Malware Analysis Report

2025-01-23 07:40

Sample ID 241104-q5gkvazhpf
Target 641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba
SHA256 641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba

Threat Level: Known bad

The file 641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

RedLine

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

Healer family

Detects Healer, an antivirus disabler dropper

Redline family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:50

Signatures

Unsigned PE

(no per-indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:50

Reported

2024-11-04 13:53

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe"

Signatures

Detects Healer, an antivirus disabler dropper

2 matches; no per-indicator details recorded.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
All six writes come from bujS90JC90.exe, which matches the "antivirus disabler" role the Healer signature above describes, and they target HKLM policy keys, so they need an elevated token; the sandbox runs the sample as Admin. Whether they take effect depends on Tamper Protection: when it is on, Defender ignores policy-driven changes to real-time protection and blocks direct edits to its own Features key, which is what the TamperProtection = 0 write under "Windows security modification" below is aimed at.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe N/A

RedLine

infostealer redline

RedLine payload

35 matches; no per-indicator details recorded.

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe N/A

Adds Run key to start application

persistence
Caveat: these four RunOnce values are wextract_cleanupN entries pointing at IXP00N.TMP directories. That is the stock behavior of the Windows wextract/IExpress self-extractor stub: each layer unpacks the next into %TEMP%\IXP00N.TMP and registers a RunOnce entry that calls advpack.dll DelNodeRunDLL32 to delete that directory at the next logon. It tells you the sample is four nested SFX layers; it does not relaunch the payload, so treat it as cleanup rather than payload persistence.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe N/A
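Triage logic for the registry writes in the two Defender tables and the RunOnce table above, as an added example that is not part of the sandbox output. The first seven sample lines are the report's own "Set value" rows; the eighth is a constructed Run-key entry with a hypothetical path, included only so the contrast with the wextract cleanup entries is visible. The parser, the category names and the ATT&CK mapping are this example's own.

```python
"""Classify sandbox registry writes: Defender tampering, Run-key persistence, SFX cleanup.

Added example for this report, not sandbox output. Seven sample rows are
copied from the report; the last row (Updater\svc.exe) is constructed.
"""
import re
from collections import defaultdict

# Constructed sample input: seven rows from the report, one hypothetical row.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\Updater\\svc.exe" C:\Users\Admin\AppData\Roaming\Updater\svc.exe
"""

# Row format used by the report: 'Set value (type) <key>\<name> = "<data>" <process path>'.
EVENT_RE = re.compile(
    r'^Set value \((?P<type>int|str)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)

DEFENDER_POLICY = r"\registry\machine\software\policies\microsoft\windows defender"
DEFENDER_FEATURES = r"\registry\machine\software\microsoft\windows defender\features"
RUN_KEY_RE = re.compile(r"\\currentversion\\(run|runonce)$")
# wextract/IExpress stub cleanup: advpack.dll DelNodeRunDLL32 on an IXPnnn.TMP directory.
SFX_CLEANUP_RE = re.compile(r"advpack\.dll,delnoderundll32 .*ixp\d{3}\.tmp", re.I)

ATTACK = {
    "defender_tamper": "T1562.001 Impair Defenses: Disable or Modify Tools",
    "run_persistence": "T1547.001 Registry Run Keys / Startup Folder",
    "sfx_cleanup": "wextract self-extractor cleanup (not payload persistence)",
}


def parse_event(line):
    """Split one report row into key, value name, unescaped data and process basename."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m.group("path").rpartition("\\")
    data = m.group("data").replace(r'\"', '"').replace(r"\\", "\\")
    return {"type": m.group("type"), "key": key, "name": name, "data": data,
            "proc": m.group("proc").rsplit("\\", 1)[-1]}


def classify(ev):
    key = ev["key"].lower()
    # Policy-driven Disable* = 1 under the Defender policy hive.
    if key.startswith(DEFENDER_POLICY) and ev["name"].lower().startswith("disable") and ev["data"] == "1":
        return "defender_tamper"
    # Direct write to Defender's own Features key turning Tamper Protection off.
    if key == DEFENDER_FEATURES and ev["name"] == "TamperProtection" and ev["data"] == "0":
        return "defender_tamper"
    if RUN_KEY_RE.search(key):
        return "sfx_cleanup" if SFX_CLEANUP_RE.search(ev["data"]) else "run_persistence"
    return "other"


def triage(text):
    """Bucket every parseable row by category: {category: [(proc, value name, data), ...]}."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        ev = parse_event(line)
        if ev:
            buckets[classify(ev)].append((ev["proc"], ev["name"], ev["data"]))
    return dict(buckets)


def summarize(text):
    """One line per category with its ATT&CK mapping and hit count."""
    return [f"{cat}: {len(rows)} hit(s); {ATTACK.get(cat, 'unmapped')}"
            for cat, rows in sorted(triage(text).items())]


if __name__ == "__main__":
    for line in summarize(SAMPLE_EVENTS):
        print(line)
```

The split matters for the verdict: the six Defender writes map to T1562.001 and are the real evasion, the wextract_cleanup RunOnce entry is extractor housekeeping, and only a Run-key value that launches something (the constructed eighth row) earns the T1547.001 persistence label.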

System Location Discovery: System Language Discovery

discovery
Every stage opens the NLS\Language key to read the system locale (ATT&CK T1614.001). Locale reads are routine in benign software and stealers commonly use them to skip certain regions; the report does not show what this sample does with the result, so treat it as context, not a signal on its own.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caSJ17Xq60.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caSJ17Xq60.exe N/A

Suspicious use of WriteProcessMemory

Every write below goes from a process to the executable it launches next (compare the Processes list), which is what CreateProcess itself does when it sets up a child, so these rows are a weak signal on their own; they are useful mainly for recovering PIDs and the launch order. Repeated rows are collapsed into a count.
Description Indicator Process Target Writes
PID 4548 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe 3
PID 2044 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe 3
PID 1164 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe 3
PID 4972 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe 2
PID 4972 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caSJ17Xq60.exe 3
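Rebuilding the launch chain from these rows, as an added example that is not part of the sandbox output. The sample input is the report's fourteen WriteProcessMemory rows, one per recorded write; the parser, the tree builder and the "writer is also the launcher" check are this example's own, and the launch pairs passed to that check are an assumption taken from the IXP00N.TMP nesting rather than something the report states.

```python
"""Rebuild the process launch chain from sandbox WriteProcessMemory events.

Added example for this report, not sandbox output. Sample rows are the
report's own 'PID X wrote to memory of Y' entries.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input: the 14 rows from the report's WriteProcessMemory table.
SAMPLE_WRITES = r"""
PID 4548 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe
PID 4548 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe
PID 4548 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe
PID 2044 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe
PID 2044 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe
PID 2044 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe
PID 1164 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe
PID 1164 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe
PID 1164 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe
PID 4972 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe
PID 4972 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe
PID 4972 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caSJ17Xq60.exe
PID 4972 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caSJ17Xq60.exe
PID 4972 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caSJ17Xq60.exe
"""

# Row format: 'PID <src> wrote to memory of <dst> <indicator> <src path> <dst path>'.
WRITE_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_path>\S+) (?P<dst_path>\S+)$"
)


def parse_writes(text):
    """Return one (src_pid, dst_pid, src_path, dst_path) tuple per recorded write."""
    writes = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            writes.append((int(m["src"]), int(m["dst"]), m["src_path"], m["dst_path"]))
    return writes


def build_tree(writes):
    """names: pid -> basename; children: pid -> set of pids written to; counts: (src, dst) -> writes."""
    names, children, counts = {}, defaultdict(set), Counter()
    for src, dst, src_path, dst_path in writes:
        names[src] = src_path.rsplit("\\", 1)[-1]
        names[dst] = dst_path.rsplit("\\", 1)[-1]
        children[src].add(dst)
        counts[(src, dst)] += 1
    return names, children, counts


def roots(children):
    """Writers that nobody wrote to: the top of the chain (the submitted sample here)."""
    targets = {d for ds in children.values() for d in ds}
    return sorted(p for p in children if p not in targets)


def depth(children, root, pid, d=0):
    """Number of hops from root down to pid, or None if pid is not under root."""
    if root == pid:
        return d
    for child in children.get(root, ()):
        found = depth(children, child, pid, d + 1)
        if found is not None:
            return found
    return None


def render(names, children, counts, pid, indent=0, parent=None):
    """Indented tree, each child annotated with how many writes its parent made into it."""
    tag = "" if parent is None else f", {counts[(parent, pid)]} write(s) from PID {parent}"
    lines = [f"{'  ' * indent}{names[pid]} (PID {pid}{tag})"]
    for child in sorted(children.get(pid, ())):
        lines.extend(render(names, children, counts, child, indent + 1, pid))
    return lines


def writes_outside_launch_chain(counts, launches):
    """(src, dst) pairs where the writer is NOT the launcher of the target.

    A parent writing into the child it just created is normal CreateProcess
    behaviour; a write into any other process is the injection signal worth chasing.
    """
    return sorted(pair for pair in counts if pair not in launches)


if __name__ == "__main__":
    names, children, counts = build_tree(parse_writes(SAMPLE_WRITES))
    for root in roots(children):
        print("\n".join(render(names, children, counts, root)))
    # Assumption: each writer launched its target (inferred from the IXP00N.TMP nesting).
    print("cross-process writes:", writes_outside_launch_chain(counts, set(counts)))
```

Run on the report's rows the tree has a single root (PID 4548) with a four-deep chain and a fork at plhU87xn05.exe into bujS90JC90.exe and caSJ17Xq60.exe, and the cross-process check comes back empty; it only fires when a write lands in a process the writer did not start.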

Processes

Parent/child order below is taken from the WriteProcessMemory events and the IXP00N.TMP nesting; PIDs come from the same table. Each dropped stage is executed with its bare path as the command line.

C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe (PID 4548)
  command line: "C:\Users\Admin\AppData\Local\Temp\641e73343af489f62956e0fe13b73bf45ead67848d62ed93687d983e97630dba.exe"
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe (PID 2044)
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe (PID 1164)
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe (PID 4972)
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe (PID 1556)
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caSJ17Xq60.exe (PID 4692)

Network

The DNS traffic to 8.8.8.8 (including the in-addr.arpa PTR lookups) and the TLS connections to g.bing.com and tse1.mm.bing.net (150.171.x.x) are ordinary Windows 10 background traffic in the sandbox image. The only other destination is 193.233.20.24:4123 (RU), contacted six times over plain TCP with no domain name; the report does not tie it to a specific stage, but it is the one network indicator worth blocking and hunting for.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plHS90Ml45.exe

MD5 050363a72618cd8daeceb3e578a5f608
SHA1 7f72580dc1f29095191147279ac3ea7ee976eff5
SHA256 5adcef5c45714294a236f5c66484e82b313aef84bf56cdce8577caef77896598
SHA512 b4e59378df88b3bcf97b86582d441b28ad93801ca377674994553c3e08183d0a6565ea4077cb5348e002c30e1ec8113eb455014789de4bb67765b73734689a1a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plsK82Aw16.exe

MD5 eab9bb6d89f5701078f19c722f8e0dc6
SHA1 594daf0e997b94c904a35c257cee897f4667241d
SHA256 1f3dab058b3609ae76936cfe8367d8ffb7bc1f0e8680781c58f293f33080f582
SHA512 8b4ff732d63c86970d17100c330b729d065089aae9f4382b0eaafbc0238433264d196e014350bc8968c13166fca973218ec45b28b60be5a47592988a2fdca1df

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plhU87xn05.exe

MD5 e111d6fa6e42fad9c8fae534f9aec3b2
SHA1 48271a3e0d921e33151188a3a6c94d6d053b0107
SHA256 3e5843acfdda309c2adfa2b9ada9c1f203520ff5fa107156ddfa4a7e19d8712e
SHA512 f1f8f4c0dca540115bf63aee244c7c8e7984674534ff79ad4dfa2ebe662e6776de094fce049c922563566450f537916dad2e59ce943e78f35c9a786412acb480

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bujS90JC90.exe

MD5 73d2cf827d90dc57b44c4eed04b3b059
SHA1 49fa2dc46b0cd5b7267dbf3329ed870a78146889
SHA256 df65178a5efd3bcc968265fe47d85b0498a48cde9506cebc5cf3f5cf89ea1a2f
SHA512 a399fd11406b94bd876da627cb71f2bbc3b84d539705613cbab957ba5a827893f8745561eebe05d458d21c9d8efb0e027c88617bb88e71329ab52e66ff3ef7c3

memory/1556-28-0x00000000001C0000-0x00000000001CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\caSJ17Xq60.exe

MD5 28be961ba67309680c97708ff13bda38
SHA1 b117a1cdde51ca937c2f9c4c0e9b708bb5fee405
SHA256 1f80921dbca4c527f14120c3fbeda5b47ec92c9edbfc83cc1c768385cc7ef436
SHA512 979af5c41f486139f05928ed4adb59c0fedf38b698bcfb367fc8fb97118a91cb2b37b413962a241ced3a497a3fb54cea419394d68c3d932cc85447cbfc4fc4c5

Memory dumps of PID 4692 (caSJ17Xq60.exe), listed once per distinct region with the dump indices at which it was captured:

memory/4692-34-0x0000000002520000-0x0000000002566000-memory.dmp

memory/4692-35-0x0000000004BC0000-0x0000000005164000-memory.dmp

memory/4692-36-0x0000000004B60000-0x0000000004BA4000-memory.dmp

memory/4692-N-0x0000000004B60000-0x0000000004B9E000-memory.dmp, 33 dumps of the same region, N = 37, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 81, 82, 85, 86, 88, 90, 92, 94, 96, 98, 100

memory/4692-943-0x0000000005300000-0x0000000005918000-memory.dmp

memory/4692-944-0x00000000059A0000-0x0000000005AAA000-memory.dmp

memory/4692-945-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

memory/4692-946-0x0000000005B00000-0x0000000005B3C000-memory.dmp

memory/4692-947-0x0000000005C50000-0x0000000005C9C000-memory.dmp