Malware Analysis Report

2025-06-15 22:33

Sample ID 241109-xzpslazhnp
Target 0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e
SHA256 0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e
Tags
healer redline morty discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e

Threat Level: Known bad

The file 0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e was found to be: Known bad.

Malicious Activity Summary

healer redline morty discovery dropper evasion infostealer persistence trojan

RedLine

Redline family

Detects Healer, an antivirus disabler dropper

RedLine payload

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:17

Reported

2024-11-09 19:20

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3412 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe
PID 3412 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe
PID 3412 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe
PID 3112 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe
PID 3112 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe
PID 3112 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe
PID 3112 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe
PID 3112 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe
PID 3112 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe

"C:\Users\Admin\AppData\Local\Temp\0919eae9b9b5a0ed62cb46794c1b154119127947f42a02e8051e0a7492741b5e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9639336.exe

MD5 e1ea8227deff3d431e9af22c642a6011
SHA1 2f4b73de7db5c8c6b8a9047a6f2da48fec68ad16
SHA256 8dd76c6b2f719886552f75cd22912274c14b05766bea8b4ee61f8470f1f4cb7b
SHA512 61c84424f5a270bc2534f07f06d8089ed58dfce8fd84c549c0e6a19be2253cf60df3d14563f508e0a3063fe7924cac3874ac92901b7bcfc37be4d0ed0d228cbc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\a7383723.exe

MD5 45cf0dc03b5352571138c8c2698c8cfe
SHA1 601d40add54ce3a816e6d1de99b33ff00c723423
SHA256 c24b33cd7d5c257b50a4a3ec5e75d18abcc2a2d04c6229b9968b22f9c44b6986
SHA512 36b056d0568a96b31b38f45b94447da7ecc7db5efac83ef384e27617ce8fd9a445a4cb26744a1d585aa270bf5612a4a748e7a5748c1094dd84cc9c97d0c2cdf3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\b8152210.exe

MD5 4136481881f343d02ffbef27ca9ec717
SHA1 7fad11267c6e3fc8d869df68a396c925f73ad276
SHA256 93565fe60bbd30ca86d91be39af3eef493da40d0de5462719c8ff1349d906017
SHA512 88a6e3752c1d552c3465a5331a3f98a0dcbd5524004183fcfe85ce8e6b155bd1ac255beca68835ad2b2e09a4087c9bf84c562596c68fe23945a0dcb136d4cde9
