Malware Analysis Report

2025-08-11 07:52

Sample ID 241111-gngpvaxpck
Target 159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87
SHA256 159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87

Threat Level: Known bad

The file 159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Healer

Redline family

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Windows security modification

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 05:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 05:56

Reported

2024-11-11 05:59

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 matches reported; every field N/A, no further details recorded)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4932 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe
PID 4932 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe
PID 4932 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe
PID 2636 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe
PID 2636 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe
PID 2636 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe
PID 5108 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe
PID 5108 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe
PID 5108 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe
PID 5108 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe
PID 5108 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe

Processes

C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe

"C:\Users\Admin\AppData\Local\Temp\159d20917e497b3bbdb8c118aad1fadcdf665fcccaf2c42f867727238624ec87.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp
RU 185.161.248.152:38452 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zilQ6729.exe

MD5 b38c65a5338a7fe48d50c4c4cb2daf35
SHA1 ba94d0ddbbfd240bde94a807fee9460713bfa2b7
SHA256 bfdc96529af0e6b69c7b1d25dbe25f2e26636ddc561d08d292ec16bd883583c6
SHA512 502abf162c0be034438aabc127749a0e7f8e1e4b6558f1f681f6fe8c4eda59ec637b02065a5fb255adbac1b8201dfc1f0c739b4fd500a62122263d78f4db8980

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zidP3969.exe

MD5 73134dc69bf75f1fe9445f5a1abd33b2
SHA1 aac3020388e507fc5773aecc6137236a8cc6e93a
SHA256 4a2915caf515fd0a21c938255a3e481bcb24b6c2a2efeb3baff54821a7c92dc5
SHA512 76c82052035408c41be17141a663d79224dc3c8660438e2cbc424d93d5a6994fa8608ed63114d74cc747dc2e923ac4c4866d41a2c76984ef8e6874b006fe547b

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\it142833.exe

MD5 7e93bacbbc33e6652e147e7fe07572a0
SHA1 421a7167da01c8da4dc4d5234ca3dd84e319e762
SHA256 850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38
SHA512 250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

memory/3708-21-0x00007FFA20253000-0x00007FFA20255000-memory.dmp

memory/3708-22-0x00000000000F0000-0x00000000000FA000-memory.dmp

memory/3708-23-0x00007FFA20253000-0x00007FFA20255000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\jr368530.exe

MD5 c36000ca77135ecfb10ededd0c983c82
SHA1 bb1a20ecd15434c05841a785c873bd27c8baa35c
SHA256 4c566252d4a71abda6544c6509e034515e5e99635c4658678e0e45a22a4be58d
SHA512 7b828cf571f71474d398db521f6bdfb7ce81a9149a9dcc3a499d3df25f7541e5cb1e05b87044ad93923717b128680674c1420e7e5db5cf516a484931663c0f7d

memory/2976-29-0x00000000025E0000-0x000000000261C000-memory.dmp

memory/2976-30-0x0000000005070000-0x0000000005614000-memory.dmp

memory/2976-31-0x0000000004E90000-0x0000000004ECA000-memory.dmp

memory/2976-45-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-43-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-42-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-39-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-37-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-35-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-33-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-32-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-95-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-93-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-91-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-89-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-88-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-85-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-825-0x0000000007FC0000-0x0000000007FD2000-memory.dmp

memory/2976-826-0x0000000007FE0000-0x00000000080EA000-memory.dmp

memory/2976-824-0x00000000079A0000-0x0000000007FB8000-memory.dmp

memory/2976-83-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-81-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-79-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-77-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-75-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-73-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-71-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-69-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-67-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-65-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-63-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-61-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-59-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-57-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-55-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-53-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-51-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-49-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-47-0x0000000004E90000-0x0000000004EC5000-memory.dmp

memory/2976-827-0x00000000080F0000-0x000000000812C000-memory.dmp

memory/2976-828-0x00000000049C0000-0x0000000004A0C000-memory.dmp