Malware Analysis Report

2025-05-06 00:51

Sample ID 241109-y992ys1hmc
Target 3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab
SHA256 3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256

3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab

Threat Level: Known bad

The file 3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Redline family

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine payload

RedLine

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:30

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:30

Reported

2024-11-09 20:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 396 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe
PID 396 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe
PID 396 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe
PID 4768 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe
PID 4768 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe
PID 4768 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe
PID 2780 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe
PID 2780 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe
PID 2780 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe
PID 4896 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe
PID 4896 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe
PID 4896 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe
PID 4496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe
PID 4496 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe
PID 4496 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe
PID 4496 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe
PID 4496 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe

"C:\Users\Admin\AppData\Local\Temp\3f763f0ef211e1c738c42828ddd96c4290e096c60535984cc22b010d276bceab.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plkb49sV13.exe

MD5 846752d9776cf9797e42e0f24951f202
SHA1 3d36f315a3cbcd3a3e83ed0495ba6abaf82b1a8b
SHA256 999e01b1e7997f754dc679e4290528b6fb761ea4b33e48045032c2fc767f957a
SHA512 9bdd1ecffffec360730bbd3a31c777d77f7e218569e5a906f8bf571fe29afab0f6c1b5e72fbae06386540d41617c2a5da3d52d0cd2dc2cd09e66a84c422de649

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plSX28AB69.exe

MD5 2f5aa6b05006f4355d685630dbaad0d0
SHA1 03c08e1615b3737c2fb07429b153d363482b43fd
SHA256 5b0b782a07d4785eafbb61e2235664ee4aceed418bcb485f7993b3e827c3395e
SHA512 4949b26d1f5bb87ada568449ff4ce0addc90fa77acc799435d7c5bf6c1d8f5e8c4ce404cf68ac3685e391e5618f86e7113a9710dd82ccd61e3bbfb265ad97c0e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plWA19ET88.exe

MD5 411e492d8d3e18009daad37ea576e95f
SHA1 907096d8686ccaefde158a621320846c9b43176a
SHA256 7863a83b3508ef96c4007b40f61e2147caad3304e447e48ee895352ccc00dbea
SHA512 80190904e93865128511ab6ba9b6aa9da634596a9279fe382aaffa22ec5de5bc5d7f474258edddfb8d368e7dac2ed2cbfbd28936a6a9ecd88f858dc9d98c8516

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plsb34EQ73.exe

MD5 46d6c2a9d674d2babeb0ec0d9006e507
SHA1 b7c0e4a85b14dfaf77d617d45492f56a86729a41
SHA256 0c13b74ffda55b31fe7dc88e8ba38682e2d019eaf54bf6787092a1ffad00b4fa
SHA512 bbad193ec6cc1ab80ca4fa68ce335e9cefc9e29fc85e16633451089f97f854b2ca95e4b825530de40e4b70582795a00504e97ac337cb7431333373eb4393aa70

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buAR21yH66.exe

MD5 290f8fba79c89a814e1d0189af17ad64
SHA1 a7db61b58650fe394c019eeb96912e847ead8948
SHA256 08bdde22915a2b6cc2466570ba5495a70ac356f9344b739b8f005ed230f1e213
SHA512 a9adf32ab3f003530dc56ad518bc5d42025cf7d73af9ba3dcd0127204301fabe894ac94370295bfb1f617a3d8cb32b85150c2a69792618987dfadff23e99f9e5

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKw13th10.exe

MD5 8240ae7f59fb434977686a2040ea62e9
SHA1 c0fe02012d46dc9e12c388dd75cab32643708a18
SHA256 230a7452b0db2ecd65ee767d852990ff9cb94f65c485e3a68faa4bcb11b52605
SHA512 78c782edce8e3cdb57624f3be1bc69976691e1a1938b46214bde842b9cc02966be80872c7ae4093d8154c62fe9de20e2cfdf532feae5dfe647ba0d748777c96b
