Malware Analysis Report

2025-08-06 01:52

Sample ID 241111-hke8aavdqr
Target b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349
SHA256 b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349
Tags
healer redline discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349

Threat Level: Known bad

The file b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349 was found to be: Known bad.

Malicious Activity Summary

healer redline discovery dropper evasion infostealer persistence trojan

Modifies Windows Defender Real-time Protection settings

Redline family

RedLine

Detects Healer, an antivirus disabler dropper

Healer

RedLine payload

Healer family

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:47

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:47

Reported

2024-11-11 06:50

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe | N/A |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110243.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110243.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2424 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe |
| PID 2424 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe |
| PID 2424 wrote to memory of 4200 | N/A | C:\Users\Admin\AppData\Local\Temp\b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe |
| PID 4200 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe |
| PID 4200 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe |
| PID 4200 wrote to memory of 4792 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe |
| PID 4200 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110243.exe |
| PID 4200 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110243.exe |
| PID 4200 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110243.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe

"C:\Users\Admin\AppData\Local\Temp\b5e7a0c012504e94852b2f77f00ca4d845fb9bc9a98b0d059b939c9930eb5349.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4792 -ip 4792

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 1084

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110243.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110243.exe

Network

| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |
| RU | 185.161.248.143:38452 | | tcp |

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un223649.exe

MD5 7d34c9bdb9723a8d659f6dc3ed674f16
SHA1 27da3c22fec89f6c736e91b0566690f50d1b2b55
SHA256 b916e0b81adb81e40c2c85c9f3d477ddbc4913d269ea40b10972de77dd720ae7
SHA512 28683f29dd0013078b52800ef51bf876af1c59afea79c762b6bd7d4b3e65bf68c2af41ed58c44b6de3e95a2a516d11224cc28c315a0c9932668b2d9d2365eefc

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\30895238.exe

MD5 66549a9b42008ae1ab2ee3864edadbd8
SHA1 0da21f27b18eab67e1f12e109bfe5190cc1e102c
SHA256 5636eca782839b28ee9a1e7b918563ca9e5629920050baee92059529627ef1d9
SHA512 ebb2756e78ec98a6783822d5c94c292b62ee93a4c3a79c95ec5935e591abfb29e2cb245d2cf1649e9bb7980bda795d79d0fce0f59120e65bc9ebca6d3eb7f0de

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rk110243.exe

MD5 dae81d49ec27c5e46fe9734aa396fba5
SHA1 0d31e122f10750a34e31422a55ed19127ae68465
SHA256 e48a89079c27032f5b27bd4b123173f0d76f839d066048cc457b52e845903d06
SHA512 39054cfac24f040ec7cc4b3e3a35ea80a9d66af3553eb85b2f862feb34b6ec41d843ad5500e46539d2902de6e7d25d4a37c45e784d764ef133271d505e039c30
