Malware Analysis Report

2025-01-23 07:35

Sample ID 241104-raryrstkfm
Target bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418
SHA256 bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418

Threat Level: Known bad

The file bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Detects Healer, an antivirus disabler dropper

RedLine payload

Redline family

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 13:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 13:59

Reported

2024-11-04 14:02

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR2369.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR2369.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku808780.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku808780.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe

"C:\Users\Admin\AppData\Local\Temp\bf997da4d9959531292eec0cc69a9f66f124574bb2a98162ba6e9c06133a8418.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR2369.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR2369.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku808780.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku808780.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziNR2369.exe

MD5 bce988539b5a259386c752cf7c5582a5
SHA1 af3b0b08903a8a2584af7ed096ced26963b9c668
SHA256 c0f811c4fcade019d3c1d74a54e26d3ed17b08f7f4fd50106e3cd5a159ddf82e
SHA512 9698346123571c9d52ebb7574f54ca8de803d6bf2e74ef7d54d5d68b9934aa9389ae6a149a3efcd7e71451305b973bae7eb9032ad7bdbe513a8721e65d023932

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr339264.exe

MD5 825a3bc8a8ef0961138471a216579d82
SHA1 b685a4c990327c7f6f660b41a155e2c62418b77f
SHA256 653ef118c8d5cb365230cbf0350e7c9ca836f62326cab7e4f0568e33acde4d46
SHA512 c42b65d9d6941db3b6ea975da71e3f3375091e23b00b5ccf39ee756ef0fd5a393273d9e60fbe4cf8ab5fa5d5fdd53ff3b06d5f04ab02cb626c9313481d889ad0

memory/5016-14-0x00007FFA0A613000-0x00007FFA0A615000-memory.dmp

memory/5016-15-0x0000000000010000-0x000000000001A000-memory.dmp

memory/5016-16-0x00007FFA0A613000-0x00007FFA0A615000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku808780.exe

MD5 688f5fee44da30e9d2a9c8d24e9ff786
SHA1 e31a537d9c09cff4ec8da58b09a4901be60ef3af
SHA256 2c681ed1cf6e04c821e2d20abd1bf657aad5322814262cc6143236c172764bca
SHA512 ce620db26bdd6a876ab0dc8a12bdbd7e09741dd27f21369a2c1e8acdbd6a81c247e8ab1dfeb39d3cdbebe69acffc53ad33a777a0545c3695e091778b50be5395
