Malware Analysis Report

2025-05-28 18:49

Sample ID 241110-d8h7maykcw
Target 3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd
SHA256 3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd

Threat Level: Known bad

The file 3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Redline family

Healer

RedLine payload

Modifies Windows Defender Real-time Protection settings

Healer family

Detects Healer an antivirus disabler dropper

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:40

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:40

Reported

2024-11-10 03:43

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTi2861.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTi2861.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku743758.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku743758.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe

"C:\Users\Admin\AppData\Local\Temp\3499cbe4e494c920199e61526e99e28f5a3aed1ebbb911b08ec97336b7d83abd.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTi2861.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTi2861.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku743758.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku743758.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziTi2861.exe

MD5 acfa868b13dbf3e79b7d56f4b110418b
SHA1 ef394ee77e917aa53cb6552c4e8e03a3b6df6035
SHA256 e324ea6673016b0de367d395e7191e4b0801ad1dbc8199bab85525edfcc02c93
SHA512 1746742c0d594afa1be8e4af9cae53e302ddba5d3983ff6f912d07566fb2bd85fa4d7b5b622c3a1fbb1dc469d890b4d146cf7a8be7762b07d9cb6eefe8682b98

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr533923.exe

MD5 223eaf1cad299c0ed7e67067398b4563
SHA1 8633c28a5aa38c5741a37464b7e9d4372ffa1ab2
SHA256 e901b004d6ba77cb69784c0a9b87b0fcbf5aedd6a47a99dd46772ee4422c3c70
SHA512 1262a85ee3236ad981e97dd61482497a0fda45d81062f7447918c81c390694ad4ed0796ea41643a5be7e9708f7c914725785ed2ec504b3d373a4a5fb65690f51

memory/4484-14-0x00007FFDDE513000-0x00007FFDDE515000-memory.dmp

memory/4484-15-0x00000000008E0000-0x00000000008EA000-memory.dmp

memory/4484-16-0x00007FFDDE513000-0x00007FFDDE515000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku743758.exe

MD5 0cf655ac70715e92bbe7c51e32fd2e18
SHA1 7e855b6103c2b0200b9901a6875aa3d9592a0caf
SHA256 8e0536100223410eb1bbb68c8cadba1d407e998bb9b4a8986e88f38653809920
SHA512 661940b18224451c6a255e883dd0f236888844bc4a4c08f623d6ead957808562a5d677e1497dea4e095ed59e77e13b9335d91415356e3e83ae2a042789d23fef