Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-egyzfaxbqm
Target 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a
SHA256 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a

Threat Level: Known bad

The file 106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

Healer family

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:55

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:55

Reported

2024-11-09 03:57

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
17 matches recorded; no description, indicator, process or target details were exported for them

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A

All five values are Defender real-time protection policy switches, written by the second-stage 04229891.exe. Two caveats for responders: the path is recorded under WOW6432Node, the 32-bit view of HKLM\SOFTWARE, so the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection key should be checked as well, since that is the key the Defender service reads; and on a host with Tamper Protection enabled Defender ignores these policy values, so the effective protection state has to be confirmed on the host rather than inferred from the registry.

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
20 matches recorded; no description, indicator, process or target details were exported for them

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A

Writing TamperProtection = 0 is an attempt to switch Tamper Protection off so that the Real-Time Protection policy values written by the same process take effect. Where Tamper Protection is enabled, Defender blocks unauthorised changes to its own configuration keys, so a logged write is not proof that the setting changed; on affected hosts confirm the live state, for example with Get-MpComputerStatus (IsTamperProtected, RealTimeProtectionEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled, OnAccessProtectionEnabled), rather than relying on the registry alone.

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | N/A

Both RunOnce values are the standard cleanup entries written by the IExpress/wextract self-extractor: at next logon they call advpack.dll DelNodeRunDLL32 to delete the IXP000.TMP and IXP001.TMP extraction directories, and they run nothing from the sample. They show that the outer sample and un800228.exe are two nested wextract-packed cabinets (hence IXP000 and IXP001); they do not give the malware persistence, so the "Adds Run key" signature should be read as a packer artifact here, not as a persistence mechanism.
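The three registry-based findings above (the Real-Time Protection policy values, the Features\TamperProtection write and the RunOnce entries) can be triaged mechanically from sandbox or Sysmon registry events. The Python below is an added example, not part of this report or of the sandbox that produced it. It runs over events constructed here from the rows above (description, NT path, data written, writing process), raises a finding for each Defender-disabling write whichever registry view (native or WOW6432Node) it lands in, and classifies a RunOnce value that calls advpack.dll DelNodeRunDLL32 on an IXP###.TMP directory as self-extractor cleanup rather than persistence. The rule names and severities are my own choices.

```python
import re
from dataclasses import dataclass

# Values under ...\Windows Defender\Real-Time Protection that switch a
# protection component off when set to 1.
DEFENDER_RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}

# NT-style paths as the sandbox logs them. The optional WOW6432Node component is
# the 32-bit view of HKLM\SOFTWARE; both views are matched so a finding is
# raised whichever one a 32-bit or 64-bit writer ends up in.
_HKLM_SW = r"\\REGISTRY\\MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?"
RTP_RE = re.compile(_HKLM_SW + r"Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\(\w+)$", re.I)
TAMPER_RE = re.compile(_HKLM_SW + r"Microsoft\\Windows Defender\\Features\\TamperProtection$", re.I)
AUTORUN_RE = re.compile(_HKLM_SW + r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
# An IExpress/wextract self-extractor registers this RunOnce value to delete its
# IXP###.TMP extraction directory; it executes nothing from the payload.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32\.exe\s+\S*advpack\.dll,DelNodeRunDLL32\s+"[^"]*\\IXP\d{3}\.TMP\\"$', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    process: str
    detail: str


def classify(description, path, value, process):
    """Classify one registry event (description, NT path, data, writing process)
    as the sandbox reports it. Returns a Finding, or None when nothing applies."""
    if not description.lower().startswith("set value"):
        return None  # a bare "Key created" carries no setting
    m = RTP_RE.match(path)
    if m and m.group(1) in DEFENDER_RTP_DISABLE_VALUES and value == "1":
        note = "; 32-bit view, confirm the native Policies key" if "WOW6432Node" in path else ""
        return Finding("defender_rtp_policy_disable", "high", process, f"{m.group(1)} = 1{note}")
    if TAMPER_RE.match(path) and value == "0":
        return Finding("defender_tamper_protection_off_attempt", "high", process,
                       "TamperProtection = 0 written; verify IsTamperProtected on the host")
    m = AUTORUN_RE.match(path)
    if m:
        key, name = m.group(1), m.group(2)
        if key.lower() == "runonce" and WEXTRACT_CLEANUP_RE.match(value):
            return Finding("sfx_cleanup_runonce", "info", process,
                           f"{name}: wextract cleanup of its extraction directory, not persistence")
        return Finding("autorun_entry", "medium", process, f"{key}\\{name} = {value}")
    return None


def triage(events):
    """Apply classify() to (description, path, value, process) tuples."""
    return [f for f in (classify(*e) for e in events) if f is not None]


def summarize(findings):
    """Count findings per rule: a one-line answer to 'what did it do to Defender'."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed input: the registry rows of this report, in the order logged.
TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe"
UNPACKER = TMP + r"\IXP000.TMP\un800228.exe"
HEALER = TMP + r"\IXP001.TMP\04229891.exe"
RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"
RUNONCE_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"


def wextract_cleanup_cmd(extract_dir):
    """The RunOnce command wextract writes for its own extraction directory."""
    return f'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "{extract_dir}\\"'


EVENTS = [
    ("Set value (int)", RTP_KEY + r"\DisableScanOnRealtimeEnable", "1", HEALER),
    ("Key created", RTP_KEY, "", HEALER),
    ("Set value (int)", RTP_KEY + r"\DisableBehaviorMonitoring", "1", HEALER),
    ("Set value (int)", RTP_KEY + r"\DisableIOAVProtection", "1", HEALER),
    ("Set value (int)", RTP_KEY + r"\DisableOnAccessProtection", "1", HEALER),
    ("Set value (int)", RTP_KEY + r"\DisableRealtimeMonitoring", "1", HEALER),
    ("Key created", FEATURES_KEY, "", HEALER),
    ("Set value (int)", FEATURES_KEY + r"\TamperProtection", "0", HEALER),
    ("Set value (str)", RUNONCE_KEY + r"\wextract_cleanup0", wextract_cleanup_cmd(TMP + r"\IXP000.TMP"), SAMPLE),
    ("Set value (str)", RUNONCE_KEY + r"\wextract_cleanup1", wextract_cleanup_cmd(TMP + r"\IXP001.TMP"), UNPACKER),
]

if __name__ == "__main__":
    findings = triage(EVENTS)
    for f in findings:
        writer = f.process.rsplit("\\", 1)[-1]
        print(f"[{f.severity}] {f.rule}: {f.detail}  <- {writer}")
    print(summarize(findings))
```

Run on the report's rows this yields five defender_rtp_policy_disable findings and one defender_tamper_protection_off_attempt, all from 04229891.exe, and two sfx_cleanup_runonce entries at informational severity; a RunOnce or Run value that does not look like wextract cleanup is still reported as autorun_entry, so the exemption is narrow.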

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3852 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe
PID 3852 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe
PID 3852 wrote to memory of 4912 | N/A | C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe
PID 4912 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe
PID 4912 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe
PID 4912 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe
PID 4912 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe
PID 4912 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe
PID 4912 wrote to memory of 876 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe

Each parent/child pair is logged three times. Taken together the rows give the execution chain 3852 (the sample) -> 4912 (un800228.exe) -> 1156 (04229891.exe) and 876 (rk437550.exe). Every write in this table goes from a process into a child it started; there is no write into a process the writer did not create, so this run shows no injection into a foreign process.
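The WriteProcessMemory table is the only place in this report that ties the dropped executables to PIDs, so it is worth parsing rather than reading by eye. The Python below is an added example, not part of the report or its sandbox: it reads rows in the flattened layout above (constructed here from this report's nine rows and the WerFault command lines from the Processes section), takes the first process that writes into a PID as that PID's creator (an assumption, since the table carries no CreateProcess record), collapses the repeated rows into a count, surfaces any writer that is not the target's creator as an injection candidate, and marks processes that Windows Error Reporting was invoked for.

```python
import re
from collections import defaultdict

# "PID <src> wrote to memory of <dst>  N/A  <source image>  <target image>",
# the flattened row layout of the WriteProcessMemory table. The target image is
# anchored on its drive letter so that image paths containing spaces still parse.
WPM_ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(.+?)\s+([A-Za-z]:\\.+)$")
WERFAULT_PID_RE = re.compile(r"\s-p (\d+)")

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TMP + r"\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe"
UNPACKER = TMP + r"\IXP000.TMP\un800228.exe"
HEALER = TMP + r"\IXP001.TMP\04229891.exe"
STEALER = TMP + r"\IXP001.TMP\rk437550.exe"

# Constructed input: the nine WriteProcessMemory rows of this report (each
# parent/child pair is logged three times) and the Processes command lines.
WPM_ROWS = (
    [f"PID 3852 wrote to memory of 4912 N/A {SAMPLE} {UNPACKER}"] * 3
    + [f"PID 4912 wrote to memory of 1156 N/A {UNPACKER} {HEALER}"] * 3
    + [f"PID 4912 wrote to memory of 876 N/A {UNPACKER} {STEALER}"] * 3
)
PROCESS_CMDLINES = [
    f'"{SAMPLE}"', UNPACKER, HEALER,
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1156 -ip 1156",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1080",
    STEALER,
]


def parse_wpm(rows):
    """Return (parent_of, image_of, write_counts). The first process seen writing
    into a PID is recorded as its creator (assumption: this table has no separate
    CreateProcess record); every writer/target pair keeps its count so that a
    later, different writer is not lost."""
    parent_of, image_of, write_counts = {}, {}, defaultdict(int)
    for row in rows:
        m = WPM_ROW_RE.match(row)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        write_counts[(src, dst)] += 1
        image_of.setdefault(src, m.group(3))
        image_of.setdefault(dst, m.group(4))
        parent_of.setdefault(dst, src)
    return parent_of, image_of, dict(write_counts)


def injections(parent_of, write_counts):
    """Writer/target pairs where the writer is not the target's creator:
    the cross-process writes that deserve a closer look."""
    return sorted((s, d) for (s, d) in write_counts if parent_of.get(d) != s)


def crashed_pids(cmdlines):
    """PIDs that Windows Error Reporting was invoked for (WerFault.exe -p <pid>)."""
    pids = set()
    for line in cmdlines:
        if "werfault.exe" in line.lower():
            m = WERFAULT_PID_RE.search(line)
            if m:
                pids.add(int(m.group(1)))
    return pids


def render_tree(parent_of, image_of, crashed=frozenset()):
    """Indented process tree, one line per PID, roots first, children by PID."""
    children = defaultdict(list)
    for pid, parent in parent_of.items():
        children[parent].append(pid)
    roots = [pid for pid in image_of if pid not in parent_of]
    lines = []

    def walk(pid, depth):
        name = image_of[pid].rsplit("\\", 1)[-1]
        tag = "  [crashed: WerFault attached]" if pid in crashed else ""
        lines.append("  " * depth + f"{pid} {name}{tag}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return lines


if __name__ == "__main__":
    parents, images, counts = parse_wpm(WPM_ROWS)
    print("\n".join(render_tree(parents, images, crashed_pids(PROCESS_CMDLINES))))
    print("injection candidates:", injections(parents, counts))
```

For this report the tree is the sample (3852) over un800228.exe (4912), which in turn starts rk437550.exe (876) and 04229891.exe (1156, marked as crashed because both WerFault instances name it with -p 1156); the injection-candidate list is empty because every write here is parent to child.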

Processes

Process tree reconstructed from the WriteProcessMemory entries above (PIDs as logged there; the WerFault instances are attributed through their -p argument):

3852  C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\106bf326e29c6bc7c4698c25095ecd2eec2b9cabd3bed14fe7e9b7a95f64258a.exe"
  4912  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe
    1156  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe
          crashed; handled by Windows Error Reporting (the SysWOW64 WerFault indicates a 32-bit process):
          C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1156 -ip 1156
          C:\Windows\SysWOW64\WerFault.exe -u -p 1156 -s 1080
    876   C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe
          command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp
RU | 185.161.248.143:38452 | | tcp
RU | 185.161.248.143:38452 | | tcp
RU | 185.161.248.143:38452 | | tcp

The in-addr.arpa names are reverse (PTR) lookups sent to 8.8.8.8 and carry no sample-specific indicator. The only non-DNS traffic is seven TCP connections to 185.161.248.143:38452 (RU); the report does not attribute them to a process, but that host and port are the network indicator from this run to block and hunt for.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un800228.exe

MD5 22c93af7dc94c8928cdddbd84b205391
SHA1 b08c303cea77885baa16458c591dec12f637bbb3
SHA256 ea213a31e1ad1addec54b34c179db45ff66ce7a7362ad7096722ec14f16645df
SHA512 2efd603131e1c18e63c5014069b1be188f8d4f76c1f4d191d5e5aecb4875a39fefaf774de68958469c897ba4ffa5d1e55e36d77520abf893ce50c46a13d5be4e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\04229891.exe

MD5 f78f972daad203de1a2120cd43fa3362
SHA1 c2c2a6a0404e414768c13860c9e24075deef8dfe
SHA256 18f3783b820beb723fc16c1dcd224c5e5e283a94376a8eda6a37cad8009cec9c
SHA512 8f74dcd5d6afbcf42e2bb4aa93ef3a2a39bb7f437afdbb7f7a49ee87a1461805339261ad3b4701062f0e8f5cdd7890255c8f2f09f95ddf614a706d596f3d155e

memory/1156-15-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

memory/1156-16-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

memory/1156-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1156-18-0x0000000007210000-0x000000000722A000-memory.dmp

memory/1156-19-0x00000000073B0000-0x0000000007954000-memory.dmp

memory/1156-20-0x0000000007270000-0x0000000007288000-memory.dmp

memory/1156-21-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-40-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-48-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-46-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-44-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-43-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-38-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-36-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-34-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-33-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-30-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-28-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-26-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-24-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-22-0x0000000007270000-0x0000000007283000-memory.dmp

memory/1156-49-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

memory/1156-50-0x0000000002CB0000-0x0000000002CDD000-memory.dmp

memory/1156-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1156-51-0x0000000000400000-0x0000000002B9B000-memory.dmp

memory/1156-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk437550.exe

MD5 d039136e4ab774f02c63fc0a2874ea01
SHA1 1b3a1dea9c305fdb01e1e1f993d51d0fea83e453
SHA256 846cdea9a4cbaf17c1ec38b4b7e9cb60bd616c1e345622d9fffdba46900fd3f2
SHA512 80b4ef4b07dd8034ce83a6f923d696007effee201d88e76af99d61866c5e1bfa2d368bf2be0f57127d048b786c0396bb0ba98db50155f9275133da2e29da4dd8

memory/1156-54-0x0000000000400000-0x0000000002B9B000-memory.dmp

memory/876-60-0x0000000004BF0000-0x0000000004C2C000-memory.dmp

memory/876-61-0x0000000007790000-0x00000000077CA000-memory.dmp

memory/876-69-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-63-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-96-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-93-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-91-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-90-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-87-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-85-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-84-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-81-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-79-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-77-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-75-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-73-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-71-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-67-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-65-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-62-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/876-854-0x0000000009C90000-0x000000000A2A8000-memory.dmp

memory/876-855-0x000000000A330000-0x000000000A342000-memory.dmp

memory/876-856-0x000000000A350000-0x000000000A45A000-memory.dmp

memory/876-857-0x000000000A470000-0x000000000A4AC000-memory.dmp

memory/876-858-0x0000000004AB0000-0x0000000004AFC000-memory.dmp