Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-egqcasxbpr
Target a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff
SHA256 a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff

Threat Level: Known bad

The file a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine payload

Redline family

Healer

RedLine

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:54

Reported

2024-11-09 03:57

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559120.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559120.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3396 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe
PID 3396 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe
PID 3396 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe
PID 5112 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe
PID 5112 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe
PID 5112 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe
PID 5112 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559120.exe
PID 5112 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559120.exe
PID 5112 wrote to memory of 2968 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559120.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe
    "C:\Users\Admin\AppData\Local\Temp\a625698ba0ea32bb52436cadb7c912c96f12facc903c8534cdd1a2b6d4cf64ff.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3084 -ip 3084

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 1028

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559120.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559120.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | N/A | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 185.161.248.143:38452 | N/A | tcp
RU | 185.161.248.143:38452 | N/A | tcp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
RU | 185.161.248.143:38452 | N/A | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | N/A | tcp
RU | 185.161.248.143:38452 | N/A | tcp
RU | 185.161.248.143:38452 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un004922.exe

MD5 2dd5238b3b2449e87cf074a2b5fbd5d7
SHA1 1d3f24351b31e77932acf34dee461dac3244ba7a
SHA256 9cd3358e160620f06b88608460c02df349293052a0435640b93bf2fdfaba0145
SHA512 06098c44e16495e4a511a5f6bbd7ebdab0fb6564dd9d1758c1e57e1f4d1f8502e0fb456b00cb8ff3bc3471bb174d0d21bb6e9829c6a2355dea7fd24bb07783e0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\94147134.exe

MD5 8c4c12c61a341ea625718f90fd510a64
SHA1 d510720279e956ee661f5b16204476e0b5e87ea3
SHA256 2d2a27ae447755247db4f4599c8934c2788aabbc320e83fde35fa74dae39b181
SHA512 27e66e932edc86fca7b98d2f6c4a2400b28016bd6bf7093520e5b71a4f76e4bed02b2560668afed7216c964f5774deb3a956656a179662b5a9cbbd4d1df508d3

memory/3084-15-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/3084-16-0x00000000004A0000-0x00000000004CD000-memory.dmp
memory/3084-17-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3084-18-0x0000000000400000-0x0000000000455000-memory.dmp
memory/3084-19-0x0000000002220000-0x000000000223A000-memory.dmp
memory/3084-20-0x0000000004AA0000-0x0000000005044000-memory.dmp
memory/3084-21-0x0000000002280000-0x0000000002298000-memory.dmp
memory/3084-49-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-47-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-45-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-43-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-41-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-39-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-37-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-35-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-33-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-31-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-29-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-27-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-25-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-23-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-22-0x0000000002280000-0x0000000002293000-memory.dmp
memory/3084-50-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/3084-51-0x00000000004A0000-0x00000000004CD000-memory.dmp
memory/3084-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3084-55-0x0000000000400000-0x0000000000455000-memory.dmp
memory/3084-56-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk559120.exe

MD5 868d17b6bcdd2cdd7689c7a0076a687d
SHA1 1e48359969b9bccd4663df7f86c916c2f8156583
SHA256 972d23bb18f7b3940e98b14352758c64f348391a632c53028774b1ce80cfd99d
SHA512 ec51ce73ff86282f5a2504867d469c0efde03b5abf9a42d52edd8066d97151c5e520f151f18bda3b7296d3dc282789b1eca9a81d6cac65e7f56a1fa24b9958e8

memory/2968-61-0x00000000023F0000-0x000000000242C000-memory.dmp
memory/2968-62-0x0000000002710000-0x000000000274A000-memory.dmp
memory/2968-70-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-78-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-96-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-94-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-92-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-90-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-88-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-86-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-82-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-80-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-76-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-74-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-72-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-84-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-68-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-66-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-64-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-63-0x0000000002710000-0x0000000002745000-memory.dmp
memory/2968-855-0x00000000076D0000-0x0000000007CE8000-memory.dmp
memory/2968-856-0x0000000002830000-0x0000000002842000-memory.dmp
memory/2968-857-0x0000000007CF0000-0x0000000007DFA000-memory.dmp
memory/2968-858-0x0000000002880000-0x00000000028BC000-memory.dmp
memory/2968-859-0x0000000002100000-0x000000000214C000-memory.dmp