Malware Analysis Report

2025-04-03 14:20

Sample ID 241110-dlb5ssycng
Target 28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996
SHA256 28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996
Tags
healer redline gena discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996

Threat Level: Known bad

The file 28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996 was found to be: Known bad.

Malicious Activity Summary

healer redline gena discovery dropper evasion infostealer persistence trojan

RedLine payload

Modifies Windows Defender Real-time Protection settings

Redline family

Healer family

RedLine

Healer

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:05

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:05

Reported

2024-11-10 03:07

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imQet85.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imQet85.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 804 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe
PID 804 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe
PID 804 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe
PID 4068 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe
PID 4068 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe
PID 4068 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe
PID 2400 wrote to memory of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe
PID 2400 wrote to memory of 4192 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe
PID 2400 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe
PID 2400 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe
PID 2400 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe
PID 4068 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imQet85.exe
PID 4068 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imQet85.exe
PID 4068 wrote to memory of 4104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imQet85.exe

Processes

C:\Users\Admin\AppData\Local\Temp\28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996.exe

"C:\Users\Admin\AppData\Local\Temp\28e932ac2a0eca09e6310f24d1ceb265f780027fa3d396db90548c0a8efca996.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2776 -ip 2776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imQet85.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imQet85.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 193.233.20.30:4125 |  | tcp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
RU | 193.233.20.30:4125 |  | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
RU | 193.233.20.30:4125 |  | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
RU | 193.233.20.30:4125 |  | tcp
RU | 193.233.20.30:4125 |  | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\niba8563.exe

MD5 a35466b656aeae3c1f31f399caa4dcfb
SHA1 c1c7a05a1c21eb4f73a29bd14d1c7d4cb8de7125
SHA256 c0335bc90dd7c114eeca72cb1c3f847e1c5bea100f0a824263e2bcb189fcf923
SHA512 2d8ece94d6c3dd5088f630eb9fdfd8af72b961aa561e13481cc99c72f47717924454972a3dd8bc655eab2e9a272b5e37edcecb0ea5c888c0de9dfe1a8caa1ffa

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\niba0090.exe

MD5 f60b6406a15e3325ae8e832901616dc7
SHA1 c4644e190a8d87d531526ee71584e747c79a9de1
SHA256 c8ff954d8cc9c80a6d0d99a969d5008fac48eb100730f979ebb5e00a1c4edcdf
SHA512 d17884e29973b6c55212dd20fb29c3550c3f65a0c088aa340e69c389a87da2c9784d80d9a5e47192e8859fa948d8f2d54ebf5944254eef93ac370b585446581b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\f2080zv.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/4192-21-0x00007FF821B43000-0x00007FF821B45000-memory.dmp

memory/4192-22-0x0000000000B60000-0x0000000000B6A000-memory.dmp

memory/4192-23-0x00007FF821B43000-0x00007FF821B45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\h94zA66.exe

MD5 c7fc625e9870c42f37edbe3d7442e9b6
SHA1 378c09c7f5e849ae565b809305b4321703d0c61a
SHA256 cbe3b6c0b77ecb73840bf5771e47c38f6a186a9cc5db3ae40fa6805ba1edd910
SHA512 f62af964485ea29f9be001cabf0575fd35bc9e40d8a14683316a25185cda83fac557460ed8f3e27ed2e0cd4b255fff79c166174a8722b1cd58d0365906d34e64

memory/2776-29-0x0000000002260000-0x000000000227A000-memory.dmp

memory/2776-30-0x0000000004C30000-0x00000000051D4000-memory.dmp

memory/2776-31-0x0000000002450000-0x0000000002468000-memory.dmp

memory/2776-59-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-57-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-55-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-53-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-52-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-49-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-47-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-45-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-43-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-41-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-39-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-37-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-35-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-33-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-32-0x0000000002450000-0x0000000002462000-memory.dmp

memory/2776-61-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\imQet85.exe

MD5 7a16e553c2fa6ba9286726304411a77e
SHA1 9e9e16eaab9e74e0220328044e4f97f3795e24df
SHA256 e6cbf417f575b1fccb7a46c3569e75e223abcacaa4673ec8365f6aad937c4ef9
SHA512 efae2dd81a5da2cbb1569d849bf363442f0cc81e1afe399b813c98f7553701dcb218badb049079aa49aade64dceb018a41b5de1f37e5662ee004345a759a829b

memory/4104-67-0x0000000002480000-0x00000000024C6000-memory.dmp

memory/4104-68-0x00000000050E0000-0x0000000005124000-memory.dmp

memory/4104-78-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-80-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-102-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-100-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-98-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-96-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-94-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-92-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-90-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-88-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-86-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-84-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-82-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-76-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-74-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-72-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-70-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-69-0x00000000050E0000-0x000000000511E000-memory.dmp

memory/4104-975-0x0000000005120000-0x0000000005738000-memory.dmp

memory/4104-976-0x00000000057A0000-0x00000000058AA000-memory.dmp

memory/4104-977-0x00000000058E0000-0x00000000058F2000-memory.dmp

memory/4104-978-0x0000000005900000-0x000000000593C000-memory.dmp

memory/4104-979-0x0000000005A50000-0x0000000005A9C000-memory.dmp