Malware Analysis Report

2025-01-23 07:33

Sample ID: 241104-q6sphazmet
Target: eb3240c78e866fdfe779080ec448aab72ad088350c645b4c4860b84a7f375a53
SHA256: eb3240c78e866fdfe779080ec448aab72ad088350c645b4c4860b84a7f375a53
Tags: healer redline discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10
SHA256: eb3240c78e866fdfe779080ec448aab72ad088350c645b4c4860b84a7f375a53
Threat level: Known bad

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer

RedLine

Detects Healer an antivirus disabler dropper

Healer family

Redline family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-04 13:52

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-04 13:52
Reported: 2024-11-04 13:55
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb3240c78e866fdfe779080ec448aab72ad088350c645b4c4860b84a7f375a53.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A

RedLine

Tags: infostealer redline

RedLine payload

Redline family

Tags: redline

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\eb3240c78e866fdfe779080ec448aab72ad088350c645b4c4860b84a7f375a53.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\eb3240c78e866fdfe779080ec448aab72ad088350c645b4c4860b84a7f375a53.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk160256.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk160256.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3664 wrote to memory of 3848 | N/A | C:\Users\Admin\AppData\Local\Temp\eb3240c78e866fdfe779080ec448aab72ad088350c645b4c4860b84a7f375a53.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe
PID 3664 wrote to memory of 3848 | N/A | C:\Users\Admin\AppData\Local\Temp\eb3240c78e866fdfe779080ec448aab72ad088350c645b4c4860b84a7f375a53.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe
PID 3664 wrote to memory of 3848 | N/A | C:\Users\Admin\AppData\Local\Temp\eb3240c78e866fdfe779080ec448aab72ad088350c645b4c4860b84a7f375a53.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe
PID 3848 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe
PID 3848 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe
PID 3848 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe
PID 3848 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk160256.exe
PID 3848 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk160256.exe
PID 3848 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk160256.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb3240c78e866fdfe779080ec448aab72ad088350c645b4c4860b84a7f375a53.exe

"C:\Users\Admin\AppData\Local\Temp\eb3240c78e866fdfe779080ec448aab72ad088350c645b4c4860b84a7f375a53.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2656 -ip 2656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk160256.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk160256.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
RU | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
RU | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
RU | 185.161.248.142:38452 | | tcp
RU | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
RU | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp
RU | 185.161.248.142:38452 | | tcp
RU | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un583103.exe

MD5 4f9b7df7a3906002f68fba9810353462
SHA1 ccea7c0f4559a2470b3b5ad897ee07e36e84726b
SHA256 a38e40815f2824de6f2afeb0511725cbf30a4be656dddc219bd4a8fa64caf9e5
SHA512 26d009fde83937535af525d543913870eeb90cdae9f82fe73950cbe6c3b51176c5de1a26d6e6a9cf5b935e0038f53cf487173a6c4e77dc392181b3ef8d3f4c25

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\84892348.exe

MD5 ca74a516fc2991af4e24e1e1bd24b865
SHA1 44a7423318e6f0391200ab15ada12c9c1e0cb327
SHA256 3bde39ed6fa0242677cadee396a18325a75ab8651b1d9297a31c6d3bfe31f567
SHA512 7a7ffa3ff12b47600fc1b4a08854bb185d0afca1be8e90632ec1a113f139552fc166f4d34a6be4e4f39669579ed6f00add79d0288cb9b5c3705b15ca47b55fe9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk160256.exe

MD5 d1127fde94fd0506dd12f92af3bb4caa
SHA1 387b9eb4e015cfca9ca7940094018293b44027b1
SHA256 e8b5d8647d60469873b61ab0988ccf617e5b5599a6e8e2fde63fa3b0fe95d998
SHA512 cb89b0de1e0ae87d2a738f112af9af52670e51cbd0565198b1770189f21db8815298bd9e7e82f56d8a54408709afb80aec5e5f784b81023dbfa28f926e5c1654