Malware Analysis Report

2025-08-10 13:16

Sample ID 241109-ejv1kaxbrg
Target 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f
SHA256 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f

Threat Level: Known bad

The file 8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f was found to be: Known bad.

Malicious Activity Summary

Redline family

Detects Healer, an antivirus disabler dropper

RedLine

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 03:58

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 03:58

Reported

2024-11-09 04:01

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3196 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe
PID 3196 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe
PID 3196 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe
PID 1912 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe
PID 1912 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe
PID 1912 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe
PID 1912 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe
PID 1912 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe
PID 1912 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe

"C:\Users\Admin\AppData\Local\Temp\8cf789c998abd5d05a87efd6c0aa4c4d6fe294bc1547d3ec20d77b6c83a5878f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3140 -ip 3140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un110322.exe

MD5 b32dcf3b1fb54b8e862f84fbe0c8547b
SHA1 6ae4f3678f777fc1656e57ab2db143277e60690d
SHA256 0a1744782ccb95374e71f029b46d807f2a31072e670a426a3c73495b759f29bf
SHA512 a66969f54069db93a8ff9f8380666e776a70adc43e6351b0ff6ac4582b7a7fe1b7a09d6f45bc7f0ed4bce8af7b04076597c8938ded22c442027ec8d23b9fee09

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\48352993.exe

MD5 a604d0a8dcf18156196619562ef426e5
SHA1 1065de6e640de17c6db19b6237d39913364e8ee6
SHA256 abf0068d194197a1c047aa30065f655033e0d25beee3d715e8d4f68b14781e6b
SHA512 046970ae23942f47b945bce62bfca5374bb27d22467a52001aec2f140629d30c2469481a3ba496495c6f88f7b8fd898927d7a724ea262375c82b358d6a5fd645

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk245905.exe

MD5 a3ee805808ba45946d51568bda5aff0b
SHA1 7576545caf28d1dc6589817f2ec6b6f4496cc40a
SHA256 50d3cbedfe32a3c147dba9805d5614cd669e8c945fd7e4e03d593ffc37cabe0a
SHA512 9270d661efd165e296ada752da2d774f10e9270e523b0a9f4f6a8c6e4411c0017e57b274120d27e96734dbb44b61bd1f7c22a182abb49525864593400f487c06
