Malware Analysis Report

2025-08-11 07:52

Sample ID: 241111-gln15stgqp
Target: 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42
SHA256: 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42
Tags: healer redline fud discovery dropper evasion infostealer persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42
Threat Level: Known bad

The file 18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42 was found to be: Known bad.

Malicious Activity Summary

Tags: healer redline fud discovery dropper evasion infostealer persistence trojan

Healer family
RedLine payload
Redline family
Detects Healer an antivirus disabler dropper
Healer
RedLine
Modifies Windows Defender Real-time Protection settings
Windows security modification
Executes dropped EXE
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-11 05:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-11 05:53
Reported: 2024-11-11 05:56
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18d6d1dccb443cc7bde7285e9f1cdf130d8e24de7e734331fcc0071e2bcc6b42.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          28.118.140.52.in-addr.arpa    udp
US       8.8.8.8:53          172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53          75.159.190.20.in-addr.arpa    udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
RU       193.233.20.27:4123  -                             tcp
RU       193.233.20.27:4123  -                             tcp
US       8.8.8.8:53          13.86.106.20.in-addr.arpa     udp
RU       193.233.20.27:4123  -                             tcp
RU       193.233.20.27:4123  -                             tcp
US       8.8.8.8:53          13.227.111.52.in-addr.arpa    udp
RU       193.233.20.27:4123  -                             tcp
RU       193.233.20.27:4123  -                             tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhvw3541Jg.exe

MD5 7c45d2af19d7d2df103bf8f5b2d998c6
SHA1 0d0926970d9c1f69e4680bd66ff05c54e91e490e
SHA256 510797b333d7c78b8768085664399e7def03c85ab4901a3ac9038452ad69978a
SHA512 61318989d9e8ab1ce5f365a63d696713e36629c0db398429c504aa243f1b880dc268534a27b93ae20b0bfb80c2c578799dba0aa369e719b7232b9a573bb40fdc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf05BY60eM07.exe

MD5 7e3e91c47e76d39d1538a776ddf60a97
SHA1 13c80493883115b4caec7c829fdf61ea94abef5a
SHA256 945c12d10118478481fcabf0431ac8c6cf5ad91298f1838ef4705e0fe2bafcb5
SHA512 548c8465c0aead82426299ccd107b35764f506c8d83afe0572c0664c180ae1cb76658019a1200eb929b22f3d606333ea0c26dfbac61c9c7037a07066394ff926

memory/1064-15-0x00007FF8164C3000-0x00007FF8164C5000-memory.dmp

memory/1064-14-0x00000000002F0000-0x00000000002FA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf19hp48dQ24.exe

MD5 249978248eadf5f91425671a026f54a0
SHA1 80596f205182dcbeb05b93e5cdb77a067c723cf1
SHA256 0acc998717f3d96cb94c3160c2f07c54c5244d4d29df38db9ca0b5a71f219682
SHA512 aadc502c62ada1e529b0a11a335694cba325cb4d3ae1b85fac8d110238314b4f2bb6f4cae21bb15183a0252835bbc02a0d094c5911d0d7f1c74c4a1ba1167a14
