Malware Analysis Report

2025-04-03 09:03

Sample ID 241107-nkjhla1flf
Target 01fb1660fdd47de75c7272ae16fb87142fb749f4646ee32ebc1592a741245a72
SHA256 01fb1660fdd47de75c7272ae16fb87142fb749f4646ee32ebc1592a741245a72
Tags
healer redline rodik discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 01fb1660fdd47de75c7272ae16fb87142fb749f4646ee32ebc1592a741245a72 was found to be: Known bad.

Malicious Activity Summary

Detects Healer an antivirus disabler dropper

RedLine

Redline family

Healer

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 11:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 11:27

Reported

2024-11-07 11:29

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\01fb1660fdd47de75c7272ae16fb87142fb749f4646ee32ebc1592a741245a72.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\01fb1660fdd47de75c7272ae16fb87142fb749f4646ee32ebc1592a741245a72.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntJ69Xq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVX92wa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\01fb1660fdd47de75c7272ae16fb87142fb749f4646ee32ebc1592a741245a72.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntJ69Xq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVX92wa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bUm64gG11.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bUm64gG11.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3504 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\01fb1660fdd47de75c7272ae16fb87142fb749f4646ee32ebc1592a741245a72.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntJ69Xq.exe
PID 3504 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\01fb1660fdd47de75c7272ae16fb87142fb749f4646ee32ebc1592a741245a72.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntJ69Xq.exe
PID 3504 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\01fb1660fdd47de75c7272ae16fb87142fb749f4646ee32ebc1592a741245a72.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntJ69Xq.exe
PID 4612 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntJ69Xq.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVX92wa.exe
PID 4612 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntJ69Xq.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVX92wa.exe
PID 4612 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntJ69Xq.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVX92wa.exe
PID 1252 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVX92wa.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe
PID 1252 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVX92wa.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe
PID 1252 wrote to memory of 4176 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVX92wa.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe
PID 4176 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe
PID 4176 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe
PID 4176 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bUm64gG11.exe
PID 4176 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bUm64gG11.exe
PID 4176 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bUm64gG11.exe

Processes

C:\Users\Admin\AppData\Local\Temp\01fb1660fdd47de75c7272ae16fb87142fb749f4646ee32ebc1592a741245a72.exe

"C:\Users\Admin\AppData\Local\Temp\01fb1660fdd47de75c7272ae16fb87142fb749f4646ee32ebc1592a741245a72.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntJ69Xq.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntJ69Xq.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVX92wa.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVX92wa.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bUm64gG11.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bUm64gG11.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
RU 193.233.20.23:4124 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ntJ69Xq.exe

MD5 4a044846e1d93c56cc02a33aed1f1f33
SHA1 97b6c314d2e2f4028e6411b5d8d9c9fc2c3e3e51
SHA256 865772910c63e776fd8d8b1dfb91011e6db49e222a7ced0d4d1caca71c4a9aa8
SHA512 f3e0c0f115775e99f4d179167858f5d085fe94865e3f29e920e1db4ea392f893d3daf7e4683725277d59301c9a891c8d6307ed2755dc153206c796a1595d5fa4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\nVX92wa.exe

MD5 f1faf3a71a13302982309db5a3813373
SHA1 479572eed0c6724ed7b76d54fa8bb3da0c7221a0
SHA256 75e4a71961d8eb338b37113baa104a0fb49a8d1bb4c9bd2a7998ae42c12a257e
SHA512 bf5df48b739918fc1b0718fcfceafaff568fdf8775be55fa1d2d20e88ff63ced965aa9d6c272cdf009f49b26198a8b85f06cd7fd810aa4b69652db0363f90289

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\nau69RE.exe

MD5 f44746ec5b262e4f9e94ff10a63a296c
SHA1 4dc95fc02994ed985ecbfc4791df5f80e0526537
SHA256 9f6daa29f0e9ab2c7097984dae5f4524efff3748e0eaa9aecf015a62f849c952
SHA512 15d4de8df74efa6266c10d36a161ac1dce17c88829b22c01cd65d8d80d43f2a87c45ae30ae32722f11b255afe18b3469961fe441c6d316d67434e4db75e8ff70

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bIS75nY.exe

MD5 d53189fe5a9f5a18daec60aae9e1425e
SHA1 d1eb1ca0498bca6266bc59a807b36383c32258e3
SHA256 9d4976da7f505b246980b0108aba89902f0b35097ae18d20612f2a0801136833
SHA512 1db176014db9b3fcf3ddb7a47a4153de7e018b369cb4e77fcfd528ec3e8aa5a783b27de8672785a15e7d6eb8d83c0e59720a0e63ab271a73d3bcbd8aeaba1c50

memory/3376-28-0x0000000000210000-0x000000000021A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\bUm64gG11.exe

MD5 443c71caec6bed37a71ecd59cb978302
SHA1 540e05954bfa11903221e910e469294f86c07f3a
SHA256 df2d8bfb601197ca4fc0336b2d1c64984e12f399fa4a6a1269e306b008e8e61c
SHA512 53fea4974fb51b019a74287a7c46e9cabb47a8069029d80070c63c5b78b674efc7826a0cab1e40e5298b711a38e36f28677896585ef5729212eaec9928b74308
