Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fn7qlayare
Target 7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5
SHA256 7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5

Threat Level: Known bad

The file 7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Redline family

Healer family

RedLine

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:02

Reported

2024-11-09 05:04

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
35 matches recorded, all with every field reported as N/A (no description, indicator, process or target captured for any of them)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe

"C:\Users\Admin\AppData\Local\Temp\7df950a2c40ec9c514a539e575a51616152b553b6e83c05ebc5c5103a4561ec5.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziEi9057.exe

MD5 21027cb188f40490066154654e60e3c7
SHA1 9a981a31ad1a33e7e3f2830738e45d9435bf1f96
SHA256 ffd1488bb251d82d1378cc7f6b9633e55eef97d8d50978440b5a0c48f5249e6a
SHA512 8a5ec496d88808a3bbcadd788342cbbb01257c37d12bab91d4570e08d4da5415a2c17f060db4c82c73bd278f86b25296a15892c34c86bfced2e7a38f6f4d5851

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr365161.exe

MD5 b5d2eb69dbf7867c1308103cebbb8287
SHA1 9a587694e49fcb89a48b029aec9aa1bfafdfe3ac
SHA256 e16ee90aa92ab21eb34a8b4e4a5027f3e59224e94196f81f45312ee124abcaf9
SHA512 486ace5c0a8ebcf8642fe9ebfa65bcd96d054cf9bc6e6f60437dbec1db99961f0f40402b8a2f05f1435054edd40019e6d1806214296008d16701528d3b3db7ae

memory/1664-14-0x00007FFBAC0C3000-0x00007FFBAC0C5000-memory.dmp

memory/1664-15-0x00000000008A0000-0x00000000008AA000-memory.dmp

memory/1664-16-0x00007FFBAC0C3000-0x00007FFBAC0C5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku239007.exe

MD5 29a1d47a0a764e756409e83d84a5c0a3
SHA1 94fdc133eab57c39c1e692ddd64035ef39d6b427
SHA256 7850d76bc48a8b4bd776069b9e89daac6348d0bd972de32943c886ce1e24f60c
SHA512 4189fc3d08e800ab4043a73bb73922ed11cdba79fef73e7c609191f890a1ce8e14ecda120664290908e236c4bc477fa8980f0b92453addc33b0b4a13a0a2c0c8

memory/3852-22-0x00000000049F0000-0x0000000004A36000-memory.dmp

memory/3852-23-0x0000000004B10000-0x00000000050B4000-memory.dmp

memory/3852-24-0x0000000004A80000-0x0000000004AC4000-memory.dmp

memory/3852-66-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-50-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-34-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-26-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-25-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-82-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-88-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-84-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-80-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-78-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-76-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-74-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-72-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-71-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-68-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-64-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-62-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-60-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-58-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-56-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-54-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-52-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-48-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-46-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-44-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-42-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-40-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-38-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-36-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-32-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-30-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-28-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-86-0x0000000004A80000-0x0000000004ABF000-memory.dmp

memory/3852-931-0x00000000050E0000-0x00000000056F8000-memory.dmp

memory/3852-932-0x0000000005780000-0x000000000588A000-memory.dmp

memory/3852-933-0x00000000058C0000-0x00000000058D2000-memory.dmp

memory/3852-934-0x00000000058E0000-0x000000000591C000-memory.dmp

memory/3852-935-0x0000000005A30000-0x0000000005A7C000-memory.dmp