healer | 7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb | Triage

Sharing

General

Target

7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe
Size

753KB
Sample

231012-tcvtjsaa6v
MD5

cd477aac77d7453206b9e984a4444fc3
SHA1

c798de0cf5623a3d7b4beb0e8fa98bb6f32e91b9
SHA256

7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb
SHA512

a9ac3f52f11f0d4c439cbbcf99a864928b5fd4713bc867cc28d33655276e8c853310e7b4d28d99d64bab94377f199b35da24e68d11a0b260a099e1fb583764f8
SSDEEP

12288:qMrYy90EqcrEywjFwiKj1PC4/JTc557oUsiB3yPC/oVSnuFlx1GM7Hzj:eyUOiKFC4BTI57oUEkoVcWvnj

Score

10^/10

healer redline dusa dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

dusa

C2

83.97.73.127:19045

Attributes

auth_value
ee896466545fedf9de5406175fb82de5

Targets

- Target
  
  7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb_JC.exe
- Size
  
  753KB
- MD5
  
  cd477aac77d7453206b9e984a4444fc3
- SHA1
  
  c798de0cf5623a3d7b4beb0e8fa98bb6f32e91b9
- SHA256
  
  7106d40d171b3795f4583a91e1b105bd7fc2cb102e290d33d9bbd01ce12622bb
- SHA512
  
  a9ac3f52f11f0d4c439cbbcf99a864928b5fd4713bc867cc28d33655276e8c853310e7b4d28d99d64bab94377f199b35da24e68d11a0b260a099e1fb583764f8
- SSDEEP
  
  12288:qMrYy90EqcrEywjFwiKj1PC4/JTc557oUsiB3yPC/oVSnuFlx1GM7Hzj:eyUOiKFC4BTI57oUEkoVcWvnj
Score

10^/10

healer redline dusa dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Impair Defenses

Disable or Modify Tools

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

healerredlinedusadropperevasioninfostealerpersistencetrojan

behavioral2

healerredlinedusadropperevasioninfostealerpersistencetrojan