Malware Analysis Report

2025-04-03 14:18

Sample ID 241109-1nklaashrh
Target 8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7
SHA256 8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7

Threat Level: Known bad

The file 8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Healer family

Redline family

RedLine payload

RedLine

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:47

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:47

Reported

2024-11-09 21:50

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(2 matches; no indicator details recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 matches; no indicator details recorded)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A
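The Defender writes recorded above are the most useful detection content in this report: budO52re96.exe creates the Real-Time Protection policy key, flips five Disable* values to 1 under it, and writes TamperProtection = 0 under the Defender Features key. The script below is an added example, not part of the sandbox report or of any vendor tooling: it parses rows in the report's own "Indicator Process Target" format, flags any process that sets a Disable* value to 1 under the Real-Time Protection policy key or writes the TamperProtection value at all, and leaves unrelated writes alone (a RunOnce row from this report is included as a control). The sample rows are copied from the report; the rule names, key constants and helper functions are mine.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: rows copied from the report's behavioral1 signature
# tables ("Indicator Process Target" columns). The last row is the RunOnce
# cleanup entry from the persistence table and must NOT trigger a finding.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe N/A',
]

# One report row: operation, registry path (key, plus value name for "Set value"),
# optional quoted data (may contain escaped quotes), the acting process, and a
# trailing Target column that is always N/A in these tables.
ROW_RE = re.compile(
    r'^(?P<op>Key created|Key opened|Set value \((?P<type>\w+)\))\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<data>(?:[^"\\]|\\.)*)")?'
    r'\s+(?P<process>[A-Za-z]:\\\S+)\s+N/A\s*$'
)

# Key names are my own constants, written the way the report prints them.
RTP_POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"


def parse_row(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one report row into op / key / value / data / process, or None if it is not a registry row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if m.group("op").startswith("Set value"):
        key, _, value = path.rpartition("\\")   # last path component is the value name
        op = "set"
    else:
        key, value, op = path, None, m.group("op").split()[1]   # "created" / "opened"
    return {"op": op, "key": key, "value": value, "data": m.group("data"), "process": m.group("process")}


def assess(events: List[Optional[Dict[str, Optional[str]]]]) -> List[Dict[str, str]]:
    """Apply two rules: Disable*=1 under the RTP policy key, and any write of TamperProtection."""
    findings = []
    for ev in events:
        if ev is None or ev["op"] != "set":
            continue
        key = ev["key"].lower()
        if key == RTP_POLICY_KEY.lower() and ev["value"].startswith("Disable") and ev["data"] == "1":
            findings.append({"rule": "defender_rtp_policy_disabled", "detail": ev["value"], "process": ev["process"]})
        elif key == FEATURES_KEY.lower() and ev["value"] == "TamperProtection":
            # Only the Defender service itself has a legitimate reason to touch this value.
            findings.append({"rule": "tamper_protection_written", "detail": "TamperProtection=" + str(ev["data"]), "process": ev["process"]})
    return findings


def by_process(findings: List[Dict[str, str]]) -> Dict[str, set]:
    """Group triggered rule names by the acting image name."""
    out: Dict[str, set] = {}
    for f in findings:
        out.setdefault(f["process"].rsplit("\\", 1)[-1], set()).add(f["rule"])
    return out


if __name__ == "__main__":
    for f in assess([parse_row(r) for r in SAMPLE_ROWS]):
        print(f["rule"], f["detail"], f["process"])
```

One caveat when reading these rows: the Policies\Microsoft\Windows Defender\Real-Time Protection values are the Group Policy form of the Defender settings, and on a host where Tamper Protection is enabled the Defender service ignores such changes made by a local process. The writes therefore record intent; the report does not show whether real-time protection was actually off afterwards.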

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3720 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe
PID 3720 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe
PID 3720 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe
PID 984 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe
PID 984 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe
PID 984 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe
PID 1148 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe
PID 1148 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe
PID 1148 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe
PID 760 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe
PID 760 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe
PID 760 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe
PID 3996 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe
PID 3996 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe
PID 3996 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe
PID 3996 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe
PID 3996 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe
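Read together with the IXP00n.TMP directories and the wextract_cleanupn RunOnce values in the persistence table, the WriteProcessMemory rows describe a five-deep chain of nested self-extracting executables: each IXP<nnn>.TMP directory is one unpacking stage of wextract.exe (the IExpress SFX stub), and each wextract_cleanup<n> value is that stage registering rundll32 advpack.dll,DelNodeRunDLL32 to delete its own directory at the next logon. Those RunOnce entries are the stub's cleanup, not a relaunch of the payload, so the "persistence" tag on them should be read with that in mind. The final stage in IXP004.TMP drops two executables, budO52re96.exe and caaT50kN16.exe; the report ties the Defender writes to the former and every dumped memory region to PID 2184, the latter, which is consistent with budO52re96.exe being the Healer AV disabler and caaT50kN16.exe the RedLine stealer, although the family signatures themselves do not record a process. The script below is an added example, not part of the report, that reconstructs the chain from the rows as printed (collapsing repeated writes to the same child into one edge) and checks that every child runs exactly one IXP stage deeper than its parent. The sample rows are copied from the report; the function names are mine.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: "Suspicious use of WriteProcessMemory" rows copied from the
# report. The sandbox logs one row per write, so parent/child pairs repeat; two
# copies of the first row are kept to show that duplicates collapse.
WPM_ROWS = [
    r"PID 3720 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe",
    r"PID 3720 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe",
    r"PID 984 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe",
    r"PID 1148 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe",
    r"PID 760 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe",
    r"PID 3996 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe",
    r"PID 3996 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe",
]

WPM_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+)\s+N/A\s+"
    r"(?P<parent>[A-Za-z]:\\\S+)\s+(?P<child>[A-Za-z]:\\\S+)\s*$"
)
# wextract.exe unpacks each nested package into %TEMP%\IXP<nnn>.TMP; nnn is the nesting level.
STAGE_RE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)


def build_tree(rows: List[str]) -> Tuple[Dict[int, str], Dict[int, List[int]]]:
    """pid -> image path, and ppid -> [child pids] in first-seen order; repeated rows add no edge."""
    names: Dict[int, str] = {}
    children: Dict[int, List[int]] = defaultdict(list)
    edges = set()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue
        ppid, pid = int(m["ppid"]), int(m["pid"])
        names.setdefault(ppid, m["parent"])
        names.setdefault(pid, m["child"])
        if (ppid, pid) not in edges:
            edges.add((ppid, pid))
            children[ppid].append(pid)
    return names, dict(children)


def roots(names: Dict[int, str], children: Dict[int, List[int]]) -> List[int]:
    child_pids = {c for cs in children.values() for c in cs}
    return [p for p in names if p not in child_pids]


def stage_of(path: str) -> Optional[int]:
    """Unpacking stage from the IXP<nnn>.TMP directory in the path, None for the top-level sample."""
    m = STAGE_RE.search(path)
    return int(m.group(1)) if m else None


def render(names: Dict[int, str], children: Dict[int, List[int]], pid: int, depth: int = 0) -> List[str]:
    """Indented one-line-per-process view: pid, stage index, image name."""
    stage = stage_of(names[pid])
    line = f"{'  ' * depth}{pid} [stage {stage if stage is not None else '-'}] {names[pid].rsplit(chr(92), 1)[-1]}"
    out = [line]
    for c in children.get(pid, []):
        out.extend(render(names, children, c, depth + 1))
    return out


def stages_nest_in_order(names: Dict[int, str], children: Dict[int, List[int]]) -> bool:
    """True when every child runs one IXP stage deeper than its parent (top-level sample counts as -1)."""
    for ppid, cs in children.items():
        ps = stage_of(names[ppid])
        ps = -1 if ps is None else ps
        if any(stage_of(names[c]) != ps + 1 for c in cs):
            return False
    return True


def summarize(rows: List[str]) -> dict:
    names, children = build_tree(rows)
    r = roots(names, children)

    def depth(pid: int) -> int:
        return 0 if pid not in children else 1 + max(depth(c) for c in children[pid])

    leaves = sorted(p for p in names if p not in children)
    return {
        "roots": r,
        "processes": len(names),
        "chain_depth": max(depth(p) for p in r),
        "leaves": [names[p].rsplit("\\", 1)[-1] for p in leaves],
        "max_stage": max((s for s in map(stage_of, names.values()) if s is not None), default=None),
        "tree": [line for p in r for line in render(names, children, p)],
    }


if __name__ == "__main__":
    print("\n".join(summarize(WPM_ROWS)["tree"]))
```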

Processes

C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe

"C:\Users\Admin\AppData\Local\Temp\8b143622df1c5aa48a67188443989926ef6369fc24d953d03ab7f8288d8c2fd7.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp 1
RU 193.233.20.24:4123 (none) tcp 4
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp 1
RU 193.233.20.24:4123 (none) tcp 2

The two UDP rows are PTR (reverse) lookups, for 8.8.8.8 and 52.111.227.14 respectively. 193.233.20.24:4123 is the only non-DNS destination, contacted six times over raw TCP; the report does not attribute the connections to a process.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plwR53XV66.exe

MD5 f003153796f70e87fdf82c03b69c67e3
SHA1 df3bfa6dd79848814c54d3b4e3ad6a7ffbc89c17
SHA256 9b41fd3db882884ed682679a542f29449f17fc9c66c3a4a751e308dbdb0a5bb9
SHA512 2c69211c098219cf8ecfcdb18c24d19545bf1085aa4bfa65c530f5402463aaff4731687286b9228740ef6dfd2c3c4b8b1d97d0a1b7c40d4bb1b8cf24e11c6044

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pluw54Ay31.exe

MD5 bd7aad6029dd31a1044d70254b6757fc
SHA1 5ced6f16380ed50f684b20c464832a16735eba84
SHA256 d00cf2953ee6328d0b3daaa61056a93100ca46e3a9796905744d446a886adf6b
SHA512 fe66275dd5f1d6c6b960a95ea3590c384f04baaf247224471a226c5cd786af7e7259764c626b669c4aaece8a01f1596231abb59994ab17e645e81e825ba7b29f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plth89Ky84.exe

MD5 9e5806e118d5cf37a1b69b9ef3cae97c
SHA1 6aaf49fee6e81f30385addb960351df1651e1578
SHA256 c2de137b70bad720eeb2ebf1e952dd3aeba45083875240674926227a34b138e0
SHA512 98e21af720a08495f335c7c3e983e8da37a92825ca1d81797087113b01f38c0949f2dd7e385b60733b8718b50fdfae045ae59c45a923874b49d7f0e0a1ebc286

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plnT07rg77.exe

MD5 33e54a633f912b08a6d143e489dddc2c
SHA1 b9f9a8eca74148c1815e5c3f7381b331112d7bfe
SHA256 aa195070ece625d3cc583cb26ccff74972768ccfe965cd3055b61c65f6bb21f0
SHA512 d7991c6ebc000baaaca1a876da423b5a34e637cbc428f252269e852f0fda29c4221166f1c7d6ab6e2077e69da656c0c08cd81443eeed8ac4774a404ebc735413

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\budO52re96.exe

MD5 96e6d9a63a0c85a0e6b1cda3dca13ddc
SHA1 dad3842c8548ea821bec9a765d353b7a15f2a042
SHA256 6238087f85028aa0170f4e8a55bc0d29138c9dc9d8c1fdcae4d4b57c2d134178
SHA512 84957495bf0b2ad4dcb537c60d774754f3e35b0c5445c81d5a275a98b13a83c71209c636c59dbc609f81903a1c5e6d5f23fd1dc3a33fe0220b839edaa8e411b4

memory/3164-35-0x0000000000360000-0x000000000036A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caaT50kN16.exe

MD5 12a07204bf4c65efdd968689ed260c4e
SHA1 8430e5110448dc962c4191a1a06b05c4e3c1a140
SHA256 e4666bb9e57296f0140b125a1c5e32f446659b0baa2c3d7fef87a7aef339433b
SHA512 61dbfcedae6259039196942064d62cae0de853c6c5afa3547e6394e789ddf3c0acc6e94cd2c89c090c6f891a77565b0fe332b21da0afa5a5102f1d12d4f3989a

memory/2184-41-0x0000000002750000-0x0000000002796000-memory.dmp

memory/2184-42-0x0000000004C50000-0x00000000051F4000-memory.dmp

memory/2184-43-0x0000000004B60000-0x0000000004BA4000-memory.dmp

memory/2184-N-0x0000000004B60000-0x0000000004B9E000-memory.dmp (33 snapshots of the same 0x3E000-byte region, N = 44, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 67, 69, 71, 73, 75, 78, 79, 81, 83, 85, 87, 89, 91, 93, 95, 97, 99, 101, 104, 105, 107)

memory/2184-950-0x0000000005200000-0x0000000005818000-memory.dmp

memory/2184-951-0x0000000005860000-0x000000000596A000-memory.dmp

memory/2184-952-0x00000000059A0000-0x00000000059B2000-memory.dmp

memory/2184-953-0x00000000059C0000-0x00000000059FC000-memory.dmp

memory/2184-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp