Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-eg774szlcp
Target f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808
SHA256 f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808
Tags
healer redline mango discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808

Threat Level: Known bad

The file f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808 was found to be: Known bad.

Malicious Activity Summary

healer redline mango discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Healer

RedLine

Healer family

Redline family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:55

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:55

Reported

2024-11-09 03:58

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfyhF50.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfyhF50.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1040 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe
PID 1040 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe
PID 1040 wrote to memory of 3488 N/A C:\Users\Admin\AppData\Local\Temp\f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe
PID 3488 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe
PID 3488 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe
PID 3488 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe
PID 2196 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe
PID 2196 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe
PID 2196 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe
PID 2196 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe
PID 2196 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe
PID 3488 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfyhF50.exe
PID 3488 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfyhF50.exe
PID 3488 wrote to memory of 4996 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfyhF50.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808.exe

"C:\Users\Admin\AppData\Local\Temp\f673917c49f535a1f82005578e1b86625dd7c8f25bafb25a215273a819aa0808.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3472 -ip 3472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfyhF50.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfyhF50.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.28:4125 N/A tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 193.233.20.28:4125 N/A tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
RU 193.233.20.28:4125 N/A tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 193.233.20.28:4125 N/A tcp
RU 193.233.20.28:4125 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice8934.exe

MD5 40a0659a17c846c594cb2d6ff2dd3b0b
SHA1 fe8da12c77ec3843e6ed1809398b8f5656ed7c4f
SHA256 a780b18bd1f028a9dcd04935a23c57e7796ac67d74c2251dd841398c7ee55079
SHA512 cbf5ef88b93b15e49783464f5c4978ba823d7f6ceee54a85fd85c82bbe4d3e5e1d8c29221da2b712241b56273efe4605a6264571e04c73dde283b062d2dadd6e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice9370.exe

MD5 46207b97bda9d3a63e7a35f0480e9f1d
SHA1 f9161bafd862629f9e8bc0c8595c180b59861604
SHA256 435b7978c465a46fe0c74d3d9a0983edff21c8d8029fbb192fd557eeb15afefa
SHA512 7833ff1c9fe0c90b8096cfc34cf283d8f1a9dd8b7f8e9393bf0f4b0e6e2a09f8b62d0506b7fe9bef169cd918e042dff1797ed36bbe253a5ee4b31688dd74f4c6

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b1243kD.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3500-21-0x00007FFCC1783000-0x00007FFCC1785000-memory.dmp

memory/3500-22-0x0000000000F40000-0x0000000000F4A000-memory.dmp

memory/3500-23-0x00007FFCC1783000-0x00007FFCC1785000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c86MJ24.exe

MD5 e15cc7dabcfc261ed2b6ca61be94ed8f
SHA1 782f8f4519b04650d49aaf7c19ed86d5717bf2b3
SHA256 84a50ad8ce817ad9dccd527acf11946a99e5c2e43ce72c7935d9a175f10c7dad
SHA512 b859ce375906f728a86a82184537ef2be7143aca97882ff5c545d57ba38eb6403ca6540f9117d78b88a41021830a79690c7211bd81d6c6328a46df64289e6d88

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dfyhF50.exe

MD5 cb6fa58618b4cc98523919fbdb8a242f
SHA1 aa9b46fc2a54945a0fb5ffa1b8c3ceadca456967
SHA256 04afa8a84ab3ec5e421c95daab3061612de6f2554f52208acb4dd888f79a25f0
SHA512 95bad4ce13d2efdf6f8b46bbeb3164c522fef693b527c3bbbd6a57840eff43172868b1cc66bdab9641c30526678569276acd121fb04420cba4f9cf0fd0ea7f92