Malware Analysis Report

2025-08-06 01:53

Sample ID 241111-hj7wxatqet
Target 0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700
SHA256 0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700
Tags
healer redline max discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

- Analysis Overview
- MITRE ATT&CK (Enterprise Matrix V15)
- Analysis: static1
  - Detonation Overview
  - Signatures
- Analysis: behavioral1
  - Detonation Overview
  - Command Line
  - Signatures
  - Processes
  - Network
  - Files

Analysis Overview

score
10/10

SHA256

0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700

Threat Level: Known bad

The file 0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700 was found to be: Known bad.

Malicious Activity Summary

healer redline max discovery dropper evasion infostealer persistence trojan

Healer family
Healer
Redline family
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Detects Healer an antivirus disabler dropper
Executes dropped EXE
Windows security modification
Adds Run key to start application
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-11 06:47

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-11 06:47
Reported: 2024-11-11 06:49
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A

RedLine

infostealer redline

RedLine payload


Redline family

redline

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe | N/A

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2528 wrote to memory of 4480 | N/A | C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe
PID 4480 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe
PID 1624 wrote to memory of 4736 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe
PID 4736 wrote to memory of 1156 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe
PID 1156 wrote to memory of 4196 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe
PID 1156 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe

Processes

Process | Command line
C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe | "C:\Users\Admin\AppData\Local\Temp\0ac0d148918b3cd9f2d43c3c9d78b980c81dd23b73906cb5ea78a75ffbb19700.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
RU | 185.161.248.73:4164 | (none) | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i07930430.exe

MD5 7db1ac7c2f9d84fe7b11df33d9b65259
SHA1 ff41dfc211fbf4239dda95c705e6d479006cb402
SHA256 a81fdc3be528b464d464b74542d690ecd502ac503788c495c1c60f5526a192cd
SHA512 6b348156e4965a082e812ea952f5d68ddb1afb7be14c6b33facf580ece1a73a352a20a5f58f13456b748edee6a9c73ebb130ac9f704cf99374e2a72c00d2bd59

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i41481659.exe

MD5 b425b4a9f016d95cddc22b8e6543deb6
SHA1 a0b49db5b5e17a8add44d3b3eeb3fdab03659858
SHA256 6ffb2299ae539c576f6ba0cdbad6062151aa0745c720f3ff39ab123cf802c313
SHA512 302d06fab11fb6ad2a5ca233c782b3cffeba3c5ace9ceef68cb0d081ada79113ca88a21cdf1e4230c23164cbf67d88da2f40b2e5662e62d1ae31722ab8b88b21

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i58734986.exe

MD5 fa5c4cc610eb9b882dd49d57c91e856f
SHA1 169442ac3feb1988ff88b9e5dfbbb1ff634f6ad3
SHA256 dfab72691cbfd39913f7694be89071b3dc98c1873b95855b42c1f1191fca1ccb
SHA512 4d84ad07e051c84305194f086c9358f21b1615f78cd5c6a64d4e3cb69cf7f27336d6cea7027eaad2ad96e9b96f78378a9038df62053099dfa6b97608c4a75513

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\i09453305.exe

MD5 cdfb76668c1a0de0e545275331661b73
SHA1 7b96af1982fd27323468a5f74345c2de046a734a
SHA256 0dea7ae46714df770e3674c6ae78f5f93abe886b0b45f0df02cfd694e356a415
SHA512 bb5cdeff4fe687f746b63203b0e15ed6ce97dc6c8731640458d4872dbd9271573c9f21de46511dd019b75373546acd989ab76c34d4fd2ba4d5059138097e01f6

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\a98532674.exe

MD5 0e70e336b50840a9ddc7817fc0caf63b
SHA1 1666ebb4448cecb7a21f32b340441878f1fb720e
SHA256 0b96476ad431e92c5e7121f2d6cfae50d05f5eef14ba878f0d9550567e15ad70
SHA512 0c7b5b78575005bf600f069eca4e570f8b2b00f24b8594ea1032c1c77b7a8c03c11acc5dbcd8d2fc39775db020363696de8033a9fccf020a9ac8d7f36dad376e

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\b04622328.exe

MD5 fb50afd3a9e83d1ce7932914cf8e3534
SHA1 fd996173a34c311485b4a9671d6fde3392ae2843
SHA256 498842af0fbff25318307ae68f5e0afbd2dc067e37d871b8dd5834592a36c720
SHA512 f0efa77feb8bb33c556b61d20e3598ed1271366b587ff449de3455a544b9bd2673548a4ccc5e87164a7c47001b7ecd2ae353ec507ef10794fdb2bee26513f6ab