Malware Analysis Report

2025-08-11 06:41

Sample ID: 241109-ed1nvsxblk
Target: b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74
SHA256: b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74
Tags: healer redline dumud discovery dropper evasion infostealer persistence trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74

Threat Level: Known bad

The file b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74 was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline dumud discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings
Detects Healer, an antivirus disabler dropper
Healer
RedLine payload
Redline family
Healer family
RedLine
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-11-09 03:50

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 03:50
Reported: 2024-11-09 03:52
Platform: win10v2004-20241007-en
Max time kernel: 142s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

Tags: dropper healer

Healer family

Tags: healer

Modifies Windows Defender Real-time Protection settings

Tags: evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A

RedLine

Tags: infostealer redline

RedLine payload


Redline family

Tags: redline

Windows security modification

Tags: evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8124334.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3276 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe
PID 3276 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe
PID 3276 wrote to memory of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe
PID 3436 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe
PID 3436 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe
PID 3436 wrote to memory of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe
PID 3436 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8124334.exe
PID 3436 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8124334.exe
PID 3436 wrote to memory of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8124334.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\b40b3df8d8883cb46040ac3e531aa55903083e6c6136382535f9e201a9676f74.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8124334.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8124334.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
CY | 217.196.96.101:4132 | | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp
CY | 217.196.96.101:4132 | | tcp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
CY | 217.196.96.101:4132 | | tcp
CY | 217.196.96.101:4132 | | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
CY | 217.196.96.101:4132 | | tcp
CY | 217.196.96.101:4132 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y1923866.exe

MD5 4a74a39cfdf39606cd0984b18cb44652
SHA1 0238c0db7583b29e6ccdde3d870798e18aa4f4fb
SHA256 4322cd2bc07075a0a6e36957b7e0b7710918467026800e18d67fffd57a73ceac
SHA512 43629b98855a818813009401578d9b3c555aba94431000c214aa67d5bb11d31afba4d99ae3c2d01b9d028ff238c91877dda30c8ec1aebec89a10cb075c20eded

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k1396705.exe

MD5 cc34fa42f3cba0f5695bec580f4f6abd
SHA1 8fe44dbe160365ff9bd40c3df1a78b1b2a1d2a9b
SHA256 ce485e012ef5d49b4e62eedb06d11c24c4bc1d64167a87c2de69a446a35ac66a
SHA512 836aa7bac321cf93063a3dac8e04cf423956aac0a7c188c30514154a3f5047fb52dd13a440aad20e395efbd9365d0bf028551dd90d6db7431b0fb5eb276e3e8d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l8124334.exe

MD5 b5ae0a5b1bbbc9ecd15d890ebd199d65
SHA1 5f6b57740d3b271b698cce6dd9a9376959dc543b
SHA256 b03465c946b69efbf9ca2a46f199a561d6fbbe5b833afb4102b3d679da84732b
SHA512 44735587cba67a8f464804c6a7dc677f43a7aca237dd2131a87e733e406526e2eb3e0aa48a18215af3719c0f45d83a91abe4aa2e3580dbc3ab4fb503cd0f71d3
