Malware Analysis Report

2025-01-23 07:36

Sample ID 241104-q8v8ea1akh
Target 988547db7ecdd96e81a52a83932c988f19f39a9b7085c4a1666c3a22b62d3c19
SHA256 988547db7ecdd96e81a52a83932c988f19f39a9b7085c4a1666c3a22b62d3c19
Tags
healer redline rouch discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

988547db7ecdd96e81a52a83932c988f19f39a9b7085c4a1666c3a22b62d3c19

Threat Level: Known bad

The file 988547db7ecdd96e81a52a83932c988f19f39a9b7085c4a1666c3a22b62d3c19 was found to be: Known bad.

Malicious Activity Summary

healer redline rouch discovery dropper evasion infostealer persistence trojan

Healer family

Healer

Detects Healer, an antivirus disabler dropper

RedLine

Redline family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:56

Reported

2024-11-04 13:59

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\988547db7ecdd96e81a52a83932c988f19f39a9b7085c4a1666c3a22b62d3c19.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\988547db7ecdd96e81a52a83932c988f19f39a9b7085c4a1666c3a22b62d3c19.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vBO1221EX.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\988547db7ecdd96e81a52a83932c988f19f39a9b7085c4a1666c3a22b62d3c19.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vBO1221EX.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tnY70cz46.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tnY70cz46.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\988547db7ecdd96e81a52a83932c988f19f39a9b7085c4a1666c3a22b62d3c19.exe

"C:\Users\Admin\AppData\Local\Temp\988547db7ecdd96e81a52a83932c988f19f39a9b7085c4a1666c3a22b62d3c19.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vBO1221EX.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vBO1221EX.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tnY70cz46.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tnY70cz46.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
FR 193.56.146.11:4162 tcp
FR 193.56.146.11:4162 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vBO1221EX.exe

MD5 817992124adb1ddd30430849d1230f68
SHA1 39aba09828fd7538783cb5c2d5e322419e4e78b2
SHA256 091205d6a8e332bf37917ee8f927c883a48190488b9a8012df877896d35a4ce0
SHA512 d813d86e5cb3e63c71627847290e8c567c6ebc6679b9fecccd6c8ca5aa5f6e8e456393cca709150d2cb231111634341414e51a567d799a830bd9dcfc23762968

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw46WV45ey35.exe

MD5 b383c2b049c8392397de834932ea8de4
SHA1 898a37cbd4bb27f4f483c8f945f9cb4b4e2a5475
SHA256 f9538fd7796392b356c0e438f1ee5f85bb376fd73dad0f58056d2a5a9689267c
SHA512 1a04199bc0c235411c9aabf522b7080a5bc05c68ae528e00bc6241aa66e45e35487ac7067bb4e9d19c4cfb2516ca29461d12b23ba43969380d2c090d3dc20801

memory/4440-14-0x00007FF8970B3000-0x00007FF8970B5000-memory.dmp

memory/4440-15-0x0000000000600000-0x000000000060A000-memory.dmp

memory/4440-16-0x00007FF8970B3000-0x00007FF8970B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tnY70cz46.exe

MD5 6940451e769c094029427d1531775121
SHA1 03c763ca8ebc6896fb35c9f8d4d3fc64d03fe850
SHA256 ab9bbcc3bb273a1f13db7566032205b26f5a4a634194ba39007349aa34801dca
SHA512 53578c0693e6a171feec767f38f4601da453875d14a37f82e3ca30cce3b7217d4b5b0a6de659d54d11810ee238bd5816d2bc9635cf20dcd9f73901a09c08ff06
