Malware Analysis Report

2025-01-23 07:35

Sample ID 241104-rbmens1ape
Target 1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778
SHA256 1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778

Threat Level: Known bad

The file 1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

RedLine payload

Healer family

Redline family

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 14:01

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 14:01

Reported

2024-11-04 14:03

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9834.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9834.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe
PID 1332 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe
PID 1332 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe
PID 968 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe
PID 968 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe
PID 968 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe
PID 968 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9834.exe
PID 968 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9834.exe
PID 968 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9834.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778.exe

"C:\Users\Admin\AppData\Local\Temp\1ba653eb8a0633e5450989333ffd706d58fde688d4692849d895f1073c905778.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 860 -ip 860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9834.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9834.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un741506.exe

MD5 38942ed647966139df59d55976fc3bb2
SHA1 6f794775747cb151bfd5c176f63b95e4190f6a9a
SHA256 3d2d216db8b6cc38cbf1976613b655b36cff090a8c37fc14e0d35380963b08e3
SHA512 e413494e927dfeecd1630fe52b998ebdf3fc3ee732835acd25a1bdda5a2203444cd1909586b6263ea93775639676d33d97d5b0a2212b6e73fcf5f4fea3a21cca

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5236.exe

MD5 2382f9d8ee4d02f6c02384c461045a96
SHA1 a0cf995e4315f581d637d85df713b408994d6736
SHA256 530d67e57e8bbe63aeb502f0c811a8fd8a707219b0f0f0ae11c1bc1c0732afc8
SHA512 6f3823e12a02a9d0971c7a8b121d172128ead58e9eb4ac1344e814c6a5e4aa883b4ec3da3259250f904ff4b218951df71968e50e42425aca413676ab4a377936


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9834.exe

MD5 ff67e130b6d70b2883c7f60f37d134ff
SHA1 f48375438d3724a25b06f88c9fec7cbb56810fab
SHA256 4edf96b78713c72114987d50d05eeffca11e604e123e30cb185b8e81879f8428
SHA512 c9a030656c6452757c2e7e8b31cbb72a71e9c719ff060f7b1c1df397beacdfdc6b4eea166c09a01e7f67c359b49506954d55184ce8452b81a534b2c30b215abf
