healer | ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed | Triage

Sharing

General

Target

ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed
Size

830KB
Sample

230824-ctbnkahc86
MD5

b4592e7798726bb7edcccba913fc8f2e
SHA1

abaa9c7db99b549aa96fc2dd785490381a98e8b3
SHA256

ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed
SHA512

123a8c264e8aa0fb8d46023e6cc9d823a18279ac755be597dcbecd4b613a0a9a402f8508b489c84e4d7ddd1e95d9c17414e8b1eb0ef10388cadf2533ac3d323a
SSDEEP

12288:wMr4y90Ofope9tKFYvqB47mYh7DOwtuPRXnaWO5zdMeBUvY3RneTGuKe/A5rg7Hy:Yyd0eW0qB47mY8wkRXaWNvY3ReShiS

Score

10^/10

healer redline rwan dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

rwan

C2

77.91.124.73:19071

Attributes

auth_value
7c40eda5da4f888d6f61befbf947d9fe

Targets

- Target
  
  ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed
- Size
  
  830KB
- MD5
  
  b4592e7798726bb7edcccba913fc8f2e
- SHA1
  
  abaa9c7db99b549aa96fc2dd785490381a98e8b3
- SHA256
  
  ac736f75f5dca62eda1d93322c6bc3c7a084bbd285c958313e41b35f26385eed
- SHA512
  
  123a8c264e8aa0fb8d46023e6cc9d823a18279ac755be597dcbecd4b613a0a9a402f8508b489c84e4d7ddd1e95d9c17414e8b1eb0ef10388cadf2533ac3d323a
- SSDEEP
  
  12288:wMr4y90Ofope9tKFYvqB47mYh7DOwtuPRXnaWO5zdMeBUvY3RneTGuKe/A5rg7Hy:Yyd0eW0qB47mY8wkRXaWNvY3ReShiS
Score

10^/10

healer redline rwan dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

healerredlinerwandropperevasioninfostealerpersistencetrojan