healer | 878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4

General

Target

878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe
Size

3.1MB
MD5

8cb6d463ebaca729bc6250586e487e3f
SHA1

ba77b0cc638df4749d90386d14f0f077a7a887df
SHA256

878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4
SHA512

160b41b33561f15132a06af012d7d67c2f347452b1a96d09008ea45e4e523bd403c1434787b76a3452abedef8156ffbdc4b04dec06f13314ad6542d6ba033250
SSDEEP

49152:MpFzUE1/x5XSke5ec6a3vTlsn35QDS1h2b6CtI3jc8U8kE5:MpFzvSk1OqI6mgw8UXE

Score

10^/10

healer redline ramon dropper infostealer

Malware Config

Extracted

Family

redline

Botnet

ramon

C2

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Signatures

Detects Healer an antivirus disabler dropper 1 IoCs

resource	yara_rule
behavioral2/memory/3628-25-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3540 set thread context of 4564	3540	878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe	95

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 4564	3540	878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe	95
PID 3540 wrote to memory of 4564	3540	878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe	95
PID 3540 wrote to memory of 4564	3540	878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe	95
PID 3540 wrote to memory of 4564	3540	878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe	95
PID 3540 wrote to memory of 4564	3540	878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe	95
PID 3540 wrote to memory of 4564	3540	878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe	95
PID 3540 wrote to memory of 4564	3540	878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe	95
PID 3540 wrote to memory of 4564	3540	878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe	95
PID 3540 wrote to memory of 4564	3540	878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe	95
PID 3540 wrote to memory of 4564	3540	878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe	95

C:\Users\Admin\AppData\Local\Temp\878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe
"C:\Users\Admin\AppData\Local\Temp\878a1fc02579c37f7ebfee0e3a35b0e16884bb2af701d2de65080fce3cb8b3c4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:4564
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9431376.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9431376.exe
    3⤵
    PID:3264
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6764285.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6764285.exe
      4⤵
      PID:2416
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4059131.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4059131.exe
        5⤵
        
        PID:4248
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:2204
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:4396
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        
        PID:3628
    - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9006407.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9006407.exe
        5⤵
        
        PID:3740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9431376.exe

Filesize
731KB

MD5
419244c8dcc9ba51caa5943e41baab1f

SHA1
ab55cdedc904cca537cdbd46f0bab8e9d1ec7052

SHA256
bda408e3d4d8021cefa4149b07e925db576d357788deba77f19b2935ad585c17

SHA512
e290bb50bcadfdab141c6d463287a13fe5402fff7001f086c6935585d9b349848038025fc2f4703c74d4d44fd8ba3dec5ecd2eeafd727868217f073424942b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x9431376.exe

Filesize
731KB

MD5
419244c8dcc9ba51caa5943e41baab1f

SHA1
ab55cdedc904cca537cdbd46f0bab8e9d1ec7052

SHA256
bda408e3d4d8021cefa4149b07e925db576d357788deba77f19b2935ad585c17

SHA512
e290bb50bcadfdab141c6d463287a13fe5402fff7001f086c6935585d9b349848038025fc2f4703c74d4d44fd8ba3dec5ecd2eeafd727868217f073424942b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6764285.exe

Filesize
565KB

MD5
3702e9bb612de3f5452566ff7d8bea83

SHA1
b232f0a5d94a3c4750ab5432b4ecea1e949a55b4

SHA256
5f4ad3386e03c994b148e4d4fdc6968b6de123b531818cde5b16ee10cb229801

SHA512
12ac2e9654b9c04366e46744e01637f1fd8c3cb440b9f301b8bc14d864782b7c24e9729c5a7cdbc6f6b2584e8c291bcbecfe9ce77e4c807589ddb752aaf91014

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6764285.exe

Filesize
565KB

MD5
3702e9bb612de3f5452566ff7d8bea83

SHA1
b232f0a5d94a3c4750ab5432b4ecea1e949a55b4

SHA256
5f4ad3386e03c994b148e4d4fdc6968b6de123b531818cde5b16ee10cb229801

SHA512
12ac2e9654b9c04366e46744e01637f1fd8c3cb440b9f301b8bc14d864782b7c24e9729c5a7cdbc6f6b2584e8c291bcbecfe9ce77e4c807589ddb752aaf91014

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4059131.exe

Filesize
1.6MB

MD5
505b7cf0d29654cbdd51f323997752cd

SHA1
aa1f907ac447b33a905e664d8d80cd8c2bcf8256

SHA256
e850cd1c5de3d36894b7b6366a8665bee5d06ca5cabce888500a74c0365596d5

SHA512
981a7cfa39b9857e9af78ef8b716e3bc8af5d8b532a4672f7fb1f6f3fec15604c382c78bc58b55080af19910f5cbcd38ba9b8e67bb07871356fa3602cf9ff971

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4059131.exe

Filesize
1.6MB

MD5
505b7cf0d29654cbdd51f323997752cd

SHA1
aa1f907ac447b33a905e664d8d80cd8c2bcf8256

SHA256
e850cd1c5de3d36894b7b6366a8665bee5d06ca5cabce888500a74c0365596d5

SHA512
981a7cfa39b9857e9af78ef8b716e3bc8af5d8b532a4672f7fb1f6f3fec15604c382c78bc58b55080af19910f5cbcd38ba9b8e67bb07871356fa3602cf9ff971

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9006407.exe

Filesize
64KB

MD5
9baffac7ea8f64a1d3671300658f84d3

SHA1
4bcd19898ceb9d4ed5803496cb3aabd356d2dcff

SHA256
b477398decb044f2c3bc41e3d583f7a2a54961326a101716593da3e852347b83

SHA512
71eb72416eb3ddaa9e9079341d3dead15db2e6b046e498b4636dfd59fbfd73a4f953c2c35aded00124c26532824ec144562091adbdaec8f0eae8327d5e333c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9006407.exe

Filesize
174KB

MD5
a3033cd989eda6f0895cccde6cf8c0c6

SHA1
a029129407bf22ddaf8e96a00d4f5c29b9e820c5

SHA256
bb05d4b4cf5c55cab4150ae910e589bd58dde03e592a1a85ca28995176d2a80b

SHA512
7ac922469fb584f73ccfbaf218a9693ca26bc6ce58eab3f275501991a26e71357cd81b4e87387962765d6fcec62741cb7e05953e9ae4a36fe795414d587a3bc8

Download Submit
memory/3628-25-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4564-3-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4564-2-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4564-1-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/4564-0-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing