Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fp1nnsybka
Target 1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84
SHA256 1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84

Threat Level: Known bad

The file 1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Redline family

Healer

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer family

RedLine

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:03

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:03

Reported

2024-11-09 05:06

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe
PID 2936 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe
PID 2936 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe
PID 5064 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe
PID 5064 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe
PID 5064 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe
PID 5064 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe
PID 5064 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe
PID 5064 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe

"C:\Users\Admin\AppData\Local\Temp\1e9f281bf8bdf2e847fefd7a791ca2c70db8f1ad0b4cd5bd5794a842e4d6eb84.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 116 -ip 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un641977.exe

MD5 03e2d633dd8d3b9d7f1059e4e7ad27c8
SHA1 a6edfc39536fc573d3bf0b0799f36eb523e3d347
SHA256 64ef312fb4b36559480c2b789aa4f2461e2b01945972a0b624abacb67bba54b1
SHA512 ae396667efae35b19f627406e02a1bab24ace858389adef4d5afab2112769859a3586fbf58dc8a5b3aeedaaae75d30e7e9dbaed05ef6e49e6390aee339b6359f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\65099622.exe

MD5 f9ab407f187f8e5cf997a132860334b1
SHA1 f84ae1c6314d60f4fba8f47709cfa76ab01e5996
SHA256 725df5d14ec61c974c129debae9910704b9199dc5ba1c0f70d5275807fca79f6
SHA512 1a235d605133d8d12b978196cd1219fcf9209367f3d8af4eaeb01b2211a3c1ee2ce323739893b2882810ab3d8f1ba236282e2a14fa1021413a712ac07ae3ba26


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk133285.exe

MD5 0b6a05a09e6f6c3c1fa480ad8d174aac
SHA1 91652bf99cbf223394d716b50184cd060c4bd866
SHA256 c3bba445b3160f1aaf80b77a7ac3ec4f36a157eb697a66be8d7f6c544afd77a0
SHA512 ac499bd04742c799a99645372b5a5b09b175c6c4284914074604b902ed5b3f57859921e34eb9b0b0f1f629a9240c41f95446ed6432c3da85e5d269a131ae8953
