Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fpq48sxmfw
Target 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea
SHA256 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Healer family

RedLine

Redline family

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:03

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:03

Reported

2024-11-09 05:05

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4508 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe
PID 1820 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe
PID 1820 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe

Processes

C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe

"C:\Users\Admin\AppData\Local\Temp\828e1ac899b3e47895182811dfea5c20a4ffbf50707f7b95f74fff9e5095d7ea.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 1100

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 71.190.18.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un094663.exe

MD5 da6e5ef1a6e9eff9f48f61184d120ea0
SHA1 a9dc4fdd90eb607ae03aeb8b358879b989224796
SHA256 4bd60f370fa64bdab139ca68536c90a6370b1826a6d7117efbea3d06c3ea0e99
SHA512 b30b8dce488d430f630d5d7020b5e870a8bd1a047081d9a99785ecf966562723b9331fd80544d92d42744fc356da8462a38c95ab2d7e621cb4c1f8cfee915024

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\53224800.exe

MD5 fdda21ab82a198d66ed008afb7fec34d
SHA1 55380a21f145124b26e92c519ca1bf1c4e639f7d
SHA256 52ffddea2f5bd6f476a58660098e24dfb6e2568f9969122a20cb1bd677c6cade
SHA512 897f02fe0723a22ff1be206e0228498cdaece7d4bf9baa6813146db0bbdf1426db86094f619cd6af501f694f4889230fb881a1ca1d9be2e8f607f01e90fbda5a

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk931600.exe

MD5 797d059ba279a43c0689e69416d41082
SHA1 12b4af97ae8d97e2506ae6158bf16104a5b9fddc
SHA256 ed62b98920962c503ae98e2637d3b5623a9d4960134d913bc157720d9608b98d
SHA512 52a73e72df5a7fce956c0cfe452d49ce0bc93288f883e047b598566e123f6f6f98e66335bc12e33f497a7684bc055405f80c3820515f2c78c14d1a67719d1fbe
