Malware Analysis Report

2025-08-11 07:14

Sample ID 241109-fng5ya1lam
Target 85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f
SHA256 85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f
Tags: healer redline discovery dropper evasion infostealer persistence trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f

Threat Level: Known bad

The file 85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer

RedLine payload

RedLine

Healer family

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer, an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 05:00

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 05:00

Reported: 2024-11-09 05:03

Platform: win10v2004-20241007-en

Max time kernel: 150s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3332 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe
PID 3332 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe
PID 3332 wrote to memory of 4820 | N/A | C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe
PID 4820 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe
PID 4820 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe
PID 4820 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe
PID 4820 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe
PID 4820 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe
PID 4820 wrote to memory of 5024 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe

"C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4532 -ip 4532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4532 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
RU | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
RU | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
RU | 185.161.248.142:38452 | | tcp
RU | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
RU | 185.161.248.142:38452 | | tcp
RU | 185.161.248.142:38452 | | tcp
RU | 185.161.248.142:38452 | | tcp
US | 8.8.8.8:53 | | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe

MD5 8c48c05847bd9dbddaa4ebef48d35a10
SHA1 8cdfbd6b6c045443dca40db195f96b014093d77b
SHA256 e436f2350f6b012a4935a24326881d0583c05002444cc60a11c3ffd1a06f6849
SHA512 a5bfcd7b29be3d2a59f499122db682709d2d366598ba1566cae322ee4f66f3cfad89d3f464a74ea21cbeb3bbd164c2c0328b71df189b3aac518480b2afb406bb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe

MD5 756d07db535310244ea4d8f29629abe6
SHA1 760e467705b6392fe511cebba6876265a4145fc9
SHA256 793f0be82ac28894f71c03f1e9221158674a608b1b424309901d45a4da8f6378
SHA512 8e24a892c9147b60edf42b9b3cc33e38a3cbe0be7ff7da443b391bec9775521f1a945f037c31259b4008e84fb5712062798dd23e22a7bbf438beb303a16f4958


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe

MD5 79f9f72138971754bde274c56e372510
SHA1 6f7e38cbdd632a6e69f1e762c1fa6f7e325b3ad2
SHA256 b69892fd6e8e05d9c00d73337651a75b6d626ce9d0b456cd37a91fb7e77cf1cd
SHA512 36c7503c5f7fa293dd621cc4fab6d72ae016f5471feedba4478cccdd3022dd963c481609856102fe7ffb4afa27ce4e6906bf417528a246593b5b00a2b776bad2
