Malware Analysis Report

2025-04-13 23:55

Sample ID 241104-zpfs2sxbne
Target ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa
SHA256 ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa

Threat Level: Known bad

The file ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

RedLine

Modifies Windows Defender Real-time Protection settings

Detects Healer, an antivirus disabler dropper

RedLine payload

Healer

Redline family

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 20:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 20:53

Reported

2024-11-04 20:55

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (35 identical rows; all fields N/A)

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cauA06Zk63.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cauA06Zk63.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe
PID 2796 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe
PID 2796 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe
PID 4940 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe
PID 4940 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe
PID 4940 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe
PID 2216 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe
PID 2216 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe
PID 2216 wrote to memory of 3608 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe
PID 3608 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe
PID 3608 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe
PID 3608 wrote to memory of 3196 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe
PID 3196 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe
PID 3196 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe
PID 3196 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cauA06Zk63.exe
PID 3196 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cauA06Zk63.exe
PID 3196 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cauA06Zk63.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe

"C:\Users\Admin\AppData\Local\Temp\ebe65e0737ca45ee5c62d55f90efd454619f61602e6e6484b9552d4af333abfa.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cauA06Zk63.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cauA06Zk63.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkE09YZ28.exe

MD5 650bcd0d8fb9043864586e4a0de07263
SHA1 3d80875342b9c1a9d8c3e0c2edc572b4387473a5
SHA256 1c25f73635ecc9719b5c3277697056db1d34d5272c56e0df574b9b6fd6c78d08
SHA512 445ebd1be2d10a5eb02a938752b7a358b88d0f68a8f6533596c044230a826ee670b99d3a212a9268365fa772bece5c236773f8d0c43234b7b6f549ae0778fb3c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plNM24jf61.exe

MD5 0abddb8f1d5f487dfe24cbebd9d68745
SHA1 0a57f6132c73b67d9f8bab0ede687e528d33b5be
SHA256 92f3de7aad46c4cd5d5ad5e2ed79414fc2d4ed87b68be0c1d640496ced2196ba
SHA512 45bbd59cde3734cae3819edc0d468c234b5e1ca0db6e17a57fb2135cc7b629f0fa89c1019c59150f36c4583048bd12bd5eb3df66eb871ef1d05b14bd8ba86f00

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\pllr83yu17.exe

MD5 0964ae7c0e17409bcc12b890f62bfbc8
SHA1 e4e6493155cd09369ef74ed568ca968ddcc10fbe
SHA256 489a34febca86e024b5dbb50aac3dd4a17171bef1363be4b8e88f47953cb285f
SHA512 b5b21c99e922f44d31a2b6fb63dadc55885b4476a38c11a4021165f1bb367b2d883d7cc7204a7512953d1eb569a8a9d0472855e9c62cb1150aaa882f5f05b9af

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plOf35mo83.exe

MD5 c20375ce850eb00354f2ab32c9e4af65
SHA1 4ece534d9a5b87a646d587e1c120ba3b6b02048d
SHA256 a8ab4314ef38d248de070aed98526ee80a0392a97f970dbac1888c2d5c82892f
SHA512 d6fdf1c59b050f8ca5eb488d47c841c35f1e0595c2f31091d84db788f179f7550c698da4bc87e4d660c298d86cbce7c2a055bd34970b2d9121b33f8988cf419a

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buOX02aD75.exe

MD5 9179f02d7eac3d42bcc20ee9577ec01f
SHA1 86f95654183c964d4d0dff1687db50ce1eaa2cb5
SHA256 dd80b6597b9dec7a6b794b745b96e5ca4c9e17a22afdb2c6870c362f15079422
SHA512 a1f316764154644444acbb63f29c276e8f717a6ac3ab1f86189479e5d208c78a903d7638a15ab568d4087881aa23a844b1e0f5d791981be5c35054b164ff77f7

memory/2964-35-0x00000000009A0000-0x00000000009AA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cauA06Zk63.exe

MD5 5b4052ee747278a02dac44898f59aaee
SHA1 6b59810f74916a6921ea2276b57b6f5f61c79654
SHA256 baddc727c186e86b475b2b6dd68a39db563c8f1b6129e7e5f88fb4060cb7ee80
SHA512 9d14b58234c4790199902771cecd0723a17e01e7fd1cc5a66d7d92e1848de7347e86429c8985ea885e345e0a80d550af5b4629c98a8e30142c8c21201d7e2c23

memory/4444-41-0x0000000002460000-0x00000000024A6000-memory.dmp
memory/4444-42-0x0000000004C60000-0x0000000005204000-memory.dmp
memory/4444-43-0x0000000004B60000-0x0000000004BA4000-memory.dmp
memory/4444-63-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-65-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-107-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-103-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-101-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-99-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-98-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-95-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-93-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-89-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-87-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-85-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-83-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-81-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-79-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-77-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-75-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-74-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-71-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-69-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-67-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-61-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-59-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-55-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-51-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-49-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-105-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-91-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-57-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-53-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-47-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-45-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-44-0x0000000004B60000-0x0000000004B9E000-memory.dmp
memory/4444-950-0x0000000005210000-0x0000000005828000-memory.dmp
memory/4444-951-0x0000000005860000-0x000000000596A000-memory.dmp
memory/4444-952-0x00000000059A0000-0x00000000059B2000-memory.dmp
memory/4444-953-0x00000000059C0000-0x00000000059FC000-memory.dmp
memory/4444-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp