healer | 1498cea6a80638cef6b65a1281a329ccdd09ff6f17763538dba20c56e5e55db4 | Triage

Sharing

General

Target

JC_1498cea6a80638cef6b65a1281a329ccdd09ff6f17763538dba20c56e5e55db4
Size

830KB
Sample

230902-mm98nabh81
MD5

54a027797db3cf418309c7d316263a3e
SHA1

c2b7b982aab869ead87e851b6932218ef17ea7ba
SHA256

1498cea6a80638cef6b65a1281a329ccdd09ff6f17763538dba20c56e5e55db4
SHA512

60f329794016f7d30012f678a6052fa0fab3cd8e94303b9f0f3a3050baf49bfe2e587a89c445e98b5f00dba4ce99578557675c59e7f3c4eaa0aab9321c118efe
SSDEEP

12288:jMrPy90vT97KUVQrEiMuIWxueUXVLvFgu7yRAYvrDtKsUOu5VdUbPidtm07ILo5I:Yy8sYiMuIkLUXldyzt+5uPot0LHdT

Score

10^/10

healer redline domka dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

domka

C2

77.91.124.82:19071

Attributes

auth_value
74e19436acac85e44d691aebcc617529

Targets

- Target
  
  JC_1498cea6a80638cef6b65a1281a329ccdd09ff6f17763538dba20c56e5e55db4
- Size
  
  830KB
- MD5
  
  54a027797db3cf418309c7d316263a3e
- SHA1
  
  c2b7b982aab869ead87e851b6932218ef17ea7ba
- SHA256
  
  1498cea6a80638cef6b65a1281a329ccdd09ff6f17763538dba20c56e5e55db4
- SHA512
  
  60f329794016f7d30012f678a6052fa0fab3cd8e94303b9f0f3a3050baf49bfe2e587a89c445e98b5f00dba4ce99578557675c59e7f3c4eaa0aab9321c118efe
- SSDEEP
  
  12288:jMrPy90vT97KUVQrEiMuIWxueUXVLvFgu7yRAYvrDtKsUOu5VdUbPidtm07ILo5I:Yy8sYiMuIkLUXldyzt+5uPot0LHdT
Score

10^/10

healer redline domka dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

healerredlinedomkadropperevasioninfostealerpersistencetrojan

behavioral2

healerredlinedomkadropperevasioninfostealerpersistencetrojan