Malware Analysis Report

2025-08-05 10:16

Sample ID 241109-fxz24sycnk
Target 66a18c8185e38f9a765ca44d43319be3296dd0d44a3b4f3d306be6e50bcbf03c
SHA256 66a18c8185e38f9a765ca44d43319be3296dd0d44a3b4f3d306be6e50bcbf03c
Tags
healer redline down discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

66a18c8185e38f9a765ca44d43319be3296dd0d44a3b4f3d306be6e50bcbf03c

Threat Level: Known bad

The file 66a18c8185e38f9a765ca44d43319be3296dd0d44a3b4f3d306be6e50bcbf03c was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline down discovery dropper evasion infostealer persistence trojan

Family detections
  RedLine
  RedLine payload
  Redline family
  Healer
  Healer family
  Detects Healer, an antivirus disabler dropper

Behavioral signatures
  Modifies Windows Defender Real-time Protection settings
  Windows security modification
  Executes dropped EXE
  Adds Run key to start application
  System Location Discovery: System Language Discovery
  Unsigned PE
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

The matrix table itself is not present in this export. The mapping below is this edit's correlation of the behavioral1 signatures to ATT&CK v15 technique IDs, not the sandbox's own output:

  T1562.001  Impair Defenses: Disable or Modify Tools (Defender Real-Time Protection policy values and TamperProtection written by pro2508.exe)
  T1112      Modify Registry (the same registry writes)
  T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (RunOnce\wextract_cleanup0 and wextract_cleanup1)
  T1614.001  System Location Discovery: System Language Discovery (NLS\Language key opened by three processes)
  T1057      Process Discovery (EnumeratesProcesses by pro2508.exe)

Analysis: static1

Detonation Overview

Reported

2024-11-09 05:15

Signatures

Unsigned PE
  1 match; no indicator, process or target details recorded

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 05:15

Reported

2024-11-09 05:18

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\66a18c8185e38f9a765ca44d43319be3296dd0d44a3b4f3d306be6e50bcbf03c.exe"

Signatures

Detects Healer, an antivirus disabler dropper
  2 matches; no indicator, process or target details recorded

Healer
  tags: dropper, healer

Healer family
  tags: healer
Modifies Windows Defender Real-time Protection settings

tags: evasion, trojan

Every row below is a write by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2508.exe under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (Target: N/A for all rows). This is the Group Policy location for these settings: writing it needs administrative rights, and Defender is designed to ignore these policy values while Tamper Protection is on, so the writes document intent rather than a confirmed loss of protection.

Description      Indicator
Key created      Real-Time Protection
Set value (int)  DisableIOAVProtection = "1"
Set value (int)  DisableOnAccessProtection = "1"
Set value (int)  DisableRealtimeMonitoring = "1"
Set value (int)  DisableScanOnRealtimeEnable = "1"
Set value (int)  DisableBehaviorMonitoring = "1"

RedLine

tags: infostealer, redline

RedLine payload
  35 matches; no indicator, process or target details recorded

Redline family
  tags: redline

Windows security modification

tags: evasion, trojan

Description      Indicator                                                                                  Process                                                    Target
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2508.exe  N/A

This value sits behind the Tamper Protection switch, and Defender protects it while Tamper Protection is enabled, so a logged write attempt does not by itself show that the setting took effect.
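The two Defender tables above (the Real-Time Protection policy values and the TamperProtection write) are the rows a detection engineer would turn into a hunting rule. The script below is an added example written for this report, not sandbox output: it evaluates registry "value set" events against exactly those keys and values. The event records are constructed in the shape of Sysmon Event ID 13 fields (Image, TargetObject, Details); three mirror pro2508.exe's writes from the tables, the benign rows are invented for contrast. The field names and the benign rows are assumptions of this example, not data from the report.

```python
"""Flag Windows Defender tampering in registry 'value set' telemetry.

Added example written for this report; not sandbox output. Event records
are constructed in the shape of Sysmon Event ID 13 fields (Image,
TargetObject, Details). Field names and the benign rows are assumptions.
"""
import re

# Policy values that each disable a protection feature when set to 1.
# Names taken from the report's Real-Time Protection table.
RTP_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
    "DisableBehaviorMonitoring",
}
# Non-policy key whose TamperProtection value pro2508.exe set to 0.
FEATURES_KEY = r"SOFTWARE\Microsoft\Windows Defender\Features"

SAMPLE_EVENTS = [  # constructed for this example
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2508.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": '"1"'},                              # rendering used by the report
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2508.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "Details": "DWORD (0x00000000)"},               # rendering used by Sysmon
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2508.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring",
     "Details": "DWORD (0x00000001)"},               # 32-bit view of the same key
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},               # re-enabling: not tampering
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def parse_dword(details):
    """Integer value of a DWORD rendering ('DWORD (0x00000001)', '0x1', '"1"'), else None."""
    text = details.strip().strip('"')
    hex_match = re.search(r"0x([0-9a-fA-F]+)", text)
    if hex_match:
        return int(hex_match.group(1), 16)
    return int(text) if text.isdigit() else None


def normalise_path(target_object):
    """Drop the HKLM hive prefix and fold the WOW6432Node view onto the 64-bit key."""
    path = target_object
    for prefix in (r"\REGISTRY\MACHINE", "HKEY_LOCAL_MACHINE", "HKLM"):
        if path.upper().startswith(prefix.upper()):
            path = path[len(prefix):]
            break
    path = path.lstrip("\\")
    wow = "SOFTWARE\\WOW6432NODE\\"
    if path.upper().startswith(wow):
        path = "SOFTWARE\\" + path[len(wow):]
    return path


def classify(event):
    """Return a finding for a Defender-disabling write, or None for anything else."""
    key, _, value = normalise_path(event["TargetObject"]).rpartition("\\")
    data = parse_dword(event["Details"])
    if data is None:
        return None
    if key.lower() == RTP_POLICY_KEY.lower() and value in RTP_DISABLE_VALUES and data == 1:
        return f"T1562.001 {value}=1 (Defender real-time protection policy) by {event['Image']}"
    if key.lower() == FEATURES_KEY.lower() and value.lower() == "tamperprotection" and data == 0:
        return f"T1562.001 TamperProtection=0 by {event['Image']}"
    return None


def scan(events):
    """All findings across a batch of registry 'value set' events."""
    return [finding for finding in map(classify, events) if finding]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Matching on the normalised key rather than on the raw TargetObject is what keeps the rule from missing the WOW6432Node and \REGISTRY\MACHINE spellings of the same key; the value check (1 for the Disable* policies, 0 for TamperProtection) is what keeps a legitimate re-enable from firing it.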

Adds Run key to start application

tags: persistence

Description      Indicator                                                                                 Process                                                                                                         Target
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  C:\Users\Admin\AppData\Local\Temp\66a18c8185e38f9a765ca44d43319be3296dd0d44a3b4f3d306be6e50bcbf03c.exe  N/A
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1288.exe  N/A

Both entries are the standard cleanup that the Windows IExpress/wextract self-extractor registers: at the next logon rundll32 calls advpack.dll's DelNodeRunDLL32 to delete the extraction directory. They remove the dropped files rather than re-launching anything, so this signature does not show persistence of the payload. What it does show is a nested package: the sample extracted into IXP000.TMP (dropping unio1288.exe), and unio1288.exe is itself a wextract package that extracted into IXP001.TMP (dropping pro2508.exe and qu9541.exe). Both IXP00n.TMP directories are gone after a reboot, so collect them from a live host before restarting it.
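Telling the wextract cleanup entries above apart from a genuine autostart is a small parsing task worth automating when Run/RunOnce values are pulled from many hosts. The script below is an added example written for this report, not sandbox output: it takes the two RunOnce values exactly as the report renders them (backslashes and quotes escaped), undoes that escaping, recognises the advpack.dll,DelNodeRunDLL32 pattern, and reports the directory each entry will delete. The "Updater" entry is constructed for contrast and is not from the report.

```python
"""Tell wextract self-extractor cleanup apart from real autostart entries.

Added example written for this report; not sandbox output. The two RunOnce
values are copied from the report as rendered there (escaped); the
'Updater' entry is constructed for contrast and is not from the report.
"""
import re

REPORT_RUNONCE = {  # copied from the report's table, escaped form
    "wextract_cleanup0": r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"',
    "wextract_cleanup1": r'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"',
}
CONSTRUCTED_RUN = {  # not in the report: what a genuine autostart looks like
    "Updater": r'\"C:\\Users\\Admin\\AppData\\Roaming\\svc.exe\" /silent',
}

# rundll32 [path\]advpack.dll,DelNodeRunDLL32 "<directory>"   (case-insensitive)
CLEANUP_RE = re.compile(
    r'^"?rundll32(?:\.exe)?"?\s+(?:[^",]*\\)?advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>[^"]+?)"?\s*$',
    re.IGNORECASE,
)


def unescape(rendered):
    """Undo one level of escaping in the report's rendering (doubled backslashes, escaped quotes)."""
    out, i = [], 0
    while i < len(rendered):
        if rendered[i] == "\\" and i + 1 < len(rendered):
            out.append(rendered[i + 1])
            i += 2
        else:
            out.append(rendered[i])
            i += 1
    return "".join(out)


def classify_entry(name, rendered):
    """Classify one Run/RunOnce value: wextract cleanup (deletes a directory) or autostart."""
    command = unescape(rendered)
    match = CLEANUP_RE.match(command)
    if match:
        return {"name": name, "kind": "wextract_cleanup",
                "deletes": match.group("dir").rstrip("\\"), "command": command}
    return {"name": name, "kind": "autostart", "deletes": None, "command": command}


def triage(entries):
    """Classify every entry of a {value name: rendered data} mapping, in order."""
    return [classify_entry(name, data) for name, data in entries.items()]


if __name__ == "__main__":
    for result in triage({**REPORT_RUNONCE, **CONSTRUCTED_RUN}):
        print(f"{result['name']:18} {result['kind']:17} {result['deletes'] or result['command']}")
```

The "deletes" field is the forensic value of the classification: it names the directory that will vanish at the next logon, which is where the second-stage binaries live in this run.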

System Location Discovery: System Language Discovery

tags: discovery

Description  Indicator                                                  Process                                                                                                          Target
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\66a18c8185e38f9a765ca44d43319be3296dd0d44a3b4f3d306be6e50bcbf03c.exe  N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1288.exe                                                        N/A
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9541.exe                                                          N/A

Suspicious behavior: EnumeratesProcesses

  2 events by C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2508.exe (no indicator or target recorded)

Suspicious use of AdjustPrivilegeToken

Description              Process                                                    Target
Token: SeDebugPrivilege  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2508.exe  N/A
Token: SeDebugPrivilege  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9541.exe   N/A

Processes

C:\Users\Admin\AppData\Local\Temp\66a18c8185e38f9a765ca44d43319be3296dd0d44a3b4f3d306be6e50bcbf03c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\66a18c8185e38f9a765ca44d43319be3296dd0d44a3b4f3d306be6e50bcbf03c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1288.exe
  command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1288.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2508.exe
  command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2508.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9541.exe
  command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9541.exe

Network

Country  Destination         Domain (DNS query name)       Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53          154.239.44.20.in-addr.arpa    udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53          23.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
RU       193.233.20.31:4125                                tcp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa     udp
RU       193.233.20.31:4125                                tcp
US       8.8.8.8:53          172.214.232.199.in-addr.arpa  udp
RU       193.233.20.31:4125                                tcp
RU       193.233.20.31:4125                                tcp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa    udp
RU       193.233.20.31:4125                                tcp
RU       193.233.20.31:4125                                tcp

The udp rows are reverse (PTR) lookups sent to Google DNS; decoded, they ask about 8.8.8.8, 20.44.239.154, 199.232.210.172, 20.190.159.23, 192.229.221.95, 20.106.86.13, 199.232.214.172 and 52.111.227.13, none of which is contacted anywhere in this capture. The only non-DNS traffic is six TCP connections to 193.233.20.31:4125 (RU), with no forward lookup anywhere in the capture, so that address was reached directly rather than resolved from a name. The table does not record which process opened the connections. That host:port pair is the network indicator to take from this run; the PTR targets are not.
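Reading a sandbox network table means separating the reverse-DNS noise from the peer the sample actually talked to. The script below is an added example written for this report, not sandbox output: it parses the table above retyped as whitespace-separated text, decodes each in-addr.arpa query back to the address it asks about, counts connections per non-DNS peer, and emits the host:port pairs that were reached without any forward lookup in the capture. The "-" standing in for the empty Domain cell of the tcp rows is an assumption of this script's input format, not something the report shows.

```python
"""Summarise the behavioral1 Network table: decode PTR queries, count TCP peers.

Added example written for this report; not sandbox output. NETWORK_ROWS is
the report's table retyped as text, with '-' standing in for the empty
Domain cell of the tcp rows (an assumption of this input format).
"""
import ipaddress
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.31:4125 - tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 193.233.20.31:4125 - tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.31:4125 - tcp
RU 193.233.20.31:4125 - tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 193.233.20.31:4125 - tcp
RU 193.233.20.31:4125 - tcp
"""


def ptr_to_ip(name):
    """Decode a reverse-lookup name (d.c.b.a.in-addr.arpa) to 'a.b.c.d', or None."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """Parse 'country host:port domain proto' lines into dicts; '-' means no domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, destination, domain, proto = parts
        host, port = destination.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": None if domain == "-" else domain, "proto": proto})
    return rows


def summarise(rows):
    """Split DNS traffic into PTR targets and forward lookups; count every other peer."""
    ptr_targets, forward_lookups, peers = set(), set(), Counter()
    for row in rows:
        if row["proto"] == "udp" and row["port"] == 53 and row["domain"]:
            decoded = ptr_to_ip(row["domain"])
            if decoded:
                ptr_targets.add(decoded)
            else:
                forward_lookups.add(row["domain"])
        else:
            peers[(row["host"], row["port"], row["proto"])] += 1
    # A query log without answers cannot tie a forward lookup to an address, so
    # peers are called hard-coded only when the capture has no forward lookup at all.
    direct = dict(peers) if not forward_lookups else {}
    return {"ptr_targets": sorted(ptr_targets, key=ipaddress.IPv4Address),
            "forward_lookups": sorted(forward_lookups),
            "peers": dict(peers),
            "direct_ip_peers": direct}


def network_iocs(summary):
    """host:port/proto strings for peers contacted by hard-coded address."""
    return [f"{host}:{port}/{proto}" for (host, port, proto) in sorted(summary["direct_ip_peers"])]


if __name__ == "__main__":
    report = summarise(parse_rows(NETWORK_ROWS))
    print("PTR lookups decoded:", ", ".join(report["ptr_targets"]))
    print("Peers:", report["peers"])
    print("Network IOCs:", network_iocs(report))
```

Run on the table above it yields eight decoded PTR targets and a single IOC, 193.233.20.31:4125/tcp, seen six times; a capture that also contained A-record queries would need the DNS answers before any peer could be called hard-coded, which is why the function withholds the IOC list in that case.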

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\unio1288.exe

MD5 8a8f6741c69631bdf37b09f305172d72
SHA1 d40b956f77b235f77ec467917323ef25bbe4a72e
SHA256 5304e48a3ff2820befd351af4e0c19c192aceb684c3cf7f75fb98e49683f05c2
SHA512 7d31b35fefffddddc3b367c1d115a77cbcddcac95e89f6b25f358751b296957bdf31993add9e58f26e180c03e6db796852955975e29b4bcd3cb7b2253faf646b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro2508.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Memory dumps (process 4584; dump names have the form memory/<pid>-<index>-<start>-<end>-memory.dmp)
  14  0x00007FF8C0A03000-0x00007FF8C0A05000
  15  0x0000000000400000-0x000000000040A000

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu9541.exe

MD5 52e4c75d9663946be625ec0d72836dba
SHA1 cfc77ad8dc2b8f9e34168acfe2cd812bef446c71
SHA256 a954411e9ed569b5e9360ab0269b63c487228384a17ca0eaacd4bdfd001dc196
SHA512 697d97c0aca5190468be8da30eb758ccf22af114c995002adbb894a6b795b4106013b5c78ea323724e63ac22f7c03a39a2c53f2fb5f02e832edb438f330b6ba2

Memory dumps (process 2800; dump names have the form memory/<pid>-<index>-<start>-<end>-memory.dmp)
  21   0x0000000002300000-0x0000000002346000
  22   0x0000000004AB0000-0x0000000005054000
  23   0x00000000050A0000-0x00000000050E4000
  24, 25, 27, 29, 31, 33, 35, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 67, 69, 71, 73, 75, 77, 79, 81, 83, 85, 87
       0x00000000050A0000-0x00000000050DE000  (33 dumps of the same region)
  930  0x0000000005130000-0x0000000005748000
  931  0x00000000057D0000-0x00000000058DA000
  932  0x0000000005910000-0x0000000005922000
  933  0x0000000005930000-0x000000000596C000
  934  0x0000000005A80000-0x0000000005ACC000