Malware Analysis Report

2025-06-15 23:32

Sample ID 241109-xxb4qazjhx
Target 0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e
SHA256 0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e
Tags
healer redline morty discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e

Threat Level: Known bad

The file 0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e was found to be: Known bad.

Malicious Activity Summary

healer redline morty discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

RedLine

Healer

RedLine payload

Redline family

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:13

Reported

2024-11-09 19:16

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5036 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe
PID 60 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe
PID 60 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe

"C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country  Destination           Domain                         Proto
US       8.8.8.8:53            104.219.191.52.in-addr.arpa    udp
US       8.8.8.8:53            172.214.232.199.in-addr.arpa   udp
US       8.8.8.8:53            73.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa    udp
CY       217.196.96.101:4132   N/A                            tcp
US       8.8.8.8:53            53.210.109.20.in-addr.arpa     udp
US       8.8.8.8:53            15.164.165.52.in-addr.arpa     udp
CY       217.196.96.101:4132   N/A                            tcp
US       8.8.8.8:53            13.86.106.20.in-addr.arpa      udp
US       8.8.8.8:53            0.205.248.87.in-addr.arpa      udp
CY       217.196.96.101:4132   N/A                            tcp
CY       217.196.96.101:4132   N/A                            tcp
US       8.8.8.8:53            19.229.111.52.in-addr.arpa     udp
CY       217.196.96.101:4132   N/A                            tcp
CY       217.196.96.101:4132   N/A                            tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe

MD5 e1ea8227deff3d431e9af22c642a6011
SHA1 2f4b73de7db5c8c6b8a9047a6f2da48fec68ad16
SHA256 8dd76c6b2f719886552f75cd22912274c14b05766bea8b4ee61f8470f1f4cb7b
SHA512 61c84424f5a270bc2534f07f06d8089ed58dfce8fd84c549c0e6a19be2253cf60df3d14563f508e0a3063fe7924cac3874ac92901b7bcfc37be4d0ed0d228cbc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe

MD5 45cf0dc03b5352571138c8c2698c8cfe
SHA1 601d40add54ce3a816e6d1de99b33ff00c723423
SHA256 c24b33cd7d5c257b50a4a3ec5e75d18abcc2a2d04c6229b9968b22f9c44b6986
SHA512 36b056d0568a96b31b38f45b94447da7ecc7db5efac83ef384e27617ce8fd9a445a4cb26744a1d585aa270bf5612a4a748e7a5748c1094dd84cc9c97d0c2cdf3

memory/4700-14-0x000000007480E000-0x000000007480F000-memory.dmp

memory/4700-15-0x00000000020D0000-0x00000000020EA000-memory.dmp

memory/4700-17-0x0000000004B70000-0x0000000005114000-memory.dmp

memory/4700-16-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/4700-18-0x0000000002560000-0x0000000002578000-memory.dmp

memory/4700-19-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/4700-20-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/4700-22-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-48-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-46-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-44-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-42-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-40-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-38-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-36-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-34-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-32-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-28-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-26-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-24-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-21-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-30-0x0000000002560000-0x0000000002572000-memory.dmp

memory/4700-49-0x000000007480E000-0x000000007480F000-memory.dmp

memory/4700-50-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/4700-52-0x0000000074800000-0x0000000074FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe

MD5 4136481881f343d02ffbef27ca9ec717
SHA1 7fad11267c6e3fc8d869df68a396c925f73ad276
SHA256 93565fe60bbd30ca86d91be39af3eef493da40d0de5462719c8ff1349d906017
SHA512 88a6e3752c1d552c3465a5331a3f98a0dcbd5524004183fcfe85ce8e6b155bd1ac255beca68835ad2b2e09a4087c9bf84c562596c68fe23945a0dcb136d4cde9

memory/3892-56-0x0000000000710000-0x000000000073E000-memory.dmp

memory/3892-57-0x0000000000DA0000-0x0000000000DA6000-memory.dmp

memory/3892-58-0x000000000AB80000-0x000000000B198000-memory.dmp

memory/3892-59-0x000000000A6C0000-0x000000000A7CA000-memory.dmp

memory/3892-60-0x000000000A5F0000-0x000000000A602000-memory.dmp

memory/3892-61-0x000000000A650000-0x000000000A68C000-memory.dmp

memory/3892-62-0x0000000004960000-0x00000000049AC000-memory.dmp