Malware Analysis Report

2025-05-28 18:49

Sample ID 241110-d9pe2aykft
Target b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb
SHA256 b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb
Tags
healer redline dumud discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb

Threat Level: Known bad

The file b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb was found to be: Known bad.

Malicious Activity Summary

Modifies Windows Defender Real-time Protection settings

RedLine payload

Detects Healer an antivirus disabler dropper

Healer family

RedLine

Redline family

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:42

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:42

Reported

2024-11-10 03:45

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9714322.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7725239.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9714322.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2308 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9714322.exe
PID 4880 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9714322.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe
PID 4880 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9714322.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7725239.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe

"C:\Users\Admin\AppData\Local\Temp\b5e55b3f579910248429b8295401eb6cca708ce389a0a9431b9f5fa083d2e1cb.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9714322.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9714322.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7725239.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7725239.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
CY 217.196.96.101:4132 tcp
CY 217.196.96.101:4132 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y9714322.exe

MD5 35b2bc877ae55e3f5f7067bb5b2630ae
SHA1 9c6ca8e4b50de8ddee2428c5ccd645429fff4c84
SHA256 d84972dff03da9d2d8fd9e3dc5f84a40fdd8f899a2492433be2dc3677b30f823
SHA512 404706968da3dbdddecd49b92744cb6b9ac9d5919f7c2ca2ff332a2565a289cb558061db99e675cf4cfea939a483eed69253c2e43b152fd2d6b6e6d370fc1515

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\k7967811.exe

MD5 fbd3ef92cfaaf7eec314dea971095d5e
SHA1 16f9defe16511fa73732b1e431eb0dc9b73c457b
SHA256 7c817ddadf209c0b0385ecb0340f5331a6681a0684fa034037c8f426a2d8fb77
SHA512 4d2201724f500a6933cdb7b7e01032c55a76be7dcabc66e23d65c4b7a0ccaa6b614b77b1c0a4e69425ccbe152ae848983c9aae1059f8abbd7786788f3c97ebdc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l7725239.exe

MD5 a27f4e37a4539ff0f8ab648f5a1700a6
SHA1 32a51599313569b0fc9a400c64c47776e55bb782
SHA256 fd5783bb8c45a48a8e4bb2a764e69213afcfb7266b50d0ca5477512495a4f691
SHA512 153b761f71944d8ffda33aeadefb592ad3d2e2f8fab5aa037bfc3fc5b5fec6cf96e012ea633d84c89d144f9edebd84c8bdf4cb8329c787aa92217ea3dd59c14e
