Malware Analysis Report

2025-06-15 23:32

Sample ID 241109-xv7gvazjf1
Target e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e
SHA256 e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e

Threat Level: Known bad

The file e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

RedLine payload

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

Redline family

Detects Healer an antivirus disabler dropper

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:11

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:11

Reported

2024-11-09 19:14

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPg9265.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPg9265.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku482805.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku482805.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe

"C:\Users\Admin\AppData\Local\Temp\e6f5010727a4edd699176a490dae773081d425d2336ee46e9d3eb8ed132fc88e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPg9265.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku482805.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziPg9265.exe

MD5 4a99fbb3ed374dc9b1c4d4a47e348bab
SHA1 ea862d969475b64a2c065036c65fc4ff37758c98
SHA256 6e09fafa1afca7d57cd5917c69bed0778f2924e6ac328f7fb297ce79609c0001
SHA512 31ba21037d7a25b5de41449f664174158821800bbb163a730ef874784c3a7fc276493064f60fcbddacf41841e651e10153fea893e699295d1ee7f4aacbbc76d3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr124673.exe

MD5 82c749fa6625d8c6e48c420f5c2565b1
SHA1 eff963bc29076776689c1990bed0e3b0321ec337
SHA256 e664a7bbd65f77b24bb7ab344c2cbee17bc65adca1d8dbc9c51abd5edf4af477
SHA512 5884175c453db14cf5d7c59da42bbf95c46d3208a3bb49f0421f859930aa4eebf28d32895dc52c518283dbf8e2cb9aa3fea1e068e461009416e9a80a53d7d4de

memory/1376-14-0x00007FFD0A233000-0x00007FFD0A235000-memory.dmp

memory/1376-15-0x0000000000DF0000-0x0000000000DFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku482805.exe

MD5 ade81ab1cf1d6c5ee90f40cf8780f88a
SHA1 35ebfeca8199fe13f1ab89fcdf01ec0dbd1f05d3
SHA256 056c951c72290de0123a806fe72eb981153d9911380cfcafbc6c003a3b224674
SHA512 b8152e753d4faef97c681ebd02b6fe377af06d34e6f3b24e7702c5aa67ad025697b9403b3e628b286ae42158dd980b85f7350a6bf6e5d42ae1d3b6a57da81d9b
