Malware Analysis Report

2025-01-23 07:37

Sample ID 241104-q76mrazmfy
Target 8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60
SHA256 8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60 was found to be: Known bad.

Malicious Activity Summary

Healer

RedLine payload

Redline family

Healer family

RedLine

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:55

Reported

2024-11-04 13:57

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 matches; no description, indicator, process or target recorded for any of them: N/A N/A N/A N/A)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipc4464.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipc4464.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku502293.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku502293.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60.exe

"C:\Users\Admin\AppData\Local\Temp\8e98a0fc62fc6821e20f7d7c866715b50a4349c5f49331a532624b95133d2c60.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipc4464.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipc4464.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku502293.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku502293.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zipc4464.exe

MD5 125fa5c5789c49b1ce0e3e4e7645ee87
SHA1 f6bd6dfeeb49ebbeae13799ecf1405d397220b44
SHA256 21d28b430809d4c3a0b0d3be2c7f173b5a63ac77d85b7923a1f8080100d47930
SHA512 dfb0fd787d31f6ffcd36ea1fa430bae95736bb6f37a2a2e3f874848faae31890e61c5425c34b547e18dd2026a5c811e7be4cd6a6e29ccc0cd64026fbee5bc75b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr602601.exe

MD5 e94f9ea238ec135bc3e19096e2d99c8d
SHA1 d717cb6ab24295736f9ce4f33f6d855ec34b8280
SHA256 7101073c4713ecf82757b83e7d89b9762bff9c90937049873c9cdd6b402537c2
SHA512 feb6075a1530969d8c78646100cc5f16bda1d86d1858db866b0aa202a0f0b0b95a9e4e145a5c2c6d7fddb1372049b108e9cd22498a97d041354d76b1841efeb7

memory/4856-14-0x00007FFEF60C3000-0x00007FFEF60C5000-memory.dmp

memory/4856-15-0x0000000000050000-0x000000000005A000-memory.dmp

memory/4856-16-0x00007FFEF60C3000-0x00007FFEF60C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku502293.exe

MD5 a3afce4bbef63e71b31abf6a594ba3c6
SHA1 554d5ebbbf3afa1650c4166c7da7b02e609c5ce9
SHA256 aa70250db464e51a950aae220664ea346c8028f13e8b3d95e25ca035079d9c28
SHA512 eabb19aa94955e23d84c36bc262da01544126eaed30c7af26c8563bb66736f6e078969b3acd4749e55b6515a3462480844833d47509857864a0256970b24bd39
