Malware Analysis Report

2025-08-10 14:35

Sample ID 241111-gr4nsathqk
Target 64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe
SHA256 89040e7d35b9a12a6e9a529c3b9ec6c29fdd679ce3106d61fd2fe874615d2607
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

89040e7d35b9a12a6e9a529c3b9ec6c29fdd679ce3106d61fd2fe874615d2607

Threat Level: Known bad

The file 64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer family

RedLine payload

Redline family

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:03

Reported

2024-11-11 06:05

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (35 identical rows; the signature reports no description, indicator, process or target for any of them)

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe N/A

Note: both entries are the RunOnce cleanup hook that the Windows wextract/IExpress self-extractor writes for its own extraction directory. rundll32.exe advpack.dll,DelNodeRunDLL32 deletes IXP000.TMP and IXP001.TMP at the next logon and starts no dropped binary. What the two entries document is a two-level self-extracting chain (the sample unpacks zibM7862.exe into IXP000.TMP, which in turn unpacks jr906185.exe and ku093719.exe into IXP001.TMP), not durable persistence; the signature name overstates it.
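The registry tables above (the Real-Time Protection policy values and the TamperProtection write by jr906185.exe, and the RunOnce entries) are the part of this report that converts most directly into detection logic. What follows is an added example, not code from the report or from the sandbox vendor: a Python classifier over Sysmon Event ID 13 (registry value set) style records that flags the Healer pattern (one process writing several Disable* = 1 values under the Real-Time Protection policy key, or TamperProtection = 0), records the wextract cleanup hook as informational, and reserves "persistence" for Run/RunOnce entries that point into user-writable paths. The field names Image, TargetObject and Details follow Sysmon's RegistryEvent schema; the sample events are constructed from the tables above, and the svchost.exe and Updater.exe records are invented contrast cases that do not appear in the report.

```python
"""Classify registry 'value set' events (Sysmon Event ID 13 style) into the three behaviours this
report records: Defender policy tampering, the wextract cleanup hook, and genuine Run-key autostart.
Added example; SAMPLE_EVENTS are constructed from the report's tables plus two invented contrast cases."""
import re
from dataclasses import dataclass

# Policy values jr906185.exe set to 1 ("Modifies Windows Defender Real-time Protection settings").
DEFENDER_RTP_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
DEFENDER_DISABLE_VALUES = {
    "disablebehaviormonitoring", "disableioavprotection", "disableonaccessprotection",
    "disablerealtimemonitoring", "disablescanonrealtimeenable",
}
# Value jr906185.exe set to 0 ("Windows security modification").
TAMPER_PROTECTION = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"
# wextract/IExpress cleanup: RunOnce\wextract_cleanupN -> advpack.dll,DelNodeRunDLL32 "<extraction dir>"
WEXTRACT_RE = re.compile(
    r'rundll32(?:\.exe)?\s+.*advpack\.dll,DelNodeRunDLL32\s+"(?P<dir>[^"]+)"', re.IGNORECASE)
RUNONCE_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.IGNORECASE)
HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


@dataclass
class Finding:
    category: str  # defender_tamper | wextract_cleanup | run_key_persistence
    image: str
    target: str
    details: str
    note: str


def canonical(path):
    """Kernel object path (\\REGISTRY\\MACHINE\\...) -> HKLM/HKU form, WOW6432Node reflection removed."""
    low = path.lower()
    for prefix, hive in HIVES:
        if low.startswith(prefix.lower()):
            path = hive + path[len(prefix):]
            break
    return re.sub(r"\\WOW6432Node\\", lambda m: "\\", path, flags=re.IGNORECASE)


def parse_int(details):
    """Accept Sysmon's 'DWORD (0x00000001)' as well as the bare '1' printed in the report."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    if m:
        return int(m.group(1), 16)
    m = re.fullmatch(r"\s*(\d+)\s*", details)
    return int(m.group(1)) if m else None


def classify(event):
    """Return a Finding for one event, or None when it matches none of the three patterns."""
    image, details = event["Image"], event["Details"]
    target = canonical(event["TargetObject"])
    key, _, value = target.rpartition("\\")
    if (key.lower() == DEFENDER_RTP_POLICY.lower()
            and value.lower() in DEFENDER_DISABLE_VALUES and parse_int(details) == 1):
        return Finding("defender_tamper", image, target, details,
                       "policy value that disables a real-time protection component")
    if target.lower() == TAMPER_PROTECTION.lower() and parse_int(details) == 0:
        return Finding("defender_tamper", image, target, details,
                       "attempt to switch Tamper Protection off; the attempt is the signal even if rejected")
    if RUNONCE_RE.search(target):
        m = WEXTRACT_RE.search(details)
        if m:  # informational: reveals the SFX extraction directory, does not start the payload
            return Finding("wextract_cleanup", image, target, details,
                           "SFX cleanup hook, deletes %s at next logon" % m.group("dir").rstrip("\\"))
        if USER_WRITABLE_RE.search(details):
            return Finding("run_key_persistence", image, target, details,
                           "autostart entry pointing into a user-writable path")
    return None


def triage(events):
    """All findings, plus the images that wrote 3+ Defender-disabling values (the Healer pattern)."""
    findings = [f for f in map(classify, events) if f]
    tamper_by_image = {}
    for f in findings:
        if f.category == "defender_tamper":
            tamper_by_image[f.image] = tamper_by_image.get(f.image, 0) + 1
    suspects = sorted(img for img, n in tamper_by_image.items() if n >= 3)
    return {"findings": findings, "tamper_by_image": tamper_by_image, "suspects": suspects}


JR = r"C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe"
ZIB = r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe"
RTP = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_EVENTS = [  # constructed from the report's tables
    {"Image": JR, "TargetObject": RTP + r"\DisableBehaviorMonitoring", "Details": "DWORD (0x00000001)"},
    {"Image": JR, "TargetObject": RTP + r"\DisableIOAVProtection", "Details": "1"},
    {"Image": JR, "TargetObject": RTP + r"\DisableOnAccessProtection", "Details": "1"},
    {"Image": JR, "TargetObject": RTP + r"\DisableRealtimeMonitoring", "Details": "1"},
    {"Image": JR, "TargetObject": RTP + r"\DisableScanOnRealtimeEnable", "Details": "1"},
    {"Image": JR, "Details": "0",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection"},
    {"Image": ZIB,
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     "Details": r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'},
    # Invented contrast cases (not in the report): a value set back to 0, and a real autostart.
    {"Image": r"C:\Windows\System32\svchost.exe", "TargetObject": RTP + r"\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\Admin\AppData\Roaming\Updater.exe",
     "TargetObject": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'"C:\Users\Admin\AppData\Roaming\Updater.exe"'},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for f in result["findings"]:
        print("%-20s %-14s %s" % (f.category, f.image.rsplit("\\", 1)[-1], f.note))
    print("Healer-pattern suspects:", result["suspects"])
```

Run as a script it prints one line per finding and names jr906185.exe as the only Healer-pattern suspect; in production the same classify/triage functions would be fed Get-WinEvent or SIEM output instead of SAMPLE_EVENTS. One caveat the report cannot settle: the sandbox records that the write was attempted, but whether the policy values take effect on a victim depends on the Tamper Protection state there, so treat the writes as evidence of intent rather than proof that Defender was disabled.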

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku093719.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku093719.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe

"C:\Users\Admin\AppData\Local\Temp\64bec3fe65069e5f7b005133c647aff0279d37f1e7d33ae2528b87d2e48fe108N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku093719.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku093719.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp
RU 176.113.115.145:4125 - tcp

Note: the in-addr.arpa rows are reverse (PTR) lookups sent to 8.8.8.8, not name resolution for the malware's endpoint. The only direct outbound traffic is five TCP connections to 176.113.115.145 on port 4125, made by IP address with no preceding DNS query; the report does not attribute these connections to a specific process.

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zibM7862.exe

MD5 2e687e8b9f9a60a425a8a5bf24da6ff6
SHA1 3671eb6d985a3f0ddba5a05abe34bc22103e416f
SHA256 fdaef8f50c626e98d36eb43b8ce160805ce5cf729af170fa2554cb0b16bfc485
SHA512 8da745662a3dfe315750d73b94494da8093727110461815f41b0748339a5702c58dde9a47966fd68e41cc53130db96f137d47ef580240db3a6889288d534959b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr906185.exe

MD5 b1611126b26d3a820698c71942879f08
SHA1 6ddddd6a0535e38f5803811722d1b78ca6470cba
SHA256 c293d6a9a6ee24c93cd2f8656919f39beafa13344084c1ebb459dcf55775d9be
SHA512 5753c0d9c9bba196ce3b604e0573b373ce5a11f14ff5d1f188163aefe91d040ec3afb68988a138383f627bdbfcd344f49b02379b53c5cdd59d8e20d8258a6c4e

memory/2316-14-0x00007FFBF20D3000-0x00007FFBF20D5000-memory.dmp

memory/2316-15-0x00000000008F0000-0x00000000008FA000-memory.dmp

memory/2316-16-0x00007FFBF20D3000-0x00007FFBF20D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku093719.exe

MD5 f7d6e6b14eedbc715c605d93c31377be
SHA1 8bfa77451e5029a6e0560920ff9132295fce4f01
SHA256 58eea3db32c479dde630d3fd9c2ddcf0b7b4d28633081841e38de89d4c2ffeba
SHA512 f1b1d2b53e2e7b5aa87472179565ce4ccd8a9822f299e774714b0fab31ed290069428e4a787ecd0d4817f991442c863b3d1f7a981b189d07c7b76040beb0fa56

memory/2784-22-0x00000000023E0000-0x0000000002426000-memory.dmp

memory/2784-23-0x0000000004AD0000-0x0000000005074000-memory.dmp

memory/2784-24-0x0000000005080000-0x00000000050C4000-memory.dmp

memory/2784-N-0x0000000005080000-0x00000000050BF000-memory.dmp (33 successive dumps of the same region, N = 25, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68, 70, 72, 74, 76, 78, 80, 83, 84, 87, 88)

memory/2784-931-0x00000000050F0000-0x0000000005708000-memory.dmp

memory/2784-932-0x0000000005790000-0x000000000589A000-memory.dmp

memory/2784-933-0x00000000058D0000-0x00000000058E2000-memory.dmp

memory/2784-934-0x00000000058F0000-0x000000000592C000-memory.dmp

memory/2784-935-0x0000000005A40000-0x0000000005A8C000-memory.dmp