Malware Analysis Report

2025-04-13 23:56

Sample ID 241104-zlw1vsxekr
Target 5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3
SHA256 5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3
Tags
healer redline gena discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3

Threat Level: Known bad

The file 5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3 was found to be: Known bad.

Malicious Activity Summary

healer redline gena discovery dropper evasion infostealer persistence trojan

Redline family

RedLine payload

Healer

Healer family

RedLine

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 20:48

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 20:48

Reported

2024-11-04 20:51

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dCVuK95.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dCVuK95.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe
PID 3068 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe
PID 3068 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe
PID 3252 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe
PID 3252 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe
PID 3252 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe
PID 1652 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe
PID 1652 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe
PID 1652 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe
PID 1652 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe
PID 1652 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe
PID 3252 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dCVuK95.exe
PID 3252 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dCVuK95.exe
PID 3252 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dCVuK95.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5c3eab2e71a40873199df9515488b8cc13a0fe3bc47036f0fd2f822bd23f3df3.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dCVuK95.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dCVuK95.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.30:4125 tcp
RU 193.233.20.30:4125 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 193.233.20.30:4125 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 193.233.20.30:4125 tcp
RU 193.233.20.30:4125 tcp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8686.exe

MD5 20f65e60c50660e7b5ec3fe7fd32f3d3
SHA1 65c84b863f8fecc3850d1faa592116f1895bd88b
SHA256 981aa5a8846ebd73a5111fba2369946a5f2059a83b3569c7f23f026931a3dba1
SHA512 8e41ee57b2055ec3df218a11dc8f97bc143a04fbec555847b498e37f6947e4469dd8959b6d8434d88d06979e05fdd09d378379c92e0fb334351860390037a263

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice1132.exe

MD5 734ef3f2d99fb127977cd48a969e76a1
SHA1 0d1d8ee3c4d09ab84fedefa37df7db01204c17c4
SHA256 e50ae894a1fe077345ea57cddbd4d6d51ea1d99135b7e231c26ea8e81b7dc273
SHA512 449e842e8fc360c9036c25750e3c2f2ddaad04fb96fc2b6db9920dcf2a5668ce32012f906927347b3d6e9d19d2b0f84ae475870c0cc382b51e228838e886f422

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b4099ab.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2228-22-0x0000000000930000-0x000000000093A000-memory.dmp

memory/2228-21-0x00007FFEC1373000-0x00007FFEC1375000-memory.dmp

memory/2228-23-0x00007FFEC1373000-0x00007FFEC1375000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c63kr48.exe

MD5 bd4d8a462ce5cb42f93b4c030ceccf01
SHA1 6a822f5f244b963d76e093f0ffdfa4d5f767f3b5
SHA256 b5ed9e2e8cbe8ae3659ac63f160a3c1ef04a60dfef22abc4b24b5310e23c39d1
SHA512 c83b10307407b2c366338fec1f7594f6f6976adcc6914d3451b026aacff3c818f20aeed8bc80d085e2f4332c4ee84dfb9b023acc31ae17a4ad0f8b141a7a7be7


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dCVuK95.exe

MD5 be32ecbcda90dc5e29e48547c9bb8b27
SHA1 7f62ee35cfcd773dd61647e5a49ee302526487c7
SHA256 12ed47b454ecdea0141dab4505c86ee95e5f6caff6426269ced95e16b03627a7
SHA512 1a303464bf17fab65dbf8af12b589695f58dbc0ad5a588048fea076717bb1b8b2027af8c3763ba2dfebe7b114e3c557415a26d2092c2eb6f03c7bc9b8725b3dc
