Malware Analysis Report

2025-05-28 18:49

Sample ID 241110-d9a8eaygqh
Target bb63d75f7338d7e739f46afd45f55f14811d752e211db21245f6701967982aa7
SHA256 bb63d75f7338d7e739f46afd45f55f14811d752e211db21245f6701967982aa7
Tags healer redline discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

bb63d75f7338d7e739f46afd45f55f14811d752e211db21245f6701967982aa7

Threat Level: Known bad

The file bb63d75f7338d7e739f46afd45f55f14811d752e211db21245f6701967982aa7 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

RedLine payload

Modifies Windows Defender Real-time Protection settings

Redline family

Detects Healer an antivirus disabler dropper

Healer

Healer family

RedLine

Windows security modification

Executes dropped EXE

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:42

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:42

Reported

2024-11-10 03:44

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4206979.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe
PID 2964 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe
PID 2964 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe
PID 3924 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe
PID 3924 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe
PID 3924 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe
PID 3752 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe
PID 3752 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe
PID 3752 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe
PID 4188 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe
PID 4188 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe
PID 4188 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe
PID 2388 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe
PID 2388 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe
PID 2388 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe
PID 2388 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4206979.exe
PID 2388 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4206979.exe
PID 2388 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4206979.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe

"C:\Users\Admin\AppData\Local\Temp\ae388559b711c73041590e5cef681969828abc52e653387d333f0612a486b8d8.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1404 -ip 1404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4206979.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4206979.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
FI 77.91.124.111:19069 tcp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
FI 77.91.124.111:19069 tcp
FI 77.91.124.111:19069 tcp
FI 77.91.124.111:19069 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v0298957.exe

MD5 c5b9e4833b83471eb13cfb2d38bd19e9
SHA1 852e1302285b2c9ed108eb4463083ee084b7e64e
SHA256 b96f6dcdc7becc043cc7d11196cff92475c275835803ec743db5790507680b95
SHA512 70586407ceef2d631309b61d542f40c17438d5e893bf6d51cad507210d0983050114df459c8b8689471be7c75270079b277ad7d27456f0eb419a8e79ed0b42cc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v0991080.exe

MD5 27afa2d783ac422b0f4ecf5328fd3d25
SHA1 aca524a69f3d554b7818d2307e287fa0b75c7770
SHA256 85b04b6e984397b29e6876b6f457928faef9bc542057f5be85eea19616823419
SHA512 00d2c9db205c90e89ff42894ff1922823a01c191b86f2f6d0295809259b19d7b56d39a0c3c7ea193d3555aeabe7150c6bf70306d552e81bd7d24129919470498

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v6827553.exe

MD5 949fdb52ba681b128271693003332ae6
SHA1 19b442f2141e588709ad417e64c3736e43f5075a
SHA256 e9a947baa4bce2b22ca9deafb3cc6aef66c984d5c39a0b7900c7598356cb445a
SHA512 0f537ac37e5370138b9b85675bada19ad10679cfbf56e1e2dc63ff62b4f2270a08a60dd371b21707d68d2d4e8b45241c2b71693b5ffbcc9efd7f1ac0d2346d75

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v0163979.exe

MD5 317cb3a6e32a5d75f5f668776ede82c5
SHA1 efd29a6e93859dff257ca0a300cac5f0563fb12c
SHA256 71d12500798d38119139d1677de7ebf12fce1ccd7cf9d0f4d72fc833da55be68
SHA512 430f21559344b233110cac76d4b4d8ac4a14f371ea26dcf70c7709a158a5eda1feea799be7ca06c85585f34634c09f8018d5203d12e30d50f6844a60c54cb013

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a5961201.exe

MD5 a1aad20f88335977d3f603dd7a864191
SHA1 abd7aae69b0b77afad699495730a343c2182bfad
SHA256 ff9bbc88c94b796a9947c25b7c3c64f662bfc1d20de943482e7418400d03d459
SHA512 93779f75def6a262d774f7ca51fbd505eb5e258c69b8ee0cbebadfdb12ec9dbb597969529d69e22d1ec4733181980ecabdaa5d7f4a9d4e6b3d2fe55821511379

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b4206979.exe

MD5 9b06d0e1fdaa5398aad108c6e68fdbb9
SHA1 8e5d0b1b3faa675a238b2c44157e9ebf74489c93
SHA256 7ca183bb42b19bd975df32550834e168fda08c51a4554ffb003d1975c45eeab7
SHA512 4313359f663f627d93db4955aee0fb2bae68771418a2b7ce2015ce1dc75e8d450354012c8a1bd547344dcc49bbabbd08293fb8a6c2d3ff5539be121e57e4bc59