Malware Analysis Report

2025-08-11 07:52

Sample ID 241111-gl6wysxpak
Target 061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913
SHA256 061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913

Threat Level: Known bad

The file 061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine payload

Healer family

Healer

Detects Healer, an antivirus disabler dropper

RedLine

Redline family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:54

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:54

Reported

2024-11-11 05:57

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe"

Signatures

Detects Healer, an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGn8315Om.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGn8315Om.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\trI32mI00.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\trI32mI00.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe

"C:\Users\Admin\AppData\Local\Temp\061d9dff039ee5b9ec579a40414c3a2d99079b57e9dbaf7ac17701bcc8274913.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGn8315Om.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGn8315Om.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\trI32mI00.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\trI32mI00.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 tcp
RU 193.233.20.24:4123 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vGn8315Om.exe

MD5 0993e95ae27882da0c7787a5db5cf739
SHA1 aa48344d457967d5b5db8862ef982a28bbc31225
SHA256 2066536fbd0f156307ae62373db2cd9def0c636ccc4657d6ef1108af1b3ea7ae
SHA512 352b3f19f02776e10f6a4f69c925928e309917bf73575a454257f656ed118711426480c9c4e02a4fddd7bd78f62faf57aeea13c1618d104636b53eb51a135888

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sw30jj96hY34.exe

MD5 596e04282e3a029549517d998b641bc9
SHA1 37695102540deddbc8f076ebf9e593cafad73ad3
SHA256 c6d07a2afcc66999fbbac2811e4906479d1a335885a55ea1b875659d870bc064
SHA512 0310991ddf36481d80a44c3d6ab2bcd984ba96e2ecc4c7fda34617866d759c348b2b533c065c15de2f482028a0d4bbcf731a4bc428fbbceeea95d11ec4f32c5a


C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\trI32mI00.exe

MD5 1c5a86f75232313703fab93a198cfae7
SHA1 ecf2d10a917811db5f5da1e29c929ab6a2866a0e
SHA256 6c5ec3126e35491fe8716e34691036a2cd0a24c110ad9080ecc4b1130ba92b71
SHA512 fd6d22ad3c16dcfa708a2e04ca73946046867a18c10ddfda030f04bc7f77373284c043d433997c27ba7e186e814573a26e11cd0a939467b7ec7683b919f9eb0f
