Malware Analysis Report

2025-08-11 06:41

Sample ID 241109-eapgesxakg
Target ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba
SHA256 ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba

Threat Level: Known bad

The file ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Redline family

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

RedLine payload

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:44

Reported

2024-11-09 03:47

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 hits recorded for this signature; the report gives no description, indicator, process or target for any of them)

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe
PID 3444 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe
PID 3444 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe
PID 1712 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe
PID 1712 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe
PID 1712 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe
PID 1636 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe
PID 1636 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe
PID 1636 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe
PID 3488 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe
PID 3488 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe
PID 3488 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe
PID 1684 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe
PID 1684 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe
PID 1684 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe
PID 1684 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe
PID 1684 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe

"C:\Users\Admin\AppData\Local\Temp\ba292dd501459fcb6ec1713a73f84779bca0ab51d6e553d3eefda3521be34aba.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
RU 193.233.20.24:4123 (no domain) tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.233.20.24:4123 (no domain) tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 193.233.20.24:4123 (no domain) tcp
RU 193.233.20.24:4123 (no domain) tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 (no domain) tcp
RU 193.233.20.24:4123 (no domain) tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plTD63tH43.exe

MD5 31e49c076c9f5f481049d21f5d7466a4
SHA1 f1c8c843f27c49dac45309e51c5da71ea80d0354
SHA256 4c59f0140a2a5bec54a47116ef8b46b009113e90e7cd837207eb82a73126dddd
SHA512 c29eba3c70c7c51a7b2c05e46eab0c63fb403c8471fda3705022b927522e8b1287b91bf69a4d14804b8af5fa1a620af543ad973dfdf8fe2d195993fc490894cb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWn52Tr46.exe

MD5 6f9db12e693f874756df86591469c811
SHA1 2ec5afc635c0f18d71ddecd7dbb6960ce7472f71
SHA256 9b019b3da9f6f051ff2c823ebdcc6df3744e31e381ae8a38d06a14d5cc283893
SHA512 2268d71baa74abc170851629bec6b484f9bc503a335dfd633c850350e06542ab5abb6750413ab1acd7c796c3681305e67b79af7e0090c81de67f6bfcc6882133

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plxK22xd12.exe

MD5 211d334d1a60cda7626157e350d84ff6
SHA1 ecd805b6bf786afb6d54af9ed6994b054cf06d0b
SHA256 04eec6e8f16c21184164a6656e34f509af70643572d4abaa53547c9627db35d2
SHA512 58f3f9342ed2474f64296ed22d71cae29fa62d8947c884e823b0ee7459218309ce7d6402db7675dddd6e3b3424ff1a69efc2eb06cf3748865b4b6b9af151d75c

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plxs42Pr03.exe

MD5 b9699518cc3eb473f1e40fa602fdd5f5
SHA1 82f0aa154492521a3369cfbea9f433474e87ec80
SHA256 9a44e92d9f91f46c440147b6ac59e8c7cd4d60a7d3bb2adb441eabe4dbe2e348
SHA512 45c6fbb9a4e333583783ad01fa88415998ea1ab443f1e7e158b384981f71dc0e8f759ebdde7f72330652daf9a31faf3b3b6b0343cef483cdd0462216c07e31b1

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buPP88aU61.exe

MD5 0230b8e0207c22f72ca5384d0dae0537
SHA1 c9d08bf47ef6e162c0cb7469a667af02ec6b2b75
SHA256 a8c034dd6336e263f91ed34e502adfeda4c77ad2d83a646d5ba0cbee1b8baa02
SHA512 f9ce412f9017b66e5b6f8c0c1f38dff9904941c4ab64b2461bd76fbf5101c7f350c5bfc314e943717493d1c552f28e51ccdf14766f671089e1e5332a701eb4fc

memory/1540-35-0x0000000000010000-0x000000000001A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caiT63dU80.exe

MD5 463f0342eb5474bc19102d174e782a52
SHA1 b688ca055a9e17bcddb4795120d198771d7e1142
SHA256 c2cc1ff0910959f41320a8155bd4b8cc28a156c5ab9529f83ea0f741af1c432e
SHA512 63b3fb356d0f5bc7be1574990dd7de7c68e845e15356e4934cba291d8019a7dbfaedab28e9795f2d33af98982e715738ddf16ff96bfb2cbca7d05814a1d79dc3

memory/4104-41-0x0000000004BF0000-0x0000000004C36000-memory.dmp

memory/4104-42-0x0000000004C60000-0x0000000005204000-memory.dmp

memory/4104-43-0x0000000005250000-0x0000000005294000-memory.dmp

memory/4104-55-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-107-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-106-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-103-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-101-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-99-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-97-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-95-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-93-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-91-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-89-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-87-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-85-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-81-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-79-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-77-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-75-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-73-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-71-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-69-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-67-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-65-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-63-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-61-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-59-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-57-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-53-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-51-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-49-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-47-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-45-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-44-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-83-0x0000000005250000-0x000000000528E000-memory.dmp

memory/4104-950-0x0000000005290000-0x00000000058A8000-memory.dmp

memory/4104-951-0x0000000005900000-0x0000000005A0A000-memory.dmp

memory/4104-952-0x0000000005A40000-0x0000000005A52000-memory.dmp

memory/4104-953-0x0000000005A60000-0x0000000005A9C000-memory.dmp

memory/4104-954-0x0000000005BB0000-0x0000000005BFC000-memory.dmp