healer | c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5 | Triage

Sharing

General

Target

c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5
Size

1.3MB
Sample

230917-sp1d5aah7t
MD5

4a05dd3afee92c247ae5afd584217677
SHA1

85617a85e1183f160afbac80fde61aac8c4540e6
SHA256

c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5
SHA512

596e928da5749a9db9a1f2927511aedb3eb81b844639749b55ac1d7e25e1c000160b27c8bef55afd3e39bb242861b3daa5d73aff07dc53f6b956dfcc0175eaf0
SSDEEP

24576:209BY6wnpPsz9R8UuCUjEdp/BPsG29RIn+uxiFMcBtPuYdQ:209DUp2CUmj+ZPB29SxtcBs6Q

Score

10^/10

healer redline black dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

black

C2

77.91.124.82:19071

Attributes

auth_value
c5887216cebc5a219113738140bc3047

Targets

- Target
  
  c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5
- Size
  
  1.3MB
- MD5
  
  4a05dd3afee92c247ae5afd584217677
- SHA1
  
  85617a85e1183f160afbac80fde61aac8c4540e6
- SHA256
  
  c8ae519292c26b32d79e82cc41bbe68a91bb0db3d13035117111475f6c2e15c5
- SHA512
  
  596e928da5749a9db9a1f2927511aedb3eb81b844639749b55ac1d7e25e1c000160b27c8bef55afd3e39bb242861b3daa5d73aff07dc53f6b956dfcc0175eaf0
- SSDEEP
  
  24576:209BY6wnpPsz9R8UuCUjEdp/BPsG29RIn+uxiFMcBtPuYdQ:209DUp2CUmj+ZPB29SxtcBs6Q
Score

10^/10

healer redline black dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

healerredlineblackdropperevasioninfostealerpersistencetrojan