Malware Analysis Report

2025-06-15 22:33

Sample ID 241109-xz3pfszhjg
Target a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e
SHA256 a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e
Tags
healer redline fud discovery dropper evasion infostealer persistence trojan
score
10/10


Analysis Overview

Threat Level: Known bad

The file a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Modifies Windows Defender Real-time Protection settings

Redline family

Healer family

RedLine

Healer

Detects Healer, an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:18

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:18

Reported

2024-11-09 19:20

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe | N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhGE5018ma.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhGE5018ma.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48gr78wj52.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48gr78wj52.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe

"C:\Users\Admin\AppData\Local\Temp\a27fdee3bd82b6eaa17bbb0859dfdbe493689712037e58a931f0b0d6194a469e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhGE5018ma.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48gr78wj52.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.27:4123 | | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
RU | 193.233.20.27:4123 | | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
RU | 193.233.20.27:4123 | | tcp
RU | 193.233.20.27:4123 | | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
RU | 193.233.20.27:4123 | | tcp
RU | 193.233.20.27:4123 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhGE5018ma.exe

MD5 02c864ce5b8c5eb2cf145f72fe73c5d0
SHA1 22d93ea9d58dd6cbb0ed406fc83eaee90f6c81f2
SHA256 7c3205244e76cc80ffa3cad2e4138fefd314479e3ed59ff67e5477516aa4e40d
SHA512 52b8787801f1d62b7a60265b1b54c028b04242bb03f4f27cbae7be0d3b360f49ca3943db0c227a77d37cd733fc73bd04d9cecbc10da199dd0faafc4cbd77e83f

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf28nL43eS86.exe

MD5 8a3793d6f2f25c9119382380dae46ba4
SHA1 2deee8af4e98b1849cde7ee9722a419d69a36a87
SHA256 c9470a2786af60b9d763bb3ebe9513bff1a3151516803b8fe6105b999dd5d266
SHA512 bd9f9a08cf7c97e77d8b980d2c07c351e7ce64b17ada5ea702bd62178abce3f3a87eec8b10dc3ec78c94ca8c336803ca123e3c176ee019ac8ad58df4f953bafa

memory/2412-14-0x00007FF8C0A03000-0x00007FF8C0A05000-memory.dmp

memory/2412-15-0x0000000000060000-0x000000000006A000-memory.dmp

memory/2412-16-0x00007FF8C0A03000-0x00007FF8C0A05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf48gr78wj52.exe

MD5 249978248eadf5f91425671a026f54a0
SHA1 80596f205182dcbeb05b93e5cdb77a067c723cf1
SHA256 0acc998717f3d96cb94c3160c2f07c54c5244d4d29df38db9ca0b5a71f219682
SHA512 aadc502c62ada1e529b0a11a335694cba325cb4d3ae1b85fac8d110238314b4f2bb6f4cae21bb15183a0252835bbc02a0d094c5911d0d7f1c74c4a1ba1167a14
