Malware Analysis Report

2025-04-03 09:02

Sample ID 241107-p28pgsvnap
Target b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37
SHA256 b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37
Tags
healer redline rodik discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37

Threat Level: Known bad

The file b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37 was found to be: Known bad.

Malicious Activity Summary

healer redline rodik discovery dropper evasion infostealer persistence trojan

Redline family

Healer family

Healer

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Detects Healer, an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 12:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 12:50

Reported

2024-11-07 12:53

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1076 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe
PID 2784 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe
PID 2668 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe
PID 3376 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe
PID 3376 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe

Processes

Process Command Line
C:\Users\Admin\AppData\Local\Temp\b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37.exe "C:\Users\Admin\AppData\Local\Temp\b8a48556b02335ad49007138f05674ab89093d9f33131e3067a4ef4ba68c7f37.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.23:4124 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\spC01tE66.exe

MD5 d4809a999631efe7cc9443a9f3fed079
SHA1 14b6d712f08bb273fd22afce2ad32619c5368b5e
SHA256 c67627ef66f20893d8d1f7c77a43aa09f586886f81e2fcd6788005075402c5f5
SHA512 153c0dbcc470444fe92456980af8015599b1c916e4d47482580c7787ffd97a04045cd9effd4cec2abf1e4ae9ec8fb58766d32d36a18a2f9b1817f51e7698558f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sIH26vQ95.exe

MD5 9f5c7eaaca4dd25798397e51e73b1fe7
SHA1 c1da599a37189854de9087d3ef5821bcb5410068
SHA256 c2bf7bc62d1cd5efdd17e9afa4fac6093e6375c547971a107fb1b2bf141261a9
SHA512 241b697fe4b51d5799139da78255f3df64f03c1e54f9df8585b0ead4f991706dbdb74fd66349401882b8e184e2c204099a5db59727821ad45d5062329c297969

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\sYy98mB77.exe

MD5 130bb20bbeee80ff5b2a07bff0795c64
SHA1 98bb27c1370465bd1c1361714e0cfac9c591035b
SHA256 a669c2e5e8d72e887926f5ee66de3032730e433b867fee0143e2fdc44059decd
SHA512 b8d4320b765202bc3459360de83ee519b711c3d2c043f109ab377846aedf57e72ae058c40615f8811c1ae2abf47141371def5583134eb29fc4e79e0f0fb26c02

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\iMF47jl.exe

MD5 6b32fa9f5272a83ceb3f05207a463819
SHA1 798a35e9ea7d24e61351abffd312c37b7ee1045a
SHA256 41aedc3e975128a3476e2bd9140c729d88e14d2da0b08857be9172b6984884e6
SHA512 1312da29742211db5870fee66c49d9b8558bc808dc22fd4990b98d8b6e20045096c926db28bbfaceb95c31c5f80943760fd8ad80bedaafe0edefd4b0dfc54b0b

memory/2092-28-0x0000000000660000-0x000000000066A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\kOx12EU.exe

MD5 e5e97fd2974a50b5a07e32634aa8c336
SHA1 c841973581b669ce53d079feae3bfc163eac3d48
SHA256 934f074101777f99e03a4671dfba2384942017a561be032adb310ac2aaf317e7
SHA512 9ce9697c2d5d18313dbcc463f3c6691f28783ff4a1671f205b8a4c5464adb2970fd34d279810266a814b65157e691fe7da59bac25da5a994ed15f35716a07e4b
