Malware Analysis Report

2025-04-03 14:17

Sample ID 241109-1s7llswlal
Target 5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286
SHA256 5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286
Tags
healer redline max discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286

Threat Level: Known bad

The file 5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286 was found to be: Known bad.

Malicious Activity Summary

healer redline max discovery dropper evasion infostealer persistence trojan

Healer family

RedLine payload

Redline family

RedLine

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 21:55

Signatures

Unsigned PE

1 match; no description, indicator, process or target recorded.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 21:55

Reported

2024-11-09 21:58

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe"

Signatures

Detects Healer an antivirus disabler dropper

17 matches; no description, indicator, process or target recorded for any of them.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe N/A

RedLine

infostealer redline

RedLine payload

2 matches; no description, indicator, process or target recorded.

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe N/A
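Both Defender-related signatures above ("Modifies Windows Defender Real-time Protection settings" and "Windows security modification") reduce to six registry value writes by a08058096.exe. The Python below is an added example, not part of the sandbox report, that applies the same two rules to Sysmon Event ID 13 (RegistryEvent: Value Set) records: it maps the sandbox's \REGISTRY\MACHINE\...\WOW6432Node\... spelling and Sysmon's HKLM\... spelling to one form, parses Sysmon's "DWORD (0x...)" rendering, and flags only the dangerous direction (a Disable* value set to 1, TamperProtection set to 0). The event records are constructed from the rows above plus two benign writes for contrast; the Sysmon field names (Image, TargetObject, Details) are real, the regedit.exe and ConstructedBenignValue records are invented.

```python
"""Detect Defender-weakening registry writes of the kind a08058096.exe made in this detonation.

Added example: runs over Sysmon Event ID 13 (RegistryEvent: Value Set) records, which carry
Image, TargetObject and Details. The records below are constructed from this report's rows
plus two benign writes.
"""
import re
from typing import Dict, List, Optional, Tuple

# Values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection that switch a
# protection component off when set to 1 (all five were set by a08058096.exe).
REALTIME_DISABLE_VALUES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}


def normalize_key(path: str) -> str:
    """Map sandbox (\\REGISTRY\\MACHINE\\...) and Sysmon (HKLM\\...) spellings to one form and
    fold the WOW6432Node redirection in, so a 32-bit writer cannot dodge the rule."""
    machine = "\\REGISTRY\\MACHINE\\"
    if path.upper().startswith(machine):
        path = "HKLM\\" + path[len(machine):]
    wow = "HKLM\\SOFTWARE\\WOW6432NODE\\"
    if path.upper().startswith(wow):
        path = "HKLM\\SOFTWARE\\" + path[len(wow):]
    return path


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders REG_DWORD as 'DWORD (0x00000001)'; the sandbox table renders '"1"'."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details)
    if m:
        return int(m.group(1), 16)
    bare = details.strip().strip('"')
    return int(bare) if bare.isdigit() else None


def classify(target_object: str, details: str) -> Optional[str]:
    """Return a finding name for a dangerous write, or None for anything else."""
    parent, _, name = normalize_key(target_object).rpartition("\\")
    value = parse_dword(details)
    if value is None:
        return None
    parent = parent.lower()
    if (parent.endswith("\\policies\\microsoft\\windows defender\\real-time protection")
            and name in REALTIME_DISABLE_VALUES and value == 1):
        return "defender_realtime_disabled:" + name
    if (parent.endswith("\\microsoft\\windows defender\\features")
            and name.lower() == "tamperprotection" and value == 0):
        return "defender_tamper_protection_off"
    return None


def scan(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(Image, finding) for every EID 13 record that matches; other event IDs are ignored."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        finding = classify(str(ev["TargetObject"]), str(ev["Details"]))
        if finding:
            hits.append((str(ev["Image"]), finding))
    return hits


# Constructed records; the writer and the key paths are the ones in this report.
HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe"
RTP = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
SAMPLE_EVENTS: List[Dict[str, object]] = (
    # "Key created" is Sysmon EID 12, not a value write, so it must not produce a finding.
    [{"EventID": 12, "Image": HEALER, "TargetObject": RTP, "Details": ""}]
    + [{"EventID": 13, "Image": HEALER, "TargetObject": RTP + "\\" + n, "Details": "DWORD (0x00000001)"}
       for n in sorted(REALTIME_DISABLE_VALUES)]
    + [{"EventID": 13, "Image": HEALER, "TargetObject": FEATURES + r"\TamperProtection",
        "Details": "DWORD (0x00000000)"},
       # Benign, constructed: an admin turning real-time monitoring back on (value 0).
       {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
        "TargetObject": RTP + r"\DisableRealtimeMonitoring", "Details": "DWORD (0x00000000)"},
       # Benign, constructed: a write to an unrelated (invented) value under Features.
       {"EventID": 13, "Image": HEALER, "TargetObject": FEATURES + r"\ConstructedBenignValue",
        "Details": "DWORD (0x00000001)"}]
)

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{finding:55s} {image}")
```

Matching on the end of the key path rather than the full path is deliberate: the same values can appear under the 64-bit and the WOW6432Node view, and Sysmon and the sandbox root them differently. Tamper Protection, when on, is what normally blocks these writes; the report shows it being switched off in the same burst, which is why the Features\TamperProtection = 0 rule belongs in the same detection.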

Adds Run key to start application

persistence

Note: the wextract_cleanupN values below are the self-cleanup hooks that the Windows self-extractor (wextract.exe, the stub used by IExpress packages) registers for its IXPnnn.TMP working directory; rundll32 advpack.dll,DelNodeRunDLL32 deletes that directory at the next logon and relaunches nothing. Five such entries mean five nested self-extracting layers, so this signature documents the packaging of the sample rather than attacker-chosen persistence.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe N/A

Suspicious behavior: EnumeratesProcesses

2 events from C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe; no description or indicator recorded.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1832 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe
PID 1832 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe
PID 1832 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe
PID 380 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe
PID 380 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe
PID 380 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe
PID 492 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe
PID 492 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe
PID 492 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe
PID 1128 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe
PID 1128 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe
PID 1128 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe
PID 2428 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe
PID 2428 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe
PID 2428 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe
PID 2428 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe
PID 2428 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe
PID 2428 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe
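The WriteProcessMemory rows above are the only place this report states which process spawned which; each new child shows up as three writes from its parent. The Python below is an added example (not tooling from the sandbox) that parses those rows verbatim, collapses the repeats, and rebuilds the process tree, tagging each executable with the IXPnnn.TMP directory it was unpacked into. The submitted sample and the four i*.exe stages in IXP000.TMP through IXP003.TMP are nested self-extracting wrappers, each unpacking the next into a fresh directory; the two leaves in IXP004.TMP, a08058096.exe (the process that performed the Defender modifications) and b92097652.exe, are the final payloads. The rows embedded in the block are copied from this report, with only the first triple kept in full to show the de-duplication.

```python
"""Rebuild the process tree of this detonation from the 'Suspicious use of WriteProcessMemory' rows.

Added example, not sandbox tooling. The rows are copied from this report; the sandbox emits each
parent->child relation three times, so only unique (parent, child) pairs are kept.
"""
import re
from collections import OrderedDict
from typing import Dict, List, Optional, Tuple

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
IXP_DIR = re.compile(r"\\IXP(\d{3})\.TMP\\", re.IGNORECASE)

REPORT_ROWS = r"""
PID 1832 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe
PID 1832 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe
PID 1832 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe
PID 380 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe
PID 492 wrote to memory of 1128 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe
PID 1128 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe
PID 2428 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe
PID 2428 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe
"""

Edge = Tuple[int, int, str, str]


def parse_edges(text: str) -> List[Edge]:
    """Unique (parent_pid, child_pid, parent_image, child_image) tuples in first-seen order."""
    seen: "OrderedDict[Tuple[int, int], Tuple[str, str]]" = OrderedDict()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            seen.setdefault((int(ppid), int(cpid)), (pimg, cimg))
    return [(p, c, pi, ci) for (p, c), (pi, ci) in seen.items()]


def build_tree(edges: List[Edge]) -> Tuple[Dict[int, str], Dict[int, List[int]], List[int]]:
    """pid -> image, pid -> children, and the roots (PIDs nobody wrote into)."""
    images: Dict[int, str] = {}
    children: Dict[int, List[int]] = {}
    for ppid, cpid, pimg, cimg in edges:
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        children.setdefault(ppid, []).append(cpid)
    child_pids = {c for _, c, _, _ in edges}
    roots = [pid for pid in images if pid not in child_pids]
    return images, children, roots


def layer_of(image: str) -> Optional[int]:
    """Index of the IXPnnn.TMP directory the file was unpacked into, or None for the sample itself."""
    m = IXP_DIR.search(image)
    return int(m.group(1)) if m else None


def chain_depth(children: Dict[int, List[int]], pid: int) -> int:
    """Number of processes on the longest parent->child path starting at pid."""
    kids = children.get(pid, [])
    return 1 + (max(chain_depth(children, k) for k in kids) if kids else 0)


def terminal_payloads(images: Dict[int, str], children: Dict[int, List[int]]) -> List[str]:
    """Leaves of the tree: processes that spawned nothing, i.e. the final-stage executables."""
    return [images[pid] for pid in images if pid not in children]


def render(images: Dict[int, str], children: Dict[int, List[int]], pid: int, depth: int = 0) -> List[str]:
    layer = layer_of(images[pid])
    tag = f"  [IXP{layer:03d}.TMP]" if layer is not None else "  [submitted sample]"
    out = [f"{'    ' * depth}{pid}  {images[pid]}{tag}"]
    for kid in children.get(pid, []):
        out.extend(render(images, children, kid, depth + 1))
    return out


if __name__ == "__main__":
    edges = parse_edges(REPORT_ROWS)
    images, children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(images, children, root)))
    print("nesting depth:", chain_depth(children, roots[0]))
    print("terminal payloads:", terminal_payloads(images, children))
```

The depth figure is the practical takeaway: a chain of six processes to reach the payloads means that any detection keyed on "parent is the submitted sample" fires only on the first wrapper. Keying instead on execution from an IXPnnn.TMP directory under %TEMP% catches every stage, and the leaf list gives the files worth pulling hashes and memory dumps for.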

Processes

C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe

"C:\Users\Admin\AppData\Local\Temp\5e1c47fa15607f0181a265844141992a9ea68d1bdd7387361a175e266a7d4286.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i23692502.exe

MD5 a5c8a8494de272d852dd4999d1e329c4
SHA1 3881f72ecd48ec71f036aac4ee997d7e56ab19fd
SHA256 488ec3515d3f54b83bba6b4f711fd5c779909cc9f1d4ad9522d86f47e7338ec4
SHA512 b15c2d053c90b56d980ab178ffc3d828f17d94518b03b942cba29fa5a49aeafe64b6c96d0a1f3948b8d71928d44fc3b834e6b5595536d2b81d8c8796c18f504d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i86791332.exe

MD5 c0d68b9a50930ad08ed8e6f5ea124661
SHA1 129ed97386ca1c6f17d66d45fa7c3132946d5c9c
SHA256 02464048dc6d7e00c7e09c38693765d48bad3b225acdba3cf058bdaedb6793e6
SHA512 29c3cbbd9368daf16145f61c6479a2ac73efccdbb2789e0a7d868a8f0c15a3988bf1f9f4bdd3a8da2fd5c923e3521c21aa5a89955967583e9a3756cc1f913892

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i53562307.exe

MD5 01d082d4f8da86e0d73f9c31a5db7db2
SHA1 702cb6db6539f46416a99ccdc2e6cf14373cf59c
SHA256 207248d5470886f01f24ef4485948cb5b7a7e46302260845f22b142781d002e8
SHA512 27677cba1978510bb50ab5125dde3c372f471122bfb222297a025a4913255b054546b6d1c69a08eb1d080022ba93c783ff3007ae57554442841ecb6cfa3628b8

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i47964642.exe

MD5 570bf6b234976a49820fc98aa4463b22
SHA1 ad937493cf4ef098a946c41ce7db823d9d75994b
SHA256 db168f0c96afcfd1d5c55d1990711688c9d13877c1e816cdadde38eab388715e
SHA512 9d0381f8e8ba41db0976628465c6da2500ba8a357d5bcc21a579e7f4fd9ba66b4017206184cdcc55ba06ab479adbed8073bebd14fef4fe7fc0d1f6c10429e132

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a08058096.exe

MD5 ee80b3316cd5c83b97e0e8bb9c39ba53
SHA1 16f11a4f64ef79d2b1372733a1e87b37cc67d605
SHA256 f891ef3396e701000a6154ab62e73d8bcd0d98d4b4237375e44a33ba71f1798a
SHA512 8b1441586261d3b0b30172bd585a72bf55bbaa1fe142ee4ced239dac145d927a0438ff6e3268e5761c5400b9c97d292aca3728f71725656ba7ecf6eeef51b097

memory/3492-35-0x00000000048D0000-0x00000000048EA000-memory.dmp

memory/3492-36-0x0000000004970000-0x0000000004F14000-memory.dmp

memory/3492-37-0x0000000004900000-0x0000000004918000-memory.dmp

memory/3492-65-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-63-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-61-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-59-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-57-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-55-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-53-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-51-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-49-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-47-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-45-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-43-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-41-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-39-0x0000000004900000-0x0000000004913000-memory.dmp

memory/3492-38-0x0000000004900000-0x0000000004913000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b92097652.exe

MD5 9006af2a5fefcdbfe6e5df6b1513e9ca
SHA1 5b44a57ecf622a39cd474523e8ed049457b57cde
SHA256 ae970429e71e6ded80d3e3ecb49fab71da70ed1e1c7c1d311b71759c9094e854
SHA512 43751285cebc580f73bc735c8dc09c8bf150e16571cf14ea592a37dd865610e0083f43c1efa91151fdb432961e940370e8a8f5d93f5617501c08768eeca82cc8

memory/1436-70-0x0000000000E20000-0x0000000000E50000-memory.dmp

memory/1436-71-0x0000000002F90000-0x0000000002F96000-memory.dmp

memory/1436-72-0x0000000005D50000-0x0000000006368000-memory.dmp

memory/1436-73-0x0000000005870000-0x000000000597A000-memory.dmp

memory/1436-74-0x00000000057A0000-0x00000000057B2000-memory.dmp

memory/1436-75-0x0000000005800000-0x000000000583C000-memory.dmp

memory/1436-76-0x0000000005980000-0x00000000059CC000-memory.dmp