Malware Analysis Report

2025-04-03 09:06

Sample ID 241107-c5x1yawlbn
Target 189cf43dc7c4f36a23108a7283c8abf0200476e5040f5705b22996c11191d945
SHA256 189cf43dc7c4f36a23108a7283c8abf0200476e5040f5705b22996c11191d945
Tags
healer redline rodik discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

189cf43dc7c4f36a23108a7283c8abf0200476e5040f5705b22996c11191d945

Threat Level: Known bad

The file 189cf43dc7c4f36a23108a7283c8abf0200476e5040f5705b22996c11191d945 was found to be: Known bad.

Malicious Activity Summary

healer redline rodik discovery dropper evasion infostealer persistence trojan

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine

Healer

Redline family

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-07 02:40

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 02:40

Reported

2024-11-07 02:42

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2564 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe
PID 2564 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe
PID 2564 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe
PID 1232 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe
PID 1232 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe
PID 1232 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe
PID 3520 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe
PID 3520 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe
PID 3520 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe
PID 4768 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe
PID 4768 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe
PID 4768 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe
PID 4768 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe
PID 4768 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe

"C:\Users\Admin\AppData\Local\Temp\8fb96ea4bb20343081a18910f7d1f7b59f67ed801b32c610eb738fa584836cb2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sVE65PH76.exe

MD5 41288373432a73184167966c46465d3e
SHA1 77e34bdafa177fa7e9c148b8b44ce450e91c3324
SHA256 20248e9f11ba2792db80b181086fb94ebbdea0b314a60be93e547e42657010a7
SHA512 b22ecf771ed103f3b4a4ea3cf31ae99fb8ec1237bc818131726db20bc235649207120e1e51acb5cd76bb77fff4416568cba1958947ded2f5727c93d0acff0937

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\srX37jJ41.exe

MD5 803bead51b64f1d47818c3c8de41a52a
SHA1 2b6542fd9001056ccf1a702cfdf32fc536ba3589
SHA256 e153e41f67febc814a63aba356167861400b378a4782faafc8845fbe57c08a34
SHA512 e3382318084a7c1ed2cded1eeefa3a4b98929a410c59794fd092a1114145381d610d95e65b9c3a892eb2b3b4f643ad314fa425096448c1f41f58b49a5f3ab0f4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\saq72Ff13.exe

MD5 59d1dd6f1027ec76e8f60ebfb87bb2c3
SHA1 20720894881ad763c165ced843d3e18920458ccb
SHA256 8877e6541a946e3ae5966211f09de3913bc66c399e046b0057baff16b3d86b60
SHA512 76ea5ddb13cfdd96c98c1aef65600ac4ef6f17a6b8ad06d366dc052faa2a61362d97f5717281baea832adac1f2f5b0f3344ffe5999b0c70e1cad760935f190a4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iNT92JN.exe

MD5 04f3c63ce81835b2054683bcfc3dde69
SHA1 cd1f5d0a2a905ac46c556dd1157ae6bfddfdae4e
SHA256 7539469ced6e51a6dad4db72bc209948028e863dbda0a33910f700056964a6f9
SHA512 0593f081909f7fd614dc073404527c64341929a90bf93fbdef9758100d99260eb94c8e521e70cae42cd9ee0921e93860588ab8e8a9f88c3cb819567f215277ad

memory/4460-28-0x0000000000550000-0x000000000055A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kkj98JQ.exe

MD5 89043a2a2ea21c3bd2a007ecd51c585f
SHA1 8a69615923db088e06a0ea0e6b9c0c910275573d
SHA256 f412aef193eb688eeac1e9cf396e0cc888d3be7ff19c9ce07f815b6a1bff3ecf
SHA512 206203bb26173099ceb68ad16a0da6565181b9fc841bec240652f8d7c4f53325a6a1a4af0d33de1d77ad6c27a127189b4f6e4c0f6b354c378e995ce80f1527bd
