Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fscq1sybnb
Target 88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f
SHA256 88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f

Threat Level: Known bad

The file 88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer family

Redline family

RedLine payload

RedLine

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Technique mapping derived from the signatures recorded in this report:

T1562.001 Impair Defenses: Disable or Modify Tools (Windows Defender Real-Time Protection policy values and TamperProtection written by IXP001.TMP\it124458.exe)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (RunOnce wextract_cleanup0/1 entries; these are IExpress self-extractor cleanup commands rather than payload persistence)
T1614.001 System Location Discovery: System Language Discovery (reads of HKLM\SYSTEM\ControlSet001\Control\NLS\Language)
T1057 Process Discovery (process enumeration by IXP001.TMP\it124458.exe)

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:07

Signatures

Unsigned PE

No indicator detail recorded for this signature.

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:07

Reported

2024-11-09 05:10

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f.exe"

Signatures

Detects Healer an antivirus disabler dropper

2 matches; no indicator detail recorded.

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe N/A

RedLine

infostealer redline

RedLine payload

36 matches; no indicator detail recorded.

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe N/A

Caveat: wextract_cleanupN RunOnce values are written by the Windows IExpress/WEXTRACT self-extractor stub, not by the payload. The command (rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>") deletes the IXP00N.TMP extraction directory at the next logon and is then removed; it relaunches nothing. What these two entries actually show is two nested self-extracting stages, the root sample unpacking into IXP000.TMP and zixv2093.exe unpacking into IXP001.TMP. The "persistence" tag on this sample rests on this signature alone and should be read accordingly.
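The registry indicators in this report (Healer's Disable* writes under the Defender Real-Time Protection policy key, the TamperProtection value, and the two wextract_cleanup RunOnce entries) are a natural input for a detection rule. The following is an added example, not part of the sandbox report: a small Python classifier that takes registry-write events in the (process, key, value) shape of the tables above, rates Defender Real-Time Protection policy tampering and TamperProtection=0 as high severity, and separates IExpress cleanup RunOnce values from genuine autorun persistence. The sample events are copied from this report's indicator rows, with two constructed contrast cases appended; the rule names and severities are the editor's own.

```python
"""Added example: classify registry-write events shaped like the indicator rows above.

Events are (process, key_path, value) tuples; value None means the key was created.
Rule names and severities are the editor's choices, not the sandbox's.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

DEFENDER_RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_TAMPER_PROTECTION = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
# IExpress/WEXTRACT cleanup command: deletes the IXP00N.TMP directory at next logon, runs nothing else.
WEXTRACT_CLEANUP_RE = re.compile(r"^rundll32(\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\b", re.IGNORECASE)

Event = Tuple[str, str, Optional[str]]


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" | "medium" | "info"
    rule: str
    process: str
    detail: str


def normalize_key(path: str) -> str:
    """Drop the WOW6432Node redirection and lowercase so 32- and 64-bit writers compare equal."""
    return re.sub(r"\\WOW6432Node(?=\\)", "", path, flags=re.IGNORECASE).lower()


def classify_event(process: str, key: str, value: Optional[str]) -> Optional[Finding]:
    nkey, policy = normalize_key(key), normalize_key(DEFENDER_RTP_POLICY)
    if nkey == policy and value is None:
        return Finding("medium", "defender_rtp_policy_key_created", process, "Real-Time Protection")
    if nkey.startswith(policy + "\\"):
        name = key.rsplit("\\", 1)[-1]
        if name.lower().startswith("disable") and str(value) == "1":
            return Finding("high", "defender_rtp_policy_disabled", process, f"{name}=1")
        return None
    if nkey == normalize_key(DEFENDER_TAMPER_PROTECTION) and str(value) == "0":
        return Finding("high", "defender_tamper_protection_disabled", process, "TamperProtection=0")
    m = RUN_KEY_RE.search(key)
    if m and value is not None:
        subkey, name = m.group(1), m.group(2)
        if name.lower().startswith("wextract_cleanup") and WEXTRACT_CLEANUP_RE.match(value):
            return Finding("info", "iexpress_cleanup_runonce", process,
                           f"{name}: deletes the extraction directory at next logon; not payload persistence")
        return Finding("medium", "autorun_registry_persistence", process, f"{subkey}\\{name} = {value}")
    return None


def classify_events(events: Iterable[Event]) -> List[Finding]:
    return [f for f in (classify_event(*e) for e in events) if f is not None]


def count_by_severity(findings: Iterable[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe"
ROOT = r"C:\Users\Admin\AppData\Local\Temp\88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f.exe"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"

# Copied from the indicator rows of this report.
REPORT_EVENTS: List[Event] = [
    (HEALER, DEFENDER_RTP_POLICY + r"\DisableScanOnRealtimeEnable", "1"),
    (HEALER, DEFENDER_RTP_POLICY, None),
    (HEALER, DEFENDER_RTP_POLICY + r"\DisableBehaviorMonitoring", "1"),
    (HEALER, DEFENDER_RTP_POLICY + r"\DisableIOAVProtection", "1"),
    (HEALER, DEFENDER_RTP_POLICY + r"\DisableOnAccessProtection", "1"),
    (HEALER, DEFENDER_RTP_POLICY + r"\DisableRealtimeMonitoring", "1"),
    (HEALER, DEFENDER_TAMPER_PROTECTION, "0"),
    (ROOT, RUNONCE + r"\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (STAGE1, RUNONCE + r"\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
]
# Constructed contrast cases (not from the report): a genuine per-user autorun and an unrelated write.
EXTRA_EVENTS: List[Event] = [
    (r"C:\Users\Admin\AppData\Roaming\updater.exe",
     r"\REGISTRY\USER\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\Admin\AppData\Roaming\updater.exe"),
    (HEALER, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName", "Windows 10 Pro"),
]

if __name__ == "__main__":
    for f in classify_events(REPORT_EVENTS + EXTRA_EVENTS):
        print(f"[{f.severity:6}] {f.rule:36} {f.process.rsplit(chr(92), 1)[-1]}  {f.detail}")
```

Run against the report's events this yields six high findings (five Disable* values plus TamperProtection=0), one medium (the policy key creation) and two informational IExpress cleanup entries; the constructed Run\Updater value is the only event rated as autorun persistence. One caveat for triage: a registry write succeeding in the sandbox is not proof the setting took effect. On a host with Tamper Protection on, Defender ignores Real-Time Protection changes made through the registry, PowerShell or Group Policy, and the Features\TamperProtection value is itself protected; confirm the live state with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than reading the registry back.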

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp090683.exe N/A

Suspicious behavior: EnumeratesProcesses

2 events from C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe; no further detail recorded.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp090683.exe N/A

Processes

Execution chain, reconstructed from the IXP000.TMP/IXP001.TMP extraction directories and the wextract_cleanup0/wextract_cleanup1 RunOnce entries (each IExpress/WEXTRACT stage unpacks into the next IXP00N.TMP directory and registers its own cleanup key):

C:\Users\Admin\AppData\Local\Temp\88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\88be0d3f31d57124a331e08e91c99f9528dc26a98fe730523e4f8ad74525f48f.exe"
    outer self-extractor: writes wextract_cleanup0 for IXP000.TMP, reads NLS\Language
    |
    +-- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe
        inner self-extractor: writes wextract_cleanup1 for IXP001.TMP, reads NLS\Language
        |
        +-- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe
            Healer stage: creates the Defender Real-Time Protection policy key and sets five Disable* values, sets TamperProtection=0, enumerates processes, enables SeDebugPrivilege (memory dumps listed under it below carry PID 2192)
        |
        +-- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp090683.exe
            command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp090683.exe
            reads NLS\Language, enables SeDebugPrivilege (memory dumps listed under it below carry PID 2676); the RedLine payload matches in this report are not attributed to a specific process

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp (PTR lookup for 51.11.168.232)
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp (PTR lookup for 40.126.32.76)
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp (PTR lookup for 192.229.221.95)
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp (PTR lookup for 52.183.220.149)
RU 185.161.248.142:38452 (none) tcp (7 connections)

The only non-DNS endpoint is 185.161.248.142:38452, reached directly by IP with no preceding name resolution and contacted seven times within the 148 s network window; treat it as the candidate C2 for this detonation. The PTR queries are not attributed to a sample process in this report.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixv2093.exe

MD5 52bdb82791a20eabd4f1e4ffcfa9bfc4
SHA1 2ce39c9e12e41b35bc90f5dfee4856cfc42cb561
SHA256 fa740a5ba4ab993f9fda028dc9de20120a7cafcfaa9ffffc1378e9562775e563
SHA512 0ddedf08687dcb92801e45d6db59418da534f552595a42885a84d05e76b76351844f08c05b305733c8ab50b95c9ea4ae8b6fd999455cb4bbbe7e3fb2fb604b7b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it124458.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2192-14-0x00007FFE75773000-0x00007FFE75775000-memory.dmp

memory/2192-15-0x0000000000B80000-0x0000000000B8A000-memory.dmp

memory/2192-16-0x00007FFE75773000-0x00007FFE75775000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp090683.exe

MD5 d06a24c98b52d4ad31b4dc0a5d8ec563
SHA1 bccd0fb5b6951fa8e2a0278724c7f6830562b7a5
SHA256 5ae7494834fd42403fe4df86b80407ce04dcb73fa666b1e1ff8a9aedcc1cefe6
SHA512 09f3da370a77d105f6107474b5ce6d49ce67f6d53ef09c272f83edd29ae3e834a00f89f6d9849e1976a37b8bf3b5491314edb775a96fad178bac982e02bebaa9

memory/2676-22-0x0000000007150000-0x000000000718C000-memory.dmp

memory/2676-23-0x00000000072D0000-0x0000000007874000-memory.dmp

memory/2676-24-0x00000000071D0000-0x000000000720A000-memory.dmp

memory/2676-{25,26,28,30,32,35,36,38,40,42,44,46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88}-0x00000000071D0000-0x0000000007205000-memory.dmp (33 dumps of the same 0x35000-byte region taken at successive ticks)

memory/2676-817-0x0000000009D00000-0x000000000A318000-memory.dmp

memory/2676-818-0x000000000A350000-0x000000000A362000-memory.dmp

memory/2676-819-0x000000000A370000-0x000000000A47A000-memory.dmp

memory/2676-820-0x000000000A490000-0x000000000A4CC000-memory.dmp

memory/2676-821-0x0000000006C80000-0x0000000006CCC000-memory.dmp