Malware Analysis Report

2025-01-23 07:37

Sample ID 241104-q87anstkej
Target a592b3c6c9fc22bc0923e16b8a66a7971bb883674665c8a2ddc16e3c9ef52530
SHA256 a592b3c6c9fc22bc0923e16b8a66a7971bb883674665c8a2ddc16e3c9ef52530
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a592b3c6c9fc22bc0923e16b8a66a7971bb883674665c8a2ddc16e3c9ef52530

Threat Level: Known bad

The file a592b3c6c9fc22bc0923e16b8a66a7971bb883674665c8a2ddc16e3c9ef52530 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Redline family

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

RedLine payload

Healer family

Detects Healer, an antivirus-disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:56

Reported

2024-11-04 13:59

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a592b3c6c9fc22bc0923e16b8a66a7971bb883674665c8a2ddc16e3c9ef52530.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
(2 matches recorded; the report gives no indicator, process or target details for them)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A

All five values are written under the policy hive (HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection), the same keys Group Policy uses, and the key itself had to be created first because the sandbox VM carries no Defender policy. The report records the writes, not whether Defender honoured them: with Tamper Protection on these values are ignored, so on a managed host the same rows mean a tampering attempt, not proof that real-time protection went down.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 matches recorded; the report gives no indicator, process or target details for them)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A

Writing 0 to HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection is an attempt to switch Tamper Protection off so that the real-time-protection policy values written by the same process take effect. The outcome is not recorded; on current Windows 10/11 builds with Tamper Protection enabled this key is protected and the write should fail or be reverted, so read the row as intent rather than as a confirmed result.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a592b3c6c9fc22bc0923e16b8a66a7971bb883674665c8a2ddc16e3c9ef52530.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVA1243nB.exe N/A

The wextract_cleanupN RunOnce entries are written by the IExpress self-extracting stub (wextract) so that its IXPnnn.TMP working directory is deleted at next logon through advpack!DelNodeRunDLL32. They do not relaunch any payload. What they do show is that the submitted sample and vVA1243nB.exe are both IExpress wrappers, one nested inside the other (IXP000.TMP for the outer stage, IXP001.TMP for the inner one). Treat this match as a packer artefact; no other Run or RunOnce write is recorded in this report, so payload persistence is not demonstrated here.
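The rows in the Defender and RunOnce tables above are easy to eyeball once, but a triage queue needs the same reading applied mechanically. The script below is an added example, not the report's own tooling or the sandbox vendor's code: it parses rows in the report's shape (operation, key path that may contain spaces, optional value name and quoted data, acting process, target column), labels Defender real-time-protection and TamperProtection writes, and separates IExpress `wextract_cleanup` housekeeping from genuine autorun persistence. The embedded rows are copied from this report; the label names and the classification rules are this example's own heuristics.

```python
"""Triage registry rows from a sandbox report (added example, not the report's tooling)."""
import re
from collections import Counter, defaultdict

# Constructed input: the registry rows copied from this report's signature tables.
REPORT_ROWS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a592b3c6c9fc22bc0923e16b8a66a7971bb883674665c8a2ddc16e3c9ef52530.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVA1243nB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a592b3c6c9fc22bc0923e16b8a66a7971bb883674665c8a2ddc16e3c9ef52530.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVA1243nB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\taQ10fK27.exe N/A
'''

# Key paths may contain spaces, so the data is anchored on its quotes (with \" and \\ escapes)
# and the process path and target column are the two trailing space-free tokens.
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "((?:[^"\\]|\\.)*)" (\S+) (\S+)$')
KEY_RE = re.compile(r'^Key (created|opened|deleted) (.+?) (\S+) (\S+)$')

DEFENDER_RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
NLS_LANGUAGE = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
AUTORUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# IExpress/wextract registers wextract_cleanupN in RunOnce to delete its IXPnnn.TMP
# directory through advpack!DelNodeRunDLL32: extractor housekeeping, not payload persistence.
WEXTRACT_RE = re.compile(r"^wextract_cleanup\d+$")


def parse_row(line):
    """Parse one report row into a dict; rows in another shape yield None."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        value_type, path, data, process, _target = m.groups()
        key, _, value = path.rpartition("\\")
        return {"op": "set", "type": value_type, "key": key, "value": value,
                "data": data, "process": process}
    m = KEY_RE.match(line)
    if m:
        op, key, process, _target = m.groups()
        return {"op": "key_" + op, "type": None, "key": key, "value": None,
                "data": None, "process": process}
    return None


def classify(rec):
    """Label a parsed row with this example's own heuristic categories."""
    op, key, value, data = rec["op"], rec["key"], rec["value"], rec["data"]
    if op == "set" and key == DEFENDER_RTP and value.startswith("Disable") and data == "1":
        return "defender-realtime-disabled"
    if op == "set" and key == DEFENDER_FEATURES and value == "TamperProtection" and data == "0":
        return "defender-tamper-protection-off"
    if op == "set" and AUTORUN_RE.search(key):
        if WEXTRACT_RE.match(value) and "advpack.dll,DelNodeRunDLL32" in data:
            return "wextract-cleanup"
        return "autorun-persistence"
    if op == "key_created" and key == DEFENDER_RTP:
        return "defender-policy-key-created"
    if key == NLS_LANGUAGE:
        return "locale-check"
    return "other"


def triage(text):
    """Return {process image name: {label: count}} over every parseable row."""
    per_process = defaultdict(Counter)
    for line in text.splitlines():
        rec = parse_row(line)
        if rec is not None:
            image = rec["process"].rsplit("\\", 1)[-1]
            per_process[image][classify(rec)] += 1
    return {image: dict(counts) for image, counts in per_process.items()}


def tampering_processes(result):
    """Sorted image names that touched Defender settings."""
    return sorted(image for image, counts in result.items()
                  if any(label.startswith("defender-") for label in counts))


if __name__ == "__main__":
    summary = triage(REPORT_ROWS)
    for image, counts in summary.items():
        print(image, counts)
    print("AV tampering by:", tampering_processes(summary))
```

Run against the rows above, only sw53LE41lb54.exe comes back as an AV-tampering process (one policy key created, five Disable* values set, one TamperProtection write), both IExpress stages are labelled wextract-cleanup rather than autorun-persistence, and all three executing stages show the NLS\Language read. Anything the regexes do not recognise is dropped silently, so on a real report compare the parsed row count with the table length before trusting the summary.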

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a592b3c6c9fc22bc0923e16b8a66a7971bb883674665c8a2ddc16e3c9ef52530.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVA1243nB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\taQ10fK27.exe N/A

This key holds the system's language IDs (the Default and InstallLanguage values). Stealers of this kind commonly read the locale to bail out on CIS systems, but the report only shows the key being opened, not which values were read or what they were compared against. The VM is the sandbox's en build, and the Defender writes and network activity below show that execution continued on it.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\taQ10fK27.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a592b3c6c9fc22bc0923e16b8a66a7971bb883674665c8a2ddc16e3c9ef52530.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\a592b3c6c9fc22bc0923e16b8a66a7971bb883674665c8a2ddc16e3c9ef52530.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVA1243nB.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVA1243nB.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\taQ10fK27.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\taQ10fK27.exe

Unpacking chain implied by the IXPnnn.TMP directories and the wextract_cleanup RunOnce entries: the submitted sample extracts into IXP000.TMP and runs vVA1243nB.exe; that stage extracts into IXP001.TMP and runs sw53LE41lb54.exe (the process that rewrites the Defender settings) and taQ10fK27.exe (the process whose memory dumps are listed under Files). The report does not record parent/child process IDs, so this chain is inferred from file locations rather than from a captured process tree.

Network

Every UDP row is a DNS query to 8.8.8.8; the in-addr.arpa names are reverse lookups the guest OS issues for its own connections, and tse1.mm.bing.net is Windows background traffic on this VM image. The one destination not explained by either is 193.233.20.24:4123 (RU), contacted six times over TCP with no domain resolved; the report does not say which process opened those connections, so it is a C2 candidate rather than a confirmed C2.

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
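Separating the one interesting endpoint in the table above from the resolver and OS noise is the same job every time a report like this lands, so it is worth scripting. The block below is an added example, not the report's own tooling or the sandbox vendor's code. It parses rows in the report's shape (Country, Destination, optional Domain, Proto), folds DNS traffic into lookups, reverses PTR names back into the IPs the guest looked up, drops domains on an allowlist, and counts whatever remains as a C2 candidate. The rows embedded in it are copied from this report; the `.bing.net` allowlist is an assumption standing in for an analyst-maintained list.

```python
"""Extract connection indicators from a sandbox report's network table
(added example, not the report's own tooling)."""
from collections import Counter

# Constructed input: the network rows copied from this report. The Domain column is
# absent on rows where the sandbox saw no name for the destination.
NETWORK_ROWS = """
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp
"""

RESOLVER = "8.8.8.8"
# Assumption: domain suffixes an analyst treats as sandbox/OS background noise.
BENIGN_SUFFIXES = (".bing.net",)


def parse_rows(text):
    """Yield one dict per row; rows with fewer than three columns are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, port = parts[1].rsplit(":", 1)
        yield {"country": parts[0], "ip": ip, "port": int(port),
               "domain": parts[2] if len(parts) == 4 else None,
               "proto": parts[-1]}


def ptr_to_ip(name):
    """'217.106.137.52.in-addr.arpa' -> '52.137.106.217' (octets are reversed in PTR names)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def extract_iocs(text):
    """Split the table into C2 candidates, PTR-looked-up IPs and forward DNS names."""
    candidates = Counter()
    ptr_lookups, dns_names = [], set()
    for r in parse_rows(text):
        if r["ip"] == RESOLVER and r["port"] == 53:
            if r["domain"] and r["domain"].endswith(".in-addr.arpa"):
                ptr_lookups.append(ptr_to_ip(r["domain"]))
            elif r["domain"]:
                dns_names.add(r["domain"])
            continue
        if r["domain"] and r["domain"].endswith(BENIGN_SUFFIXES):
            continue
        candidates[(r["ip"], r["port"], r["proto"], r["country"], r["domain"])] += 1
    return {"candidates": dict(candidates),
            "ptr_lookups": ptr_lookups,
            "dns_names": sorted(dns_names)}


def format_candidates(result):
    """Human-readable candidate lines, busiest endpoint first."""
    lines = []
    for (ip, port, proto, cc, domain), n in sorted(result["candidates"].items(),
                                                   key=lambda kv: -kv[1]):
        tail = f", {domain}" if domain else ", no domain resolved"
        lines.append(f"{ip}:{port}/{proto} ({cc}) x{n}{tail}")
    return lines


if __name__ == "__main__":
    res = extract_iocs(NETWORK_ROWS)
    print("\n".join(format_candidates(res)))
    print("PTR lookups for:", res["ptr_lookups"])
    print("Forward lookups:", res["dns_names"])
```

On this report the only candidate is 193.233.20.24:4123/tcp (RU) x6 with no domain resolved; the ten PTR lookups come back as the Microsoft-range addresses the guest was talking to, and the single forward lookup is tse1.mm.bing.net. Keep the allowlist short and explicit: a suffix match on a CDN domain will happily hide a C2 that fronts itself through the same CDN.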

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vVA1243nB.exe

MD5 e4ed2f0ca51e29fcefa8bf7ddcba5dc1
SHA1 6fdd9f23362d99bc07bc36eb47478fc78ca0a4e0
SHA256 5cc8de6f31e587132810bd23be14aded83742b4111f8fcd17e5dc5b81df96f4f
SHA512 3393559c7fefeb0eff9ba650ea64c294910db18c8deda8b92d1f024ac949f80bd40506c3fb8cf86ff5e80b758534cc56eeaf4b3ecaa4c05d12f990f0885369b5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw53LE41lb54.exe

MD5 f21ca2578f292953a12108dc54b39cf2
SHA1 910a14a2f1c832cc0c4992767ac86e55ff42f704
SHA256 04c3ac2875bff1b51c300e6ab2466d3a6e92ac6d79c9a8c0ab923803559336c7
SHA512 d9cea972fa60618d17ba54384202cca45b4b450cccbfe3c9f8e41c4620061a14fb8f44a44267d345f5d3fc38fda55a0312602a26aeaf2f431798ba54ef37d7b2

memory/3464-14-0x00007FF8164C3000-0x00007FF8164C5000-memory.dmp

memory/3464-15-0x0000000000EB0000-0x0000000000EBA000-memory.dmp

memory/3464-17-0x00007FF8164C3000-0x00007FF8164C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\taQ10fK27.exe

MD5 ad61b513e0bbc3784d0c28ba13ab19ff
SHA1 0d86785da45331516385d7d72e18457e32b89aed
SHA256 5e58f65612a82a7a2a61a80f45d1cc0d756372bc05a8160e1d962270d2e1b037
SHA512 80d72ceb8b82f962a85381078abf4826412537604ff74749d05ff926f79ca143107219d217520050561b09675b04bfef14ddee37b2dc4818a84bf04c785afe0a

Memory dumps from PID 4216 (grouped under taQ10fK27.exe in the report), collapsed by region:

memory/4216-22    0x0000000002610000-0x0000000002656000
memory/4216-23    0x0000000004BA0000-0x0000000005144000
memory/4216-24    0x0000000005150000-0x0000000005194000
memory/4216-25, -26, -28, -30, -32, -34, -36, -38, -40, -42, -44, -47, -48, -50, -52, -54, -56, -58, -60, -62, -64, -66, -68, -70, -72, -74, -76, -78, -80, -82, -84, -86, -88 (33 dumps of the same region)    0x0000000005150000-0x000000000518E000
memory/4216-931   0x00000000051C0000-0x00000000057D8000
memory/4216-932   0x0000000005860000-0x000000000596A000
memory/4216-933   0x00000000059A0000-0x00000000059B2000
memory/4216-934   0x0000000005AC0000-0x0000000005AFC000
memory/4216-935   0x0000000005B10000-0x0000000005B5C000