Malware Analysis Report

2025-08-05 10:15

Sample ID 241109-fxqtfaycmq
Target ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63
SHA256 ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63
Tags
healer redline mango discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63

Threat Level: Known bad

The file ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63 was found to be: Known bad.

Malicious Activity Summary

healer redline mango discovery dropper evasion infostealer persistence trojan

RedLine payload

Healer

Healer family

RedLine

Redline family

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:15

Reported

2024-11-09 05:17

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtcAo10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtcAo10.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2224 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe
PID 2224 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe
PID 2224 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe
PID 436 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe
PID 436 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe
PID 436 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe
PID 4460 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe
PID 4460 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe
PID 4460 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe
PID 4460 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe
PID 4460 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe
PID 436 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtcAo10.exe
PID 436 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtcAo10.exe
PID 436 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtcAo10.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe

"C:\Users\Admin\AppData\Local\Temp\ce87e52ca83e118efe8b0781ba18d11a706eba616d5cc5ee4c68a526a8044c63.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1004 -ip 1004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtcAo10.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtcAo10.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 193.233.20.28:4125 tcp
RU 193.233.20.28:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tice4526.exe

MD5 e062e3eeb8f85b20d0b4852bc4bf4945
SHA1 8daefd95f5df8e09b58b79831258063a94bd6459
SHA256 c32220f0fe324a77a4f9c4d3ffb0ab3cc597171fdb8a8f037ee528baa425cb54
SHA512 65706f8f17c78fc5c37dc4ea71fa5065d75999f9e2816f4f83b79b6e99e13970a22d84eab3a07ad19028fd6aba5cc80139fc83566329590a18034d2d41fb14b1

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tice0727.exe

MD5 6526c98ce8358c6825c1721496e28c87
SHA1 2840469aea3fd970e95799ab1eea8016ffe3c31d
SHA256 2dc495b215aefb3def5ecc0aa065e4a5c1d3041db5d28a6045f71caa4b8337c7
SHA512 ad04a620146208027d24208152f61c78b57a1e1628af3c7c0f6758f73113b4af1436191947ebdc257e0d630376f6b25cbf9908db12828d2487f1199cdd8db97c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b5572zf.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/1724-21-0x00007FFC727E3000-0x00007FFC727E5000-memory.dmp

memory/1724-22-0x0000000000E50000-0x0000000000E5A000-memory.dmp

memory/1724-23-0x00007FFC727E3000-0x00007FFC727E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c26QT20.exe

MD5 248ca5ae85884f64cfad2c74f9e1ada1
SHA1 3c350f649bc5b66c32358d4c6ceb4ec11a200730
SHA256 93fe4413c1af875a50fcf48bc90cd342ceeb7712bee66393d24cdbfcf816c151
SHA512 ad04559b142b8315420e287f5dba612c46a19a874813a38750af596b3bd908ec0e2af6acab023b55b44a560fd01dd3a6521e171fc1925f30de437d6fd35bd901

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dtcAo10.exe

MD5 5ee7a56a1b34aadd4f53cc749672f15d
SHA1 1d25f0427b81e13613f58ec2c4bf19039c9c70c1
SHA256 1e3fa5c4b98df0cb2012d04f799222117dc07ed7c1701c5797e43109adb4a5a6
SHA512 d5debfd45704d6d0138954d1f21feb0f8c670c23c082b01f064d70463ff26598d346c4e2aae07e221b9563936173baed70ac6e8692e33fbd984e9750ee034341