Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fqw2wa1ldl
Target 9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d
SHA256 9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d

Threat Level: Known bad

The file 9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

RedLine payload

Detects Healer, an antivirus-disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:05

Reported

2024-11-09 05:07

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
(17 rows reported, every field N/A: the signature matched, but the report carries no indicator, process or target detail for it)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(20 rows reported, every field N/A: the signature matched, but the report carries no indicator, process or target detail for it)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A
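The two tables above ("Modifies Windows Defender Real-time Protection settings" and "Windows security modification") together show the complete Healer pattern: five Real-Time Protection policy values set to 1 followed by TamperProtection set to 0, all from the same binary in a user temp directory. The following is an added example, not code from the report or the sandbox: a small rule that flags exactly these writes over registry-set events. The RegEvent shape, the severity rule and the final benign event are assumptions of this example; the Defender events themselves are constructed from the rows above.

```python
"""Flag registry writes that switch off Windows Defender components.

Added example, not part of the sandbox report. The Defender events below
are constructed from the report's registry rows; the RegEvent shape, the
severity rule and the last (benign, hypothetical) event are this example's
own assumptions, not a format the sandbox emits.
"""
from dataclasses import dataclass
from typing import Optional

# Real-Time Protection policy values that disable a component when set to 1.
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable",
}

# HKLM\SOFTWARE spellings; WOW6432Node variants first so they match before
# the shorter prefix does.
_HKLM_SOFTWARE = [
    r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node",
    r"HKLM\SOFTWARE\WOW6432Node",
    r"\REGISTRY\MACHINE\SOFTWARE",
    r"HKEY_LOCAL_MACHINE\SOFTWARE",
    r"HKLM\SOFTWARE",
]


def normalize_key(path: str) -> str:
    """Canonicalise to 'SOFTWARE\\...' so the 32-bit (WOW6432Node) view the
    report shows and the native view hit the same rule."""
    p = path.strip().lstrip("\\")
    for prefix in _HKLM_SOFTWARE:
        pre = prefix.lstrip("\\")
        if p.lower().startswith(pre.lower()):
            return "SOFTWARE\\" + p[len(pre):].lstrip("\\")
    return p


@dataclass(frozen=True)
class RegEvent:
    op: str                 # "set" or "create"
    path: str
    value: Optional[str]    # value name; None for key creation
    data: Optional[str]
    process: str            # image path of the writing process


def classify(ev: RegEvent) -> Optional[str]:
    """Return a finding name, or None for writes this rule does not cover."""
    if ev.op != "set" or ev.value is None:
        return None
    key = normalize_key(ev.path).lower()
    data = (ev.data or "").strip('"')
    if (key == r"software\policies\microsoft\windows defender\real-time protection"
            and ev.value in RTP_DISABLE_VALUES and data == "1"):
        return f"defender.rtp.{ev.value}"
    if (key == r"software\microsoft\windows defender\features"
            and ev.value == "TamperProtection" and data == "0"):
        return "defender.tamper_protection_off"
    return None


def severity(ev: RegEvent) -> str:
    """A Defender-disabling write from a binary under a user's temp directory
    (as in this report) ranks above the same write from an admin tool."""
    return "high" if "\\appdata\\local\\temp\\" in ev.process.lower() else "medium"


def scan(events):
    """Return (finding, severity, process) for every event that matches."""
    return [(f, severity(ev), ev.process) for ev in events if (f := classify(ev))]


HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
FEATURES = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features"

# Constructed from the report's rows; the last event is a hypothetical
# benign Run-key write added to show the rule stays quiet on it.
EVENTS = [
    RegEvent("create", RTP, None, None, HEALER),
    RegEvent("set", RTP, "DisableRealtimeMonitoring", "1", HEALER),
    RegEvent("set", RTP, "DisableScanOnRealtimeEnable", "1", HEALER),
    RegEvent("set", RTP, "DisableBehaviorMonitoring", "1", HEALER),
    RegEvent("set", RTP, "DisableIOAVProtection", "1", HEALER),
    RegEvent("set", RTP, "DisableOnAccessProtection", "1", HEALER),
    RegEvent("create", FEATURES, None, None, HEALER),
    RegEvent("set", FEATURES, "TamperProtection", "0", HEALER),
    RegEvent("set", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "Updater", r"C:\Program Files\Example\updater.exe",
             r"C:\Program Files\Example\setup.exe"),
]

if __name__ == "__main__":
    for finding, sev, proc in scan(EVENTS):
        print(f"{sev:6} {finding:45} {proc}")
```

Two caveats when using this on a real host rather than on sandbox rows. First, a successful write to these keys is what the sandbox logs, not proof that Defender was actually disabled: on a host where Tamper Protection is on, these registry changes are blocked or ignored, so confirm the live state with Get-MpComputerStatus (or Get-MpPreference) rather than trusting the registry alone. Second, audit both the native HKLM\SOFTWARE\Policies\Microsoft\Windows Defender path and the WOW6432Node path the report shows; the normaliser above treats them as one key for that reason.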

Adds Run key to start application

persistence
Note: both RunOnce values are the standard cleanup entries written by the Windows IExpress self-extractor (wextract). They schedule rundll32 advpack.dll,DelNodeRunDLL32 to delete the IXPnnn.TMP extraction directory at the next logon and do not relaunch the payload; their value here is as a fingerprint of two nested IExpress packages (IXP000.TMP created by the submitted sample, IXP001.TMP by the inner package un136621.exe).
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu495147.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu495147.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 5072 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe
PID 5072 wrote to memory of 1064 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe
PID 5072 wrote to memory of 1312 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu495147.exe
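The WriteProcessMemory rows are the only place the report ties PIDs to images, and they encode the parent/child chain (each parent writes into the child it has just created, three times per launch). The following is an added example, not code from the report or the sandbox, that rebuilds the process tree from those rows and counts the nested IExpress layers (IXPnnn.TMP directories) along the chain. It assumes the report's fixed column order (description, indicator, process, target) and space-free paths; the rows themselves are copied from the table above.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report. WPM_ROWS is copied from the
report; the parser assumes its column order and space-free image paths.
"""
import re
from collections import Counter, defaultdict

# Rows copied from the report (the sandbox logs one row per write).
WPM_ROWS = r"""
PID 2788 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe
PID 2788 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe
PID 2788 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe
PID 5072 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe
PID 5072 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe
PID 5072 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe
PID 5072 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu495147.exe
PID 5072 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu495147.exe
PID 5072 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu495147.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
IXP_RE = re.compile(r"\\(IXP\d{3}\.TMP)\\", re.IGNORECASE)  # wextract temp dir


def parse_rows(text):
    """Return (writes Counter keyed (parent, child), names dict pid -> image)."""
    writes, names = Counter(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        parent, child, _indicator, ppath, cpath = m.groups()
        parent, child = int(parent), int(child)
        writes[(parent, child)] += 1
        names.setdefault(parent, ppath)
        names.setdefault(child, cpath)
    return writes, names


def build_tree(text):
    """Collapse repeated writes into one edge per (parent, child) pair."""
    writes, names = parse_rows(text)
    children = defaultdict(list)
    for parent, child in writes:          # insertion order = report order
        if child not in children[parent]:
            children[parent].append(child)
    all_children = {c for _, c in writes}
    roots = list(dict.fromkeys(p for p, _ in writes if p not in all_children))
    return {"roots": roots, "children": dict(children),
            "names": names, "writes": dict(writes)}


def walk(tree, pid=None, depth=0):
    """Yield (depth, pid, image) depth-first, starting at the roots."""
    pids = tree["roots"] if pid is None else tree["children"].get(pid, [])
    for p in pids:
        yield depth, p, tree["names"][p]
        yield from walk(tree, p, depth + 1)


def iexpress_stages(tree):
    """IExpress extraction dirs in tree order; each is one more SFX layer."""
    seen = []
    for _, _, image in walk(tree):
        m = IXP_RE.search(image)
        if m and m.group(1).upper() not in seen:
            seen.append(m.group(1).upper())
    return seen


def render(tree):
    """Indented text tree of image names and PIDs."""
    return "\n".join(f"{'    ' * d}{img.rsplit(chr(92), 1)[-1]} (PID {pid})"
                     for d, pid, img in walk(tree))


if __name__ == "__main__":
    t = build_tree(WPM_ROWS)
    print(render(t))
    print("IExpress layers:", " -> ".join(iexpress_stages(t)))
```

Run stand-alone, it prints the sample at the root, un136621.exe under it, and pr860330.exe (Healer) and qu495147.exe (RedLine) as siblings under un136621.exe, with two IExpress layers. The same parser works on any report in this layout; a chain with three or more IXPnnn.TMP stages is a stronger packer signal than a single self-extractor.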

Processes

(PIDs taken from the WriteProcessMemory and WerFault rows above; indentation shows parent/child.)

C:\Users\Admin\AppData\Local\Temp\9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d.exe (PID 2788)
    "C:\Users\Admin\AppData\Local\Temp\9485ef0fd41cfa9c499db8806fcf9162709d6bfe0cc9e95d7c1737875c69923d.exe"

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe (PID 5072)
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe (PID 1064; crashed, see WerFault below)
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe

        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu495147.exe (PID 1312)
            C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu495147.exe

C:\Windows\SysWOW64\WerFault.exe (error reporting for PID 1064, pr860330.exe)
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1064 -ip 1064

C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 1080

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.153:38452 - tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 185.161.248.153:38452 - tcp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 185.161.248.153:38452 - tcp
RU 185.161.248.153:38452 - tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.153:38452 - tcp
RU 185.161.248.153:38452 - tcp
RU 185.161.248.153:38452 - tcp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
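The network table mixes two very different things: reverse (PTR) lookups sent to 8.8.8.8, which only reveal which addresses the host had contact with, and seven repeated TCP connections to a single non-standard port, which is the one endpoint worth blocking and hunting for on a RedLine-tagged sample. The following is an added example, not code from the report or the sandbox, that separates the two and turns the in-addr.arpa names back into addresses. NETWORK_ROWS is copied from the table above; the parser assumes that layout (Country Destination Domain Proto, with the Domain column absent on TCP rows).

```python
"""Triage the report's Network table: PTR lookups versus real connections.

Added example, not part of the sandbox report. NETWORK_ROWS is copied from
the report; rows without a Domain column are recognised by token count,
which assumes the report's column order.
"""
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 100.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
RU 185.161.248.153:38452 tcp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
"""

PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """One dict per row; TCP rows have no Domain column in the report."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) == 4:
            rows.append({"cc": t[0], "dst": t[1], "domain": t[2], "proto": t[3]})
        elif len(t) == 3:
            rows.append({"cc": t[0], "dst": t[1], "domain": None, "proto": t[2]})
    return rows


def ptr_to_ip(name):
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196': a PTR name is the
    address octets in reverse order. Returns None for anything else."""
    name = name.lower()
    if not name.endswith(PTR_SUFFIX):
        return None
    labels = name[: -len(PTR_SUFFIX)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) < 256 for l in labels):
        return None
    return ".".join(reversed(labels))


def summarize(text):
    """Split rows into resolved-peer addresses (from PTR lookups), other DNS
    queries, and direct connections counted per endpoint."""
    ptr_ips, dns_other, conns = [], [], Counter()
    for r in parse_rows(text):
        ip = ptr_to_ip(r["domain"]) if r["domain"] else None
        if ip:
            if ip not in ptr_ips:
                ptr_ips.append(ip)
        elif r["proto"] == "udp" and r["dst"].endswith(":53"):
            dns_other.append(r["domain"])
        else:
            conns[(r["cc"], r["dst"], r["proto"])] += 1
    # Direct, non-DNS endpoints ordered by repeat count: the C2 candidates.
    candidates = sorted(conns.items(), key=lambda kv: -kv[1])
    return {"ptr_ips": ptr_ips, "dns_other": dns_other,
            "connections": dict(conns), "candidates": candidates}


if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for (cc, dst, proto), n in s["candidates"]:
        print(f"candidate C2: {dst}/{proto} ({cc}), {n} connections")
    print("addresses reverse-looked-up:", ", ".join(s["ptr_ips"]))
```

On this report the only direct endpoint is 185.161.248.153:38452/tcp, contacted seven times; the twelve PTR queries expand to the addresses the host looked up (several in Microsoft ranges typical of Windows background traffic in a sandbox) and should be treated as context, not as indicators in their own right.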

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un136621.exe

MD5 56fcd41a4728151efd13d3f658f3c26f
SHA1 f32ebb7b3d9028ef3e4832e343e82e4d8036534e
SHA256 f6f2c225a13482fac413f3f67545e4ca5e7c8e316375a8b769f08551875e52ab
SHA512 40dba1af361c70dc2343fbde35d4bc9b1b905bdd3e63c433a27d3928cdae7b22bfcbea54cadfcd99246e3b8b2323b1e1fd458e71b09fbb1e8d5451924aa62fd3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pr860330.exe

MD5 d9d4928aef8b361713cebf04c4fec3f0
SHA1 4f54914a09561c2f62f4c53a399a959f563d2763
SHA256 7a4feca5c652d29873f98916a41ed7aa35a6ff8a88a88ebaa858572e9c39d3b2
SHA512 815ba9d13d5543628df4b7c13ffc284652cb8ae8d36ef54b4f77d89ee78e99025c5b1562a0ddedf06c932cda839b5acb5f705b32c4a21aecc10eb6ba6493c203

memory/1064-15-0x0000000002E70000-0x0000000002F70000-memory.dmp

memory/1064-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1064-17-0x0000000004810000-0x000000000482A000-memory.dmp

memory/1064-18-0x0000000007400000-0x00000000079A4000-memory.dmp

memory/1064-19-0x0000000004C50000-0x0000000004C68000-memory.dmp

memory/1064-20-0x0000000000400000-0x0000000002BB4000-memory.dmp

memory/1064-24-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-26-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-48-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-47-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-44-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-42-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-40-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-38-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-36-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-34-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-32-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-30-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-28-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-22-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-21-0x0000000004C50000-0x0000000004C62000-memory.dmp

memory/1064-49-0x0000000002E70000-0x0000000002F70000-memory.dmp

memory/1064-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1064-50-0x0000000000400000-0x0000000002BB4000-memory.dmp

memory/1064-53-0x0000000000400000-0x0000000002BB4000-memory.dmp

memory/1064-54-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu495147.exe

MD5 8c8fff74d0171dfdb826fe049a1c44a1
SHA1 66188e74790f5e34e9d61404532d00997d8b2236
SHA256 bf28d29b62e729e57675f35e81a5cdcec860ee003db686ee1a3c96975cbf7c6e
SHA512 72acb5031ee51241afb61694cd787ee51823277fd2bc96de042e552622a49792aff22e6f07e263194d15975429f9131ef46e13b77dfb2f93929454daac8649b9

memory/1312-59-0x0000000007180000-0x00000000071BC000-memory.dmp

memory/1312-60-0x00000000077B0000-0x00000000077EA000-memory.dmp

memory/1312-86-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-90-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-94-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-92-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-88-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-84-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-82-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-80-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-78-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-76-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-74-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-72-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-70-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-68-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-66-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-64-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-62-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-61-0x00000000077B0000-0x00000000077E5000-memory.dmp

memory/1312-853-0x0000000009CB0000-0x000000000A2C8000-memory.dmp

memory/1312-854-0x000000000A350000-0x000000000A362000-memory.dmp

memory/1312-855-0x000000000A370000-0x000000000A47A000-memory.dmp

memory/1312-856-0x000000000A4A0000-0x000000000A4DC000-memory.dmp

memory/1312-857-0x00000000049E0000-0x0000000004A2C000-memory.dmp