Malware Analysis Report

2025-08-11 07:52

Sample ID 241111-glspbsvcjf
Target 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N
SHA256 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95

Threat Level: Known bad

The file 2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Redline family

Detects Healer an antivirus disabler dropper

RedLine

Healer

Healer family

RedLine payload

Modifies Windows Defender Real-time Protection settings

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:53

Reported

2024-11-11 05:56

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3544 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe
PID 3544 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe
PID 3544 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe
PID 2204 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe
PID 2204 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe
PID 2204 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe
PID 2836 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe
PID 2836 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe
PID 2836 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe
PID 2836 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe
PID 2836 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe

"C:\Users\Admin\AppData\Local\Temp\2e91f153c8cb771ed52dc1ad721658cb5ab364caf96b6064a695bcef31719a95N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pldC82om58.exe

MD5 154b755ed8b39e209b21102819a53c69
SHA1 40cf66e793d4321766fe1946c8a26276e9ce159d
SHA256 93a76a6ba05223c90c8e56f659962b5faceaa6d80793eb4f74be69873685a37e
SHA512 fc2ada576d455e3906b15ae0b8ff1ca34b14d3ac3c3ad251c7a534b37cce7993757b24f7eb73fcfc0674a747c84b7cb844fde435db2cbf19d1ceb515b3885982

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plWS05BD42.exe

MD5 8fbd7bb022b564856a8c878af221b119
SHA1 1b29df15d831b2659a8b5a93cb2287c3698dda04
SHA256 24234c78ad8fa53dc5800a8da9d00aff435cf521ec02104ded757d413daf33d3
SHA512 bad0ea94a84d32d64573de8b54e4d3cb5e092d07a683d4527d6efdba26a4a1505048c435fbe2b60c20752e0332bd9a91fe08972210d5ea0cf6d11d0c275042ed

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\buIQ20re10.exe

MD5 d83a07b6f1e657e333f9cec7f6b82600
SHA1 628186840068d99e54dc9147a951b5d1a1ab48a8
SHA256 3ed120337dc52133093f34e4faa0a6ad23c688669f9b82ec4cb78f45a6a4346f
SHA512 7ceb69f448dacdafc620d64ddaefeacda0a3af8316dc98262366bf8b583b8d7bb3710c22c6338a3e4b92f3062b6b9f1628d5aa461729cf5d7e84447ab8f2dbc8

memory/764-21-0x00007FFF2A923000-0x00007FFF2A925000-memory.dmp

memory/764-22-0x0000000000F60000-0x0000000000F6A000-memory.dmp

memory/764-23-0x00007FFF2A923000-0x00007FFF2A925000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\caEj05Je95.exe

MD5 049b7e9c3b3777fd130ad01127cd8268
SHA1 7f56ea5b4e7029a2da226d899ddfce99ff960e0f
SHA256 aff2553c6b6d9a7f84838eb4a2b47cbb3891e122ba04e305c020e68b27847b68
SHA512 d89cdb1b58ceb4d9b83ab498fc69e5c423b9f44ea2eb24a07b860a6594462899cb1d08e5427dd57473fa2b15d233744f7f7e9fd5f7ae082387a0072c278e0aa1

memory/4828-29-0x0000000004A10000-0x0000000004A56000-memory.dmp

memory/4828-30-0x0000000007360000-0x0000000007904000-memory.dmp

memory/4828-31-0x00000000071D0000-0x0000000007214000-memory.dmp

memory/4828-47-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-45-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-95-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-93-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-91-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-89-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-87-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-83-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-81-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-79-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-77-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-75-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-71-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-69-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-67-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-65-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-63-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-61-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-57-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-55-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-53-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-51-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-49-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-43-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-41-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-40-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-38-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-85-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-73-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-59-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-35-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-33-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-32-0x00000000071D0000-0x000000000720E000-memory.dmp

memory/4828-938-0x0000000007910000-0x0000000007F28000-memory.dmp

memory/4828-939-0x0000000007F30000-0x000000000803A000-memory.dmp

memory/4828-940-0x00000000072F0000-0x0000000007302000-memory.dmp

memory/4828-941-0x0000000007310000-0x000000000734C000-memory.dmp

memory/4828-942-0x0000000008150000-0x000000000819C000-memory.dmp