Malware Analysis Report

2025-08-06 00:59

Sample ID 241109-fsg1qsxna1
Target 39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8
SHA256 39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8

Threat Level: Known bad

The file 39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

Redline family

RedLine payload

Healer family

Detects Healer an antivirus disabler dropper

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:07

Reported

2024-11-09 05:10

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(17 matches recorded; the report exports no description, indicator, process or target for any of them)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A

All five values are written by 35397102.exe under Policies\Microsoft\Windows Defender\Real-Time Protection (seen through the WOW6432Node view because the writer is a 32-bit process, as its SysWOW64\WerFault.exe crash handler in the Processes section confirms). Policy values take precedence over the local Defender configuration and survive the dropper's exit, so remediation must delete them and then confirm the effective state with Get-MpComputerStatus (RealTimeProtectionEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled, OnAccessProtectionEnabled) rather than trusting the Security Center UI.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(20 matches recorded; the report exports no description, indicator, process or target for any of them)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A

Writing 0 to Features\TamperProtection records intent, not effect: that value is maintained by Defender itself, and on a host where Tamper Protection is enforced the write does not switch it off. Check the actual state with Get-MpComputerStatus (IsTamperProtected) before concluding that Defender was disabled on an affected host.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe N/A

Both RunOnce entries are the standard self-cleanup registered by WExtract, the self-extractor behind the IXP000.TMP and IXP001.TMP directories: at the next logon rundll32.exe calls advpack.dll's DelNodeRunDLL32 to delete the extraction directory. They do not relaunch any payload, so this "persistence" hit is a generic Run-key match rather than evidence of payload persistence; the report records no other autostart entry. What the rows do establish is the nesting of the package: the outer sample unpacks into IXP000.TMP, and un559504.exe, itself an extractor, unpacks 35397102.exe and rk155659.exe into IXP001.TMP.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe N/A
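The registry rows in the four signature tables above (the Defender Real-Time Protection policy writes, the Features\TamperProtection write, the two wextract_cleanup RunOnce entries and the NLS\Language reads) are exactly the telemetry a detection rule consumes. The script below is an added example written for this page, not the sandbox's code: it parses rows in the format this report prints, folds the WOW6432Node view into one spelling so a rule matches either registry view, and tags each event with a severity. The rule names and severities are the example's own choices; in particular it files the advpack.dll,DelNodeRunDLL32 RunOnce entries as self-extractor cleanup and keeps the medium "run key" rating for any other Run/RunOnce value.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Rows copied verbatim from the behavioral1 signature tables in this report.
REGISTRY_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe N/A
""".strip().splitlines()

# One row = operation, registry path, optional '= "value"', writing process, target.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \((?P<type>int|str)\)|Key created|Key opened) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<proc>\S+) N/A$'
)

@dataclass
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    proc: str

@dataclass
class Finding:
    severity: str   # example's own scale: high / medium / low / info
    rule: str
    proc: str
    detail: str

def parse_events(lines):
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(RegEvent(m["op"], m["path"], m["value"], m["proc"]))
    return events

def canonical(path):
    # Fold the 32-bit redirected view into one spelling so rules match either view.
    return path.upper().replace("\\WOW6432NODE", "")

def classify(ev):
    p = canonical(ev.path)
    name = p.rsplit("\\", 1)[-1]
    if ev.op.startswith("Set value"):
        if "\\POLICIES\\MICROSOFT\\WINDOWS DEFENDER\\" in p and name.startswith("DISABLE") and ev.value == "1":
            return Finding("high", "defender_policy_disable", ev.proc, name)
        if p.endswith("\\MICROSOFT\\WINDOWS DEFENDER\\FEATURES\\TAMPERPROTECTION") and ev.value == "0":
            return Finding("high", "defender_tamper_protection_write", ev.proc, name)
        if "\\CURRENTVERSION\\RUNONCE\\" in p or "\\CURRENTVERSION\\RUN\\" in p:
            if re.fullmatch(r"WEXTRACT_CLEANUP\d+", name) and "ADVPACK.DLL,DELNODERUNDLL32" in ev.value.upper():
                # WExtract self-cleanup: the quoted argument is the extraction directory.
                m = re.search(r'\\"(.*)\\"', ev.value)
                stage = m.group(1).replace("\\\\", "\\") if m else ev.value
                return Finding("info", "wextract_cleanup", ev.proc, stage)
            return Finding("medium", "run_key_persistence", ev.proc, f"{name} = {ev.value}")
    if ev.op == "Key opened" and p.endswith("\\CONTROL\\NLS\\LANGUAGE"):
        return Finding("low", "language_discovery", ev.proc, name)
    return None

def analyze(lines):
    return [f for f in map(classify, parse_events(lines)) if f is not None]

def stage_dirs(findings):
    """Extraction directories named by the WExtract cleanup entries, in order."""
    return [f.detail for f in findings if f.rule == "wextract_cleanup"]

if __name__ == "__main__":
    for f in analyze(REGISTRY_EVENTS):
        print(f"{f.severity:6} {f.rule:32} {f.proc.rsplit(chr(92), 1)[-1]:14} {f.detail}")
```

Run against the rows above, every high-severity finding comes from 35397102.exe, and the two cleanup entries yield the stage directories IXP000.TMP and IXP001.TMP, which is the package nesting a responder needs when looking for the dropped files.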

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2848 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe
PID 2848 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe
PID 2848 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe
PID 4820 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe
PID 4820 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe
PID 4820 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe
PID 4820 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe
PID 4820 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe
PID 4820 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe

Processes

C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe

"C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1196 -ip 1196

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1016

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe
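The Processes list above carries no PIDs and no parent column, but the WriteProcessMemory rows do: each names both PIDs and both image paths, and in a WExtract chain like this one each parent writes into the child it has just created. The script below is an added example written for this page, not the sandbox's code. It rebuilds the process tree from those rows, treating each distinct writer/target pair as one parent/child edge (an assumption that holds for a dropper writing into its own children but not for injection into an unrelated process), and resolves the -p argument of the WerFault command lines to the image that crashed.

```python
import re

# Rows copied from the WriteProcessMemory table and the WerFault command lines
# in the Processes section of this report (duplicate rows kept as printed).
WPM_ROWS = r"""
PID 2848 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe
PID 2848 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe
PID 2848 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\39a0c4fec134183ea4d8ad807f172fc834f74394a1571ea1aba6d3a30815b5d8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe
PID 4820 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe
PID 4820 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe
PID 4820 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe
PID 4820 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe
PID 4820 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe
PID 4820 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe
""".strip().splitlines()

WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1196 -ip 1196",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1016",
]

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

def build_tree(rows):
    """Return (images, children): pid -> image path, and parent pid -> child pids.
    Assumption of this example: a writer/target pair is one parent/child edge,
    however many times the row repeats."""
    images, edges = {}, set()
    for row in rows:
        m = WPM_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_img"], m["dst_img"]
        edges.add((src, dst))
    children = {}
    for src, dst in sorted(edges):
        children.setdefault(src, []).append(dst)
    return images, children

def roots(images, children):
    """PIDs that were never written to by another process: the chain's origin."""
    targets = {c for cs in children.values() for c in cs}
    return sorted(pid for pid in images if pid not in targets)

def render(images, children):
    """Indented text tree, one line per process, using the image's file name."""
    lines = []
    def walk(pid, depth):
        name = images[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {name}")
        for child in children.get(pid, []):
            walk(child, depth + 1)
    for pid in roots(images, children):
        walk(pid, 0)
    return lines

def crashed_processes(cmdlines, images):
    """Map the '-p <pid>' of each WerFault command line to the crashed image."""
    crashed = {}
    for cl in cmdlines:
        m = re.search(r"(?:^|\s)-p (\d+)\b", cl)
        if "WerFault.exe" in cl and m:
            pid = int(m.group(1))
            crashed[pid] = images.get(pid, "<pid not in process rows>")
    return crashed

if __name__ == "__main__":
    images, children = build_tree(WPM_ROWS)
    print("\n".join(render(images, children)))
    for pid, img in crashed_processes(WERFAULT_CMDLINES, images).items():
        print(f"WerFault handled a crash of PID {pid}: {img}")
```

The result is a three-level chain (sample, then un559504.exe, then 35397102.exe and rk155659.exe as siblings) and attributes both WerFault invocations to PID 1196, i.e. 35397102.exe, the Defender-disabling stage; its crash explains the "Program crash" tag and the memory/1196-* dumps in the Files section. The SysWOW64 path of WerFault also tells you the crashed process was 32-bit.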

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
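The Network table mixes two kinds of traffic: reverse (PTR) lookups sent to 8.8.8.8, which name addresses in their in-addr.arpa form, and repeated direct TCP connections to 185.161.248.143:38452. The report does not attribute connections to a process. The script below is an added example written for this page, not the sandbox's code: it parses the rows, turns each PTR name back into the address it asks about, counts direct connections per destination, and separates the addresses that were only reverse-resolved from those actually contacted, so that only the latter are carried forward as sample-attributable indicators.

```python
import ipaddress
from collections import Counter

# Rows copied from the Network table of this report.
NETWORK_ROWS = """
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
""".strip().splitlines()

def parse_row(row):
    """Split one table row into (country, host, port, domain-or-None, proto)."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, None
    else:
        raise ValueError(f"unexpected row: {row!r}")
    host, port = dest.rsplit(":", 1)
    return country, host, int(port), domain, proto

def ptr_to_ip(name):
    """Turn a reverse-lookup name (d.c.b.a.in-addr.arpa) back into a.b.c.d."""
    suffix = ".in-addr.arpa"
    if not name or not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))  # validates octets

def summarize(rows):
    """Separate resolver traffic from direct connections and count the latter."""
    ptr_targets, direct = [], Counter()
    for country, host, port, domain, proto in map(parse_row, rows):
        if port == 53 and proto == "udp" and domain:
            ip = ptr_to_ip(domain)
            ptr_targets.append(ip if ip else domain)
        else:
            direct[(country, host, port, proto)] += 1
    return {"ptr_targets": ptr_targets, "direct": dict(direct)}

def direct_iocs(summary):
    """Destinations the sandbox actually connected to, as host:port/proto."""
    return sorted({f"{h}:{p}/{pr}" for (_, h, p, pr) in summary["direct"]})

def ptr_without_contact(summary):
    """Addresses that were only reverse-resolved, never contacted directly."""
    contacted = {h for (_, h, _, _) in summary["direct"]}
    return [ip for ip in summary["ptr_targets"] if ip not in contacted]

if __name__ == "__main__":
    s = summarize(NETWORK_ROWS)
    for key, n in s["direct"].items():
        print(f"{n:2d} x {key}")
    print("direct IOCs:", direct_iocs(s))
    print("reverse-resolved only:", ptr_without_contact(s))
```

For this table the output is a single direct indicator, 185.161.248.143:38452/tcp, contacted seven times, and ten addresses that were only reverse-resolved and never contacted; the PTR lookups are resolver traffic toward 8.8.8.8 and should not be promoted to indicators without process attribution the report does not provide.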

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un559504.exe

MD5 46b99b6dc860a611e8b0bf3098b6b2d5
SHA1 f4d3b6bf0ae20a753282cb9e6254fc3a667fc6f8
SHA256 219ca6573d7e70f9e34ad972a2e8dd6b45ac91c52ced3bc2494ef4a2d6e6c465
SHA512 000dcaafa2b1f18cc1ed6fcd46298a291a5a050689cba10217d213d47dbddd23e57d5c0b08041c7e8e700485e6cdc806d07e42d7dcd85a5ed209f142ba686bb1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\35397102.exe

MD5 0cc6c3e42ff1571b993b0339c603c204
SHA1 8404d98ceb739d7d47e7d79a8241097074647d66
SHA256 369f288d67dc41a16b75b75586e913906d9d38881b25fcb7b9879575aad73d6f
SHA512 2900a55b26dd40b14c9504316db7ac20b5e0d38fd442204aa5a39c5a5c6de612d54bb967a508b6a23605ef6b01a7bdb2bad4c4ec81f06eb02fcff2d8041ee1d9

memory/1196-15-0x0000000002E50000-0x0000000002F50000-memory.dmp

memory/1196-16-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

memory/1196-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1196-18-0x00000000047F0000-0x000000000480A000-memory.dmp

memory/1196-19-0x00000000072F0000-0x0000000007894000-memory.dmp

memory/1196-20-0x00000000049E0000-0x00000000049F8000-memory.dmp

memory/1196-21-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-28-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-44-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-42-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-38-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-36-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-34-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-32-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-30-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-22-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-26-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-24-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-48-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-46-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-40-0x00000000049E0000-0x00000000049F3000-memory.dmp

memory/1196-49-0x0000000002E50000-0x0000000002F50000-memory.dmp

memory/1196-51-0x0000000002BA0000-0x0000000002BCD000-memory.dmp

memory/1196-50-0x0000000000400000-0x0000000002B9B000-memory.dmp

memory/1196-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1196-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk155659.exe

MD5 d9158a9694a84aa59e00b95bf5ca5d3a
SHA1 025fc0dc642c6db28a01993f1dfefc085b5486cf
SHA256 7615913fc9446e10c2d2e35d4050dd8486a0a9bb5c3044b0fe734dee674999a5
SHA512 a869d3051ea1b8b8a1451b0e32eee0b1617a139517c8f37d75f9a348690520d2e6f1ab33d08aa6ef642fa318cf362ddf6143c60f9cc7dacd97328b0f2e083a7b

memory/1196-54-0x0000000000400000-0x0000000002B9B000-memory.dmp

memory/4884-60-0x0000000007130000-0x000000000716C000-memory.dmp

memory/4884-61-0x0000000007790000-0x00000000077CA000-memory.dmp

memory/4884-71-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-77-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-96-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-91-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-89-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-87-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-85-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-83-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-82-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-79-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-75-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-73-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-69-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-93-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-67-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-65-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-63-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-62-0x0000000007790000-0x00000000077C5000-memory.dmp

memory/4884-854-0x0000000009C90000-0x000000000A2A8000-memory.dmp

memory/4884-855-0x000000000A330000-0x000000000A342000-memory.dmp

memory/4884-856-0x000000000A350000-0x000000000A45A000-memory.dmp

memory/4884-857-0x000000000A470000-0x000000000A4AC000-memory.dmp

memory/4884-858-0x0000000004990000-0x00000000049DC000-memory.dmp