Malware Analysis Report

2025-06-15 22:33

Sample ID 241109-xzvc3stjcm
Target b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056
SHA256 b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056

Threat Level: Known bad

The file b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Redline family

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:17

Reported

2024-11-09 19:20

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe
PID 4828 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe
PID 4828 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe
PID 3584 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe
PID 3584 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe
PID 3584 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe
PID 3584 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe
PID 3584 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe
PID 3584 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe

"C:\Users\Admin\AppData\Local\Temp\b137868f8c0f273aca3cd1065da73dd76f9e209638d44ecc54002bee74f40056.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1124 -ip 1124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un227161.exe

MD5 98b709c70c51e42a0974c9cb8a775f5f
SHA1 3f8fefc895f631938b30ef75d87b5e8a5ac75cdf
SHA256 0f395a6a29e0c33ab4c1318af15c976c8613185ce7217e5c0bb88e4cd5587edc
SHA512 077e76ec1d73f7edee6e4610420c1dfaeea7a10ced24e4e182173cd7e6190ee5eaf72e680b387f560bf328199124232a420d1e886211b0d97f9c6a2d1d2374f3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\58076760.exe

MD5 7f148a00e12edaef9a15d660c8109bd8
SHA1 2b206f44daee100e32df14ea1dc2d316747bd17c
SHA256 b2ad7ebf3b6821ca21b620e70cf2b35a922a92e1e02647f6966bcd577ce5fdb2
SHA512 c13ea7d048115a13f44e7c5a4b075eee6a011fa2bfbc84d668309d395472ede41e2e0a42884947581987fdf56c253bfc2e4f351e325ade9a8e34eab1208bd0b1

memory/1124-15-0x00000000007C0000-0x00000000008C0000-memory.dmp

memory/1124-16-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1124-17-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1124-18-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1124-19-0x0000000002390000-0x00000000023AA000-memory.dmp

memory/1124-20-0x0000000004CF0000-0x0000000005294000-memory.dmp

memory/1124-21-0x0000000002630000-0x0000000002648000-memory.dmp

memory/1124-27-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-49-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-48-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-45-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-43-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-42-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-40-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-37-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-35-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-33-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-31-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-29-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-26-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-23-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-25-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-22-0x0000000002630000-0x0000000002643000-memory.dmp

memory/1124-50-0x00000000007C0000-0x00000000008C0000-memory.dmp

memory/1124-51-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1124-54-0x0000000000400000-0x0000000000455000-memory.dmp

memory/1124-55-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk331272.exe

MD5 7457dc6742a2a3c2bffe967b628499f3
SHA1 0c3b6deb84476b28c0cdd54e61dc2f3d9778e642
SHA256 05ca104e0ebf1cbb1021e183521cf90f95435974596c24bbb2d182b446457728
SHA512 2198761294eaad84ec8259aecce4d6985e393181eb91d9b6cb531ec83142bd689ed42d49b3cd135128f5b40dabb89400f3375a4f25fd40e7cbef088fcd89e519

memory/4588-60-0x0000000002650000-0x000000000268C000-memory.dmp

memory/4588-61-0x0000000004A70000-0x0000000004AAA000-memory.dmp

memory/4588-69-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-91-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-79-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-67-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-65-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-63-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-62-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-95-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-94-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-89-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-87-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-85-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-83-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-81-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-77-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-75-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-73-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-71-0x0000000004A70000-0x0000000004AA5000-memory.dmp

memory/4588-854-0x00000000075E0000-0x0000000007BF8000-memory.dmp

memory/4588-855-0x0000000007C00000-0x0000000007C12000-memory.dmp

memory/4588-856-0x0000000007C20000-0x0000000007D2A000-memory.dmp

memory/4588-857-0x0000000007D30000-0x0000000007D6C000-memory.dmp

memory/4588-858-0x0000000002220000-0x000000000226C000-memory.dmp