Malware Analysis Report

2025-06-15 22:33

Sample ID 241109-xzebvszhmp
Target 062edd98233e77734c5b99bbbe401fb1c63150b97836a0e800585841d762eac8
SHA256 062edd98233e77734c5b99bbbe401fb1c63150b97836a0e800585841d762eac8
Tags
healer redline fud discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

062edd98233e77734c5b99bbbe401fb1c63150b97836a0e800585841d762eac8

Threat Level: Known bad

The file 062edd98233e77734c5b99bbbe401fb1c63150b97836a0e800585841d762eac8 was found to be: Known bad.

Malicious Activity Summary

healer redline fud discovery dropper evasion infostealer persistence trojan

RedLine payload

Detects Healer an antivirus disabler dropper

RedLine

Redline family

Modifies Windows Defender Real-time Protection settings

Healer

Healer family

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:17

Signatures

Unsigned PE

Description Indicator Process Target
(1 hit; no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:17

Reported

2024-11-09 19:19

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\062edd98233e77734c5b99bbbe401fb1c63150b97836a0e800585841d762eac8.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
(2 hits; no indicator details recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 hits; no indicator details recorded)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\062edd98233e77734c5b99bbbe401fb1c63150b97836a0e800585841d762eac8.exe N/A

Caveat: this RunOnce entry is the standard housekeeping record written by the IExpress/wextract self-extractor (the IXP000.TMP directory name is its extraction folder); it runs advpack.dll's DelNodeRunDLL32 once to delete that folder at next logon. It removes the dropped files rather than relaunching them, so it is not persistence for sf21lk84iL85.exe or tf69tX65zZ13.exe, and no other autostart entry for either payload appears in this report.

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
(command line, from the Processes section: sc.exe start wuauserv)

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\062edd98233e77734c5b99bbbe401fb1c63150b97836a0e800585841d762eac8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tf69tX65zZ13.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tf69tX65zZ13.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\062edd98233e77734c5b99bbbe401fb1c63150b97836a0e800585841d762eac8.exe

"C:\Users\Admin\AppData\Local\Temp\062edd98233e77734c5b99bbbe401fb1c63150b97836a0e800585841d762eac8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tf69tX65zZ13.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tf69tX65zZ13.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.27:4123 - tcp
RU 193.233.20.27:4123 - tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 193.233.20.27:4123 - tcp
RU 193.233.20.27:4123 - tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 193.233.20.27:4123 - tcp
RU 193.233.20.27:4123 - tcp

The in-addr.arpa names are reverse (PTR) lookups sent to 8.8.8.8 for 20.72.205.209, 40.126.32.134, 199.232.214.172, 192.229.221.95, 13.71.55.58 and 52.111.227.14; the table does not record which process issued them. The only direct, non-DNS traffic is six TCP connections to 193.233.20.27:4123 with no associated domain name.
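The table mixes two different kinds of row: resolver traffic carrying a reverse-lookup name, and raw TCP connections with no domain at all. The following is an added example, not part of the sandbox report: it parses both row shapes, decodes each in-addr.arpa name back to the address that was looked up, and separates those from the endpoints the sandbox saw contacted directly. The row text is copied from the table above; the resolver address is taken from it as well and is a parameter rather than an assumption about other reports.

```python
"""Turn a sandbox Network table into indicators.

Added example; not code from the report. Rows are copied from the table
above. Handles rows with and without a Domain column and decodes PTR names.
"""
import ipaddress
import re
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.27:4123 tcp
RU 193.233.20.27:4123 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 193.233.20.27:4123 tcp
RU 193.233.20.27:4123 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 193.233.20.27:4123 tcp
RU 193.233.20.27:4123 tcp
"""

_PTR_RE = re.compile(
    r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$", re.I
)


def ptr_to_ip(name: str):
    """'209.205.72.20.in-addr.arpa' -> '20.72.205.209'. Returns None for
    anything that is not an IPv4 PTR name; raises ValueError on a bad octet."""
    m = _PTR_RE.match(name.strip())
    if not m:
        return None
    return str(ipaddress.ip_address(".".join(reversed(m.groups()))))


def parse_rows(text: str):
    """Split table rows into dicts; the Domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def extract_iocs(text: str, resolver=("8.8.8.8", 53)):
    """Return direct endpoints (with hit counts) separately from the
    addresses that were only the subject of a reverse lookup."""
    direct = Counter()
    reverse_lookups = []
    for r in parse_rows(text):
        if (r["ip"], r["port"]) == resolver and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"] or "")
            if ip:
                reverse_lookups.append(ip)
            continue
        direct[(r["ip"], r["port"], r["proto"])] += 1
    return {"direct": dict(direct), "reverse_lookups": reverse_lookups}


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    for (ip, port, proto), n in iocs["direct"].items():
        print(f"direct {proto} {ip}:{port} x{n}")
    for ip in iocs["reverse_lookups"]:
        print(f"ptr-lookup-only {ip}")
```

Keeping the two buckets apart matters when these rows are fed to blocklists: 193.233.20.27:4123 is an endpoint the detonation actually connected to, while an address that only appears inside a PTR query was looked up, not necessarily contacted, and the table does not say by which process.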

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sf21lk84iL85.exe

MD5 05b282d5b4815a8e2c88576138f1824c
SHA1 e49c98cc0964dccc1380da194cf082913cd8ea70
SHA256 9bbcf4ff67e303ab189b0b53120b79c6d1c891ebc1f8c2bf98b5f9ea560777cd
SHA512 398f9483c287f02bf91a17374cb00bfbfb3cce7a8a5cda2827e75f1f94b9fb0afc1cdc845323a43134e5f7d2d4f33952aa73767ac82a2313242913d07fcf769d

memory/2388-{7,9}-0x00007FFEED8A3000-0x00007FFEED8A5000-memory.dmp (2 dumps of the same region)

memory/2388-8-0x00000000004D0000-0x00000000004DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tf69tX65zZ13.exe

MD5 d918db9077504212d04e97bc5857b710
SHA1 cbac3bfca65f8dfe4efd408bcf480f3d603f1d06
SHA256 ab46765a44c015f420a104a2ffee2d036dc0cb4ce25e72be2540eed2cd521bb3
SHA512 f00800d9c2616090029632b5fea54abacc92e9c323feda1ea3c50a2ffdacd0f047d4da66b185b75d4570bee869c9684a3746b1daf58cc66278cbb09a0946f187

memory/1192-15-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

memory/1192-16-0x0000000002CC0000-0x0000000002D0B000-memory.dmp

memory/1192-17-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1192-18-0x00000000048D0000-0x0000000004916000-memory.dmp

memory/1192-19-0x0000000007350000-0x00000000078F4000-memory.dmp

memory/1192-20-0x0000000007230000-0x0000000007274000-memory.dmp

memory/1192-{21,22,24,26,28,30,32,34,36,38,40,42,44,46,48,51,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84}-0x0000000007230000-0x000000000726E000-memory.dmp (33 dumps of the same region)

memory/1192-927-0x0000000007900000-0x0000000007F18000-memory.dmp

memory/1192-928-0x0000000007F20000-0x000000000802A000-memory.dmp

memory/1192-929-0x0000000007300000-0x0000000007312000-memory.dmp

memory/1192-930-0x0000000008030000-0x000000000806C000-memory.dmp

memory/1192-931-0x0000000008170000-0x00000000081BC000-memory.dmp

memory/1192-932-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

memory/1192-933-0x0000000002CC0000-0x0000000002D0B000-memory.dmp

memory/1192-935-0x0000000000400000-0x000000000044E000-memory.dmp