Malware Analysis Report

2025-05-06 00:51

Sample ID 241109-zaangsvjcq
Target 029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04
SHA256 029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04
Tags
healer redline lade discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04

Threat Level: Known bad

The file 029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04 was found to be: Known bad.

Malicious Activity Summary

healer redline lade discovery dropper evasion infostealer persistence trojan

Redline family

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Healer family

RedLine payload

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 20:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 20:30

Reported

2024-11-09 20:32

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 396 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe
PID 396 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe
PID 396 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe
PID 1692 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe
PID 1692 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe
PID 1692 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe
PID 1692 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe
PID 1692 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe
PID 1692 wrote to memory of 4784 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe

Processes

C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe

"C:\Users\Admin\AppData\Local\Temp\029dab9196581a36066e22d6ca0f8220dc229836b4e09278319d0c8e7c74de04.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z2268608.exe

MD5 fde9bdb77698b33d989e1bdeb6ddf07e
SHA1 a146e8afe30b3dbcb7d641a213244cdbc215c445
SHA256 5729677e98a9388705457606b5133525f985ae0a08c09dbb685ce538f8eb17b9
SHA512 8bf622ca499981bdce8aa832cec4b2bd7fed5b676911f1aade0cb5d7c1250ea4dd984c3945a5f556a408590945b5954d1e139db96f2aff8c8e626c782e8d022d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\o8067822.exe

MD5 1d1ef34713c6116eabbf4ff4b61562d7
SHA1 132f8c84a5c1da6173786c7ac169d3eb11f2fc31
SHA256 f68c19401376fc590ace8959c71be433c90d9ed8f7192346fc766ff7c4a539fb
SHA512 50ec5949c575b159733ab217c00dc971ef4a11eb370ed44c2746c4e313da001a3d46c452f3873f3f6e7fe5140ef928e6b1214691e993881ef8c0444cb14c166f

memory/5036-14-0x000000007445E000-0x000000007445F000-memory.dmp

memory/5036-15-0x00000000022A0000-0x00000000022BA000-memory.dmp

memory/5036-16-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/5036-17-0x0000000004AD0000-0x0000000005074000-memory.dmp

memory/5036-18-0x0000000004980000-0x0000000004998000-memory.dmp

memory/5036-24-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-44-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-42-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-40-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-38-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-36-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-34-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-32-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-30-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-28-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-27-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-46-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-22-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-47-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/5036-20-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-19-0x0000000004980000-0x0000000004992000-memory.dmp

memory/5036-48-0x000000007445E000-0x000000007445F000-memory.dmp

memory/5036-49-0x0000000074450000-0x0000000074C00000-memory.dmp

memory/5036-51-0x0000000074450000-0x0000000074C00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\r2640689.exe

MD5 b84abbfcba7e0a2a3b8ccb57b2bc270e
SHA1 9381c88676cb7a6ac28953b68903183829982d9f
SHA256 38e8f83bcf43e6e2877f4af9670c33f03a8631c8d0e2989a1bd81a5df893e7cd
SHA512 1296269b70977069a62d282e901308071c9f0d9632e4966ad64c3cb77c62a14b0233100f1179fb9f1570f65713ba4d3ff45678f74ba1f8f2f6db3d9a6a005748

memory/4784-55-0x0000000000780000-0x00000000007AE000-memory.dmp

memory/4784-56-0x0000000002900000-0x0000000002906000-memory.dmp

memory/4784-57-0x000000000ABE0000-0x000000000B1F8000-memory.dmp

memory/4784-58-0x000000000A6D0000-0x000000000A7DA000-memory.dmp

memory/4784-59-0x00000000051A0000-0x00000000051B2000-memory.dmp

memory/4784-60-0x000000000A5C0000-0x000000000A5FC000-memory.dmp

memory/4784-61-0x0000000000F20000-0x0000000000F6C000-memory.dmp