Malware Analysis Report

2025-01-23 07:34

Sample ID: 241104-q5x8lazhqe
Target: eae12126345f769e285066a48a7cfdcb382f1ab57e61c319def43263ba118ee7
SHA256: eae12126345f769e285066a48a7cfdcb382f1ab57e61c319def43263ba118ee7
Tags: healer redline fud discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: eae12126345f769e285066a48a7cfdcb382f1ab57e61c319def43263ba118ee7

Threat Level: Known bad

The file eae12126345f769e285066a48a7cfdcb382f1ab57e61c319def43263ba118ee7 was found to be: Known bad.

Malicious Activity Summary

healer redline fud discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

Detects Healer an antivirus disabler dropper

Healer family

RedLine

Redline family

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:51

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:51

Reported

2024-11-04 13:53

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eae12126345f769e285066a48a7cfdcb382f1ab57e61c319def43263ba118ee7.exe"

Signatures

Detects Healer an antivirus disabler dropper

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |

Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe | N/A |

RedLine

Tags: infostealer redline

RedLine payload

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

(The report lists 35 such rows for this signature, none with a populated field.)

Redline family

Tags: redline

Windows security modification

Tags: evasion trojan

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe | N/A |

Adds Run key to start application

Tags: persistence

| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\eae12126345f769e285066a48a7cfdcb382f1ab57e61c319def43263ba118ee7.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhdP5422ax.exe | N/A |

System Location Discovery: System Language Discovery

Tags: discovery

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eae12126345f769e285066a48a7cfdcb382f1ab57e61c319def43263ba118ee7.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhdP5422ax.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf36qU55ea36.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf36qU55ea36.exe | N/A |

Processes

| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\eae12126345f769e285066a48a7cfdcb382f1ab57e61c319def43263ba118ee7.exe | "C:\Users\Admin\AppData\Local\Temp\eae12126345f769e285066a48a7cfdcb382f1ab57e61c319def43263ba118ee7.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhdP5422ax.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhdP5422ax.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf36qU55ea36.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf36qU55ea36.exe |

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 193.233.20.27:4123 | | tcp |
| RU | 193.233.20.27:4123 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 193.233.20.27:4123 | | tcp |
| RU | 193.233.20.27:4123 | | tcp |

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhdP5422ax.exe

MD5: e16cdda26a71b7571f6708f127489ae7
SHA1: 2eac9db69a76cd875d922ff7dd3f3913cf34a20c
SHA256: e207a86ccfc1974af0ce966d9ce6b3b441e1d761e069ce29b9f4b0521f2b156b
SHA512: 6ce670b4629ff3e1f42b850573f9a9c6b0dbb299fbfa2e8dda4c07b5449a7639153e69cbf8c49eb17504b92c69e1b61b9ec7d2dcd065c14ecccf686ede2637e7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf16vt64eG17.exe

MD5: b487eeeffe34eea6add09947288fb97f
SHA1: 23d37d71ddd6075e39da6dcea9f1cec477513b24
SHA256: c0bfabb7c57081dacc2510aea7bd473f4e05c6d539f24506fd5e773b47cc0ead
SHA512: 2b526efca3e277336be987620d399c0cafc5cdd787a82b131e0faf5c37daf44622feb4f079611ccd8ef38c78020971d47204da4fe1cab868cf66ee74b3919f4e

memory/4432-14-0x00007FFDBE1B3000-0x00007FFDBE1B5000-memory.dmp

memory/4432-15-0x0000000000530000-0x000000000053A000-memory.dmp

memory/4432-16-0x00007FFDBE1B3000-0x00007FFDBE1B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf36qU55ea36.exe

MD5: 33eef0ef7d3d426c664f6e3380b0a87c
SHA1: 66eea27c3262719cb51de3a08a47b13da67f33b7
SHA256: 4dec2b62f8f47bed9dad690b372fe7ab707a251657470a0cc9b85cf603ce441e
SHA512: cc0b998114447a96d23f8cbd4ede81b5f103f204cd5a887fbe892b67ce836226bcc0d15ec60f9a754d166e57c5d9fd10c6e2b1851416654f504860ffd93cd6c5

memory/3104-22-0x00000000027A0000-0x00000000027E6000-memory.dmp

memory/3104-23-0x0000000004DB0000-0x0000000005354000-memory.dmp

memory/3104-24-0x0000000004CA0000-0x0000000004CE4000-memory.dmp

memory/3104-30-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-34-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-88-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-86-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-85-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-82-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-80-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-79-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-76-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-74-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-73-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-70-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-68-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-67-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-64-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-62-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-61-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-58-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-56-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-54-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-52-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-51-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-48-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-46-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-45-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-42-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-40-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-39-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-36-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-32-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-28-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-26-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-25-0x0000000004CA0000-0x0000000004CDE000-memory.dmp

memory/3104-931-0x0000000005360000-0x0000000005978000-memory.dmp

memory/3104-932-0x00000000059A0000-0x0000000005AAA000-memory.dmp

memory/3104-933-0x0000000005AE0000-0x0000000005AF2000-memory.dmp

memory/3104-934-0x0000000005B00000-0x0000000005B3C000-memory.dmp

memory/3104-935-0x0000000005C50000-0x0000000005C9C000-memory.dmp