Malware Analysis Report

2025-04-03 14:19

Sample ID 241110-dhhheayamk
Target c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed
SHA256 c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed

Threat Level: Known bad

The file c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Healer

Redline family

RedLine payload

Healer family

Detects Healer an antivirus disabler dropper

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:00

Reported

2024-11-10 03:02

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
2 matches, all fields N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
35 matches, all fields N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe N/A

Adds Run key to start application

persistence

Note: the three RunOnce values below are the wextract_cleanupN entries that IExpress self-extractors write for themselves. Each stage (IXP000.TMP, IXP001.TMP, IXP002.TMP) registers rundll32.exe advpack.dll,DelNodeRunDLL32 to delete its own extraction directory at the next logon. This is self-extractor cleanup, not persistence of the Healer or RedLine payloads; read the signature as evidence of a nested IExpress (wextract) dropper chain rather than of an autostart.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixz4912.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe N/A
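The registry rows under "Modifies Windows Defender Real-time Protection settings", "Windows security modification" and "Adds Run key to start application" are the events a responder actually has to rank. The script below is an added example, not sandbox output or code from the sample: it rebuilds those rows as constructed (operation, key path, value, process) tuples, which is an assumed export layout, flags the Defender policy and TamperProtection writes as T1562.001, and separates the wextract_cleanup RunOnce values (self-extractor cleanup) from a genuine autostart. The final user-hive Run entry is hypothetical and only exercises the persistence branch.

```python
"""Triage sandbox registry events: flag Defender-disabling writes and separate
IExpress/wextract cleanup RunOnce values from real autostart persistence.

Added example for this report, not sandbox output or malware code. The event
tuples are constructed from the report's indicator rows; the
(operation, key path, value, process) layout is an assumed export format.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

TMP = r"C:\Users\Admin\AppData\Local\Temp"
STAGE0 = TMP + r"\c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed.exe"
STAGE1 = TMP + r"\IXP000.TMP\zixz4912.exe"
HEALER = TMP + r"\IXP002.TMP\it816270.exe"
RTP_POLICY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
CLEANUP_CMD = 'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "' + TMP + '\\IXP00{}.TMP\\"'

# Constructed from the report's Defender, TamperProtection and RunOnce rows.
SAMPLE_EVENTS = [
    ("Set value (int)", RTP_POLICY + r"\DisableIOAVProtection", "1", HEALER),
    ("Set value (int)", RTP_POLICY + r"\DisableOnAccessProtection", "1", HEALER),
    ("Set value (int)", RTP_POLICY + r"\DisableRealtimeMonitoring", "1", HEALER),
    ("Set value (int)", RTP_POLICY + r"\DisableScanOnRealtimeEnable", "1", HEALER),
    ("Key created", RTP_POLICY, None, HEALER),
    ("Set value (int)", RTP_POLICY + r"\DisableBehaviorMonitoring", "1", HEALER),
    ("Set value (int)", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "0", HEALER),
    ("Set value (str)", RUNONCE + r"\wextract_cleanup0", CLEANUP_CMD.format(0), STAGE0),
    ("Set value (str)", RUNONCE + r"\wextract_cleanup1", CLEANUP_CMD.format(1), STAGE1),
    # Hypothetical row, NOT in the report: a real user-hive Run autostart, added
    # only so the persistence branch below is exercised.
    ("Set value (str)", r"\REGISTRY\USER\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r"C:\Users\Admin\AppData\Roaming\updater.exe", STAGE1),
]


@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM or INFO
    technique: str  # ATT&CK id, "" when the event is not a technique
    process: str
    detail: str


RUNKEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.IGNORECASE)
DELNODE_RE = re.compile(r'advpack\.dll,DelNodeRunDLL32\s+"([^"]+)"', re.IGNORECASE)


def classify(op: str, path: str, value: Optional[str], process: str) -> Optional[Finding]:
    low = path.lower()
    name = path.rsplit("\\", 1)[-1]
    # Group Policy override of Defender real-time protection (T1562.001).
    if low.startswith(RTP_POLICY.lower()):
        if op == "Key created":
            return Finding("INFO", "T1562.001", process, "Defender Real-Time Protection policy key created")
        if name.lower().startswith("disable") and value == "1":
            return Finding("HIGH", "T1562.001", process, f"Defender policy {name} = 1")
        return None
    # Direct write to the Tamper Protection feature flag.
    if low.endswith(r"\windows defender\features\tamperprotection") and value == "0":
        return Finding("HIGH", "T1562.001", process, "TamperProtection feature flag set to 0")
    m = RUNKEY_RE.search(path)
    if m:
        d = DELNODE_RE.search(value or "")
        if d and name.lower().startswith("wextract_cleanup"):
            # wextract writes this itself; it deletes the IXP temp dir at next logon.
            return Finding("INFO", "", process,
                           f"wextract cleanup RunOnce for {d.group(1)} (self-extractor, not persistence)")
        return Finding("MEDIUM", "T1547.001", process, f"{m.group(1)} autostart {name} -> {value}")
    return None


def triage(events):
    """Classify every event; events no rule covers return None and are dropped."""
    return [f for f in (classify(*e) for e in events) if f is not None]


def severity_counts(findings):
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        proc = f.process.rsplit("\\", 1)[-1]
        print(f"{f.severity:<6} {f.technique:<10} {proc:<16} {f.detail}")
```

On a live host, do not trust the registry alone: when Tamper Protection is on, Defender is designed to ignore these policy values and to block the write to Features\TamperProtection, so confirm the effective state with Get-MpComputerStatus (IsTamperProtected, RealTimeProtectionEnabled, BehaviorMonitorEnabled) and record any mismatch between the registry and the reported state.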

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixz4912.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945848.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945848.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4552 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixz4912.exe
PID 4552 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixz4912.exe
PID 4552 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixz4912.exe
PID 4012 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixz4912.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe
PID 4012 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixz4912.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe
PID 4012 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixz4912.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe
PID 3420 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe
PID 3420 wrote to memory of 4400 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe
PID 3420 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945848.exe
PID 3420 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945848.exe
PID 3420 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945848.exe
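The WriteProcessMemory rows above are the clearest record of the dropper chain: sandboxes log the parent's writes into a freshly created child (CreateProcess populating the PEB and environment) as WriteProcessMemory, so the first writer into a PID is its creator. The script below is an added example, not sandbox output: it parses rows constructed in the report's own "PID X wrote to memory of Y" format, rebuilds the tree sample -> zixz4912.exe -> ziVX1387.exe -> {it816270.exe, jr945848.exe}, and reports any later write from a different PID as an injection candidate; the last row is a hypothetical addition to exercise that branch.

```python
"""Rebuild the dropper process tree from a sandbox's WriteProcessMemory rows.

Added example for this report, not sandbox output. The first writer into a PID
is taken as its creator (CreateProcess writes the child's PEB/environment);
later writes from a different PID are reported as injection candidates.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(\S+)$")
TMP = r"C:\Users\Admin\AppData\Local\Temp"
S0 = "c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed.exe"
S1, S2 = r"IXP000.TMP\zixz4912.exe", r"IXP001.TMP\ziVX1387.exe"
HEALER, REDLINE = r"IXP002.TMP\it816270.exe", r"IXP002.TMP\jr945848.exe"


def _row(src, dst, sp, dp):
    return f"PID {src} wrote to memory of {dst} N/A {TMP}\\{sp} {TMP}\\{dp}"


# Constructed from the report's rows, one line per logged call.
SAMPLE_ROWS = "\n".join([
    _row(4552, 4012, S0, S1), _row(4552, 4012, S0, S1), _row(4552, 4012, S0, S1),
    _row(4012, 3420, S1, S2), _row(4012, 3420, S1, S2), _row(4012, 3420, S1, S2),
    _row(3420, 4400, S2, HEALER), _row(3420, 4400, S2, HEALER),
    _row(3420, 3256, S2, REDLINE), _row(3420, 3256, S2, REDLINE), _row(3420, 3256, S2, REDLINE),
    # Hypothetical, NOT in the report: a write into an already-running process.
    _row(3256, 4400, REDLINE, HEALER),
])


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((int(m[1]), int(m[2]), m[3], m[4]))
    return rows


def build_tree(rows):
    """Return (parent, children, names, writes, anomalies)."""
    parent, children, names = {}, defaultdict(list), {}
    writes, anomalies = defaultdict(int), []
    for w, t, wp, tp in rows:
        names.setdefault(w, wp)
        names.setdefault(t, tp)
        writes[(w, t)] += 1
        if t not in parent:
            parent[t] = w            # first writer: treated as the creator
            children[w].append(t)
        elif parent[t] != w and (w, t) not in anomalies:
            anomalies.append((w, t))  # cross-process write into an existing PID
    return parent, children, names, dict(writes), anomalies


def basename(path):
    return path.rsplit("\\", 1)[-1]


def lineage(parent, names, pid):
    """Basenames from the root of the tree down to pid."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [basename(names[p]) for p in reversed(chain)]


def roots(parent, children):
    return sorted(p for p in children if p not in parent)


def render(tree, pid, depth=0):
    parent, children, names, writes, _ = tree
    line = "  " * depth + f"{pid} {basename(names[pid])}"
    if pid in parent:
        line += f"  ({writes[(parent[pid], pid)]} writes)"
    out = [line]
    for c in children.get(pid, []):
        out.extend(render(tree, c, depth + 1))
    return out


if __name__ == "__main__":
    tree = build_tree(parse_rows(SAMPLE_ROWS))
    for r in roots(tree[0], tree[1]):
        print("\n".join(render(tree, r)))
    for w, t in tree[4]:
        print(f"injection candidate: {w} -> {t} ({basename(tree[2][t])})")
```

Two or three writes per child is the normal CreateProcess footprint; what would matter is a write into a PID that already has a different creator, which this sample does not show in the report.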

Processes

C:\Users\Admin\AppData\Local\Temp\c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed.exe

"C:\Users\Admin\AppData\Local\Temp\c3b4d41725a9a97fab0309d2d45f6f0e2c6df5fc12360b69d2de2d4704b3cbed.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixz4912.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixz4912.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945848.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945848.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
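The Network table is flattened: DNS rows carry a Domain column, the TCP rows do not, and the same RU endpoint appears seven times. The script below is an added example, not sandbox output: it parses rows copied from the table in both shapes, decodes each in-addr.arpa PTR query back to the address it asked about (octets are listed reversed), and collapses repeated flows into one endpoint with a count, leaving the single plain-TCP endpoint 185.161.248.152:38452 as the indicator to pivot on.

```python
"""Normalise a sandbox Network table into pivotable indicators.

Added example for this report, not sandbox output. Rows are parsed as either
"CC host:port name proto" (DNS) or "CC host:port proto" (other flows).
"""
import re
from collections import Counter

ROW_RE = re.compile(r"^([A-Z]{2})\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(udp|tcp)$")
PTR_RE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa\.?", re.IGNORECASE)

# Copied from the report's Network table (constructed inline so this runs offline).
SAMPLE_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
"""


def ptr_to_ip(name):
    """Decode an IPv4 reverse-DNS name to the address it asks about, else None."""
    m = PTR_RE.fullmatch(name)
    if not m or any(int(o) > 255 for o in m.groups()):
        return None
    return ".".join(reversed(m.groups()))


def parse_table(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, host, port, name, proto = m.groups()
            rows.append({"cc": cc, "host": host, "port": int(port), "name": name, "proto": proto})
    return rows


def summarize(rows):
    """Split DNS PTR lookups (decoded to targets) from every other flow (counted)."""
    ptr, flows, unresolved = set(), Counter(), []
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["name"]:
            ip = ptr_to_ip(r["name"])
            if ip:
                ptr.add(ip)
            else:
                unresolved.append(r["name"])  # not an IPv4 PTR (e.g. ip6.arpa, A query)
        else:
            flows[(r["cc"], f"{r['host']}:{r['port']}", r["proto"])] += 1
    return {"ptr_targets": sorted(ptr), "flows": dict(flows), "unresolved": unresolved}


def indicators(summary):
    """Endpoints worth pivoting on: every non-DNS flow, with how often it was seen."""
    return [f"{ep} ({proto}, {cc}) x{n}" for (cc, ep, proto), n in summary["flows"].items()]


if __name__ == "__main__":
    s = summarize(parse_table(SAMPLE_TABLE))
    print("PTR targets:", ", ".join(s["ptr_targets"]))
    print("flows:", "; ".join(indicators(s)))
```

The PTR lookups all go to 8.8.8.8 and only tell you which addresses something on the host had already talked to; cross-check them against the flows list rather than treating them as indicators themselves. The repeated plain-TCP connection to a non-standard port is consistent with the RedLine detection on this page and is the endpoint to hunt for in proxy and NetFlow data.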

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zixz4912.exe

MD5 c466c2ca03d60cd187fd8402b16ff2c7
SHA1 c31e3dee9f919c0c2361ceddbaf72d3670c80a29
SHA256 8353ffe18441ecccef17b0c60c5e7850455a99cbe278c5c1389180ffa4567950
SHA512 1cac18286f7df1a80c8f18def1668612008bc11bd3e2df5df661ce3a17d60658b23061c0b51c4d1b61b12b0fd488d0cd732e05a412025cdc5579bdd15edfb601

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ziVX1387.exe

MD5 35e67fc8201c6c755e8b1fe12e2b3f45
SHA1 d6e7bc34989df68a66a193a1b71bb1a28055b595
SHA256 4101e35d2f0f51f8f882dce9fd77c659f8e63c4cf416f30726ea765a9313ec3a
SHA512 79003f9a92f1071f3db871e12db4724ef81053a960624f3b71da8d3507c8f1b4a25c13582b28df5110dd5c0725a04b9019302d2269e6b3ea05ff86286bf9a8b8

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it816270.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4400-22-0x0000000000150000-0x000000000015A000-memory.dmp

memory/4400-21-0x00007FFB49103000-0x00007FFB49105000-memory.dmp

memory/4400-23-0x00007FFB49103000-0x00007FFB49105000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr945848.exe

MD5 9db154e36b910b1c07235e5d5ae1e708
SHA1 e60a9b6da9016bd97d58d1deddfad621e69989af
SHA256 754c123d73ac19ac2b576ad80c87687c3742df9318065ef316097eda85bee9c6
SHA512 f9a44a2b87107d3cd150d160e133ca893133f142518b09c85fad25954e662712442ef38ab2e059d4aa14e72b94c53ee09fd6f88e026c4c23edadb4ccf3664061

memory/3256-29-0x0000000004D60000-0x0000000004D9C000-memory.dmp

memory/3256-30-0x0000000004EB0000-0x0000000005454000-memory.dmp

memory/3256-31-0x0000000004E20000-0x0000000004E5A000-memory.dmp

memory/3256-N-0x0000000004E20000-0x0000000004E55000-memory.dmp (33 dumps of the same region, N = 32, 33, 35, 37, 39, 41, 43, 45, 47, 49, 51, 53, 55, 57, 59, 61, 63, 65, 67, 69, 71, 74, 75, 77, 79, 81, 83, 85, 87, 89, 91, 93, 95)

memory/3256-824-0x00000000078E0000-0x0000000007EF8000-memory.dmp

memory/3256-825-0x0000000007FA0000-0x0000000007FB2000-memory.dmp

memory/3256-826-0x0000000007FC0000-0x00000000080CA000-memory.dmp

memory/3256-827-0x00000000080E0000-0x000000000811C000-memory.dmp

memory/3256-828-0x0000000004850000-0x000000000489C000-memory.dmp