Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-egrv5azlbp
Target b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717
SHA256 b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717
Tags
healer redline dark discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717

Threat Level: Known bad

The file b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717 was found to be: Known bad.

Malicious Activity Summary

healer redline dark discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

Healer family

Redline family

Detects Healer an antivirus disabler dropper

RedLine payload

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:55

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:55

Reported

2024-11-09 03:57

Platform

win10v2004-20241007-en

Max time kernel

138s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Temp\1.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Temp\1.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Temp\1.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09473267.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Windows\Temp\1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr786829.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09473267.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp894297.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\1.exe N/A
N/A N/A C:\Windows\Temp\1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09473267.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp894297.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 464 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe
PID 464 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe
PID 464 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe
PID 4708 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09473267.exe
PID 4708 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09473267.exe
PID 4708 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09473267.exe
PID 1452 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09473267.exe C:\Windows\Temp\1.exe
PID 1452 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09473267.exe C:\Windows\Temp\1.exe
PID 4708 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp894297.exe
PID 4708 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp894297.exe
PID 4708 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp894297.exe
PID 464 wrote to memory of 5440 N/A C:\Users\Admin\AppData\Local\Temp\b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr786829.exe
PID 464 wrote to memory of 5440 N/A C:\Users\Admin\AppData\Local\Temp\b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr786829.exe
PID 464 wrote to memory of 5440 N/A C:\Users\Admin\AppData\Local\Temp\b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr786829.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717.exe

"C:\Users\Admin\AppData\Local\Temp\b95b3029b3b5329ea88b3f988e2e7b4110dc33f7ddd385b3dcfcac174aecb717.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09473267.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09473267.exe

C:\Windows\Temp\1.exe

"C:\Windows\Temp\1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp894297.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp894297.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4084 -ip 4084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1212

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr786829.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr786829.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.73:4164 - tcp
RU 185.161.248.73:4164 - tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st132727.exe

MD5 7d0fbb7464012fb9f1b35fd4ca0fa6fb
SHA1 1ca2598f2011cc6e7c413b8157aa0efc4c6cb005
SHA256 cfef514dca8397e6f67246d5c7cdfacb879cf2dbb049b755fd63638c2fd19338
SHA512 7a32a2839c4f73d02cbc0e0a2a5eea68b087eafe79caf9897e0b6748ebc31b2fd8581199b534d64408d989543a10d12a55876f41aa9e7e6dfaaaa3dac71c9379

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\09473267.exe

MD5 008f55d23ab154c4e7994633d840e3d0
SHA1 c8d8766ccec8006a83caecc28f6d0418b0ebbc05
SHA256 31acae5cfa528b51af429932665fe60aab4d603251ba9fde78710be677ee1725
SHA512 465667af80633ef3635ed8ef99d23c130fc1547c5fcfab2d7e99d3135b2c0f3813b60c9df8b59efad4a73f502c6afadd5a537ef2b4f8cd5eaf35c4098e385d3a

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/516-2162-0x0000000000F10000-0x0000000000F1A000-memory.dmp

memory/1452-2163-0x00000000745C0000-0x0000000074D70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp894297.exe

MD5 82a3f63f3320bb153465db2797442577
SHA1 3f180955557122521085268ccb387a61b2801266
SHA256 208a9e14e057f61c95f8f812d3998a890ada90b66403f267b3f9f9f4b917faed
SHA512 8daba50cfa9cdfec7d17a9cc3874c3d8839c9ee7896d984462999ed219df9aea9154a54438024f9aadc16715e35c530aa5eeb92bd3218a183ca20dfb3d40ec11

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr786829.exe

MD5 16cf18c8ef1d4be89b36e27c8fb88e9d
SHA1 7811ba84f75a1adc6d995c2c1121ec996d1cc003
SHA256 116156cc3af0bf4d81d9b2fba83c569cf9f4c9055b9c9cd5731538de036417e8
SHA512 4cb9e29db63d28c802c7c1799fd53e00b5facdc0b63d08b76d619c7a9be6cc06f11c0d435ad035bf3f9c3c96687e03e5157ae2ce7494a621c0762bc8083d9fbd
