Malware Analysis Report

2025-08-05 10:15

Sample ID: 241109-fwxkla1mfn
Target: 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16
SHA256: 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16
Tags: healer redline rumfa discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16

Threat Level: Known bad

The file 0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Healer

Redline family

Healer family

Detects Healer an antivirus disabler dropper

RedLine payload

Modifies Windows Defender Real-time Protection settings

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
(1 match entry; all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:13

Reported

2024-11-09 05:16

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
(2 match entries; all fields N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
(35 match entries; all fields N/A)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kDu75BV14.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kDu75BV14.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 312 wrote to memory of 3416 | N/A | C:\Users\Admin\AppData\Local\Temp\0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe
PID 312 wrote to memory of 3416 | N/A | C:\Users\Admin\AppData\Local\Temp\0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe
PID 312 wrote to memory of 3416 | N/A | C:\Users\Admin\AppData\Local\Temp\0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe
PID 3416 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe
PID 3416 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe
PID 3416 wrote to memory of 1108 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe
PID 1108 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe
PID 1108 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe
PID 1108 wrote to memory of 4420 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe
PID 4420 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe
PID 4420 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe
PID 4420 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe
PID 972 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe
PID 972 wrote to memory of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe
PID 972 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kDu75BV14.exe
PID 972 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kDu75BV14.exe
PID 972 wrote to memory of 1712 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kDu75BV14.exe

Processes

Process: C:\Users\Admin\AppData\Local\Temp\0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0bb21344db4901776a9180e959cc3cd5f6f4c63f3a2a58dbf437081c564a5c16.exe"

Process: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe

Process: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kDu75BV14.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kDu75BV14.exe

Process: C:\Windows\system32\sc.exe
Command line: C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.24:4123 | N/A | tcp
RU | 193.233.20.24:4123 | N/A | tcp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
RU | 193.233.20.24:4123 | N/A | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
RU | 193.233.20.24:4123 | N/A | tcp
RU | 193.233.20.24:4123 | N/A | tcp
RU | 193.233.20.24:4123 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmqX40xf95.exe

MD5 bfae7a87f2d47686bf522e13ead90343
SHA1 3c0ecf2cd82cb84484a571007a0219164148e790
SHA256 a4405a3ed84f9624585fb577f2d11e8b3f38734a5ed17615262de6e388413f50
SHA512 5cab4584f1db595a6bc11143a95919a248a5628ea26df4f771b565b45d971957d2a899b6895c820b1568d9fa9be50785968e92b7ee5f13e07d52424fed0a918d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmVt47fs66.exe

MD5 bef21e67fa4822fba440ab7ceddfce71
SHA1 94b3f00414695a88352ef59831acd1823610c550
SHA256 0223603d3f60333683e42dfd0412a23181ba48797543c9847cfab5141fd7a05f
SHA512 eb6c61826e9fe2dd85ba1a6c66c64a7c56dbffbc7faab43aee00520b904beab4703107baae76fbc7d31d5545248e6580e7a4a4b9f906d2bc90caba7978e917c1

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmNY35Qf32.exe

MD5 973b4e17a631e057f9ed95a3e920708b
SHA1 6f990190fbe64c67c64f69e1a28cd1fc66d596c5
SHA256 a1b564e3b17a6d91fb9a5a11358e2140e98dfd54be47c2d4ccd2f88a6979808d
SHA512 642ccf7a471b0da8a63322e25a2094fdc334f223de9364674e3bfb727adafeb694d7f6bcc8fff4abd934a1857d7e6923c4a8103e253590ab09b595c00d9e361d

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmux18GI80.exe

MD5 8484368cc64c3ceda617ef01d6096e2b
SHA1 d3d482b9da9b147430cb3407bf916a18c87dc9eb
SHA256 c6af6326c8cdaa5a6f211897f57af57b31781dd24691a938999a6cbfd35038b8
SHA512 bd4ac59195d09e3e8579c2f0257f5ac9f89a443b7c0aea29c9f49624be0587812e5263e33d7a20bbb7dfbaa9b4c623159bbedd9da8c3787004cf7ecd647b424b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ibd76HK37.exe

MD5 da24b2706a7e8dd8ffbacde3b39d72f9
SHA1 1476442694f0798b17310bad3bff3416ae133436
SHA256 887265dbcad5bcf84e4a8558ea5fe34ddffa581fd6a6e55544785aa1df22698a
SHA512 5c7d1071b4a9666350b8cefc8edde1e819a8b1fc98bc059eb940070f89eedb648aee7db12b2ad9213485880dcd74dadadabd25a05f9c6a61f05aba0c1ab0a3f2

memory/2180-35-0x0000000000090000-0x000000000009A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kDu75BV14.exe

MD5 9792900c815b23017f946773359ebe08
SHA1 15629567cf9023b6a9a7a4b69a805e8314a6bb2d
SHA256 edbe4131b7bd5f130c9650d2585d97337834a62073e58fcce4d3b6d2f95d3907
SHA512 cf27fc151b7d74daebdad990da0e26bea2337d2b2b90b2d5586343c077e9540e3f1a0a94099b603ffe4eaf6263e864e009795ec4ff900063237d6b44b0ec7465

memory/1712-41-0x00000000023B0000-0x00000000023F6000-memory.dmp

memory/1712-42-0x0000000004BE0000-0x0000000005184000-memory.dmp

memory/1712-43-0x0000000005190000-0x00000000051D4000-memory.dmp

memory/1712-59-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-107-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-105-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-103-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-101-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-99-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-97-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-95-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-93-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-91-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-89-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-87-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-85-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-83-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-81-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-79-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-77-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-75-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-73-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-71-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-69-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-67-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-65-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-63-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-61-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-57-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-55-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-53-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-51-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-49-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-47-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-45-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-44-0x0000000005190000-0x00000000051CE000-memory.dmp

memory/1712-950-0x00000000051D0000-0x00000000057E8000-memory.dmp

memory/1712-951-0x0000000005860000-0x000000000596A000-memory.dmp

memory/1712-952-0x00000000059A0000-0x00000000059B2000-memory.dmp

memory/1712-953-0x00000000059C0000-0x00000000059FC000-memory.dmp

memory/1712-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp