Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-ehzblaxbqd
Target 329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2
SHA256 329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2
Tags
healer redline dark discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2

Threat Level: Known bad

The file 329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2 was found to be: Known bad.

Malicious Activity Summary

healer redline dark discovery dropper evasion infostealer persistence trojan

Healer

Detects Healer, an antivirus-disabler dropper

RedLine payload

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

Healer family

Checks computer location settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:57

Reported

2024-11-09 03:59

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Temp\1.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Temp\1.exe | N/A

All six writes come from C:\Windows\Temp\1.exe, the file dropped by 25545826.exe. The Real-Time Protection policy key does not exist on a host that is not managed by Group Policy, so its creation by a process running out of C:\Windows\Temp is as telling as the values set beneath it.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\25545826.exe | N/A

Geo\Nation holds the numeric GEOID of the user's configured country. Reading it is not malicious on its own; stealers sold on Russian-language forums commonly use it to exit on CIS locales, and the report records only the read, not what 25545826.exe did with the value.

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Windows\Temp\1.exe | N/A
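Added example, not taken from the report or from any vendor tooling: a Python check that applies the six values shown in the two Defender tables above ("Modifies Windows Defender Real-time Protection settings" and "Windows security modification") to Sysmon RegistryEvent records (Event ID 12 for key creation, 13 for value sets). The record layout (EventType, TargetObject, Details, Image, ProcessId) is Sysmon's; the sample records are constructed to mirror what 1.exe did in the detonation, and the allow-list of legitimate writers is an assumption to tune per environment. Tamper Protection is designed to block or ignore these writes, but the attempt still surfaces as a registry event, and that attempt is what the check looks for.

```python
"""Flag Windows Defender tamper writes in Sysmon registry events (added example)."""
import re

# Sysmon logs HKLM/HKU; the sandbox prints the native \REGISTRY\MACHINE form.
_HIVE_ALIASES = {
    r"\REGISTRY\MACHINE": "HKLM",
    r"\REGISTRY\USER": "HKU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_USERS": "HKU",
}

RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"

# (key, value name) -> DWORD that means "protection off", taken from the report.
TAMPER_VALUES = {
    (RTP_POLICY, "DisableBehaviorMonitoring"): 1,
    (RTP_POLICY, "DisableIOAVProtection"): 1,
    (RTP_POLICY, "DisableOnAccessProtection"): 1,
    (RTP_POLICY, "DisableRealtimeMonitoring"): 1,
    (RTP_POLICY, "DisableScanOnRealtimeEnable"): 1,
    (FEATURES, "TamperProtection"): 0,
}

# Assumption: writers that may legitimately touch these keys on a managed host.
ALLOWED_WRITERS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

_DWORD = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")


def normalize_key(path: str) -> str:
    """Map any hive spelling to Sysmon's HKLM/HKU short form."""
    for prefix, short in _HIVE_ALIASES.items():
        if path.upper().startswith(prefix.upper()):
            return short + path[len(prefix):]
    return path


def parse_dword(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return the int or None."""
    m = _DWORD.search(details or "")
    return int(m.group(1), 16) if m else None


def detect(events):
    """One finding per event that sets a Defender value to its 'off' state, or that
    creates the Real-Time Protection policy key, from a process not on the allow-list."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        if image.lower() in ALLOWED_WRITERS:
            continue
        target = normalize_key(ev.get("TargetObject", ""))
        key, _, value_name = target.rpartition("\\")
        if ev.get("EventType") == "CreateKey" and target.lower() == RTP_POLICY.lower():
            findings.append({"pid": ev["ProcessId"], "image": image,
                             "what": "created Real-Time Protection policy key"})
            continue
        if ev.get("EventType") != "SetValue":
            continue
        for (rule_key, rule_value), off_state in TAMPER_VALUES.items():
            if key.lower() == rule_key.lower() and value_name.lower() == rule_value.lower():
                if parse_dword(ev.get("Details")) == off_state:
                    findings.append({"pid": ev["ProcessId"], "image": image,
                                     "what": f"set {rule_value} = {off_state}"})
    return findings


# Constructed records mirroring the report's 1.exe rows plus two benign controls.
SAMPLE_EVENTS = [
    {"EventType": "CreateKey", "ProcessId": 3164, "Image": r"C:\Windows\Temp\1.exe",
     "TargetObject": RTP_POLICY},
    {"EventType": "SetValue", "ProcessId": 3164, "Image": r"C:\Windows\Temp\1.exe",
     "TargetObject": RTP_POLICY + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    # native hive spelling, as the sandbox prints it
    {"EventType": "SetValue", "ProcessId": 3164, "Image": r"C:\Windows\Temp\1.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},
    # benign: a service re-enabling real-time monitoring (value 0 is not "off")
    {"EventType": "SetValue", "ProcessId": 2508, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": RTP_POLICY + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    # benign: a hypothetical unrelated value under the Features key
    {"EventType": "SetValue", "ProcessId": 3164, "Image": r"C:\Windows\Temp\1.exe",
     "TargetObject": FEATURES + r"\SomeOtherFeatureFlag", "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']}: {f['what']}")
```

Feed it the RegistryEvent records from your Sysmon pipeline as dicts with the same field names; on the constructed input it reports the key creation, DisableRealtimeMonitoring = 1 and TamperProtection = 0, and ignores the two control records.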

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st660619.exe | N/A

These two RunOnce entries are what the Windows IExpress/WEXTRACT self-extractor stub writes so that its IXP00n.TMP extraction directory is deleted by advpack.dll's DelNodeRunDLL32 at the next logon. They clean up after the dropper rather than relaunch the payload, so the "persistence" tag is the sandbox's generic reading of a RunOnce write. What the entries do confirm is two nested self-extracting layers: the submitted sample unpacks st660619.exe and lr133136.exe into IXP000.TMP, and st660619.exe unpacks 25545826.exe and kp307356.exe into IXP001.TMP. The WOW6432Node path shows the writers are 32-bit processes.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st660619.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\25545826.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp307356.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr133136.exe | N/A

NLS\Language is opened by the ordinary locale APIs during process start-up, and the sandbox tags every process that touches it, so these rows are context for the Geo\Nation read above rather than an indicator on their own.

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (4 events) | N/A | C:\Windows\Temp\1.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\25545826.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp307356.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Temp\1.exe | N/A

SeDebugPrivilege is enabled before opening other processes with full access rights. Here it is requested by both second-stage executables and by 1.exe, the process that also enumerates processes and writes the Defender keys.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4656 wrote to memory of 4180 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st660619.exe
PID 4180 wrote to memory of 4616 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st660619.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\25545826.exe
PID 4616 wrote to memory of 3164 (2 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\25545826.exe | C:\Windows\Temp\1.exe
PID 4180 wrote to memory of 3440 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st660619.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp307356.exe
PID 4656 wrote to memory of 4432 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr133136.exe

Processes

Process tree reconstructed from the WriteProcessMemory source/target pairs above (PIDs from that table; each write here is from a parent into the child it just started, not into a foreign process). Each process is listed with its image and the command line the sandbox recorded.

[PID 4656] C:\Users\Admin\AppData\Local\Temp\329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2.exe"
  [PID 4180] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st660619.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st660619.exe
    [PID 4616] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\25545826.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\25545826.exe
      [PID 3164] C:\Windows\Temp\1.exe
        command line: "C:\Windows\Temp\1.exe"
    [PID 3440] C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp307356.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp307356.exe
  [PID 4432] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr133136.exe
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr133136.exe

Crash reporting for PID 3440 (kp307356.exe), which is the "Program crash" signature in the summary; the parent of WerFault.exe is not recorded in this report:

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3440 -ip 3440
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1268
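Added example, not part of the report: a Python script that rebuilds the dropper's process tree from the "PID A wrote to memory of B" rows and pairs the WerFault command lines with the process they report on. The event tuples and command lines are transcribed from the report's WriteProcessMemory table and Processes list; the only assumption is the one stated in build_tree, that the first process to write into a new PID is its parent, which holds for a launcher setting up its child and is what the sandbox's source/target columns show here.

```python
"""Rebuild a process tree from sandbox WriteProcessMemory rows (added example)."""
import ntpath
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\329268e94726ae09ff3adc42fbb1cba6f03dd5b78b83269ef1f6b9cc9bd809e2.exe"
IXP0 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP"
IXP1 = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP"

# (source pid, target pid, source image, target image), one tuple per recorded write,
# transcribed from the report's WriteProcessMemory table.
WRITE_EVENTS = (
    [(4656, 4180, SAMPLE, IXP0 + r"\st660619.exe")] * 3
    + [(4180, 4616, IXP0 + r"\st660619.exe", IXP1 + r"\25545826.exe")] * 3
    + [(4616, 3164, IXP1 + r"\25545826.exe", r"C:\Windows\Temp\1.exe")] * 2
    + [(4180, 3440, IXP0 + r"\st660619.exe", IXP1 + r"\kp307356.exe")] * 3
    + [(4656, 4432, SAMPLE, IXP0 + r"\lr133136.exe")] * 3
)

# WerFault command lines from the report's Processes list.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3440 -ip 3440",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3440 -s 1268",
]


def build_tree(events):
    """Return (images, parents, write_counts).

    Assumption: the first process that writes into a pid is its parent, which is
    what a launcher does to its freshly created child before resuming it.
    """
    images, parents, counts = {}, {}, Counter()
    for src, dst, src_img, dst_img in events:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        parents.setdefault(dst, src)
        counts[(src, dst)] += 1
    return images, parents, counts


def roots(parents, images):
    """Pids that nobody wrote into: the submitted sample in a sandbox run."""
    return sorted(pid for pid in images if pid not in parents)


def children(parents, pid):
    return sorted(c for c, p in parents.items() if p == pid)


def render(images, parents, counts, pid=None, depth=0):
    """Indented text lines: pid, image name and how many writes the parent made."""
    lines = []
    for p in ([pid] if pid is not None else roots(parents, images)):
        n = counts.get((parents.get(p), p), 0)
        tag = f" ({n} writes from parent)" if n else ""
        lines.append("  " * depth + f"[{p}] {ntpath.basename(images[p])}{tag}")
        for c in children(parents, p):
            lines.extend(render(images, parents, counts, c, depth + 1))
    return lines


def crashed_pids(cmdlines):
    """WerFault names the faulting process with '-p <pid>'; collect those pids."""
    found = set()
    for cmd in cmdlines:
        m = re.search(r"-p (\d+)", cmd)
        if m:
            found.add(int(m.group(1)))
    return found


if __name__ == "__main__":
    images, parents, counts = build_tree(WRITE_EVENTS)
    print("\n".join(render(images, parents, counts)))
    for pid in sorted(crashed_pids(WERFAULT_CMDLINES)):
        print(f"crash reported for [{pid}] {ntpath.basename(images.get(pid, '?'))}")
```

Run stand-alone it prints the six-process tree rooted at PID 4656 and reports the crash of PID 3440 as kp307356.exe; to reuse it on another report, replace the transcribed tuples with the rows of that report's WriteProcessMemory table.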

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa (PTR lookup for 52.183.220.149) | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa (PTR lookup for 40.126.32.133) | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa (PTR lookup for 192.229.221.95) | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa (PTR lookup for 20.44.239.154) | udp
RU | 185.161.248.73:4164 | (none) | tcp (4 connections)
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa (PTR lookup for 52.111.227.14) | udp
RU | 185.161.248.73:4164 | (none) | tcp (2 further connections)
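Added example, not part of the report: a Python pass over the Network table above that inverts the in-addr.arpa names back to the addresses the guest looked up, separates resolver traffic from direct connections, and counts repeats per endpoint. The rows are transcribed from the report; the only non-DNS traffic in the run is the six TCP connections to 185.161.248.73:4164, which is the endpoint to treat as the indicator here (the RedLine tag, raw TCP on a non-standard port). The report shows neither forward lookups nor the PTR answers, so the five reverse-lookup targets are context, not indicators.

```python
"""Summarise a sandbox Network table into IOCs (added example)."""
import ipaddress
from collections import Counter

# (country, destination, domain, proto) exactly as the report lists them.
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "133.32.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
    ("RU", "185.161.248.73:4164", "", "tcp"),
]


def ptr_to_ip(name):
    """Invert 'd.c.b.a.in-addr.arpa' to 'a.b.c.d'; None for anything that is not an IPv4 PTR name."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
    except ipaddress.AddressValueError:
        return None


def is_public(ip):
    """True for globally routable addresses (drops RFC 1918, loopback, link-local, etc.)."""
    return ipaddress.ip_address(ip).is_global


def summarize(rows):
    """Split resolver traffic from direct connections and count repeats per endpoint."""
    resolvers, ptr_targets, endpoints = set(), [], Counter()
    for country, dest, domain, proto in rows:
        ip, _, port = dest.rpartition(":")
        if proto == "udp" and port == "53":
            resolvers.add(ip)
            target = ptr_to_ip(domain)
            if target and target not in ptr_targets:
                ptr_targets.append(target)
        else:
            endpoints[(country, dest, proto)] += 1
    return {
        "resolvers": sorted(resolvers),
        "ptr_targets": ptr_targets,
        "endpoints": dict(endpoints),
    }


if __name__ == "__main__":
    summary = summarize(NETWORK_ROWS)
    print("resolvers:", summary["resolvers"])
    print("reverse-lookup targets:", summary["ptr_targets"])
    for (country, dest, proto), n in summary["endpoints"].items():
        print(f"{proto} {dest} ({country}) x{n} public={is_public(dest.rpartition(':')[0])}")
```

The endpoint counter is keyed on destination and protocol so a reused C2 address on several ports shows up as separate rows; feed it the Network rows of any report in the same four-column shape.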

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\st660619.exe

MD5 23009e21838ec5d3ea17a30274471fe2
SHA1 3f546f8afb483a245765883d58bf06db5fc755b0
SHA256 b97f6bef2b117ba7a49a9dfded9d6b967047532e4c1d580d41546510e682e531
SHA512 9ba2b0035095d74223ee59ad853f84104c3250012b93c5d85f7cea3e26cc53a20e413f762ec0d76c246c746d965184057aa3962854f0229cb8638de4c3875743

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\25545826.exe

MD5 2ef098324f80bd0a39afe42fa12528ac
SHA1 66c04eeb98b9bc6f20d8a3bb521ab49c46a9b58e
SHA256 b433bab5e7f94bb68a056809ac92540472857acfb2c16e6ae45158d8c4549869
SHA512 a7378666f1848296455c652f7911d939851555f3ec589c0f6860d215771d9cc3a3d6c25e54869bf3f7ebb74cbf9fed6ce24d8aba748da79200f37b76e11ab29b

memory/4616-14-0x0000000073DBE000-0x0000000073DBF000-memory.dmp

memory/4616-15-0x00000000025F0000-0x0000000002648000-memory.dmp

memory/4616-16-0x0000000073DB0000-0x0000000074560000-memory.dmp

memory/4616-17-0x0000000004BC0000-0x0000000005164000-memory.dmp

memory/4616-18-0x0000000004A10000-0x0000000004A66000-memory.dmp

memory/4616-19-0x0000000073DB0000-0x0000000074560000-memory.dmp

memory/4616-{20,21,23,25,27,29,31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,63,65,67,69,71,73,75,77,80,81,83}-0x0000000004A10000-0x0000000004A61000-memory.dmp (33 successive dumps of the same region of PID 4616)

memory/4616-2148-0x0000000004BA0000-0x0000000004BAA000-memory.dmp

memory/4616-2150-0x0000000073DB0000-0x0000000074560000-memory.dmp

C:\Windows\Temp\1.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3164-2162-0x00000000008F0000-0x00000000008FA000-memory.dmp

memory/4616-2163-0x0000000073DB0000-0x0000000074560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp307356.exe

MD5 652e22edc6d54fd53f26ae5a0046381f
SHA1 ddbb69795df5d649508024b11ef9b27e322e2491
SHA256 d1cac64fc859349d033070a7300bc7bccd47e2dc824b6713eaa8913b5baa4f07
SHA512 0afaf4c1a553d7276e4fa641d3ed03a4e5732ab53259c773519a288b64841dca503978d16f8e489eb4af5b32c94ae417f069d857609d3dfba33a8cebe9400001

memory/3440-2168-0x0000000002680000-0x00000000026E8000-memory.dmp

memory/3440-2169-0x0000000002990000-0x00000000029F6000-memory.dmp

memory/3440-4316-0x0000000002BF0000-0x0000000002C22000-memory.dmp

memory/3440-4317-0x00000000057C0000-0x0000000005852000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr133136.exe

MD5 5e1a040f815327cc82ba1bbcd7401cf1
SHA1 9ad026b6a1b7be2b6a8a5e1df7cc4bfb1a53d9d3
SHA256 50deda287af2e5a0e86c9e939c2b1608023c0f62673e441737b5aec43bc72a89
SHA512 90f75b7603dba1c946c91ba64de9fde0ff8c6b6868619c183457d794200f74a1c8901e23b43e86e87916b351bb1017145ee7acae944c936cf2ac89e61f5963f2

memory/4432-4323-0x0000000000970000-0x00000000009A0000-memory.dmp

memory/4432-4324-0x0000000005250000-0x0000000005256000-memory.dmp

memory/4432-4325-0x00000000059F0000-0x0000000006008000-memory.dmp

memory/4432-4326-0x0000000005500000-0x000000000560A000-memory.dmp

memory/4432-4327-0x0000000005430000-0x0000000005442000-memory.dmp

memory/4432-4328-0x0000000005490000-0x00000000054CC000-memory.dmp

memory/4432-4329-0x0000000005610000-0x000000000565C000-memory.dmp