healer | c8eb9662199443eee0be998482cd9a6cd4bf9f0f115c04db6bae8f0816a9e7bf | Triage

Sharing

General

Target

c8eb9662199443eee0be998482cd9a6cd4bf9f0f115c04db6bae8f0816a9e7bf
Size

3.1MB
Sample

231014-amcwyafd9s
MD5

89bb472642a708698b253b0fb0411322
SHA1

bc20878f661e44565946338ba344388595bc7e0b
SHA256

c8eb9662199443eee0be998482cd9a6cd4bf9f0f115c04db6bae8f0816a9e7bf
SHA512

ad00df710f334fee08dc64d33a3e7742f313af866e9cdbcec0d9381d4dce2ee36687187c16f30bad663de27d66a31df96442ee4778f558c4e496252db7c70fb4
SSDEEP

49152:g4ctSwHupD6ERas+6a3vDgHDuPUQknGKQIM0dhflElN3X6f:g4ctrEPSgHDW4nGC3flmNa

Score

10^/10

healer redline ramon dropper evasion infostealer persistence trojan

Malware Config

Extracted

Family

redline

Botnet

ramon

C2

77.91.124.82:19071

Attributes

auth_value
3197576965d9513f115338c233015b40

Targets

- Target
  
  c8eb9662199443eee0be998482cd9a6cd4bf9f0f115c04db6bae8f0816a9e7bf
- Size
  
  3.1MB
- MD5
  
  89bb472642a708698b253b0fb0411322
- SHA1
  
  bc20878f661e44565946338ba344388595bc7e0b
- SHA256
  
  c8eb9662199443eee0be998482cd9a6cd4bf9f0f115c04db6bae8f0816a9e7bf
- SHA512
  
  ad00df710f334fee08dc64d33a3e7742f313af866e9cdbcec0d9381d4dce2ee36687187c16f30bad663de27d66a31df96442ee4778f558c4e496252db7c70fb4
- SSDEEP
  
  49152:g4ctSwHupD6ERas+6a3vDgHDuPUQknGKQIM0dhflElN3X6f:g4ctrEPSgHDW4nGC3flmNa
Score

10^/10

healer redline ramon dropper evasion infostealer persistence trojan
- Detects Healer an antivirus disabler dropper
- Healer
  Healer an antivirus disabler dropper.
  dropper healer
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Executes dropped EXE
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

healerredlineramondropperevasioninfostealerpersistencetrojan