Malware Analysis Report

2025-04-03 14:17

Sample ID 241109-1nkahstall
Target 6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378
SHA256 6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378
Tags
healer redline dark discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378

Threat Level: Known bad

The file 6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378 was found to be: Known bad.

Malicious Activity Summary

healer redline dark discovery dropper evasion infostealer persistence trojan

RedLine payload

Detects Healer, an antivirus disabler dropper

Healer family

Redline family

RedLine

Healer

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:47

Reported

2024-11-09 21:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5040 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe
PID 5040 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe
PID 5040 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe
PID 4212 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe
PID 4212 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe
PID 4212 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe
PID 4668 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe C:\Windows\Temp\1.exe
PID 4668 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe C:\Windows\Temp\1.exe
PID 4212 wrote to memory of 5332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe
PID 4212 wrote to memory of 5332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe
PID 4212 wrote to memory of 5332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe
PID 5040 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe
PID 5040 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe
PID 5040 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe

"C:\Users\Admin\AppData\Local\Temp\6e09e9ec9368fcee10e0ad33dc14679fc81592486c94c7b35c63dc01ad9b5378.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4668 -ip 4668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 1524

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5332 -ip 5332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5332 -s 1260

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 68.208.201.84.in-addr.arpa udp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un133101.exe

MD5 02dbd5b76ca7da877d2559125a412dd2
SHA1 15cee3a4fe0a5d6dffe5b220d4e9ac5b9058b472
SHA256 090a6ac11064c612582f6e81863364674c6f3c520b81a6058a7ac2c7d7ebd32b
SHA512 eeb79719168896b0de4d7f74afb6060fc468cbae99509cd0904895e3cd9d764c3404d03da73ab2960f3c96367902783d514eb31ee00495dfa4923a7c57e1c649

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65331000.exe

MD5 d0186d4724c69b9aa469531553c6fe58
SHA1 3036ebacf9d596343df4010a643461ac211d3312
SHA256 60dc63bc639c4fb22f2bbec9d7675f061d6a147ea9c5b22d18521b60c9f4f6ad
SHA512 6394718f14719e1deefde49a1510f4aad8d4f86fc024d65f765ffc54bfec0bddb57de113da38f96f20132d57badb49909503d9de4c8d67dbe92b90e7b36ceee7

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk059219.exe

MD5 b01e5f897729f7b2485eb05cc2b4c04c
SHA1 3513743386aaa0fac5b6d0290639f6474c366f15
SHA256 e24c61c8f8b80d4f1949616e5b1c43976bf487d96aaaea44f5cfd10f53cc32c7
SHA512 8709bafefe3c79ed0cc33754293bd696fe72e5bc43c4c38bdbb9d586dd6ecdd7c3f37e180bf832364020af99737331e6250a8b6af212dbae5df8a8f5137ba865

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si168256.exe

MD5 44c52d581b66b8c0585de054d8fcfa20
SHA1 50701f6964abd0032fb8fac39de24ed4add08f3d
SHA256 98dba28b0826d507fbe8c17633ca2890c06531ce3bc70f829b4847278dede737
SHA512 b6d484b17b15f64c49690e2a042df278daeaab3e6898172a04fdf7a77e2cc2c2ca1b9c1a2ae5c9494425bf60d016441a023fcedb2b0ebd8377730744dd00e3c2
