Malware Analysis Report

2025-08-11 06:40

Sample ID 241109-eaqz9axakh
Target 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a
SHA256 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a

Threat Level: Known bad

The file 8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

RedLine payload

Redline family

Healer family

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:44

Signatures

Unsigned PE

Description Indicator Process Target
(1 hit, all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:44

Reported

2024-11-09 03:47

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(2 hits, all fields N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 hits, all fields N/A)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe

"C:\Users\Admin\AppData\Local\Temp\8336022fdb5b5264d315804f35bd2eccc4968a43e535fdfcebec8c49edbc679a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziGu9219.exe

MD5 3e91b0adc4ce2421d09efd4231a2b9e1
SHA1 45688cee5dd411d460670ca1a1d5e68c8702b634
SHA256 54d4789f22d957f4583cf3c1c6f333827268a90873f9ff51ab1f046521871d93
SHA512 e2972d7ba7967e2ca8dee3e2a265fc36376674e0e80ec3b21efc2c038b3ade1e84b8d08ae27d6e3cb1eb8a25cb20848c4f1a6e70ad214a62b62b372b1d1e3a58

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr350483.exe

MD5 78c3c8212cb8c23b1adfa1c970a5ea61
SHA1 70cb7000ca8a18ed2da17a59ead6f905fc13eaee
SHA256 04cdace3f1f541f266f553f581943d847b765821a933c7695a6830ea3ae37a48
SHA512 87474d9f045b6c32e2555c95d45f6c8628ce953fc9fc8c4dfbe538b8b48d12164bc5cea0d8df6eaa32b2e52a356c13f712b7ea7eaeb385a077ea7536f8b58e9a

memory/468-14-0x00007FFA812E3000-0x00007FFA812E5000-memory.dmp

memory/468-15-0x0000000000280000-0x000000000028A000-memory.dmp

memory/468-16-0x00007FFA812E3000-0x00007FFA812E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku895889.exe

MD5 99fe8a12de549bc4afa5ddfe635fae38
SHA1 6f339d74d8913b23384b9236463b8978f4af1bb6
SHA256 5f627e3af21dcadff429f64fb608429c0564935d2ae2360b9c1b56bdfcb0c8bd
SHA512 af4f9d865fb67aef5506d3ded3018dfa3f844a6ec3db7d5c3353c782cba09511521a4c247512420234ec1ba7eb5acf542360d44841d8edbbb648b278d98d2226
