Malware Analysis Report

2025-08-06 01:52

Sample ID 241111-hjs3ratqcy
Target fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719
SHA256 fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719
Tags
healer redline rouch discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719

Threat Level: Known bad

The file fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719 was found to be: Known bad.

Malicious Activity Summary

healer redline rouch discovery dropper evasion infostealer persistence trojan

Healer

Healer family

RedLine

RedLine payload

Redline family

Detects Healer, an antivirus-disabler dropper

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:46

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator details recorded for this match)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:46

Reported

2024-11-11 06:48

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe"

Signatures

Detects Healer, an antivirus-disabler dropper

Description Indicator Process Target
(2 matches; no indicator, process or target details recorded)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
All five values below are written by the same stage, C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe (the process that matches the Healer signature's description of an antivirus disabler), under the Group Policy branch HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection. Policy values take precedence over the local preferences managed through the Windows Security app or Set-MpPreference, so protection stays off until the policy values themselves are removed. Tamper Protection is designed to block exactly these writes when it is enabled; the writes succeeding here says more about the sandbox image than about what the sample would achieve on a managed host.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(35 matches; no indicator, process or target details recorded)

Redline family

redline

Windows security modification

evasion trojan
The same stage sets TamperProtection to 0 under HKLM\SOFTWARE\Microsoft\Windows Defender\Features. Tamper Protection exists precisely to stop non-Microsoft processes from changing this value and the real-time protection settings above, so a successful write means the feature was not enabled in the sandbox image; on a host where it is enabled the same sample may fail to disable Defender. Treat the attempt as the indicator, not its success.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A
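The registry rows above are the whole of what this stage does to Defender, and they are the events a detection should key on. The following is an added example and is not part of the sandbox report or of the sandbox's own signature logic: it parses rows in the report's "Set value" row format, compares them against a table of Defender-weakening values, and reports which process wrote which. The row format and the table of values are assumptions made for the example; the rows are copied from this report except the final svchost.exe row, which is a constructed control that must not be flagged.

```python
import re
from collections import defaultdict

# Registry-event rows in the report's "Description Indicator Process Target" format.
# Rows 1-7 are copied from this report; the last row is a constructed benign
# control (value "0", written by a system process) that must not be flagged.
REGISTRY_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "0" C:\Windows\System32\svchost.exe N/A',
]

# (key suffix, value name) -> the value that weakens Defender. Keys and names are
# compared lower-cased because the registry is case-insensitive. The Policies
# branch is listed because policy values override local preferences.
WEAKENING_VALUES = {
    (r"policies\microsoft\windows defender\real-time protection", "disablerealtimemonitoring"): "1",
    (r"policies\microsoft\windows defender\real-time protection", "disablebehaviormonitoring"): "1",
    (r"policies\microsoft\windows defender\real-time protection", "disableioavprotection"): "1",
    (r"policies\microsoft\windows defender\real-time protection", "disableonaccessprotection"): "1",
    (r"policies\microsoft\windows defender\real-time protection", "disablescanonrealtimeenable"): "1",
    (r"microsoft\windows defender\features", "tamperprotection"): "0",
}

# Key paths contain spaces, so the key is matched non-greedily up to the last
# backslash before ' = "'. Process paths in this report contain no spaces.
SET_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\ ]+) = "(?P<value>[^"]*)" (?P<process>\S+) (?P<target>\S+)$'
)


def parse_set_value(row):
    """Return the fields of a 'Set value' row, or None for any other event kind."""
    m = SET_VALUE.match(row)
    if not m:
        return None
    ev = m.groupdict()
    ev["key"] = ev["key"].replace("\\REGISTRY\\MACHINE", "HKLM", 1)
    return ev


def find_defender_tampering(rows):
    """Map each writing process to the (value name, value) pairs that weaken Defender."""
    hits = defaultdict(list)
    for row in rows:
        ev = parse_set_value(row)
        if ev is None:
            continue
        key, name = ev["key"].lower(), ev["name"].lower()
        for (suffix, bad_name), bad_value in WEAKENING_VALUES.items():
            if key.endswith(suffix) and name == bad_name and ev["value"] == bad_value:
                hits[ev["process"]].append((ev["name"], ev["value"]))
    return dict(hits)


def summarize(hits):
    """One line per offending process: how many policy values, and whether TP was hit."""
    lines = []
    for process, values in hits.items():
        names = [n for n, _ in values]
        policy = [n for n in names if n.lower() != "tamperprotection"]
        tp = any(n.lower() == "tamperprotection" for n in names)
        base = process.rsplit("\\", 1)[-1]
        lines.append(f"{base}: {len(policy)} Defender policy values" + (" + TamperProtection=0" if tp else ""))
    return lines


if __name__ == "__main__":
    for line in summarize(find_defender_tampering(REGISTRY_ROWS)):
        print(line)
```

The same table works unchanged on live registry events (Sysmon event 13 carries the same key, value and writing image); the lead-in's point stands for triage too: a hit on the Policies branch is not undone by toggling real-time protection in the UI, the policy values have to be deleted.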

Adds Run key to start application

persistence
These RunOnce values are not the payload's persistence. A value named wextract_cleanupN whose data is rundll32.exe advpack.dll,DelNodeRunDLL32 "<dir>" is the standard cleanup entry written by wextract.exe, the IExpress self-extracting-cabinet stub: each stage creates the next IXP00n.TMP directory for its child and registers deletion of that directory at the next logon in case it cannot clean up itself. The numbering 0 to 4 and the writer of each entry therefore document a five-deep chain of nested SFX cabinets (the WOW6432Node path shows they are 32-bit processes on the 64-bit sandbox), with the two payloads buxz12Qp46.exe and cadz01Ca85.exe extracted into IXP004.TMP. No Run or RunOnce value for either payload is recorded in this detonation.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe N/A

System Location Discovery: System Language Discovery

discovery
Each of the SFX stages and the payload cadz01Ca85.exe open HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Reading the install language is a common check for excluded locales, but because the signature fires for the generic extractor stubs as well as for the payload, it is weak evidence on its own.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe N/A

Suspicious use of WriteProcessMemory

Every row is a parent writing into a process it has just created; the log repeated each write two or three times and the duplicates are collapsed here. Taken together the rows give the execution chain: 1104 (the sample) -> 4120 (plKm15iQ00.exe) -> 3696 (plpa03rq83.exe) -> 2840 (plja71gS40.exe) -> 4516 (plWN70gW84.exe) -> 2356 (buxz12Qp46.exe) and 212 (cadz01Ca85.exe). No write into a process the writer did not create is recorded, so this is consistent with ordinary process creation by each extractor stage rather than with injection into an existing process.
Description Indicator Process Target
PID 1104 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe
PID 4120 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe
PID 3696 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe
PID 2840 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe
PID 4516 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe
PID 4516 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe
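Putting the WriteProcessMemory rows together with the RunOnce rows from the persistence section gives the whole dropper chain. The example below is added here and is not part of the report: it deduplicates the parent-to-child writes into a process tree and classifies each Run/RunOnce value as wextract temp-directory cleanup or as genuine autorun persistence. The row formats are those of this report; the rows are copied from it except the final "Updater" Run value and its updater.exe writer, which are a constructed control that does not appear in the report.

```python
import re
from collections import defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"

# "Suspicious use of WriteProcessMemory" rows copied from this report. The sandbox
# logged some parent->child writes several times; one duplicate is kept so the
# example shows duplicates collapsing into a single edge.
WPM_ROWS = [
    f"PID 1104 wrote to memory of 4120 N/A {T}\\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe {T}\\IXP000.TMP\\plKm15iQ00.exe",
    f"PID 1104 wrote to memory of 4120 N/A {T}\\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe {T}\\IXP000.TMP\\plKm15iQ00.exe",
    f"PID 4120 wrote to memory of 3696 N/A {T}\\IXP000.TMP\\plKm15iQ00.exe {T}\\IXP001.TMP\\plpa03rq83.exe",
    f"PID 3696 wrote to memory of 2840 N/A {T}\\IXP001.TMP\\plpa03rq83.exe {T}\\IXP002.TMP\\plja71gS40.exe",
    f"PID 2840 wrote to memory of 4516 N/A {T}\\IXP002.TMP\\plja71gS40.exe {T}\\IXP003.TMP\\plWN70gW84.exe",
    f"PID 4516 wrote to memory of 2356 N/A {T}\\IXP003.TMP\\plWN70gW84.exe {T}\\IXP004.TMP\\buxz12Qp46.exe",
    f"PID 4516 wrote to memory of 212 N/A {T}\\IXP003.TMP\\plWN70gW84.exe {T}\\IXP004.TMP\\cadz01Ca85.exe",
]

# "Adds Run key" rows copied from this report (ordered 0..4), plus one constructed
# control row: a hypothetical Run value for an updater.exe that is NOT in the
# report, showing what genuine autorun persistence looks like to the classifier.
AUTORUN_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "C:\\Users\\Admin\\AppData\\Roaming\\updater.exe" C:\Users\Admin\AppData\Roaming\updater.exe N/A',
]

WPM = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_path>\S+) (?P<dst_path>\S+)$")
# The value data is quoted and uses \" and \\ escapes, so it is matched as a run of
# non-quote characters or escaped pairs.
AUTORUN = re.compile(r'\\CurrentVersion\\(?P<hive>Run|RunOnce)\\(?P<name>\S+) = "(?P<cmd>(?:[^"\\]|\\.)*)" (?P<writer>\S+) \S+$')
# wextract's own cleanup command: rundll32 advpack.dll,DelNodeRunDLL32 "<temp dir>"
SFX_CLEANUP = re.compile(r'^rundll32\.exe \S*advpack\.dll,DelNodeRunDLL32 "(?P<dir>[^"]+)"$', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def process_chain(rows):
    """Collapse the write rows into parent->children edges plus a pid->name map."""
    edges, names = defaultdict(set), {}
    for row in rows:
        m = WPM.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        edges[src].add(dst)
        names[src], names[dst] = basename(m["src_path"]), basename(m["dst_path"])
    return edges, names


def render_chain(edges, names):
    """Depth-first [(depth, pid, name)] starting from every pid nobody wrote into."""
    written_to = {d for ds in edges.values() for d in ds}
    out = []

    def walk(pid, depth):
        out.append((depth, pid, names[pid]))
        for child in sorted(edges.get(pid, ())):
            walk(child, depth + 1)

    for root in sorted(p for p in edges if p not in written_to):
        walk(root, 0)
    return out


def classify_autoruns(rows):
    """Label each Run/RunOnce value as wextract temp-dir cleanup or real autorun."""
    result = []
    for row in rows:
        m = AUTORUN.search(row)
        if not m:
            continue
        cmd = re.sub(r"\\(.)", r"\1", m["cmd"])  # undo the report's \" and \\ escaping
        clean = SFX_CLEANUP.match(cmd)
        is_sfx = bool(clean) and m["name"].startswith("wextract_cleanup")
        result.append({"name": m["name"], "hive": m["hive"], "writer": basename(m["writer"]),
                       "kind": "sfx_cleanup" if is_sfx else "autorun",
                       "deletes": clean["dir"] if clean else None})
    return result


if __name__ == "__main__":
    for depth, pid, name in render_chain(*process_chain(WPM_ROWS)):
        print("  " * depth + f"{name} (PID {pid})")
    for a in classify_autoruns(AUTORUN_ROWS):
        print(a["kind"], a["name"], "written by", a["writer"], "->", a["deletes"])
```

The classifier's output makes the nesting visible: each cleanup entry is written by the extractor running in IXP00n.TMP and deletes IXP00(n+1).TMP, the directory it created for its child. The two leaves of the tree, both spawned by plWN70gW84.exe, are the only processes that do anything beyond extraction.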

Processes

Path, PID (taken from the WriteProcessMemory rows) and command line:

C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe (PID 1104)

"C:\Users\Admin\AppData\Local\Temp\fb9e293be756bbcdbaa9affcaa6108114dc1593329c07d06806d287f6cd82719.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe (PID 4120)

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe (PID 3696)

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe (PID 2840)

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe (PID 4516)

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe (PID 2356)

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe (PID 212)

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 193.56.146.11:4162 - tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
FR 193.56.146.11:4162 - tcp
FR 193.56.146.11:4162 - tcp
FR 193.56.146.11:4162 - tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
FR 193.56.146.11:4162 - tcp
FR 193.56.146.11:4162 - tcp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

The only non-DNS traffic is six TCP connections to 193.56.146.11:4162. No forward lookup precedes them, so the address and port are most likely embedded in the sample; the report does not say which process opened them. The UDP rows are reverse (PTR) lookups sent to the sandbox resolver 8.8.8.8 for 52.140.118.28, 93.184.221.240, 20.190.159.68, 192.229.221.95, 13.71.55.58, 52.111.236.21 and 51.132.193.104. Windows itself routinely issues reverse lookups for public addresses, so compare these against the OS and update-service ranges of the sandbox image before listing them as indicators of this sample.
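Separating real endpoints from resolver chatter is the first thing to do with a table like the one above. The example below is added here and is not part of the report: it parses rows in the report's Country/Destination/Domain/Proto layout, decodes in-addr.arpa names back to the address being looked up, counts repeated connections to the same endpoint, and lists TCP endpoints that were contacted without any forward DNS query in the log. The row layout is an assumption made for the example; the rows are copied from this report.

```python
import re
from collections import Counter

# Rows from this report's Network table (the TCP rows carry no Domain column).
NETWORK_ROWS = [
    "US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp",
    "US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp",
    "US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp",
    "US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp",
    "FR 193.56.146.11:4162 tcp",
    "US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp",
    "FR 193.56.146.11:4162 tcp",
    "FR 193.56.146.11:4162 tcp",
    "FR 193.56.146.11:4162 tcp",
    "US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp",
    "FR 193.56.146.11:4162 tcp",
    "FR 193.56.146.11:4162 tcp",
    "US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp",
]

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<host>[\d.]+):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")


def ptr_to_ip(name):
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28'; None if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4 or not all(l.isdigit() and int(l) < 256 for l in labels):
        return None
    return ".".join(reversed(labels))


def triage_network(rows):
    """Split the table into contacted endpoints (with hit counts) and DNS lookups."""
    endpoints = Counter()
    ptr_lookups, forward_lookups = [], []
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        host, port, proto, domain = m["host"], int(m["port"]), m["proto"], m["domain"]
        if proto == "udp" and port == 53 and domain:
            # The resolver is sandbox infrastructure, not an indicator; keep only
            # what was asked, decoded back to an address for PTR queries.
            ip = ptr_to_ip(domain)
            (ptr_lookups if ip else forward_lookups).append(ip or domain)
            continue
        endpoints[(host, port, proto)] += 1
    return {"endpoints": dict(endpoints), "ptr_lookups": ptr_lookups, "forward_lookups": forward_lookups}


def hardcoded_endpoints(triage):
    """TCP endpoints contacted while no forward DNS query at all appears in the log."""
    if triage["forward_lookups"]:
        return []
    return sorted(ep for ep in triage["endpoints"] if ep[2] == "tcp")


if __name__ == "__main__":
    t = triage_network(NETWORK_ROWS)
    for (host, port, proto), n in t["endpoints"].items():
        print(f"{proto} {host}:{port} x{n}")
    print("PTR lookups for:", ", ".join(t["ptr_lookups"]))
    print("contacted without forward DNS:", hardcoded_endpoints(t))
```

On this report the result is one endpoint, 193.56.146.11:4162 over TCP, hit six times, and seven reverse lookups that belong in a "check against image baseline" bucket rather than in the indicator list.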

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plKm15iQ00.exe

MD5 11462e068f11faff85171d9873373f75
SHA1 8ba525be5b75a11fb7f7dce9967136fd29a4e754
SHA256 7ee1a8ac396b3cd754c42bdd957fa1e00b1ef575f4eb8ba4d19f31d6b97270b9
SHA512 201fa9dcb54d139dd508a895b2235bd9ce73995aeaca2f686d98b52ceaf2204874b97efe89b519bc385d7cdb158deb0548fc73eb3753be8f9c2ecb15ca29a634

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plpa03rq83.exe

MD5 6ee11fe378a08f269781165b66e3780d
SHA1 ba7927b981dca0dbce9ccd9d4fee3db2504da960
SHA256 a9a2f9e8fcbb643439c822131dbafc2613e9d111df0cfd1ed81df53b146bc19d
SHA512 eca830365adffece2c82e046dd6a0017a0f9a9452e987cc5f38f9b75fc29ec4b462fdc2fc31190d21b139c7c93f84790d788b813ff9f0c755f14ddeefcc27941

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plja71gS40.exe

MD5 3871f08e02bcab2e42b33397b9f72c07
SHA1 9725fe4325783baa2ef9ff571244b983da71a420
SHA256 0aa39174c4a31ba950861bf5c8362de5c8fb6db1ff699b29b2be44c12559df3e
SHA512 b598a8a1cbcf2c61b5ff2af08b276fec9f3984a187c75fe0e39b010441ab6201879511dd1c387a5c5982bb3d35b70747a4747a6472add6cc340db47d277c9de5

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plWN70gW84.exe

MD5 c57afb423d0f47dc19c0f7c517fb4b92
SHA1 a1d62492b4dc19e766e25fa11a9044dfd20da61c
SHA256 0353b11cf93f02e9648278bebc88cc9e54fcf4932764b4aafdeb07e7d06467c7
SHA512 2b60642662558030ee252442bd6f5fca2a7cce8ff7a4ba26a8294571b35ff509b574bf1dd6cdd4f704f552acd933c60724dfd77af137c589f304d0e6ca9b8019

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\buxz12Qp46.exe

MD5 102966585816bcda269165e0785f39df
SHA1 5a351f0bbe9a27b961b939aa639dd7c3e312b3fe
SHA256 c6babb3ca19027457fdce2f4afbf9a1d03226889ac4cdb199dcf3bfb3482ca13
SHA512 bf8a031209932d3e257b34b65685e94a0043de927078cedc0aa0d7fff3ff1cb3ea1132f3b5a55fe953f4a4e313c9e2983521417a6fa989e3ed3505cb3a6f5d40

memory/2356-35-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\cadz01Ca85.exe

MD5 a3da8951bb23f305fd251958e8535aa4
SHA1 ef6115e81f6e8a5a7ed3428db8ff7e34619e7e54
SHA256 786dcca370472e838015aaff2797f569f05b3fe168087a60e95294354ced715a
SHA512 be73e7708641e3d8d8f3f7b9136287bdf4de58798dd98ba5b03d1e486ff97aafcba07f428d135c87cb84098595e711a64d72b3ec43100375049d49d88618fe9d

memory/212-41-0x00000000049F0000-0x0000000004A36000-memory.dmp

memory/212-42-0x0000000007380000-0x0000000007924000-memory.dmp

memory/212-43-0x0000000004B40000-0x0000000004B84000-memory.dmp

memory/212-44 through memory/212-107 (33 snapshots of the same region): 0x0000000004B40000-0x0000000004B7E000-memory.dmp

memory/212-950-0x0000000007930000-0x0000000007F48000-memory.dmp

memory/212-951-0x0000000007F50000-0x000000000805A000-memory.dmp

memory/212-952-0x0000000004EB0000-0x0000000004EC2000-memory.dmp

memory/212-953-0x0000000004ED0000-0x0000000004F0C000-memory.dmp

memory/212-954-0x0000000008160000-0x00000000081AC000-memory.dmp