Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fqbe6sybke
Target 758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e
SHA256 758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview


Threat Level: Known bad

The file 758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer family

Healer

RedLine payload

RedLine

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer, an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:04

Reported

2024-11-09 05:06

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0548186.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0548186.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1375229.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0548186.exe
PID 2304 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0548186.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe
PID 2304 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0548186.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1375229.exe

Processes

C:\Users\Admin\AppData\Local\Temp\758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe

"C:\Users\Admin\AppData\Local\Temp\758e36f0b6920f57a3b0b43b6f3a6f217895a19e43b42e440135857aa759fb9e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0548186.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0548186.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1375229.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1375229.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 77.91.124.251:19069 tcp
FI 77.91.124.251:19069 tcp
FI 77.91.124.251:19069 tcp
FI 77.91.124.251:19069 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0548186.exe

MD5 f2135ae35446adb296e45b563e8ea95f
SHA1 6cfa21a42af381ed44c5885c16c095e57b6c6880
SHA256 8a19314234a24bbd87e1eb351403ca5cd067f313383763f6a544ffebe6d81688
SHA512 b227693e204d5f87bc1ce1680062ddc921a61116571a37b3a3cdc0b4ad9bf80046cb2e4ebbff1da32b69964715d23dbaf7d95265dc869252f78726b47e293dd0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7578256.exe

MD5 20e0ddd55ed3dc015658737d2eeaf494
SHA1 75d92d2a1bb6dc287b81d00a2aed0e41c058f906
SHA256 a8a357cb1d84123cf0ccc1945f660cff594900dc7ea14489d392a0556633733a
SHA512 e5e7f0c676c8598adb13da85b7879f51ff37bff9abc200accf5ad4d85851b728ff76c423ab459123064cbadf408b33b2d07845fa4ad7f6acde37b0bda96cb557

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l1375229.exe

MD5 fb35c5c86da33ce45453cf6618bbfedb
SHA1 c93d8cca5dab3402cfcf59c68c6befe101b8bf7f
SHA256 bbc888b7381f3d04c73cf7f81c6c46bf30532ab13f2f2c2531774ac39624a8ac
SHA512 4e09207eda58133ca53bd871e51a1d21496596613a9c8f7e6e9a63e913fedb96abc584a91cfdc28c78712dbe2235a83f884b1c26e6cc860be6d6508928c34852
