Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-egmamswnby
Target 3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5
SHA256 3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5

Threat Level: Known bad

The file 3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

Detects Healer, an antivirus-disabler dropper

Healer

RedLine payload

Healer family

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:54

Reported

2024-11-09 03:57

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
(17 matches recorded without description, indicator, process or target)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(21 matches recorded without description, indicator, process or target)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe N/A

Both values are the RunOnce cleanup entries that the Windows IExpress/wextract self-extractor writes for itself: rundll32.exe advpack.dll,DelNodeRunDLL32 deletes the extraction directory (IXP000.TMP, IXP001.TMP) at the next logon. They remove the dropped files rather than relaunch them, so this signature does not show the payload persisting. What it does show is that the sample is a two-layer self-extracting package: the outer package drops st051241.exe, which is itself a package that drops 88805179.exe and kp694173.exe.
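The registry tables above (Defender Real-Time Protection policy values, the TamperProtection feature flag, the RunOnce entries) and the NLS\Language key opens below are the kind of events a detection rule has to tell apart. The following is an added example, not part of this report or of any sandbox's tooling: it takes the event lines exactly as printed in the tables, parses them and tags each one; the tag names, the rule set and the stripping of the WOW6432Node segment are assumptions of the example. Two caveats are encoded in it. The wextract_cleanupN RunOnce values are the self-extractor deleting its own temp directory, so they are tagged as installer cleanup rather than autorun persistence. Writing TamperProtection = "0" together with the Disable* policy values is an attempt to switch Defender off; a host with Tamper Protection enabled ignores both, so these events show intent, not that protection was actually disabled.

```python
"""Classify the registry events recorded in this report's signature tables.

Added example; this classifier is not part of the sandbox report or of any
vendor tooling. REPORT_LINES is copied verbatim from the tables in the
report; the parsing, the rule set and the tag names are illustrative.
"""
import re
from collections import Counter

REPORT_LINES = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe N/A
'''

# One table row: operation, key path, optional quoted data, process image, target.
LINE_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key opened) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>.*)")? '
    r'(?P<proc>[A-Za-z]:\\\S+) N/A$'
)

# Real-Time Protection policy values that switch a Defender component off when set to 1.
RTP_DISABLE_VALUES = {
    "disablerealtimemonitoring", "disablebehaviormonitoring",
    "disableonaccessprotection", "disableioavprotection", "disablescanonrealtimeenable",
}
# wextract's own cleanup command (advpack.dll DelNodeRunDLL32 deletes the extraction dir).
WEXTRACT_CLEANUP_PREFIX = r"rundll32.exe c:\\windows\\system32\\advpack.dll,delnoderundll32"


def parse(text):
    """Turn the printed rows into dicts with op, key, data, proc (image name only)."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        ev = m.groupdict()
        # The sandbox logs the 32-bit registry view; drop the WOW6432Node
        # segment so the same rules also match the 64-bit path (assumption).
        ev["key"] = ev["key"].replace(r"\WOW6432Node", "")
        ev["proc"] = ev["proc"].rsplit("\\", 1)[-1]
        events.append(ev)
    return events


def classify(ev):
    """Map one event to a tag; order matters (cleanup is tested before generic autorun)."""
    key, data, op = ev["key"].lower(), ev["data"], ev["op"]
    if key.endswith(r"\microsoft\windows defender\features\tamperprotection") and data == "0":
        return "defender_tamper_protection_off"
    parent, _, name = key.rpartition("\\")
    if (parent.endswith(r"\policies\microsoft\windows defender\real-time protection")
            and name in RTP_DISABLE_VALUES and data == "1"):
        return "defender_rtp_disabled"
    if (r"\currentversion\runonce\wextract_cleanup" in key and data
            and data.lower().startswith(WEXTRACT_CLEANUP_PREFIX)):
        return "wextract_cleanup"  # installer deleting its temp dir, not payload persistence
    if re.search(r"\\currentversion\\run(once)?\\", key) and op.startswith("Set value"):
        return "autorun_persistence"
    if key.endswith(r"\nls\language") and op == "Key opened":
        return "locale_discovery"
    return "other"


def summarize(text=REPORT_LINES):
    """Per-tag counts and, per process image, the set of tags it triggered."""
    events = parse(text)
    counts = Counter(classify(ev) for ev in events)
    by_proc = {}
    for ev in events:
        by_proc.setdefault(ev["proc"], set()).add(classify(ev))
    return counts, by_proc


if __name__ == "__main__":
    counts, by_proc = summarize()
    print(dict(counts))
    for proc, tags in by_proc.items():
        print(f"{proc}: {sorted(tags)}")
```

summarize() returns the per-tag counts and the per-process tag sets. For this report only 88805179.exe carries the two Defender tags, the two RunOnce writes come from the two wextract layers (the sample itself and st051241.exe), and nothing is tagged as autorun persistence.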

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe
PID 2788 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe
PID 2788 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe
PID 1556 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe
PID 1556 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe
PID 1556 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe
PID 1556 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe
PID 1556 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe
PID 1556 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe

Processes

Image: C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe"

Image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe

Image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe
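The nine WriteProcessMemory events above come in three identical triples, each from a parent into a process it spawned, and they are the only place this report records PIDs. The following added example (not part of the report or of any vendor tool) parses those rows as printed, rebuilds the process list above as a tree with PIDs attached, and separates parent-into-child writes from writes into an unrelated process, which is the pattern that would point at injection. The rule that the first process to write into a PID is its creator is an assumption of the example.

```python
"""Rebuild the process tree from the WriteProcessMemory events in this report.

Added example, not part of the sandbox report or of any vendor tool.
EVENT_LINES is copied from the "Suspicious use of WriteProcessMemory"
table; the parsing and the creation-vs-injection rule are assumptions.
"""
import re
from collections import Counter, defaultdict

EVENT_LINES = r'''
PID 2788 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe
PID 2788 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe
PID 2788 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\3ae4fd1a08e9692aa192fe223abd2549f1e500fef3c33af9882c59e82cb68da5.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe
PID 1556 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe
PID 1556 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe
PID 1556 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe
PID 1556 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe
PID 1556 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe
PID 1556 wrote to memory of 5024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe
'''

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_writes(text):
    """Return [(src_pid, dst_pid, src_image, dst_image), ...] in report order."""
    writes = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        writes.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return writes


def build_tree(writes):
    """parent_of[pid], image_of[pid] and write counts per (src, dst) pair.

    Assumption: the first process that writes into a PID is its creator
    (CreateProcess writes the new process's parameters into it before it
    starts running), so that first writer is recorded as the parent.
    """
    parent_of, image_of, counts = {}, {}, Counter()
    for src, dst, src_img, dst_img in writes:
        image_of.setdefault(src, src_img)
        image_of.setdefault(dst, dst_img)
        counts[(src, dst)] += 1
        parent_of.setdefault(dst, src)
    return parent_of, image_of, counts


def roots(parent_of):
    """PIDs that wrote into others but were never written into themselves."""
    return sorted(set(parent_of.values()) - set(parent_of))


def cross_process_writes(parent_of, counts):
    """(src, dst, n) for writes into a PID by something other than its parent.

    A parent writing into the child it just spawned is what process creation
    looks like; a write into an unrelated process is the injection pattern.
    """
    return sorted((s, d, n) for (s, d), n in counts.items() if parent_of.get(d) != s)


def render(parent_of, image_of, counts):
    """Indented tree, one process per line, with the write count from its parent."""
    children = defaultdict(list)
    for child, par in parent_of.items():
        children[par].append(child)
    out = []

    def walk(pid, depth):
        name = image_of[pid].rsplit("\\", 1)[-1]
        n = counts.get((parent_of.get(pid), pid), 0)
        note = f"  ({n} writes from parent)" if n else ""
        out.append("  " * depth + f"{pid} {name}{note}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)

    for r in roots(parent_of):
        walk(r, 0)
    return "\n".join(out)


if __name__ == "__main__":
    p, i, c = build_tree(parse_writes(EVENT_LINES))
    print(render(p, i, c))
    print("cross-process writes:", cross_process_writes(p, c))
```

For this report the tree is 2788 (the sample) spawning 1556 (st051241.exe), which spawns 4120 (88805179.exe) and 5024 (kp694173.exe); every write goes from a parent into its own child, so cross_process_writes() is empty and the signature here reflects process creation rather than injection into a foreign process.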

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 185.161.248.72:38452 - tcp (7 connections over the run)
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 - udp

The udp rows are DNS queries to 8.8.8.8, all of them reverse (PTR) lookups of in-addr.arpa names rather than resolutions of a hostname. The only non-DNS traffic is the repeated TCP connection to 185.161.248.72 on port 38452; the report does not attribute it to a process.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st051241.exe

MD5 4e00448f514bc360d2b3ba0d32ba3a9c
SHA1 1898f427a14b4aa1bdecb82cc2e6b681123ad2b8
SHA256 6777a827a4fca11d9d9c894c8ba94ae7e4a548e7d4511ad3835f3cdbff60f5f5
SHA512 40389bc5330f05a26fc167ee754a5ae51ce7aa679ab95648547db906161c16f62cfff248bac6b814edfaf0e66194d03af7dc4d36f66f2f1830cac747e72a604b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\88805179.exe

MD5 a165b5f6b0a4bdf808b71de57bf9347d
SHA1 39a7b301e819e386c162a47e046fa384bb5ab437
SHA256 68349ed349ed7bbb9a279ac34ea4984206a1a1b3b73587fd1b109d55391af09a
SHA512 3dd6ca63a2aecb2a0599f0b918329e75b92eb5259d6986bd8d41cb8ebcf7b965bbd12786929d61743ae8613c2e180078f2eed2835ccb54378cd343c4a048c1a1

memory/4120-14-0x0000000074AEE000-0x0000000074AEF000-memory.dmp
memory/4120-15-0x0000000002260000-0x000000000227A000-memory.dmp
memory/4120-16-0x0000000074AE0000-0x0000000075290000-memory.dmp
memory/4120-17-0x0000000004980000-0x0000000004F24000-memory.dmp
memory/4120-18-0x0000000004F40000-0x0000000004F58000-memory.dmp
memory/4120-19-0x0000000074AE0000-0x0000000075290000-memory.dmp
memory/4120-{20,21,23,25,27,29,31,33,35,37,39,41,43,45,47}-0x0000000004F40000-0x0000000004F53000-memory.dmp (15 dumps of the same region)
memory/4120-48-0x0000000074AEE000-0x0000000074AEF000-memory.dmp
memory/4120-49-0x0000000074AE0000-0x0000000075290000-memory.dmp
memory/4120-51-0x0000000074AE0000-0x0000000075290000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp694173.exe

MD5 284f780c9cd27de884b5813a0c4bca48
SHA1 c98967626737555b220edeb8e70f459c3e7cee3e
SHA256 8e7894415b1c4890a3d9ea1ae90bcf90c60c174a3f91dee7bafe271691a87bce
SHA512 3641c8e5e5a000f9b0200a7b20dfe6c5edc3a0cb21a5f4514621c864e27fb4654420dd01685dfb6442acb59b622a015bab31bfcf0835d4a762eef5112efae6d3

memory/5024-56-0x00000000023F0000-0x000000000242C000-memory.dmp
memory/5024-57-0x0000000004AB0000-0x0000000004AEA000-memory.dmp
memory/5024-{58,59,61,63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,94}-0x0000000004AB0000-0x0000000004AE5000-memory.dmp (19 dumps of the same region)
memory/5024-850-0x0000000007570000-0x0000000007B88000-memory.dmp
memory/5024-851-0x0000000007C00000-0x0000000007C12000-memory.dmp
memory/5024-852-0x0000000007C20000-0x0000000007D2A000-memory.dmp
memory/5024-853-0x0000000007D40000-0x0000000007D7C000-memory.dmp
memory/5024-854-0x0000000002450000-0x000000000249C000-memory.dmp