHA512
5d5b9275ce48ebcf76ed96e5b94c94fc55eef2bb91846e18ade6a3cfd6f74e9e02c618b7534c83b464d6b8561604ee194919c2604c3b615bb393bf565d3c0235

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7777234.exe

Filesize
497KB

MD5
7d7b8829c810676260554a60845184d6

SHA1
5f88b1b8fe029704eb1da743c608a9e2d4110fa1

SHA256
d32ec82f55016c334e1e5af15765f0d48760d97a0adaffc0091c853013ab3db7

SHA512
6c03d4004f283bbe1ed6d61d1e91e5742e34b8898d33ecd31fbca2632c3b56538a0f1fcf0860cb4acaaa54671f3b83f1e41d46b1dee27df4d9da47c381eac16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7777234.exe

Filesize
497KB

MD5
7d7b8829c810676260554a60845184d6

SHA1
5f88b1b8fe029704eb1da743c608a9e2d4110fa1

SHA256
d32ec82f55016c334e1e5af15765f0d48760d97a0adaffc0091c853013ab3db7

SHA512
6c03d4004f283bbe1ed6d61d1e91e5742e34b8898d33ecd31fbca2632c3b56538a0f1fcf0860cb4acaaa54671f3b83f1e41d46b1dee27df4d9da47c381eac16c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0112683.exe

Filesize
372KB

MD5
902ee12fceedd635f71b7b7b1e3e7b8f

SHA1
e2ca499f23fe748e8d31896f878a50f876dab5a9

SHA256
327fd7e92e3a01ecb913674aaefaa6dbd6174fe2761108aa240e4b59ae41ca04

SHA512
eb0fb688ff2452adb4ee5bebca94265b8fd09e96908aa5836eb770ae2f0559862135c13b1a92ddd7b6574f6e1b07fb3b216f62279ede67cf04008e09234d4b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0112683.exe

Filesize
372KB

MD5
902ee12fceedd635f71b7b7b1e3e7b8f

SHA1
e2ca499f23fe748e8d31896f878a50f876dab5a9

SHA256
327fd7e92e3a01ecb913674aaefaa6dbd6174fe2761108aa240e4b59ae41ca04

SHA512
eb0fb688ff2452adb4ee5bebca94265b8fd09e96908aa5836eb770ae2f0559862135c13b1a92ddd7b6574f6e1b07fb3b216f62279ede67cf04008e09234d4b27

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2413523.exe

Filesize
176KB

MD5
9e10faa42c5b7fd76d7de5165a104ebe

SHA1
43415b8f16096e41d51579b6130591fb88dfb50d

SHA256
3208a31697c9290343ad88387daae01f15c4d15612be8900a2a4c0038c195af1

SHA512
cd535e9d7c93d8e8f090d088c84668438c86211d5a10a3cc8fa2d4d96775de64fa4f2ed38d384a90c5c8ff0171a99a547fadbcadcda76cd4b47cc72c13763800

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\c2413523.exe

Filesize
176KB

MD5
9e10faa42c5b7fd76d7de5165a104ebe

SHA1
43415b8f16096e41d51579b6130591fb88dfb50d

SHA256
3208a31697c9290343ad88387daae01f15c4d15612be8900a2a4c0038c195af1

SHA512
cd535e9d7c93d8e8f090d088c84668438c86211d5a10a3cc8fa2d4d96775de64fa4f2ed38d384a90c5c8ff0171a99a547fadbcadcda76cd4b47cc72c13763800

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1365745.exe

Filesize
217KB

MD5
73822e49163b9dd032e9693ff6b2e1ce

SHA1
7e5bb4ff5383ed20776713f8392169824e0bf328

SHA256
2f1f474c48ca164d5156c44a04cc688f424b89ff1fa5a3c1dd2c6a7596c954fc

SHA512
35aa9579953344cea0aefd75f517eb83cfbf633fab7f0bb7f33a3f86f81b82283ae959074b5602c2b0f7e0cf1611920595b785d1d687013be8ea3f40c9f15eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v1365745.exe

Filesize
217KB

MD5
73822e49163b9dd032e9693ff6b2e1ce

SHA1
7e5bb4ff5383ed20776713f8392169824e0bf328

SHA256
2f1f474c48ca164d5156c44a04cc688f424b89ff1fa5a3c1dd2c6a7596c954fc

SHA512
35aa9579953344cea0aefd75f517eb83cfbf633fab7f0bb7f33a3f86f81b82283ae959074b5602c2b0f7e0cf1611920595b785d1d687013be8ea3f40c9f15eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1848296.exe

Filesize
18KB

MD5
d0043ab29aa66dce824a1bdd90ee89fd

SHA1
001370983ec43b7488a3278df4bb8cc909304b59

SHA256
1c76a65acfeb10daef52175fc9f5a564ebec235de94f55f8c968a9c448b0c02d

SHA512
04e03acc72c58e18d2be6df8eb0cb97502f4fa26fba924263c81edf7bd49158c591503a6e94d843e6e4894d732fc34c8b9833faacd7bd0fffb7f0bd2b00e3f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a1848296.exe

Filesize
18KB

MD5
d0043ab29aa66dce824a1bdd90ee89fd

SHA1
001370983ec43b7488a3278df4bb8cc909304b59

SHA256
1c76a65acfeb10daef52175fc9f5a564ebec235de94f55f8c968a9c448b0c02d

SHA512
04e03acc72c58e18d2be6df8eb0cb97502f4fa26fba924263c81edf7bd49158c591503a6e94d843e6e4894d732fc34c8b9833faacd7bd0fffb7f0bd2b00e3f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7311188.exe

Filesize
141KB

MD5
c192b66f7fe315fc049e63f5450e0729

SHA1
6ed197de1500be26628afcaf980b0570a5b64c7e

SHA256
e54e1eab937609081f1fa903b10e85a8e396e75c12e0e74cf88b78daecacac54

SHA512
32c11eaa517e21b8eda0a45dc13f1abbd9a2fb57d8bd336f63ff1f4f30750e6f12dac229c42a43fc2cd7dc8babd5dce8359545c3d203ac34b7a51ad3ca2c30ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b7311188.exe

Filesize
141KB

MD5
c192b66f7fe315fc049e63f5450e0729

SHA1
6ed197de1500be26628afcaf980b0570a5b64c7e

SHA256
e54e1eab937609081f1fa903b10e85a8e396e75c12e0e74cf88b78daecacac54

SHA512
32c11eaa517e21b8eda0a45dc13f1abbd9a2fb57d8bd336f63ff1f4f30750e6f12dac229c42a43fc2cd7dc8babd5dce8359545c3d203ac34b7a51ad3ca2c30ef

Download Submit
memory/1436-46-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/1436-45-0x0000000000940000-0x0000000000970000-memory.dmp

Filesize
192KB

Download
memory/1436-47-0x0000000005A00000-0x0000000006018000-memory.dmp

Filesize
6.1MB

Download
memory/1436-48-0x00000000054F0000-0x00000000055FA000-memory.dmp

Filesize
1.0MB

Download
memory/1436-50-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/1436-49-0x0000000005410000-0x0000000005422000-memory.dmp

Filesize
72KB

Download
memory/1436-51-0x0000000005470000-0x00000000054AC000-memory.dmp

Filesize
240KB

Download
memory/1436-52-0x0000000074A40000-0x00000000751F0000-memory.dmp

Filesize
7.7MB

Download
memory/1436-53-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

Filesize
64KB

Download
memory/4472-38-0x00007FFE55570000-0x00007FFE56031000-memory.dmp

Filesize
10.8MB

Download
memory/4472-36-0x00007FFE55570000-0x00007FFE56031000-memory.dmp

Filesize
10.8MB

Download
memory/4472-35-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download