Malware Analysis Report

2025-04-03 14:20

Sample ID 241110-dkqa2aycme
Target 2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f
SHA256 2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f

Threat Level: Known bad

The file 2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine

RedLine payload

Detects Healer an antivirus disabler dropper

Healer

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:04

Reported

2024-11-10 03:06

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (35 identical rows)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVK43IT57.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVK43IT57.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe
PID 1684 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe
PID 1684 wrote to memory of 4496 N/A C:\Users\Admin\AppData\Local\Temp\2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe
PID 4496 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe
PID 4496 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe
PID 4496 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe
PID 3600 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe
PID 3600 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe
PID 3600 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe
PID 3024 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe
PID 3024 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe
PID 3024 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe
PID 2184 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe
PID 2184 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe
PID 2184 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVK43IT57.exe
PID 2184 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVK43IT57.exe
PID 2184 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVK43IT57.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe

"C:\Users\Admin\AppData\Local\Temp\2eb2e5be66b4378daa5a1ae41aac3ccc1f5737f831ca6a8669c2b29c42536b9f.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVK43IT57.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVK43IT57.exe

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53          83.210.23.2.in-addr.arpa      udp
US       8.8.8.8:53          140.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
RU       193.233.20.24:4123  -                             tcp
US       8.8.8.8:53          28.118.140.52.in-addr.arpa    udp
RU       193.233.20.24:4123  -                             tcp
RU       193.233.20.24:4123  -                             tcp
RU       193.233.20.24:4123  -                             tcp
US       8.8.8.8:53          21.236.111.52.in-addr.arpa    udp
RU       193.233.20.24:4123  -                             tcp
RU       193.233.20.24:4123  -                             tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plSp47nm46.exe

MD5 aa36b4e19d2c64cb2a77fabe3876fac5
SHA1 10d7c9d8e2e6b5108e245f61413af104d2287905
SHA256 02c9aec800b530693ba115c7fa5160ff2f8384dff1011e85712ca583a3312dad
SHA512 078ec4e79986461042e6cc47976e78c0c0450df32451842284ee1aa386087708d8efeb6672c01585367aad0ba6adb60eea9c2edc0e5611b6b3d15e0d624edc61

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plnJ68vL16.exe

MD5 bf4f711c128f1e503fc31ec383cff510
SHA1 ba452e3005deb44a0da88b71c0a0c217f1b23c17
SHA256 0046964ced5a585fa476ca0473f7232e61de1267cdafec46d9f585dfa3d9e76e
SHA512 9429d5bc36937c3ef3118dea23687ca73f2f559dab1356df32981e9e70739a2a39a0625753bd6d6e08e0fe3357a2ef95423854863ffc59ba4870eaceed50e288

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plvH72Gs88.exe

MD5 2e378bb4471fc24346324f088058a9b2
SHA1 a8c2ac17d4b04e7efabcfd59e604a8ee37a4ccad
SHA256 352e0895bfcf72868d86a15b83bd680d9d690e281f917f8a1e63fa6fab4cf469
SHA512 f4ce1f0f4f8283ea9f58c03de43d73cef1a18b1c0116e9bd884a298e262b18a42bd39ea62f911f0ac7c2072f54b8080a8624474c215dacdc518021db058ba124

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWP38mG35.exe

MD5 40d5ef9a4492b69cece82aa6a6067f05
SHA1 74243043947f51dd32a3d8bd8906e343f1c3a781
SHA256 51a7fbb318160625153ffd73faac18c399b4cd867f44ed26e797aaf39337ad7c
SHA512 dcc1a380659673eda567c08017d2ff9d495ae61174487daf11a9b410f623c9606e3d5813ed5a6603e063bb7f4f9783a321336bb1a611db7ea945a6913159d71c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buna14wg02.exe

MD5 5fd12f066c4d1f6b7a68489696b9c65a
SHA1 fd51fcd5960b0305a685aef6b425225e2f13024b
SHA256 b1d9037b7cca29d57757d1a2b934af8712812cb544972651d78fd0af94038b49
SHA512 d158cb0f653ac54cee65e90cce2d6a0fa571dae2759970d169532f4de61ab7ac75407445a6cf5e96f1aea5d042cf1b5c68886ab0df95c73df66f66a19b022daa

memory/2284-35-0x0000000000430000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caVK43IT57.exe

MD5 bc94778948460579a0739b42d8018118
SHA1 f960e87471a354673dc63408a7cfd07052a18561
SHA256 164e02a2c9318020d3b3db0e977aadf0890dd6ad139cfcd07195e62578f44d8b
SHA512 ff267c27af132c2ce96ca075011a96596d045f771c3439d72b1ea1f567fe585f139b0e7dc8f5c97d340209f478d7e9cad374fc0497345998702f06e234ca657b

memory/4156-41-0x00000000026B0000-0x00000000026F6000-memory.dmp

memory/4156-42-0x0000000004CD0000-0x0000000005274000-memory.dmp

memory/4156-43-0x0000000004BD0000-0x0000000004C14000-memory.dmp

memory/4156-55-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-107-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-105-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-103-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-101-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-97-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-95-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-93-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-91-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-89-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-87-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-85-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-83-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-81-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-77-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-75-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-73-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-71-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-69-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-67-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-65-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-63-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-61-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-59-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-57-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-53-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-51-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-50-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-99-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-79-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-47-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-45-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-44-0x0000000004BD0000-0x0000000004C0E000-memory.dmp

memory/4156-950-0x0000000005280000-0x0000000005898000-memory.dmp

memory/4156-951-0x00000000058A0000-0x00000000059AA000-memory.dmp

memory/4156-952-0x00000000059B0000-0x00000000059C2000-memory.dmp

memory/4156-953-0x0000000005AD0000-0x0000000005B0C000-memory.dmp

memory/4156-954-0x0000000005B10000-0x0000000005B5C000-memory.dmp