Malware Analysis Report

2025-06-15 22:33

Sample ID 241109-xx84fssrhp
Target 2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf
SHA256 2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf

Threat Level: Known bad

The file 2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer family

Redline family

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Detects Healer, an antivirus disabler dropper

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:15

Signatures

Unsigned PE

Description Indicator Process Target
(1 match; no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:15

Reported

2024-11-09 19:17

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
(2 matches; no description, indicator, process or target recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe N/A

All five values are written under the Policies hive rather than Defender's own preference key, because policy values take precedence over anything set locally with Set-MpPreference. Whether they take effect depends on the host's tamper protection state, which the report does not record; the writes themselves, coming from an unsigned binary in %TEMP%, are the detection signal.

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(36 matches; no description, indicator, process or target recorded)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe N/A

This key holds Defender's own feature state (5 means tamper protection is on); on a host where tamper protection is enabled the Defender service protects it, so a direct write from a third-party process is expected to be rejected or reverted. The attempt is still worth alerting on in its own right.
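The two Defender blocks above (the five Real-Time Protection policy values and the TamperProtection write) are the kind of registry activity a detection rule should catch from endpoint telemetry. The following is an added example, not part of the sandbox report or of any vendor tooling: it classifies registry write records (constructed here to mirror this report's indicators, plus one benign Group Policy write for contrast), rates the severity by whether the writing process lives in a user-writable path, and emits the reg.exe commands that undo the policy values. The RegistryWrite record shape, the severity labels and the set of benign contrast events are assumptions of the example.

```python
"""Flag Windows Defender tampering from registry write events.

Added example, not part of the sandbox report or of any vendor tooling.
The RegistryWrite records below are constructed to mirror the 'Set value'
and 'Key created' indicators in this report, plus one benign write.
"""
from dataclasses import dataclass

# Policy root whose values override Set-MpPreference; a 1 in any of these
# names switches a protection component off.
DEFENDER_POLICY_ROOT = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"
DISABLE_VALUES = frozenset({
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableOnAccessProtection",
    "DisableScanOnRealtimeEnable", "DisableAntiSpyware",
})
# Defender's own feature state key; 5 means tamper protection is on.
TAMPER_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features"
TAMPER_ON = 5
# Path fragments a standard user can write to (plain strings, since a raw
# string cannot end in a backslash). A Defender policy write from one of
# these locations is never legitimate administration.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\")


@dataclass(frozen=True)
class RegistryWrite:
    key: str      # full key path as the sandbox prints it
    value: str    # value name; "" for a bare key creation
    data: object  # value data; None for a bare key creation
    process: str  # image path of the writing process


def classify(ev: RegistryWrite):
    """Return a finding dict for a Defender-weakening write, else None."""
    key = ev.key.lower()
    if key.startswith(DEFENDER_POLICY_ROOT.lower()) and ev.value in DISABLE_VALUES and ev.data == 1:
        what = f"policy {ev.value}=1 switches a protection component off"
    elif key == TAMPER_KEY.lower() and ev.value == "TamperProtection" and ev.data != TAMPER_ON:
        what = f"TamperProtection set to {ev.data} (on is {TAMPER_ON})"
    else:
        return None
    from_user_path = any(frag in ev.process.lower() for frag in USER_WRITABLE)
    return {"finding": what, "key": ev.key, "value": ev.value,
            "process": ev.process,
            "severity": "high" if from_user_path else "medium"}


def scan(events):
    """All findings, in event order."""
    return [f for f in map(classify, events) if f is not None]


def remediation(findings):
    """reg.exe commands (run elevated) that remove the policy values.

    The values are deleted rather than zeroed so Defender falls back to its
    local preference instead of staying policy-pinned. TamperProtection is
    not fixed this way; re-enable it through the Windows Security app."""
    cmds = []
    for f in findings:
        if f["value"] == "TamperProtection":
            continue
        hive_path = f["key"].replace(r"\REGISTRY\MACHINE", "HKLM", 1)
        cmds.append(f'reg delete "{hive_path}" /v {f["value"]} /f')
    return cmds


# Constructed events mirroring the report; jr963509.exe is the second-stage
# drop that performed the writes.
RT_KEY = DEFENDER_POLICY_ROOT + r"\Real-Time Protection"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe"
SAMPLE_EVENTS = [
    RegistryWrite(RT_KEY, "", None, DROPPER),
    RegistryWrite(RT_KEY, "DisableRealtimeMonitoring", 1, DROPPER),
    RegistryWrite(RT_KEY, "DisableScanOnRealtimeEnable", 1, DROPPER),
    RegistryWrite(RT_KEY, "DisableBehaviorMonitoring", 1, DROPPER),
    RegistryWrite(RT_KEY, "DisableIOAVProtection", 1, DROPPER),
    RegistryWrite(RT_KEY, "DisableOnAccessProtection", 1, DROPPER),
    RegistryWrite(TAMPER_KEY, "TamperProtection", 0, DROPPER),
    # benign contrast (constructed): Group Policy re-asserting the default
    RegistryWrite(RT_KEY, "DisableRealtimeMonitoring", 0, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["process"], f["finding"])
    print("\n".join(remediation(scan(SAMPLE_EVENTS))))
```

Run against the constructed events the scan yields six high-severity findings (the five policy values and the TamperProtection write) and five reg delete commands; the svchost.exe write of 0 is ignored because it restores protection rather than removing it. The bare key creation is not scored on its own, since creating the Real-Time Protection policy key is also what Group Policy does before writing a value.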

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikp8686.exe N/A

These two RunOnce values are the standard cleanup entries written by the Windows self-extractor (wextract, the IExpress runtime) when it unpacks a package into an IXP00n.TMP directory: at the next logon rundll32 calls advpack.dll DelNodeRunDLL32 to delete that directory. They delete the staging directories rather than start a payload, so the persistence label does not fit this sample; what the entries do establish is a two-stage IExpress wrapper (the submitted file unpacks zikp8686.exe into IXP000.TMP, which in turn unpacks jr963509.exe and ku301020.exe into IXP001.TMP).

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikp8686.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku301020.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf.exe N/A

The NLS\Language key holds the installed system language. Stealers commonly read it to skip hosts in excluded locales, but ordinary locale initialisation reads the same key, so this indicator carries weight only in combination with the other signatures, not on its own.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku301020.exe N/A

SeDebugPrivilege allows a process to open handles to processes it does not own, including SYSTEM services; a self-extracted executable in %TEMP% has no legitimate need for it. Both second-stage binaries enable it, and jr963509.exe also enumerates processes (above), which is the combination to correlate when hunting for this dropper.

Processes

C:\Users\Admin\AppData\Local\Temp\2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf.exe

"C:\Users\Admin\AppData\Local\Temp\2f4924be9e17eaa5e0adeb6fd7e0f70dd6ad0f40ba88ac409cdc42b61a2129cf.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikp8686.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikp8686.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku301020.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku301020.exe

Network

Country  Destination            Domain                          Proto
US       8.8.8.8:53             8.8.8.8.in-addr.arpa            udp
US       8.8.8.8:53             58.55.71.13.in-addr.arpa        udp
US       8.8.8.8:53             0.205.248.87.in-addr.arpa       udp
US       8.8.8.8:53             22.160.190.20.in-addr.arpa      udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa     udp
RU       176.113.115.145:4125   -                               tcp
RU       176.113.115.145:4125   -                               tcp
RU       176.113.115.145:4125   -                               tcp
US       8.8.8.8:53             172.210.232.199.in-addr.arpa    udp
RU       176.113.115.145:4125   -                               tcp
RU       176.113.115.145:4125   -                               tcp
RU       176.113.115.145:4125   -                               tcp
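The network table shows six TCP connections to 176.113.115.145:4125 with no forward DNS lookup anywhere in the trace, only PTR (reverse) queries to 8.8.8.8. The following is an added example, not part of the report or of any vendor tool: it re-tabulates these rows (constructed here to mirror the table), decodes the in-addr.arpa names back to addresses, isolates repeated direct-to-IP connections on uncommon ports, and emits a Suricata rule for each. The common-port list, the hit threshold and the local SID range are assumptions of the example.

```python
"""Triage the Network table of a sandbox report: decode PTR queries, isolate
repeated direct-to-IP connections, and emit a Suricata rule for each.

Added example, not part of the report or of any vendor tool. ROWS is
constructed to mirror this report's Network table.
"""
from collections import Counter

# (country, destination, domain, proto) as the report tabulates them. TCP rows
# carry no domain: no name lookup preceded those connections.
ROWS = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "58.55.71.13.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.205.248.87.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "22.160.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
    ("RU", "176.113.115.145:4125", "", "tcp"),
]
# Ports where a bare TCP connection to a literal IP is unremarkable (assumed).
COMMON_PORTS = {22, 25, 53, 80, 443, 445, 587, 993, 995}


def split_endpoint(dest):
    """'176.113.115.145:4125' -> ('176.113.115.145', 4125)"""
    host, _, port = dest.rpartition(":")
    return host, int(port)


def decode_ptr(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'; None if not an IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def ptr_targets(rows):
    """Addresses whose reverse record was requested, in trace order."""
    out = []
    for _, _, dom, proto in rows:
        ip = decode_ptr(dom) if proto == "udp" else None
        if ip:
            out.append(ip)
    return out


def forward_names(rows):
    """Hostnames the trace actually resolved (PTR queries excluded)."""
    return {dom for _, _, dom, proto in rows
            if proto == "udp" and dom and decode_ptr(dom) is None}


def direct_ip_beacons(rows, min_hits=3):
    """TCP endpoints hit at least min_hits times on an uncommon port.
    When forward_names(rows) is empty the address was not learned through
    DNS during the run, i.e. it was already in the sample or its config."""
    hits = Counter(split_endpoint(dest) for _, dest, _, proto in rows if proto == "tcp")
    return {ep: n for ep, n in hits.items()
            if n >= min_hits and ep[1] not in COMMON_PORTS}


def suricata_rule(ip, port, sid, family="RedLine"):
    """Alert rule for one hard-coded C2 endpoint; sid is from the local range."""
    return (f"alert tcp $HOME_NET any -> {ip} {port} "
            f'(msg:"{family} C2 beacon to hard-coded endpoint"; flow:to_server; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)")


if __name__ == "__main__":
    print("reverse lookups:", ptr_targets(ROWS))
    print("forward lookups:", forward_names(ROWS) or "none")
    for sid, ((ip, port), n) in enumerate(direct_ip_beacons(ROWS).items(), start=9000001):
        print(f"{ip}:{port} contacted {n} times")
        print(suricata_rule(ip, port, sid))
```

On these rows the only beacon candidate is 176.113.115.145:4125 with six hits and no forward lookup to attribute it to, which is what makes it a blockable IOC rather than a CDN address that happens to be on a non-standard port. The six PTR queries decode to addresses the sample never connects to; whether they come from the sample's own work or from OS background traffic cannot be decided from this table alone, so they are listed rather than scored.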

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zikp8686.exe

MD5 374d61630d151cf9df195f65d11770ac
SHA1 f5e0e8e45dd149251c0420b38dd47978b131e4d8
SHA256 26f46cdcc014956680520dfbca11d981f7da17b01e3ac9ae3f139aacb52063ca
SHA512 6232fa552b67a97212f7ba65b1a360cdee01afe6861164c6bd18c22acae0e677d0bce987437fe1e0436d8b7b8a9f84de9f74b341835ae0d0c4390872a6b35184

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr963509.exe

MD5 0913800af7bbcdba4386d817777acbd9
SHA1 239c84198b270551465c35775fc7fe28f69840df
SHA256 09c3c7479684ce7ee25e1ffe1eac45ddbb6d65f1c64fe5d9e1a95809f62d4215
SHA512 5f33f355dce40d366ca8ae2d1e7bdf0871a17690ed2eb813454b516062deb370b6faff47fe58ad9d2893ca7f740379f4f0fbcd3032adc0d8aa2f2d1c4eb26f2f

memory/5052-15-0x0000000000C10000-0x0000000000C1A000-memory.dmp

memory/5052-14-0x00007FF813FE3000-0x00007FF813FE5000-memory.dmp

memory/5052-16-0x00007FF813FE3000-0x00007FF813FE5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku301020.exe

MD5 5ca7499cd5bf2e6cb25975878de9f440
SHA1 bbdd3fbfadede3a4c7cbd568f418d611e4061551
SHA256 286052867ffb40f5406b40eb10d68eebd539181efc8c12acb25b93cce3ab9f50
SHA512 8704bc8ac964d0c605c55a0eb8efa67b513f75341c8e33edf8ba02b801aff070b10868780aa20ef407a704ee8a6eb7c2b3480c5e8cc9a8d4ad865a5590d81a69

memory/3044-22-0x00000000028C0000-0x0000000002906000-memory.dmp

memory/3044-23-0x0000000004FF0000-0x0000000005594000-memory.dmp

memory/3044-24-0x0000000004E40000-0x0000000004E84000-memory.dmp

memory/3044-34-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-32-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-30-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-44-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-88-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-84-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-80-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-78-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-74-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-72-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-70-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-69-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-66-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-64-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-62-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-60-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-58-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-54-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-52-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-50-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-48-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-46-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-42-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-40-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-39-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-36-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-86-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-82-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-76-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-56-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-28-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-26-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-25-0x0000000004E40000-0x0000000004E7F000-memory.dmp

memory/3044-931-0x00000000055A0000-0x0000000005BB8000-memory.dmp

memory/3044-932-0x0000000005BC0000-0x0000000005CCA000-memory.dmp

memory/3044-933-0x0000000004F30000-0x0000000004F42000-memory.dmp

memory/3044-934-0x0000000004F50000-0x0000000004F8C000-memory.dmp

memory/3044-935-0x0000000005DD0000-0x0000000005E1C000-memory.dmp