healer | 8bd544af495a2cb1b8fa05598e03080cb9e5ec4d789b9786c5a939aaf8f6e4f1 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

8bd544af495a2cb1b8fa05598e03080cb9e5ec4d789b9786c5a939aaf8f6e4f1
Size

1.3MB
Sample

231012-qzdl1aee42
MD5

15191b422ca8442afe30ca33f4e14a92
SHA1

cd99d2c31e956dd0cfdc9326673e1da692ae45ba
SHA256

8bd544af495a2cb1b8fa05598e03080cb9e5ec4d789b9786c5a939aaf8f6e4f1
SHA512

76b5a8e4c58fc7edcebdaa59d5aaa1aaf4f66e16ddf31b6e9c3c1a071c779ad0d7c474a7bcf9e186c438ce4bb2a24ad2be427608e29b367575648b85ee1df418
SSDEEP

24576:4iGL5iZipp5tB2faukLIFyInKW277WUf+mV+eMj3s:k5iZiprT2iukLLInK/bfN+lj3s

Score

10^/10

healer redline vasha dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

vasha

C2

77.91.124.82:19071

Attributes

auth_value
42fc61786274daca54d589b85a2c1954

Targets

- Target
  
  8bd544af495a2cb1b8fa05598e03080cb9e5ec4d789b9786c5a939aaf8f6e4f1
- Size
  
  1.3MB
- MD5
  
  15191b422ca8442afe30ca33f4e14a92
- SHA1
  
  cd99d2c31e956dd0cfdc9326673e1da692ae45ba
- SHA256
  
  8bd544af495a2cb1b8fa05598e03080cb9e5ec4d789b9786c5a939aaf8f6e4f1
- SHA512
  
  76b5a8e4c58fc7edcebdaa59d5aaa1aaf4f66e16ddf31b6e9c3c1a071c779ad0d7c474a7bcf9e186c438ce4bb2a24ad2be427608e29b367575648b85ee1df418
- SSDEEP
  
  24576:4iGL5iZipp5tB2faukLIFyInKW277WUf+mV+eMj3s:k5iZiprT2iukLLInK/bfN+lj3s
Score

10^/10

healer redline vasha dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

healerredlinevashadropperevasioninfostealerpersistencetrojan

behavioral2

healerredlinevashadropperevasioninfostealerpersistencetrojan