Malware Analysis Report

2025-08-11 06:41

Sample ID 241109-echrnaxark
Target 28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4
SHA256 28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4

Threat Level: Known bad

The file 28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

Redline family

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:47

Reported

2024-11-09 03:50

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (2 identical rows)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (35 identical rows)

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe N/A (2 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe

"C:\Users\Admin\AppData\Local\Temp\28dfe706f9d3b327dd253451ef888e96ceeb3c2f608dfba2e0e6b519625889e4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPK9492.exe

MD5 2145719c8df48ee93ffcc94961129132
SHA1 3d8a1a345c5a8633586f949a815a0e312b78f61c
SHA256 96a8b64a822baea461eaf71aaf5cdb61465760c16bab2c9edf7b1ce76406b293
SHA512 725fe1ad6da10db61394df73754a279c0e9c0dcf67f89e0db93c208170d268cbc7e8be8d6c28a1a52e3e8a5b27ca7c934109224273bfe9d60d7f9901d375a050

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr994622.exe

MD5 7ff24f9bb4b0dcc5bc325a3b9215b692
SHA1 a2a74df8e9d1cd66156fe82f07c9c31a83e235cb
SHA256 1466a0eac7850d5bbef7831b1a3628e7859089e6647abc9e9f96ab0de837c7d7
SHA512 0b8af222520eb70d7ef37384b6489c33a438fcc0325d3b9e5cd313b6a734f665ffdc405690d31ec221dc3583562befa29e214053b732352af5eddd4733be2734

memory/5032-15-0x0000000000560000-0x000000000056A000-memory.dmp

memory/5032-14-0x00007FFA1FE33000-0x00007FFA1FE35000-memory.dmp

memory/5032-16-0x00007FFA1FE33000-0x00007FFA1FE35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku195452.exe

MD5 6d4736f10db18f610f659f8c799c9392
SHA1 b433de01816df02380bc34bc2fe8a0c84859b79d
SHA256 6673ac912bc7ca0660715ef4f2935b7fbb8e9d5c1a8ff291f7cf295074034ed7
SHA512 95d066b502b8654d2953e8075c116e703cb0f6ef7836f9a98b2b5e79139c15285ce3fde444fb0aeb65cc3680b09667f0dd022c4f747e5d65924e76df49787e41
