healer | c891e3032f2179def6000a036ad4641829efe55670408110ac1d2683e8b17273 | Triage

Sharing

General

Target

c891e3032f2179def6000a036ad4641829efe55670408110ac1d2683e8b17273_JC.exe
Size

1.5MB
Sample

230912-qszwnach8x
MD5

7c9a817e63843b6f41e203cd3cf7f47a
SHA1

46d0dae4d90a73aa9d3549d377eed4ee158a9558
SHA256

c891e3032f2179def6000a036ad4641829efe55670408110ac1d2683e8b17273
SHA512

38f2972072c8d5cac7625ee3f9a0f2e2420b2f4da7954e07077a7b86d01a9f7877b32ca96eb354768354e22e39721d0f166004b3cd575e5060caffed132fe3b6
SSDEEP

24576:poeCJ4evdU0MvbTT+GTD7Oqrr7AgDN1JvFjfDxWNb2EPB/eDzBxnPFuSvOR232vS:SeCJ4Ud/8Pd/7/8gDnHjDxgb9QDzBBw2

Score

10^/10

healer redline smokeloader smokiez_build tuco backdoor dropper evasion infostealer persistence spyware trojan

Malware Config

Extracted

Family

redline

Botnet

smokiez_build

C2

194.169.175.232:45450

Attributes

auth_value
2e68bc276986767f0f14a3d75567abcd

Extracted

Family

smokeloader

Version

2022

C2

http://77.91.68.29/fks/

rc4.i32

rc4.i32

Extracted

Family

redline

Botnet

tuco

C2

77.91.124.82:19071

Attributes

auth_value
dcfeb759bae9232de006fc3a4b34ac53

Targets

- Target
  
  c891e3032f2179def6000a036ad4641829efe55670408110ac1d2683e8b17273_JC.exe
- Size
  
  1.5MB
- MD5
  
  7c9a817e63843b6f41e203cd3cf7f47a
- SHA1
  
  46d0dae4d90a73aa9d3549d377eed4ee158a9558
- SHA256
  
  c891e3032f2179def6000a036ad4641829efe55670408110ac1d2683e8b17273
- SHA512
  
  38f2972072c8d5cac7625ee3f9a0f2e2420b2f4da7954e07077a7b86d01a9f7877b32ca96eb354768354e22e39721d0f166004b3cd575e5060caffed132fe3b6
- SSDEEP
  
  24576:poeCJ4evdU0MvbTT+GTD7Oqrr7AgDN1JvFjfDxWNb2EPB/eDzBxnPFuSvOR232vS:SeCJ4Ud/8Pd/7/8gDnHjDxgb9QDzBBw2
Score

10^/10

healer redline smokeloader smokiez_build tuco backdoor dropper evasion infostealer persistence spyware trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- RedLine payload
- SmokeLoader
  Modular backdoor trojan in use since 2014.
  trojan backdoor smokeloader
- Downloads MZ/PE file
- Executes dropped EXE
- Uses the VBS compiler for execution
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Scripting

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

Peripheral Device Discovery

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

behavioral2

healerredlinesmokeloadersmokiez_buildtucobackdoordropperevasioninfostealerpersistencespywaretrojan