Malware Analysis Report

2025-08-11 06:41

Sample ID 241109-ecsa4axape
Target 2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed
SHA256 2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed

Threat Level: Known bad

The file 2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Redline family

Healer

RedLine

Detects Healer, an antivirus disabler dropper

Healer family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15): no technique mapping is included in this export.

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:48

Reported

2024-11-09 03:50

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
17 matches; the indicator, process and target columns are empty in this export.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A

All five writes come from 23398009.exe and set the Real-Time Protection policy values that turn off behaviour monitoring, IOAV scanning of downloads and attachments, on-access protection, real-time monitoring and the scan that normally runs when real-time protection is re-enabled. Note the WOW6432Node path: the process is 32-bit (WerFault was launched from SysWOW64 for it) and its writes landed in the 32-bit registry view, not in the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection key. Whether the 64-bit Defender service honours a policy value written to that view is not something to assume from this row, and Tamper Protection, where enabled, blocks changes to these settings; when triaging a host, read the native key and Defender's reported state rather than inferring from the sandbox row that protection was actually disabled.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
20 matches; the indicator, process and target columns are empty in this export.

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A

The sample had to create the Features key before writing TamperProtection = 0, which shows it was writing into the 32-bit (WOW6432Node) view rather than the native HKLM\SOFTWARE\Microsoft\Windows Defender\Features key that Defender itself maintains. Tamper Protection exists precisely to stop this value (and the Real-Time Protection settings above) from being changed by a local process, so on a host where it is on this write does not switch it off.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe N/A

Both values are the standard cleanup entries written by the Windows WExtract self-extractor (the IXP000.TMP and IXP001.TMP directories are its extraction folders). They call advpack.dll's DelNodeRunDLL32 to delete the temp directory at next logon and do not relaunch anything, so this signature is evidence that the sample and un821863.exe are nested WExtract/IExpress packages, not that the payload persists. Persistence for the payloads themselves is not shown anywhere in this report.
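A triage script for the registry rows in the three signatures above (the Defender Real-Time Protection policy writes, the Tamper Protection flag, and the RunOnce entries). This is an added example, not code from the sandbox vendor or from the report: it parses the rows exactly as printed on this page, separates the WExtract cleanup entries from genuine Defender tampering, records that every write landed in the WOW6432Node view, and derives the native HKLM key an analyst would read on a live host. The category names, the parsing regex and native_key() are this example's own.

```python
"""Classify the registry-write rows of a sandbox report.

Added example: the rows are copied from the report on this page; the parser,
category names and native_key() are this example's own, not a sandbox or
Defender API.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Rows exactly as printed in the report's "Description Indicator Process Target" tables.
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe N/A',
]

# Row shape: Set value (<type>) <key> = "<value>" <process> <target>. The value is
# matched greedily so the quotes embedded in the rundll32 command line stay inside it.
SET_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+?) = "(?P<value>.*)" (?P<proc>\S+) N/A$')

RTP_POLICY = '\\policies\\microsoft\\windows defender\\real-time protection\\'
TP_FEATURE = '\\microsoft\\windows defender\\features\\tamperprotection'
WEXTRACT_CLEANUP = re.compile(r'\\currentversion\\runonce\\wextract_cleanup\d+$')


@dataclass
class RegWrite:
    key: str
    value: str
    process: str
    category: str
    wow64_view: bool   # written under WOW6432Node, i.e. the 32-bit registry view


def classify(key, value):
    """Map one write to a triage category (category names are this example's own)."""
    k = key.lower()
    if RTP_POLICY in k and k.rsplit('\\', 1)[1].startswith('disable') and value == '1':
        return 'defender-rtp-disabled-by-policy'
    if k.endswith(TP_FEATURE) and value == '0':
        return 'defender-tamper-protection-flag-cleared'
    if WEXTRACT_CLEANUP.search(k) and 'advpack.dll,delnoderundll32' in value.lower():
        # WExtract/IExpress self-extractor cleanup: deletes its IXP00n.TMP folder at
        # next logon. Evidence of an SFX dropper, not persistence of the payload.
        return 'wextract-sfx-cleanup'
    return 'other'


def parse_row(row):
    m = SET_VALUE.match(row)
    if not m:
        return None
    return RegWrite(key=m['key'], value=m['value'], process=m['proc'],
                    category=classify(m['key'], m['value']),
                    wow64_view='\\wow6432node\\' in m['key'].lower())


def triage(rows):
    return [w for w in map(parse_row, rows) if w is not None]


def summarize(writes):
    return Counter(w.category for w in writes)


def disabled_settings(writes):
    """Real-Time Protection value names the sample set to 1."""
    return sorted(w.key.rsplit('\\', 1)[1] for w in writes
                  if w.category == 'defender-rtp-disabled-by-policy')


def native_key(key):
    """The key to inspect on a real host: drop the WOW6432Node view and use HKLM."""
    k = key.replace('\\WOW6432Node', '', 1)
    if k.upper().startswith('\\REGISTRY\\MACHINE\\'):
        k = 'HKLM' + k[len('\\REGISTRY\\MACHINE'):]
    return k


if __name__ == '__main__':
    writes = triage(REPORT_ROWS)
    for w in writes:
        view = '32-bit view' if w.wow64_view else 'native view'
        print('%-40s %-12s %s' % (w.category, view, w.process.rsplit('\\', 1)[1]))
    print(dict(summarize(writes)))
    print('check on host:', native_key(writes[3].key))
```

On a live host the effective state is better read from Defender itself (Get-MpComputerStatus reports RealTimeProtectionEnabled and IsTamperProtected) than from the registry alone, since a policy value written to the 32-bit view may not be the one the 64-bit service consults; the native_key() output is the key to compare against if you do read the registry.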

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk568967.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk568967.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4940 wrote to memory of 4892 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe
PID 4892 wrote to memory of 4496 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe
PID 4892 wrote to memory of 724 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk568967.exe

Each edge is three writes by a parent into a process it has just spawned, which gives the chain 4940 -> 4892 -> {4496, 724}; these rows are the only place the report records PIDs.
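The spawn chain implied by the rows above, rebuilt by a short script. This is an added example and not part of the sandbox report: it parses the rows as printed on this page, treats each "PID A wrote to memory of B" edge as parent-to-child (an interpretation; three writes per edge are consistent with a parent setting up a child it has just created) and takes the crashed PID from WerFault's -p argument. The function names are this example's own.

```python
"""Rebuild a detonation's process tree from WriteProcessMemory and WerFault rows.

Added example, not part of the report. Input rows are copied from this page.
"""
import re

# Constructed input: the three distinct edges from the report (each appeared
# three times) and the two WerFault command lines from the process list.
WPM_ROWS = [
    r'PID 4940 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe',
    r'PID 4940 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe',
    r'PID 4892 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe',
    r'PID 4892 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk568967.exe',
]
WERFAULT_CMDLINES = [
    r'C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4496 -ip 4496',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1084',
]

EDGE = re.compile(
    r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A (?P<pimg>\S+) (?P<cimg>\S+)$')
# WerFault is handed the faulting process as "-p <pid>" on both of its invocations.
WERFAULT_PID = re.compile(r'WerFault\.exe .*?-p (?P<pid>\d+)')


def build_tree(wpm_rows, werfault_cmdlines):
    """Return image paths, child lists (first-seen order), crashed PIDs and roots."""
    image = {}        # pid -> image path
    children = {}     # ppid -> [pid, ...]
    for row in wpm_rows:
        m = EDGE.match(row)
        if not m:
            continue
        ppid, pid = int(m['ppid']), int(m['pid'])
        image.setdefault(ppid, m['pimg'])
        image.setdefault(pid, m['cimg'])
        kids = children.setdefault(ppid, [])
        if pid not in kids:          # collapse the repeated writes per edge
            kids.append(pid)
    crashed = set()
    for cmd in werfault_cmdlines:
        m = WERFAULT_PID.search(cmd)
        if m:
            crashed.add(int(m['pid']))
    all_children = {c for ks in children.values() for c in ks}
    roots = [p for p in image if p not in all_children]
    return {'image': image, 'children': children, 'crashed': crashed, 'roots': roots}


def render(tree):
    """Indented one-line-per-process view, crashed processes flagged."""
    lines = []

    def walk(pid, depth):
        name = tree['image'][pid].rsplit('\\', 1)[-1]
        flag = '  [crashed; WerFault -p %d]' % pid if pid in tree['crashed'] else ''
        lines.append('%s%d  %s%s' % ('  ' * depth, pid, name, flag))
        for kid in tree['children'].get(pid, []):
            walk(kid, depth + 1)

    for root in tree['roots']:
        walk(root, 0)
    return lines


if __name__ == '__main__':
    print('\n'.join(render(build_tree(WPM_ROWS, WERFAULT_CMDLINES))))
```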

Processes

Process tree, with PIDs taken from the WriteProcessMemory and WerFault rows above (the export lists the processes flat and without PIDs):

PID 4940  C:\Users\Admin\AppData\Local\Temp\2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed.exe
          "C:\Users\Admin\AppData\Local\Temp\2b9a1786ce2aa0025a6f6253969b95ee106fe966e8e73d8d9b121eb3f19134ed.exe"
          WExtract self-extractor: unpacks into IXP000.TMP and registers RunOnce\wextract_cleanup0

  PID 4892  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe
            Second WExtract layer: unpacks into IXP001.TMP, registers RunOnce\wextract_cleanup1 and launches both payloads below

    PID 4496  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe
              C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe
              Writes the Defender Real-Time Protection and TamperProtection values (the antivirus-disabler behaviour the Healer signature names), requests SeDebugPrivilege, enumerates processes, then crashes; WerFault runs from SysWOW64, so the process is 32-bit:
              C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4496 -ip 4496
              C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 1084

    PID 724   C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk568967.exe
              C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk568967.exe
              Second payload: requests SeDebugPrivilege and reads the NLS\Language key

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 (no domain) tcp, 7 connections

All UDP traffic consists of reverse (PTR) lookups sent to 8.8.8.8. The only other egress is seven TCP connections straight to 185.161.248.143:38452 with no preceding name resolution; that address and port are the network indicator to block and hunt for. The export does not record which process opened the connections or any payload exchanged.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un821863.exe

MD5 e53087f3d3173e993408f41e765cada5
SHA1 bd35ac314511e6c02d3c307d8c8e4f6e487a4e00
SHA256 fc7ba7f42ddc061843321903be9f2b1d236dae765d941e656c0797aed1773115
SHA512 37572902956656f603417630a44e0a44c24b26f5f976affaddeb4ec0f0cb37ce5a61e9bb5957e59919d48cef84cd11a1842590d9c0328136e664bf25e0a41f76

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\23398009.exe

MD5 39988ff3c071e37d7419faf4c34848bc
SHA1 09752dbd0211d7104ee25c05716edf2f806b54fa
SHA256 29544694a529565603d30b356d8f9ebe2af86af4618c8587dbf62ac1bbb1b3f5
SHA512 a06944c42963e9fa503de758003877e0798f316ec06d792b3f8c657a58db3958498d278b61a6af753dfc39d0291c24d13b4304d5942d6d5cc1f549f3e4292374

Memory dumps of PID 4496 (23398009.exe). The number after the PID is the dump index; where one region was dumped repeatedly the indices are listed together, since they are successive snapshots of the same range.

memory/4496-15  0x0000000002BB0000-0x0000000002CB0000
memory/4496-16  0x0000000002D80000-0x0000000002DAD000
memory/4496-17  0x0000000000400000-0x0000000000430000  (default 32-bit image base)
memory/4496-18  0x00000000071E0000-0x00000000071FA000
memory/4496-19  0x0000000007320000-0x00000000078C4000
memory/4496-20  0x0000000007260000-0x0000000007278000
memory/4496-21, -22, -24, -26, -28, -30, -32, -34, -36, -38, -40, -42, -44, -46, -48  0x0000000007260000-0x0000000007273000  (15 snapshots)
memory/4496-49  0x0000000002BB0000-0x0000000002CB0000
memory/4496-50, -54  0x0000000000400000-0x0000000002B9B000
memory/4496-51  0x0000000002D80000-0x0000000002DAD000
memory/4496-52, -55  0x0000000000400000-0x0000000000430000

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk568967.exe

MD5 d01b46e19ec58470019d25a8b1f3b11e
SHA1 eb2bef160efb70ab67051ace4ab1ce33e4f73da3
SHA256 aeac6da62a63dc09918fd3063c17b2ebd0be4903d26e9a5a2ff22730d7b00982
SHA512 b794fdcc8d7424ec72a87a61b4c05a7fe73f8d37fd733789bc47e831a880942fc23848419a2457c2d8c93d5cf254541c9f4e37209d6a29c885b2516545a087d5

Memory dumps of PID 724 (rk568967.exe):

memory/724-60  0x0000000007000000-0x000000000703C000
memory/724-61  0x0000000007760000-0x000000000779A000
memory/724-62, -63, -65, -67, -69, -71, -73, -75, -77, -79, -81, -83, -85, -87, -89, -91, -93, -95  0x0000000007760000-0x0000000007795000  (18 snapshots)
memory/724-854  0x0000000009C70000-0x000000000A288000
memory/724-855  0x000000000A330000-0x000000000A342000
memory/724-856  0x000000000A350000-0x000000000A45A000
memory/724-857  0x000000000A470000-0x000000000A4AC000
memory/724-858  0x0000000004930000-0x000000000497C000