Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fp3g9sxmgs
Target 85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f
SHA256 85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f

Threat Level: Known bad

The file 85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

Redline family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer family

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:03

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:03

Reported

2024-11-09 05:06

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3200 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe
PID 3200 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe
PID 3200 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe
PID 3640 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe
PID 3640 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe
PID 3640 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe
PID 3640 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe
PID 3640 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe
PID 3640 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe

Processes

C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe

"C:\Users\Admin\AppData\Local\Temp\85d3feccfd30e3ca9e4869222433176c290f660ec27848c2825d6f167ff1aa0f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 768 -ip 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 1064

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp
RU 185.161.248.142:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un249754.exe

MD5 8c48c05847bd9dbddaa4ebef48d35a10
SHA1 8cdfbd6b6c045443dca40db195f96b014093d77b
SHA256 e436f2350f6b012a4935a24326881d0583c05002444cc60a11c3ffd1a06f6849
SHA512 a5bfcd7b29be3d2a59f499122db682709d2d366598ba1566cae322ee4f66f3cfad89d3f464a74ea21cbeb3bbd164c2c0328b71df189b3aac518480b2afb406bb

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr883687.exe

MD5 756d07db535310244ea4d8f29629abe6
SHA1 760e467705b6392fe511cebba6876265a4145fc9
SHA256 793f0be82ac28894f71c03f1e9221158674a608b1b424309901d45a4da8f6378
SHA512 8e24a892c9147b60edf42b9b3cc33e38a3cbe0be7ff7da443b391bec9775521f1a945f037c31259b4008e84fb5712062798dd23e22a7bbf438beb303a16f4958


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu217000.exe

MD5 79f9f72138971754bde274c56e372510
SHA1 6f7e38cbdd632a6e69f1e762c1fa6f7e325b3ad2
SHA256 b69892fd6e8e05d9c00d73337651a75b6d626ce9d0b456cd37a91fb7e77cf1cd
SHA512 36c7503c5f7fa293dd621cc4fab6d72ae016f5471feedba4478cccdd3022dd963c481609856102fe7ffb4afa27ce4e6906bf417528a246593b5b00a2b776bad2
