Malware Analysis Report

2025-04-03 14:20

Sample ID 241110-dlxfqsycqd
Target 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c
SHA256 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c

Threat Level: Known bad

The file 39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus-disabler dropper

Healer family

RedLine payload

Healer

RedLine

Redline family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 03:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 03:06

Reported

2024-11-10 03:08

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
(2 matches recorded; the sandbox exported no description, indicator, process or target for them)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 matches recorded; the sandbox exported no description, indicator, process or target for any of them)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe N/A

Note: this table and the Real-Time Protection table above record write attempts, not their effect. On a host where Tamper Protection is enabled, Defender ignores the Real-Time Protection policy values and blocks non-Defender processes from changing the TamperProtection value, so whether real-time protection actually went down on a victim has to be confirmed from the Defender operational event log (Microsoft-Windows-Windows Defender/Operational) or Get-MpComputerStatus, not from this report.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe N/A

Note: both values are the standard cleanup stub that WExtract/IExpress self-extracting packages register under RunOnce (rundll32 advpack.dll,DelNodeRunDLL32 deletes the IXPnnn.TMP extraction directory at next logon). They show a nested self-extractor, not an attacker-controlled autostart; no Run or RunOnce entry pointing at a dropped payload is recorded in this detonation.
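As an added example (not part of the sandbox output and not the malware's code), a Python triage routine over registry-write events that covers the three registry sections above together: the Defender Real-Time Protection policy values, the TamperProtection flag, and the Run/RunOnce entries, with the WExtract cleanup stub recognised and kept apart from genuine autostart persistence. The event fields are a simplified, constructed stand-in for the report's indicator columns; the verdict names and the final "Updater" Run entry are hypothetical.

```python
"""Triage registry writes recorded during detonation.

Added example for this report, not sandbox or malware code. Events are a
simplified, constructed stand-in for the report's registry indicators
(process, key, value name, value data); the verdict names are invented here."""
import re
from dataclasses import dataclass
from typing import Optional

# Policy key whose Disable* values (=1) switch off Defender real-time components.
RTP_POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableOnAccessProtection", "DisableIOAVProtection",
    "DisableScanOnRealtimeEnable",
}
TAMPER_KEY = r"SOFTWARE\Microsoft\Windows Defender\Features"
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$", re.I)
# WExtract/IExpress self-extractors register exactly this RunOnce stub to delete
# their IXPnnn.TMP extraction folder at next logon; it is not attacker persistence.
WEXTRACT_CLEANUP_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+\S*advpack\.dll,DelNodeRunDLL32\s+"?(?P<dir>.+?)"?\s*$', re.I)
IXP_DIR_RE = re.compile(r"\\IXP\d{3}\.TMP\\?$", re.I)


@dataclass
class RegEvent:
    process: str  # image path of the writing process
    key: str      # key path as the sandbox prints it (\REGISTRY\MACHINE\...)
    name: str     # value name; "" for a bare key creation
    data: str     # value data rendered as text


def normalize_key(key: str) -> str:
    """Map \\REGISTRY\\MACHINE to HKLM and fold away the WOW6432Node redirection."""
    k = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", key, flags=re.I)
    return re.sub(r"^HKLM\\SOFTWARE\\WOW6432Node\\", r"HKLM\\SOFTWARE\\", k, flags=re.I)


def classify(ev: RegEvent) -> Optional[str]:
    """Return a verdict for one registry event, or None if it is not of interest."""
    key = normalize_key(ev.key).lower()
    data = ev.data.strip('"')
    if key.endswith(RTP_POLICY_KEY.lower()):
        if ev.name in RTP_DISABLE_VALUES and data == "1":
            return "defender_rtp_disabled"
        return "defender_policy_key_touched"  # key creation or some other value
    if key.endswith(TAMPER_KEY.lower()) and ev.name == "TamperProtection" and data == "0":
        return "defender_tamper_protection_off"
    if RUN_KEY_RE.search(key):
        m = WEXTRACT_CLEANUP_RE.match(data)
        if m and IXP_DIR_RE.search(m.group("dir")):
            return "wextract_cleanup_runonce"
        return "autostart_persistence"
    return None


def triage(events):
    """Group events by verdict: {verdict: [(process, key\\name, data), ...]}."""
    out: dict = {}
    for ev in events:
        verdict = classify(ev)
        if verdict:
            out.setdefault(verdict, []).append(
                (ev.process, normalize_key(ev.key) + "\\" + ev.name, ev.data))
    return out


# Constructed sample: the registry indicators from this report, plus one
# hypothetical ordinary Run entry (not from the report) as a contrast case.
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
RUNONCE = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe"
ZIBT = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe"
PARENT = r"C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe"
CLEANUP = r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\%s\"'
SAMPLE_EVENTS = [
    RegEvent(JR, RTP, "", ""),
    *[RegEvent(JR, RTP, v, "1") for v in sorted(RTP_DISABLE_VALUES)],
    RegEvent(JR, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features", "TamperProtection", "0"),
    RegEvent(PARENT, RUNONCE, "wextract_cleanup0", CLEANUP % "IXP000.TMP"),
    RegEvent(ZIBT, RUNONCE, "wextract_cleanup1", CLEANUP % "IXP001.TMP"),
    RegEvent(r"C:\Users\Admin\AppData\Roaming\hypothetical\updater.exe",
             r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
             "Updater", r'"C:\Users\Admin\AppData\Roaming\hypothetical\updater.exe"'),
]

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE_EVENTS).items():
        print(f"{verdict}: {len(hits)}")
        for proc, target, data in hits:
            image = proc.rsplit("\\", 1)[-1]
            print(f"    {image}  {target} = {data}")
```

The WExtract stub is matched on the exact rundll32/advpack.dll,DelNodeRunDLL32 form and an IXPnnn.TMP target; anything else under Run or RunOnce is reported as autostart persistence, so a real dropped-payload entry would still surface rather than being hidden behind the self-extractor's housekeeping.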

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe
"C:\Users\Admin\AppData\Local\Temp\39aafcee05ce7ebcc2d8687d180f9bf92868f3a640fb898bea847bc649c82b6c.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe

Note: the report lists processes (path, then command line) rather than a tree. The IXPnnn.TMP directory names and the wextract_cleanup RunOnce entries identify a nested WExtract self-extracting package: the submitted file unpacks zibt7449.exe into IXP000.TMP, and zibt7449.exe in turn unpacks jr904134.exe (the process that writes the Defender-disabling values) and ku419500.exe into IXP001.TMP. The parent-child relationships are inferred from which process wrote each cleanup entry and from where each dropped file lives.

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
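An added example (not sandbox code) that parses this Network table. The guest's resolver is 8.8.8.8 and every UDP/53 row is a reverse (PTR) lookup whose name carries the looked-up address in reversed octet order; the parser recovers those addresses and tallies the direct connections separately. Applied to the rows above it shows that the only non-DNS traffic is six TCP connections to 176.113.115.145:4125, which the report does not attribute to a specific process. NETWORK_TABLE is copied from the table above; the column layout is the report's own.

```python
"""Parse the Network table from this report: recover the IPv4 address behind
each PTR (reverse-DNS) query name and tally the direct connections.

Added example for this report, not sandbox code. NETWORK_TABLE is copied from
the report's Network section; the column layout (Country Destination Domain
Proto, Domain blank for bare connections) is the report's own."""
import ipaddress
import re
from collections import Counter

PTR_RE = re.compile(r"^((?:\d{1,3}\.){3}\d{1,3})\.in-addr\.arpa\.?$", re.I)

NETWORK_TABLE = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 tcp
RU 176.113.115.145:4125 tcp
"""


def ptr_to_ip(name: str):
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28'; None if not a valid PTR name."""
    m = PTR_RE.match(name.strip())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(m.group(1).split(".")))))
    except ValueError:  # an octet above 255
        return None


def parse_network_table(text: str):
    """Each row -> dict(country, ip, port, domain, proto); Domain may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:          # bare connection, no Domain column
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue                 # blank line
        if ":" not in dest:
            continue                 # header row
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows):
    """Split DNS traffic from direct connections.

    ptr_targets:       addresses the guest reverse-resolved via the DNS server
    direct:            (ip, port, proto) -> count for rows with no domain
    direct_unresolved: direct peers that never appeared in a PTR query
    """
    ptr_targets = set()
    direct: Counter = Counter()
    for r in rows:
        if r["port"] == 53 and r["domain"]:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_targets.add(ip)
        elif not r["domain"]:
            direct[(r["ip"], r["port"], r["proto"])] += 1
    unresolved = {k for k in direct if k[0] not in ptr_targets}
    return {"ptr_targets": ptr_targets, "direct": direct, "direct_unresolved": unresolved}


if __name__ == "__main__":
    s = summarize(parse_network_table(NETWORK_TABLE))
    print("reverse lookups for:", ", ".join(sorted(s["ptr_targets"])))
    for (ip, port, proto), n in s["direct"].most_common():
        flag = "  (no reverse lookup seen)" if (ip, port, proto) in s["direct_unresolved"] else ""
        print(f"{ip}:{port}/{proto} x{n}{flag}")
```

Addresses that only ever show up inside PTR names were looked up by the guest, not necessarily contacted by the sample, so they belong in a separate bucket from the direct TCP peer when the table is turned into indicators.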

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibt7449.exe

MD5 78003b1ea497f6f84f7afad641859118
SHA1 fc8afa0ba93ff6fdb32b3e676b552702108fbf70
SHA256 dc126269651b47efa91d6bc1a6b1605a8a18cdd5356df33741bbdd670123ef1b
SHA512 72d5728ed0afa62881ebe54cf999f8868f75e130dba166d945666367ab821413d3cb02ad985e4683524f18c358560cd61159fb21186755c48b26b33fdcc34252

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr904134.exe

MD5 a2a8ebd2d93bb408c2d46f89c35b9311
SHA1 6b4c7e88f6153783580daf181ce95c1ad51d96bf
SHA256 a2bbb490986f915ee0fcffee1d57bbd8bd86e38089332ebfa1d7c9a2ce8900fa
SHA512 ee3b4fb8a8dcc407fda4cc916159a1d07392c6cabb92ab80009a1cc719a27cb2c91944ec79b602886b325d493ea80111959f824317833705a48036608c1a5431

memory/2648-14-0x00007FFA074F3000-0x00007FFA074F5000-memory.dmp

memory/2648-15-0x00000000008F0000-0x00000000008FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku419500.exe

MD5 11aff3a44973cce6d628ed29341607b4
SHA1 c20444542e2a0c8081cfc47c793e2a02826f8f89
SHA256 d035c4ca01bf0cee293a8e35ff34768355c8748567108fdd5dfa3c4d89816d3c
SHA512 76eae33deb8ebea5d725b134c923711513fd6f1eb642310ac504685f1411727610f4ef7ea7db3f2c085807d5c3b8a32fcf2d46ff634d49f5b10cb94e2336f0a7

memory/3184-21-0x0000000002700000-0x0000000002746000-memory.dmp

memory/3184-22-0x0000000004EE0000-0x0000000005484000-memory.dmp

memory/3184-23-0x0000000002800000-0x0000000002844000-memory.dmp

memory/3184-35-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-39-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-37-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-33-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-31-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-73-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-61-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-47-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-41-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-87-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-85-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-83-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-81-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-79-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-77-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-75-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-71-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-69-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-67-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-65-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-63-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-59-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-57-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-55-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-53-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-51-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-49-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-45-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-43-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-29-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-27-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-25-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-24-0x0000000002800000-0x000000000283F000-memory.dmp

memory/3184-930-0x0000000005590000-0x0000000005BA8000-memory.dmp

memory/3184-931-0x0000000005C20000-0x0000000005D2A000-memory.dmp

memory/3184-932-0x0000000005D60000-0x0000000005D72000-memory.dmp

memory/3184-933-0x0000000005D80000-0x0000000005DBC000-memory.dmp

memory/3184-934-0x0000000005ED0000-0x0000000005F1C000-memory.dmp