Malware Analysis Report

2025-06-15 22:33

Sample ID 241109-xyf43azka1
Target 709c8b0e42f5b5aa8680ed2a282050ac38b674b56d129b6f4556c1b03c71114b
SHA256 709c8b0e42f5b5aa8680ed2a282050ac38b674b56d129b6f4556c1b03c71114b
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

709c8b0e42f5b5aa8680ed2a282050ac38b674b56d129b6f4556c1b03c71114b

Threat Level: Known bad

The file 709c8b0e42f5b5aa8680ed2a282050ac38b674b56d129b6f4556c1b03c71114b was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine

Healer family

Modifies Windows Defender Real-time Protection settings

Detects Healer an antivirus disabler dropper

Healer

RedLine payload

Redline family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:15

Reported

2024-11-09 19:18

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\709c8b0e42f5b5aa8680ed2a282050ac38b674b56d129b6f4556c1b03c71114b.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\709c8b0e42f5b5aa8680ed2a282050ac38b674b56d129b6f4556c1b03c71114b.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRH8945.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRH8945.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp203509.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\709c8b0e42f5b5aa8680ed2a282050ac38b674b56d129b6f4556c1b03c71114b.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp203509.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\709c8b0e42f5b5aa8680ed2a282050ac38b674b56d129b6f4556c1b03c71114b.exe

"C:\Users\Admin\AppData\Local\Temp\709c8b0e42f5b5aa8680ed2a282050ac38b674b56d129b6f4556c1b03c71114b.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRH8945.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRH8945.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp203509.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp203509.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.153:38452 | | tcp
RU | 185.161.248.153:38452 | | tcp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
RU | 185.161.248.153:38452 | | tcp
US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp
RU | 185.161.248.153:38452 | | tcp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
RU | 185.161.248.153:38452 | | tcp
RU | 185.161.248.153:38452 | | tcp
RU | 185.161.248.153:38452 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziRH8945.exe

MD5 26cf74ca71d9bdd291d7ae2b8e744315
SHA1 0f7d1a9a9add2c1eea6e33888b8f62399f42307f
SHA256 dc782ec21567fa4db46454ec7d6cd22390f7cf67bd27283506831c07a872d025
SHA512 4f1decf41aca59dc10cd1c555d7bcee3c9ecdd8e91b9a66797226fc21400dfaf09515c2880589523d2c13ebab9d5f6b6495fb996e2cb87f777fc739d68c331d9

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\it020675.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/2364-14-0x00007FFE3CE33000-0x00007FFE3CE35000-memory.dmp

memory/2364-15-0x0000000000D40000-0x0000000000D4A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\kp203509.exe

MD5 5d9157b474a4f07123cfce2ea6073788
SHA1 dfeaa48087897b039fc2bdfda25c9f76067de898
SHA256 97816aa5dead7ca4cbd4001627d949ec85812cf6208c41c123931613a51c4332
SHA512 0e9e6e0e1bba2591f029bc56b83c7d5c1168e4ba5c81ea71f1e6b13854002b13793bdd321799c8da384bfe2e75001a2ae985904da74673a2865eb8fa1742fd7c

memory/5016-21-0x0000000004CE0000-0x0000000004D1C000-memory.dmp

memory/5016-22-0x0000000007320000-0x00000000078C4000-memory.dmp

memory/5016-23-0x00000000078D0000-0x000000000790A000-memory.dmp

memory/5016-24-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-47-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-87-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-86-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-83-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-81-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-79-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-77-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-75-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-73-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-71-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-69-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-67-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-65-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-63-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-816-0x0000000009DD0000-0x000000000A3E8000-memory.dmp

memory/5016-61-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-59-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-57-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-55-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-53-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-51-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-49-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-45-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-43-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-41-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-817-0x000000000A490000-0x000000000A4A2000-memory.dmp

memory/5016-39-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-37-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-35-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-33-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-31-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-29-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-25-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-27-0x00000000078D0000-0x0000000007905000-memory.dmp

memory/5016-818-0x000000000A4B0000-0x000000000A5BA000-memory.dmp

memory/5016-819-0x000000000A5E0000-0x000000000A61C000-memory.dmp

memory/5016-820-0x0000000004C50000-0x0000000004C9C000-memory.dmp