Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fr37ksybpm
Target 150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238
SHA256 150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238

Threat Level: Known bad

The file 150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Redline family

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

RedLine

RedLine payload

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:07

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:07

Reported

2024-11-09 05:09

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe
PID 2012 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe
PID 2012 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe
PID 2344 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe
PID 2344 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe
PID 2344 wrote to memory of 4132 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe
PID 4132 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe
PID 4132 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe
PID 4132 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe
PID 1440 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe
PID 1440 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe
PID 1440 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe
PID 1912 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe
PID 1912 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe
PID 1912 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe
PID 1912 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe
PID 1912 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe

Processes

C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe

"C:\Users\Admin\AppData\Local\Temp\150eaf9466d35379e2bd637b81fef72c01554cb69605f8e2fab0c653393a8238.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plIW39QJ44.exe

MD5 63006e779a1321af9fc63a4f5e08d1ff
SHA1 7c4207fe719e32627fd1f863f77f0c2b24971f5c
SHA256 01bc15a2a4eec2e8de037392ce4ca1f1416fee9a86c482c24fb6644293d65205
SHA512 b4dfb6dda517ec06280a97d7a00bb30c209db8cc2728e176dabd881aa2079c24859b48da939941ffcaf7a93a7f72e2a30278b15e8c369d96b7c28d72846a8063

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plbi10NU96.exe

MD5 7801bb449714abdaf33bc82bf77eea7f
SHA1 aef687a3bf80ba07c64acd53d072263317bbd39b
SHA256 b66b400f860479d01b647e1ce479bf2355e3ea1d1666234942aa60214d4edb78
SHA512 9c9b9666816c93e5e9f27866f826037e3d8e27f98102467f25d0ba2dabee22c0e787c457077a425dc453ad549e29fa22871b81de68469685ec42ce35b3a88442

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plEI01Xn27.exe

MD5 d2f2658e42a8fa6249f5f49a4054f33c
SHA1 eeea2356f581cf1576b96d61cd7635f193ff8513
SHA256 875624098547ae7e8210b5c345700e12196d06b66888fa41204efda37423011c
SHA512 7ac142ca44c73a0805299d49e5611d4c8e1e2c989032de2016d7961fa113b4addd46ab4e3b3bab9c72acd38c7c30aa9ae8472df041f5366b1f4226e76de7b285

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plRl69xi77.exe

MD5 ec3aa3fc265d64c3372c94191d8fed99
SHA1 dea70c2a00754a52cfcada8528c26384950583fe
SHA256 4e8295c6a816b69c0e74a96c706dcb373f740d3f47d4de63881f68843f921bf3
SHA512 a804a2e9cacfded79118b9e08ff22d737c53f424295b8bee52a8afb792bbb31258ad4aeba110fcc0aa8807ad222c88bb417f483c581d0e5b3e912a514289664a

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buaJ79tT21.exe

MD5 1d961f38462df3d93ce0a4773ba8275b
SHA1 2ea2ce026296b7fc1988e9e962df91b23c62ace7
SHA256 d789a63d78a848dcb7770511716005b924a6502ec3ea6eead783ec270ef3a91f
SHA512 8dcca398e0b6eff2c4b1671d522d4be49d24850a6146d7a8d67b72bc887ead80d80ae91fd3a18b867e1c2a68b29ca8f4638311f8e219a9844c1942ceb5e2e3a6

memory/5100-35-0x0000000000CF0000-0x0000000000CFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caso25Qc87.exe

MD5 8543cf3384382f56703a6ee451ac68f3
SHA1 353211899c2c986e0d038a11f566e02e3113e113
SHA256 2f1d315d7594bdb561cc82a3e1893703535688dff362e547d1e0ce98362c0acf
SHA512 609055d116696778d46331609f81697e5b01e34bc70e3ddbd9a27a23f5024ed37902c38ee329e05c29e06422e9352ebb266e9f260cafad9e20f2b262248f4186
