Malware Analysis Report

2025-04-03 14:18

Sample ID 241109-1m56lashrc
Target 227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2
SHA256 227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2

Threat Level: Known bad

The file 227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine

Healer family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer

Redline family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:47

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:47

Reported

2024-11-09 21:49

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnK4465lE.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnK4465lE.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPl92Zw66.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPl92Zw66.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\227f543477358af7f051fc7858d8bf635b9e2332a09a3759e0b829ae6ff437b2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnK4465lE.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnK4465lE.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPl92Zw66.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPl92Zw66.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
RU | 193.233.20.24:4123 | - | tcp
RU | 193.233.20.24:4123 | - | tcp
RU | 193.233.20.24:4123 | - | tcp
RU | 193.233.20.24:4123 | - | tcp
RU | 193.233.20.24:4123 | - | tcp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
RU | 193.233.20.24:4123 | - | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vnK4465lE.exe

MD5 a89ade95c44340d9ba86e947aa047681
SHA1 8f869081f1fe3724dacb0ab2d8b4d6bdd57c4d89
SHA256 a5fcb36cb7dd6940a4904551359e69e3cf3b321c7ebd4779d905e133a3bc52df
SHA512 9bba94890635de9e9cae87111b7c09f1104aba1816deaff5837ec362927981104091204bdc546a6abc10b99cc8a422a84c8c4a4c6e5c384b66e399d6d91d666e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw58bd16eL61.exe

MD5 0a3d59173bc50e605c828c11c1bdefe7
SHA1 ef6bac750cdd66820f3d387fb1bbf78de2a4c47e
SHA256 cebeff134d3d7f0f446456d57545060a94054e4b63c9fef4ae9d466fbceaee22
SHA512 c8c91a29df197a18768ffd9ea3e04a1cbfd781ba4575eba8940002adef7169a4720ad622e337479c9ded4283a9940142ab65bb48b57cfc81590deff8bd9cf79a

memory/2136-14-0x00007FFCA10C3000-0x00007FFCA10C5000-memory.dmp

memory/2136-15-0x0000000000310000-0x000000000031A000-memory.dmp

memory/2136-16-0x00007FFCA10C3000-0x00007FFCA10C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tPl92Zw66.exe

MD5 0b1fc7b6b5f423e268221516747427e9
SHA1 46193a7985ffd4b645fb2abf9eb10bc11a78a537
SHA256 d798407025621d1aab6e51a2cd6b6b8db9b0832b5ff932001ae3a42789c69bc2
SHA512 120304b76de795816e47f07555c149c65dc52a152b92dafc5f5e4ff4dc4c09e8a1ca3b71c043d0cecb2f4c74e434ba0ec9ae4bd15a3cf22bb880326c77be02e8
