Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-ej8lnaxclr
Target c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b
SHA256 c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b

Threat Level: Known bad

The file c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

Redline family

RedLine payload

Healer

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:59

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:59

Reported

2024-11-09 04:01

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4844 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe
PID 4844 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe
PID 4844 wrote to memory of 2520 | N/A | C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe
PID 2520 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe
PID 2520 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe
PID 2520 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe
PID 4944 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe
PID 4944 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe
PID 4944 wrote to memory of 1768 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe
PID 1768 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe
PID 1768 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe
PID 1768 wrote to memory of 1764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe
PID 1764 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe
PID 1764 wrote to memory of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe
PID 1764 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe
PID 1764 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe
PID 1764 wrote to memory of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe

"C:\Users\Admin\AppData\Local\Temp\c57e5ca36e3302bcab0bf907a5716e4dac2e1f0573e7e23302d57f2ac0ea631b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
RU | 193.233.20.24:4123 | N/A | tcp
RU | 193.233.20.24:4123 | N/A | tcp
RU | 193.233.20.24:4123 | N/A | tcp
RU | 193.233.20.24:4123 | N/A | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
RU | 193.233.20.24:4123 | N/A | tcp
RU | 193.233.20.24:4123 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plMS91Qg62.exe

MD5 88a7c440ba6a258395f7ba5e6db29263
SHA1 a4e89c322c4607e4ff04e7f10279654a9cf82e45
SHA256 3fe77d9168812401c9498315680fd14eb7f2edee8d5ee4a4e131662aab84d4b0
SHA512 30e347c9731320d814fbe8a2173716e8ea2c3ec42440b5a357914d62b2b52d12dd03cf36ff3f176a197f10deadf9e854ce4d202431610c79154f6c31f6c3504e

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plPh24aA08.exe

MD5 644a35ccced75f6bbe3d9c44a83116da
SHA1 dd80400673cdc473f17366985c9a70c77f966b89
SHA256 8b7c95094da886e8f300b9abcef7154481ef7d216509963eefd2558bab8bbe94
SHA512 3b515b14055602198ebc05c0b39689f2611458dc18cbc57a9c10f85b99ea7fc3185d6792157f8938a70ebacba7bab8ce78ce09b104de758c6c4a626db9fff693

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plSL95fF89.exe

MD5 0b92bb24bef10d276a17fed51356cde0
SHA1 4e7449c5c560da1ea69dc7d5de97eb3fe2b760d1
SHA256 782d4b75582a09f7a110215642a63dafb809040bc4c2a46e5f54bb3c54d41f4f
SHA512 25d229062a4b120f74d122d50f8f4bc7f80344cc8d40fd47a715a350c76201e0d8110c57d99362154cc8a45bbd965c7b28193623a384566d0c6a0a1c89afaee0

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plJA80QM86.exe

MD5 d6f6093082c377a3e22482c71d79d950
SHA1 c8ddb15edf2574ed9c20f69c7e541fdb1381b776
SHA256 7736a59d4b323253f2a35f178d1cf2f43a3242a760dd18486dc85f19a1b14bc7
SHA512 54377e8b39d150d04ae81621a30de01e8a19eb8d82b8b6e980acb2213cd0f4da2c4b8408726965d72eda1df3281a8bc9740ed09cd60cc7c87b08dd5023bd5ae7

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buVB27Oe75.exe

MD5 d5ca0183e104522dc8688b9fde6384f9
SHA1 13de197195327a0cdd466a034c4fb050053df1f5
SHA256 2f834a83b7e3794a930e3ac9ec6ba824ee9119e105d23f5aa7e04ee555688a98
SHA512 17d596f00ac5cc3481f69fd6d67463e7bbf9a34d4795143fc239b9a882fe0771865919cda9257a28e03ae02ebd63665a68e43412fec01e92e5f7aa662663a22a

memory/800-35-0x0000000000B60000-0x0000000000B6A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caFV21gN19.exe

MD5 c20ade32de13d71d0544db09353ae664
SHA1 2360c19884041d41655172027c5ae07d537e01b4
SHA256 680ab026b99110c40b7082b3d30fa3f74ee17d49c1b6b3d97cb72ba4cf3323fc
SHA512 c09973e49b5d30ad8f3528913c73394e5144eaa857bdcbc05186a65bea1a5dc6c937e58d7e2ec2fb2aa017af312f678fad5b857c9fa988a7d78a04abfbe512aa

memory/388-41-0x0000000004AD0000-0x0000000004B16000-memory.dmp

memory/388-42-0x0000000004B80000-0x0000000005124000-memory.dmp

memory/388-43-0x0000000005170000-0x00000000051B4000-memory.dmp

memory/388-47-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-53-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-107-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-103-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-101-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-99-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-95-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-93-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-91-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-89-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-87-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-85-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-81-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-80-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-77-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-75-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-74-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-71-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-70-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-67-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-65-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-63-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-61-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-59-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-57-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-55-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-51-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-49-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-105-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-97-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-83-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-45-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-44-0x0000000005170000-0x00000000051AE000-memory.dmp

memory/388-950-0x00000000051C0000-0x00000000057D8000-memory.dmp

memory/388-951-0x0000000005860000-0x000000000596A000-memory.dmp

memory/388-952-0x00000000059A0000-0x00000000059B2000-memory.dmp

memory/388-953-0x00000000059C0000-0x00000000059FC000-memory.dmp

memory/388-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp