Malware Analysis Report

2025-08-06 01:25

Sample ID 241109-gtfdzaykhv
Target aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758
SHA256 aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758

Threat Level: Known bad

The file aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

Healer family

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 06:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 06:05

Reported

2024-11-09 06:08

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk760601.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk760601.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4524 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe
PID 4524 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe
PID 4524 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe
PID 436 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe
PID 436 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe
PID 436 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe
PID 436 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk760601.exe
PID 436 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk760601.exe
PID 436 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk760601.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758.exe

"C:\Users\Admin\AppData\Local\Temp\aa287e63e7801f3cfe162fcf59cb82d5ac0a605271e5bcc54397a2b642f5a758.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4840 -ip 4840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4840 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk760601.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk760601.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un950229.exe

MD5 ec84a790654d7159bcd7813e253a9ed4
SHA1 48602aa90aa7e7a9dbd1b2ad7f0b721a6a741b6f
SHA256 763f00f2d9afabd7abfa11e7efd41348f8df6819b5b834776aee1a7e6b59360f
SHA512 c5ffe66a2ff800b71c985d225bc1d0db520fa637bd9f9debcc8c3911585d1014f5cf3f5e49a4812fe0735960622d5e0799369054a5df01212f73d5902a6758da

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\82226276.exe

MD5 4d7255394a1cda555b3d0b2528f8b739
SHA1 242ded6e2781b49f347f562803f05c05d491b5c2
SHA256 7147f78aae7a946e8f1b9b3b80b18a83361e87e21b77af29653441efbb3aa607
SHA512 adbb0a0ee53bbcb3fc1c4a19a2f9eb5ee6f1f3acd41718c3ef48838240ca92b8fc34162007ab2bdf2413c26e1debe6a3a37ab799a9f56d381809167525d623d4

memory/4840-15-0x0000000000660000-0x0000000000760000-memory.dmp

memory/4840-17-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4840-16-0x0000000000600000-0x000000000062D000-memory.dmp

memory/4840-18-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4840-19-0x0000000002240000-0x000000000225A000-memory.dmp

memory/4840-20-0x0000000004AD0000-0x0000000005074000-memory.dmp

memory/4840-21-0x0000000002340000-0x0000000002358000-memory.dmp

memory/4840-49-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-48-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-45-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-43-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-41-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-39-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-37-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-35-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-33-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-31-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-29-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-27-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-25-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-23-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-22-0x0000000002340000-0x0000000002353000-memory.dmp

memory/4840-50-0x0000000000660000-0x0000000000760000-memory.dmp

memory/4840-51-0x0000000000600000-0x000000000062D000-memory.dmp

memory/4840-52-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4840-55-0x0000000000400000-0x0000000000455000-memory.dmp

memory/4840-56-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk760601.exe

MD5 74a4f67d35ae518c3373cbf2ba430e29
SHA1 53614d6bf63e6c8b20b74552f4b4d4b4afbc0e6f
SHA256 05c677219aedb7390097654aa74101c73dbd40cc7e0de80684c55eae6f5f2fa0
SHA512 72ddc7627fa573ed6ffcd2b68ee9b19c04110fcba4a7f46b94a23391f350673bfe0cbd05ce8f7fe8ffd3005163ec324e8ab4059a76e8622bc64861f747895916

memory/3332-61-0x00000000023A0000-0x00000000023DC000-memory.dmp

memory/3332-62-0x0000000002540000-0x000000000257A000-memory.dmp

memory/3332-80-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-90-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-96-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-94-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-88-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-86-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-84-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-82-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-78-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-76-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-74-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-72-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-92-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-70-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-68-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-66-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-64-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-63-0x0000000002540000-0x0000000002575000-memory.dmp

memory/3332-855-0x0000000007610000-0x0000000007C28000-memory.dmp

memory/3332-856-0x0000000004B90000-0x0000000004BA2000-memory.dmp

memory/3332-857-0x0000000007C30000-0x0000000007D3A000-memory.dmp

memory/3332-858-0x0000000007D40000-0x0000000007D7C000-memory.dmp

memory/3332-859-0x00000000025A0000-0x00000000025EC000-memory.dmp