Malware Analysis Report

2025-04-03 09:05

Sample ID 241107-bltcza1lcx
Target aefdf1cb367100f8aaee86bd6eee5c29a19471f88434c51fefb9fe1c68f71b62
SHA256 aefdf1cb367100f8aaee86bd6eee5c29a19471f88434c51fefb9fe1c68f71b62
Tags
healer redline rodik discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aefdf1cb367100f8aaee86bd6eee5c29a19471f88434c51fefb9fe1c68f71b62

Threat Level: Known bad

The file aefdf1cb367100f8aaee86bd6eee5c29a19471f88434c51fefb9fe1c68f71b62 was found to be: Known bad.

Malicious Activity Summary

healer redline rodik discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

Redline family

Healer family

Detects Healer, an antivirus disabler dropper

RedLine

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 01:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 01:14

Reported

2024-11-07 01:16

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe
PID 3112 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe
PID 3112 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe
PID 1820 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe
PID 1820 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe
PID 1820 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe
PID 1008 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe
PID 1008 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe
PID 1008 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe
PID 4392 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe
PID 4392 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe
PID 4392 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe
PID 4392 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe
PID 4392 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe

"C:\Users\Admin\AppData\Local\Temp\8051b0ccaa40b8e46435f9d199a586ad5373065d6b9dcecf35fdb3c652740fe5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVY03EP16.exe

MD5 0c48443198836bed2d412b49a852bdbb
SHA1 fdd139aa10efa700a2f18a022dc995e9e9697d4b
SHA256 2c0c8195814f4dd6268dcb8a28971851215c6833fd5ee6c9ebea5fa227e6ca16
SHA512 56d36b3ef3373ed1897d87a1aad1bc7ab53b8fd9ec4578c1c0d1ab37ebcd0aa268b81576d9cf559900202a56e015d6dd95da8077444f452907fe5d6e89d02254

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\saE37fq29.exe

MD5 c919d05886ac6143a025c58301012f61
SHA1 06ab29ef3daff24c45ecc6ad61e6bc0ad76a36d5
SHA256 50922d00630558b9197fc7c1ae98742250e805ba7b27199d64ccf4a342572102
SHA512 c96b23ae67294e9be6e12e1622a815d7ab672958b369991749677b48f22fd266053653802c191128ebd9b11ad044a8b649fc1ea67f1d376f9788f05c7b1865ab

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\smU32lB60.exe

MD5 8fcbc09ad7098522547609f48c66831b
SHA1 d93a1cb789b0ef4cd14e0fa2211deef814483614
SHA256 d49245074ab6612a095780fea461963d7b0030c21300b808568ac92a139bc81e
SHA512 f54898d517b511c67c13dc1a5849e0d5f98e5de99ee7ca3c911d9381710cb5bcb9cab8ea038dff9bf06256bf779947517855e7b078a8fbeda4ab6284e7f17a11

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNj79MS.exe

MD5 4759c87cb8aae3b368ce489ed3888406
SHA1 428b9a715af61d129a9a86145884f344a557f1aa
SHA256 48ebc806315e6f54059fd03b98c5c853e0e3a457b1f1d8dc6fa61f57470b7f62
SHA512 e8b16bbc37b67efcbee78d2085487f57d909e4e84160e6fbef838a403f5642d86b330db35ea0887b89629176ed684a8d2c4ef76a32724dbb4b35aead6ef16d04

memory/3008-28-0x0000000000560000-0x000000000056A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\koJ02HY.exe

MD5 89043a2a2ea21c3bd2a007ecd51c585f
SHA1 8a69615923db088e06a0ea0e6b9c0c910275573d
SHA256 f412aef193eb688eeac1e9cf396e0cc888d3be7ff19c9ce07f815b6a1bff3ecf
SHA512 206203bb26173099ceb68ad16a0da6565181b9fc841bec240652f8d7c4f53325a6a1a4af0d33de1d77ad6c27a127189b4f6e4c0f6b354c378e995ce80f1527bd
