Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fs459sybrm
Target 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b
SHA256 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b

Threat Level: Known bad

The file 59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer family

RedLine

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:09

Reported

2024-11-09 05:11

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A (17 matches; no description, indicator, process or target reported)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (20 matches; no description, indicator, process or target reported)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe
PID 2252 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe
PID 2252 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe
PID 2192 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe
PID 2192 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe
PID 2192 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe
PID 2192 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe
PID 2192 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe
PID 2192 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe

Processes

C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe

"C:\Users\Admin\AppData\Local\Temp\59b1696761224935ad29bd6cf46b6e4f505e8012be4d88828ce88c280204c48b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2540 -ip 2540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53            13.86.106.20.in-addr.arpa       udp
US       8.8.8.8:53            172.214.232.199.in-addr.arpa    udp
US       8.8.8.8:53            17.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53            154.239.44.20.in-addr.arpa      udp
US       8.8.8.8:53            228.249.119.40.in-addr.arpa     udp
RU       176.113.115.145:4125  N/A                             tcp
US       8.8.8.8:53            212.20.149.52.in-addr.arpa      udp
US       8.8.8.8:53            241.42.69.40.in-addr.arpa       udp
RU       176.113.115.145:4125  N/A                             tcp
US       8.8.8.8:53            172.210.232.199.in-addr.arpa    udp
RU       176.113.115.145:4125  N/A                             tcp
US       8.8.8.8:53            21.236.111.52.in-addr.arpa      udp
RU       176.113.115.145:4125  N/A                             tcp
RU       176.113.115.145:4125  N/A                             tcp
RU       176.113.115.145:4125  N/A                             tcp
US       8.8.8.8:53            168.253.116.51.in-addr.arpa     udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un193496.exe

MD5 0b6757967148f63d4646e3a9962fdba1
SHA1 1d0f9a80dd5e993b2137ed1ec4d1d6341e620568
SHA256 569347686f1b4bfa455c32796f0d2316f046ec6304d4d16cb60d3eb5398b5b62
SHA512 0cc45c188edde411652b0b735f5356cef1b79af77fc1d45f26f25e065957de9078eec6acf7165a23d4d71b218bedf7f729d5b92dbfde184e4a8cc707d24f1b38

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro5652.exe

MD5 5a6c217d8e38307a56e57cdf154abc7c
SHA1 ede9eef581013d7050befce767ebd7b9cbcfd3d2
SHA256 7b75883394b37d6d42f9a1fd0ec3d8516e48441935ea51b128a7f6da9c0f8f7f
SHA512 4ea36a456e2cb0e12ef560f483920b536adf07021e34ae7e67af1941ca766e7482dd768dfbc480b1dd7bdcf65c7614297700330705a403d17ece0d5ce93b8759

memory/2540-16-0x0000000002CE0000-0x0000000002D0D000-memory.dmp

memory/2540-15-0x0000000002D50000-0x0000000002E50000-memory.dmp

memory/2540-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2540-18-0x0000000004A40000-0x0000000004A5A000-memory.dmp

memory/2540-19-0x0000000007150000-0x00000000076F4000-memory.dmp

memory/2540-20-0x0000000007110000-0x0000000007128000-memory.dmp

memory/2540-23-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-48-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-46-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-44-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-42-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-40-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-38-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-36-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-34-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-32-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-30-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-28-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-26-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-24-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-21-0x0000000007110000-0x0000000007122000-memory.dmp

memory/2540-49-0x0000000002D50000-0x0000000002E50000-memory.dmp

memory/2540-50-0x0000000002CE0000-0x0000000002D0D000-memory.dmp

memory/2540-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2540-51-0x0000000000400000-0x0000000002B75000-memory.dmp

memory/2540-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu3104.exe

MD5 812153ffaf3811afdc07d1e5811043e6
SHA1 7ee9e034ce8bb5cd3cf1bbf084365f210c13b0b0
SHA256 935a1a653308fe7c376f305eda28b5c62ef9aa8ffa4863a6c90bfb29ba05d0c0
SHA512 66d8788d45826a3bd173f5bc4b30e02d640ad4226ed5978988027b551c7a3657ce0f5244cf2eac8806ac4259fa0e9942f61f445ef2a7de959a17dc7ee9a3efe6

memory/2540-54-0x0000000000400000-0x0000000002B75000-memory.dmp

memory/4464-60-0x0000000004B50000-0x0000000004B96000-memory.dmp

memory/4464-61-0x0000000007740000-0x0000000007784000-memory.dmp

memory/4464-93-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-95-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-91-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-89-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-87-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-85-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-83-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-81-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-77-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-75-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-73-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-71-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-69-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-67-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-65-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-63-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-79-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-62-0x0000000007740000-0x000000000777F000-memory.dmp

memory/4464-968-0x00000000077C0000-0x0000000007DD8000-memory.dmp

memory/4464-969-0x0000000007E60000-0x0000000007F6A000-memory.dmp

memory/4464-970-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

memory/4464-971-0x0000000007FC0000-0x0000000007FFC000-memory.dmp

memory/4464-972-0x0000000008110000-0x000000000815C000-memory.dmp