Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-ehhnvazldl
Target d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e
SHA256 d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e

Threat Level: Known bad

The file d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Redline family

Healer family

Healer

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:56

Reported

2024-11-09 03:59

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
35 matches; Description, Indicator, Process and Target were all exported as N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe N/A
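The two Defender tables above (the five Real-Time Protection policy values set to 1 and TamperProtection set to 0, all written by jr162597.exe from %TEMP%) are the detection-worthy part of this report. The following is an added example written for this page, not sandbox output or vendor code: it runs the corresponding check over Sysmon Event ID 13 (RegistryEvent, value set) records, folding the NT-native hive spelling the sandbox uses (\REGISTRY\MACHINE) and the Win32 one (HKEY_LOCAL_MACHINE) to HKLM, decoding the DWORD, and rating the writer. The event records, process IDs and the TRUSTED_WRITERS allow-list are constructed assumptions.

```python
"""Flag registry writes that switch off Microsoft Defender protection.

Added example for this report, not sandbox output. The records below are
hand-constructed Sysmon Event ID 13 (RegistryEvent, value set) events that
mirror the indicators recorded for jr162597.exe; PIDs are made up.
"""
import re
from typing import Dict, List, Optional, Tuple

# Key and value names taken from the report. Writing 1 to any of these values
# under the policy key disables that Defender real-time component.
RTP_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableOnAccessProtection",
    "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
# Non-policy feature flag the sample also zeroed.
FEATURES_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"

# Assumed allow-list of images that legitimately write these keys (Group Policy
# client hosted in svchost, gpupdate). Tune per estate.
TRUSTED_WRITERS = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\gpupdate.exe"}
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def normalize_key(target_object: str) -> Tuple[str, str]:
    """Split a registry path into (key, value name), folding the NT-native machine
    hive name (REGISTRY, MACHINE) and HKEY_LOCAL_MACHINE to HKLM."""
    path = re.sub(r"^(\\REGISTRY\\MACHINE|HKEY_LOCAL_MACHINE)\\", r"HKLM\\",
                  target_object, flags=re.IGNORECASE)
    key, _, value = path.rpartition("\\")
    return key, value


def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; the sandbox shows the bare decimal."""
    hex_match = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    if hex_match:
        return int(hex_match.group(1), 16)
    dec_match = re.fullmatch(r"\s*(\d+)\s*", details)
    return int(dec_match.group(1)) if dec_match else None


def check_event(event: Dict) -> Optional[Dict]:
    """Return a finding for one value-set event, or None when it is not Defender tampering."""
    if event.get("EventID") != 13:  # 12 = key create/delete, 14 = rename: no value written
        return None
    key, value = normalize_key(event["TargetObject"])
    data = parse_dword(event.get("Details", ""))
    if key.lower() == RTP_POLICY_KEY.lower() and value in RTP_DISABLE_VALUES and data == 1:
        reason = f"{value} = 1 under the Real-Time Protection policy key"
    elif key.lower() == FEATURES_KEY.lower() and value == "TamperProtection" and data == 0:
        reason = "TamperProtection = 0"
    else:
        return None
    image = event["Image"]
    if image.lower() in TRUSTED_WRITERS:
        severity = "medium"    # policy engine wrote it: confirm against GPO before closing
    elif TEMP_DIR_RE.search(image):
        severity = "critical"  # a binary run from %TEMP% disabling AV, the report's pattern
    else:
        severity = "high"
    return {"pid": event["ProcessId"], "image": image, "reason": reason, "severity": severity}


def scan(events: List[Dict]) -> List[Dict]:
    return [f for f in map(check_event, events) if f is not None]


SANDBOX_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe"


def _ev(event_id, image, pid, target, details=""):
    return {"EventID": event_id, "Image": image, "ProcessId": pid,
            "TargetObject": target, "Details": details}


SAMPLE_EVENTS = (
    # Key creation precedes the writes in the report; Sysmon logs it as ID 12.
    [_ev(12, SANDBOX_IMAGE, 2008, RTP_POLICY_KEY)]
    + [_ev(13, SANDBOX_IMAGE, 2008, RTP_POLICY_KEY + "\\" + name, "DWORD (0x00000001)")
       for name in sorted(RTP_DISABLE_VALUES)]
    + [
        _ev(13, SANDBOX_IMAGE, 2008, FEATURES_KEY + r"\TamperProtection", "DWORD (0x00000000)"),
        # Group Policy client enforcing the same setting: real, but routine enough for medium.
        _ev(13, r"C:\Windows\System32\svchost.exe", 1204,
            RTP_POLICY_KEY + r"\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
        # Same key, unrelated (made-up) value name: must not fire.
        _ev(13, SANDBOX_IMAGE, 2008, FEATURES_KEY + r"\SomeOtherFlag", "DWORD (0x00000000)"),
        # Re-enabling monitoring is not tampering.
        _ev(13, r"C:\Windows\System32\gpupdate.exe", 4412,
            RTP_POLICY_KEY + r"\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    ]
)

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] pid {finding['pid']} {finding['image']}: {finding['reason']}")
```

Two caveats for using this on real hosts. With Tamper Protection enabled, Defender ignores or reverts registry-level changes to these Real-Time Protection settings made by anything other than Defender itself, so the fact that all six writes succeeded also tells you the sandbox image had tamper protection off; on a production endpoint a successful write is a sign the host was already unprotected. And the severity tiering by writer is the part worth tuning: svchost.exe hosting the Group Policy client will legitimately write the Policies key, a binary in %TEMP% never will.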

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieB4574.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe N/A

Neither value launches a payload. wextract_cleanup0 and wextract_cleanup1 are the cleanup hooks the Windows self-extractor (wextract, the IExpress runtime) registers for itself: at the next logon rundll32 calls DelNodeRunDLL32 in advpack.dll to delete the named IXP*.TMP extraction directory. What they do show is the packaging. The submitted sample created IXP000.TMP and registers cleanup0 for it, and zieB4574.exe, extracted there, created IXP001.TMP and registers cleanup1, so the dropper is two nested self-extracting cabinets with jr162597.exe and ku855629.exe in the inner one. The WOW6432Node path shows both writers are 32-bit processes under registry redirection. Treat this signature as packaging evidence rather than as the persistence mechanism; no RunOnce entry here executes jr162597.exe or ku855629.exe.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieB4574.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku855629.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku855629.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe

"C:\Users\Admin\AppData\Local\Temp\d0a5150e46445d2ade0f913ffca157f9865feaa2c513c4deac3813f4ed2b7f8e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieB4574.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieB4574.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku855629.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku855629.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp
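The network table mixes two different things: reverse (PTR) lookups sent to the resolver 8.8.8.8 for seven addresses, and six TCP connections to 176.113.115.145:4125, the only host the sample spoke to directly and the destination worth blocking and hunting for. PTR names carry the octets reversed, so 232.168.11.51.in-addr.arpa is a lookup of 51.11.168.232, not of 232.168.11.51. The following is an added example written for this page, not sandbox or vendor code: it parses the rows as the sandbox exported them, decodes the PTR targets, counts the direct peers, and runs the result over constructed firewall lines in tiers of confidence. The firewall log format, its "src -> dst" shape and the addresses in it are assumptions.

```python
"""Turn the report's network rows into tiered hunting indicators.

Added example for this report, not sandbox output. The network rows are the
ones exported above; the firewall log lines are constructed for the demo.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Set

REPORT_NETWORK = """
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
"""
# country, ip:port, optional DNS name, protocol; the name column is absent on TCP rows.
ROW_RE = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                    r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

# Constructed egress log lines in a generic "src -> dst" shape (not from the report).
CONSTRUCTED_FW_LOG = [
    "2024-11-09T03:57:12Z ALLOW tcp 10.0.0.15:49712 -> 176.113.115.145:4125",
    "2024-11-09T03:57:13Z ALLOW udp 10.0.0.15:51000 -> 8.8.8.8:53",
    "2024-11-09T03:58:02Z ALLOW tcp 10.0.0.22:49800 -> 51.11.168.232:443",
    "2024-11-09T03:58:40Z DENY  tcp 10.0.0.31:50211 -> 176.113.115.145:443",
    "2024-11-09T03:59:05Z ALLOW tcp 10.0.0.15:49730 -> 176.113.115.145:4125",
]
FW_RE = re.compile(r"(?P<proto>tcp|udp) \S+ -> (?P<ip>[\d.]+):(?P<port>\d+)\s*$")


def ptr_to_ip(name: str) -> Optional[str]:
    """'232.168.11.51.in-addr.arpa' -> '51.11.168.232': PTR names list the octets reversed."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text: str) -> List[Dict[str, Optional[str]]]:
    return [m.groupdict() for m in map(ROW_RE.match, text.strip().splitlines()) if m]


def extract_iocs(rows):
    """Split hosts the sample merely reverse-resolved from hosts it actually talked to.
    Queries to the resolver describe the sandbox, not the sample, so they are not
    indicators; decoded PTR targets are kept as context, every non-DNS destination
    is counted as a direct peer."""
    ptr_targets: Set[str] = set()
    peers: Counter = Counter()
    for r in rows:
        decoded = ptr_to_ip(r.get("domain") or "")
        if decoded:
            ptr_targets.add(decoded)
        elif not (r["proto"] == "udp" and r["port"] == "53"):
            peers[(r["ip"], int(r["port"]), r["proto"])] += 1
    return ptr_targets, peers


def hunt(log_lines, peers, ptr_targets) -> Dict[str, List[str]]:
    """Tier matches: exact ip:port/proto hits on a peer are high confidence, a bare-IP
    hit on the peer is worth a look, a hit on a reverse-resolved host is context only."""
    peer_ips = {ip for ip, _, _ in peers}
    tiers: Dict[str, List[str]] = {"peer_exact": [], "peer_ip_only": [], "ptr_context": []}
    for line in log_lines:
        m = FW_RE.search(line)
        if not m:
            continue
        if (m["ip"], int(m["port"]), m["proto"]) in peers:
            tiers["peer_exact"].append(line)
        elif m["ip"] in peer_ips:
            tiers["peer_ip_only"].append(line)
        elif m["ip"] in ptr_targets:
            tiers["ptr_context"].append(line)
    return tiers


def run():
    ptr_targets, peers = extract_iocs(parse_rows(REPORT_NETWORK))
    return ptr_targets, peers, hunt(CONSTRUCTED_FW_LOG, peers, ptr_targets)


if __name__ == "__main__":
    ptr_targets, peers, tiers = run()
    for (ip, port, proto), n in peers.most_common():
        print(f"direct peer {ip}:{port}/{proto} seen {n} times")
    print("reverse-resolved only:", ", ".join(sorted(ptr_targets)))
    for tier, lines in tiers.items():
        print(tier, len(lines))
```

Hosts that appear only through PTR lookups should be attributed (WHOIS, passive DNS) before they are treated as indicators; reverse lookups of the analysis machine's own background traffic are common in these exports, and blocking them would hit legitimate services. Conversely, do not reduce the peer to a bare IP at block time: the port and protocol are what distinguish this traffic from anything else that address might host.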

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zieB4574.exe

MD5 8bef6b0facf50f45bc7d2b746ee04716
SHA1 67578bf3a03a5461e4dc38f5ea953ca02d4ca984
SHA256 4712d275696c14f832f0cadef849ec4bbe5093bce8aeb1172aad5b4043a33ca8
SHA512 3bb516e9951860c3b019a4f29133af3ee1515f3a44d81d12cd097956550e2175b2eaa2cd345db6a1da48f499b1f244afa31102af96986f89a1a65f5c9c7a8ac9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr162597.exe

MD5 34460244ddc626d4599e070c66ea340f
SHA1 5a24de2a7c59aea23106ef0af22b4b391f192dbb
SHA256 535baee1fe5d24e6ceefd7b3f7037d4ea2a0cd14535a814b6978f5ee9ebe2146
SHA512 09945543c5e51666d2819b9213f1251b4074b28bb5fbea9637cdc104f977e5d83b2160ad1807874c57124ff67d6cc2c95c918d23733e61e01b14b8b6a788c37d

memory/2008-14-0x00007FFB47243000-0x00007FFB47245000-memory.dmp

memory/2008-15-0x0000000000720000-0x000000000072A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku855629.exe

MD5 fec2fb517b3eb96b94407d6e1ad9ac6c
SHA1 500066dc7eec7643cefc6830b30013fccb144d79
SHA256 624ab4d1bcec473a5ed13d870212ecb30a35fd61f89d9b70d28246a5e720258d
SHA512 93bbbb9e841266f2b13778bc13f5525ac155f832f93ceab6481641b9fca12f370bc20ca626bef59b9b66683a5b57f6373f7bd6fcdccc79d7dd61773ee87af654

memory/2904-21-0x00000000028A0000-0x00000000028E6000-memory.dmp

memory/2904-22-0x0000000004E10000-0x00000000053B4000-memory.dmp

memory/2904-23-0x00000000053C0000-0x0000000005404000-memory.dmp

memory/2904-27-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-37-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-88-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-85-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-83-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-81-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-79-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-77-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-75-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-73-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-69-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-67-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-65-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-63-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-61-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-59-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-57-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-55-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-53-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-51-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-47-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-45-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-43-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-42-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-39-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-35-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-33-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-31-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-29-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-71-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-49-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-25-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-24-0x00000000053C0000-0x00000000053FF000-memory.dmp

memory/2904-930-0x0000000005580000-0x0000000005B98000-memory.dmp

memory/2904-931-0x0000000005C20000-0x0000000005D2A000-memory.dmp

memory/2904-932-0x0000000005D60000-0x0000000005D72000-memory.dmp

memory/2904-933-0x0000000005D80000-0x0000000005DBC000-memory.dmp

memory/2904-934-0x0000000005ED0000-0x0000000005F1C000-memory.dmp