Malware Analysis Report

2025-04-03 09:05

Sample ID: 241107-cxdx4aslhs
Target: 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3
SHA256: 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3
Tags: healer redline rodik discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK
  - Enterprise Matrix V15
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview


Threat Level: Known bad

The file 4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3 was found to be: Known bad.

Malicious Activity Summary

healer redline rodik discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

RedLine payload

Redline family

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 02:27

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 02:27

Reported

2024-11-07 02:29

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2708 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe
PID 2708 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe
PID 2708 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe
PID 1920 wrote to memory of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe
PID 1920 wrote to memory of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe
PID 1920 wrote to memory of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe
PID 464 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe
PID 464 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe
PID 464 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe
PID 116 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe
PID 116 wrote to memory of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe
PID 116 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe
PID 116 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe
PID 116 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4d088e2c3449df88bddf86e0f58caf983be6e41a6b6d2ad7956a1d31e530b0e3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.23:4124 | N/A | tcp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
RU | 193.233.20.23:4124 | N/A | tcp
US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp
RU | 193.233.20.23:4124 | N/A | tcp
RU | 193.233.20.23:4124 | N/A | tcp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
RU | 193.233.20.23:4124 | N/A | tcp
RU | 193.233.20.23:4124 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stC21UM78.exe

MD5 cda0ba2f46109dff4625c138815333e0
SHA1 d53b9d3b75f951209ae60dadb31e169ecb1cc88f
SHA256 19cef52d8912f92c2e70466d0239eb8d1ac2de2366a64228bfc459d596a88d9b
SHA512 bbae5af7f5bb82cdb2279f05b276cdce11fcdad1635e6020753ffac66fb84343a7eef5b39cdc166cabfbfd7f8213d0a2017a70101785936c252559f7ad452ca1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sEq64AI19.exe

MD5 4acde0c98110d81a16cc4142ad0768bb
SHA1 0e8d37d14a1807ff1d7b8919f55fb2f991909f17
SHA256 00a08145060b94c2bbcdce4a7991d80f44ad1beb189ade90c28eae356189e54c
SHA512 ce287ae4a6fb8128156c5b2754e8168d36c58359aa7112fda2ccd8f7bb3dc3d4a0783a0b868926ff4df80c817806318b0efe5603326a37f14ca857096ee98545

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\szM42Gn92.exe

MD5 ee2972dc9ac93157ba79e2d60eedcf4b
SHA1 66bba59a4be4d7746434d03d941da65bdc4188b1
SHA256 37648268773e03f8f89e732342c31b8c84d32d13ed2017cdcfed22e14448b607
SHA512 ecd18c626899e889c34981cb2840d754a9b5ed2868bedcdc083015ac0029dbefb2d95a481cd9afb2ac4983a7a707e126477ed70bdd0336ce032a77f7ea801462

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iHO86rq.exe

MD5 3f743544178d1d7086fb775f43dcfeeb
SHA1 7b9c026e578b764614a1bbf3784d24f1598db442
SHA256 d08e033389f404907756d12db74080967c5b64473fbef8a309bc1d760f58e16c
SHA512 66db004f3c60a8cd093f2df6c71e0248a78645022b1d96aa47f3658ebd9bd26b528339942b9a322ac1529d80f8eae1c4a416a9ae03323e030271239c1a284eaa

memory/3636-28-0x00000000004E0000-0x00000000004EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kaE74HJ.exe

MD5 b907779ac03be51e3fe55c545e16195d
SHA1 d39a6ffa3af1153cb920e4fd1a9bd38b99c1f37b
SHA256 49c804cc4ef692834971fe93b96777381c9b247ce2f1d49b34b39e01b05d610c
SHA512 c72a9fbaad8653f9f2f065c196a8abf5dcf540dd5f52514df72b9668220849d8921cd6b3c9441386bcfbc27e507b578bcf59b31d802279d5141d1c0bcf3b78b7
