Malware Analysis Report

2025-05-06 00:50

Sample ID 241109-y9a8ma1hla
Target 4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3
SHA256 4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3
Tags: healer redline rumfa discovery dropper evasion infostealer persistence trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3

Threat Level: Known bad

The file 4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

Healer family

Redline family

RedLine payload

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:28

Reported

2024-11-09 20:31

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 756 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe
PID 756 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe
PID 756 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe
PID 2212 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe
PID 2212 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe
PID 2212 wrote to memory of 380 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe
PID 380 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe
PID 380 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe
PID 380 wrote to memory of 4968 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe
PID 4968 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe
PID 4968 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe
PID 4968 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe
PID 924 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe
PID 924 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe
PID 924 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe
PID 924 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe
PID 924 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe

Processes

C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe

"C:\Users\Admin\AppData\Local\Temp\4e4e508f9f0c352a117805d77f9f909d1d8b122a13e252813a3e6163a7446dd3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
RU | 193.233.20.24:4123 | | tcp
RU | 193.233.20.24:4123 | | tcp
US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmxj11GD85.exe

MD5 0b2cd96a8200c53cdb3444f20beab59c
SHA1 7cb02f5bdf1c09e092811ac4694e901bb615185c
SHA256 3fcbe17a70708e176220b4cea32d6d943b4a9d0ad0e377faac9aaa61b511e1b3
SHA512 29b5a7a79487c382be028546ab2ee117131790376b9b17fc3d218387957ec1c127c07c90dfbab0093b8b0d052af6efa00107a692f2d2a21e827af77b59697559

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmuZ57MA69.exe

MD5 5b8e2d4a66a2ce0212ed8aa69dcea885
SHA1 ff7e32af36ab17cb7975715149f3fd8015d7cb35
SHA256 0a3a17c7a2810b6170217452f3620cd03dc73b057a7b84add77e4483134bfc95
SHA512 d8bc3c060563973adc3fb6100bef2f53cde2dca22a7097a910d32a237246a9f2c06d49d5ea0ebcef746c3596d20abd4a28cc47abe3e5e20f699fdb6dd049639c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmXk06gx55.exe

MD5 930edad88617c23a2131799e6a09fb1e
SHA1 9bf42e57bded7bd008f7eb00a440081791362948
SHA256 4c38db1995815b5ac1d563c3f7d7f1008fb03fac172fda4e0199c60959f185e7
SHA512 e0316b63c8f64b9ed7c6f32648c514a0693551bbddafecaf315b19a51f2fe80c14e0c043b24fcefe4680b3c3c425c609ad389beddc9b8c12384d6500944ec869

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmhZ99Jv09.exe

MD5 a680c007f6adb5517d70e62e24c71530
SHA1 da1155c9b7a9f3aa4f54f24572ca91ffe8a92323
SHA256 3e55fd01e3a6b3a900a823224e17d65ac5d2ded159a9d3a1c83c0f0f796d4138
SHA512 61a153d55962e44f11b0711a6400a6403594c479d2c13b85367c40e48dab903578104819258e02940c61f3ff982007e759d3938ca92a1e81eaf4a98bc54cbf98

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ijq28CK70.exe

MD5 98d9c461a70cb5acc16ae75961d0772b
SHA1 f394f68605824023ad32202edbc52f48d53722b3
SHA256 5648925fdaf06007f0bb809d4f1d75156f13931af1ec48f5bf7b61b3b39b1a22
SHA512 0536e0526ead22e4165bc93efaecc714652fca896daf418df644b1dc242cf4e71122193c4ee3ac1860982dc841808c2a81fc948db29b8369761e9c4544e94be9

memory/1284-35-0x00000000009B0000-0x00000000009BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ken45nJ33.exe

MD5 bc06501e2cbbcfd5b533d51c6a5ef3fb
SHA1 7caa42a1b56383b958098d71bdffbe0b69b1ba93
SHA256 1ea5e787e9d231e9e5c0ebc4a058e587a9b37057469fc949d6458acef78a6c16
SHA512 98da782c0b87b2b6dca516a98a86a0bd90966be55b40ed55cb61975277efbb366d3fb7d3ef8fbbb841cf62d2c39c842db8180013667193caff98285dd3769970

memory/2716-41-0x0000000004AB0000-0x0000000004AF6000-memory.dmp

memory/2716-42-0x0000000004C20000-0x00000000051C4000-memory.dmp

memory/2716-43-0x0000000004B70000-0x0000000004BB4000-memory.dmp

memory/2716-55-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-59-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-107-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-105-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-103-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-101-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-99-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-97-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-95-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-91-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-90-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-87-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-83-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-81-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-80-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-75-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-73-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-71-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-69-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-67-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-65-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-63-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-61-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-57-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-53-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-51-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-50-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-48-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-93-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-85-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-77-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-45-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-44-0x0000000004B70000-0x0000000004BAE000-memory.dmp

memory/2716-950-0x00000000051D0000-0x00000000057E8000-memory.dmp

memory/2716-951-0x0000000005860000-0x000000000596A000-memory.dmp

memory/2716-952-0x00000000059A0000-0x00000000059B2000-memory.dmp

memory/2716-953-0x00000000059C0000-0x00000000059FC000-memory.dmp

memory/2716-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp