Malware Analysis Report

2025-08-11 07:52

Sample ID 241111-gne61svcld
Target e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316
SHA256 e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316

Threat Level: Known bad

The file e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Healer

Redline family

Healer family

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:56

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:56

Reported

2024-11-11 05:59

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552166.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552166.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe
PID 1244 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe
PID 1244 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe
PID 2252 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe
PID 2252 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe
PID 2252 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe
PID 2252 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552166.exe
PID 2252 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552166.exe
PID 2252 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552166.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe

"C:\Users\Admin\AppData\Local\Temp\e85ceb1ea04bb5f794abadcbb290d7336ca87b56e3c9beeb9d802fe1a96f7316.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4960 -ip 4960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 1080

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552166.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552166.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp
RU 185.161.248.143:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un724550.exe

MD5 018cefdbba06d41255b22223948162a6
SHA1 01db8921bdc61d9bbe407c07d820256ce92d0eab
SHA256 1065a89558485850beb9a249fbbf481702d695ff52b08171a20c9c79bf6e5686
SHA512 6278c7498d534fa90001ecb170599c016b741d0a6d46deef125879786c14f3141e22e5d27a56b47d1ad83853d849c282d21b77d2c7991aa8175f6e6f70693d28

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\72842346.exe

MD5 a76f450660c6b5cdc05b90b866e64a1d
SHA1 f141241f931e9111be349c8ecb196abf38fbdccf
SHA256 5ba7b615ccca7d432ef9e5e2490628f2727ff93ae6d460b0f55af5d920dc05cb
SHA512 193b03f06d7e468122523a7a692d7dc03c07ae4c306e0007b54956f5663deadbd209638da9f73737f3db35152edf04e25024d04a99d57e348e06a35a4f70122d

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk552166.exe

MD5 589b9e21d5cc76140af238a42f3211d5
SHA1 29388cf938d42ffd54f5b16d1c51b0475cdd03ba
SHA256 648ad049626481b66f235a4fc5c5c9cac5b8b657b1d03a0ce074e945631861de
SHA512 04e963d80786c456b9e0eccd0d8a64d79b3515bde6bda7c7bb60efdfbe3179d131f83835d8eff8960033cada882a8eac5df1423357e976f8ec4e40d4bccb8702
