Malware Analysis Report

2025-08-06 01:53

Sample ID 241111-hkrajsykhl
Target de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05
SHA256 de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05
Tags
healer redline mango discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05

Threat Level: Known bad

The file de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05 was found to be: Known bad.

Malicious Activity Summary

healer redline mango discovery dropper evasion infostealer persistence trojan

RedLine

RedLine payload

Redline family

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Healer family

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

Launches sc.exe

Unsigned PE

System Location Discovery: System Language Discovery

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:48

Reported

2024-11-11 06:50

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05.exe

"C:\Users\Admin\AppData\Local\Temp\de0ab0a6e57ee6175ae5fd5cbae53ff569ba4c26aa35d7a5a22efcf43bf82e05.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 1092

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53          209.205.72.20.in-addr.arpa    udp
US       8.8.8.8:53          88.210.23.2.in-addr.arpa      udp
US       8.8.8.8:53          73.31.126.40.in-addr.arpa     udp
US       8.8.8.8:53          95.221.229.192.in-addr.arpa   udp
RU       193.233.20.28:4125  -                             tcp
US       8.8.8.8:53          56.163.245.4.in-addr.arpa     udp
US       8.8.8.8:53          18.31.95.13.in-addr.arpa      udp
US       8.8.8.8:53          232.168.11.51.in-addr.arpa    udp
RU       193.233.20.28:4125  -                             tcp
US       8.8.8.8:53          75.117.19.2.in-addr.arpa      udp
US       8.8.8.8:53          75.209.201.84.in-addr.arpa    udp
RU       193.233.20.28:4125  -                             tcp
RU       193.233.20.28:4125  -                             tcp
US       8.8.8.8:53          48.229.111.52.in-addr.arpa    udp
RU       193.233.20.28:4125  -                             tcp
RU       193.233.20.28:4125  -                             tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r2082aY.exe

MD5 8141937b23cd1895e561d8e90fdeeff3
SHA1 6f810e9e480564f5837461f8ccdd07c951a1bece
SHA256 ddda10348c77cf0a1539c3a42ce4f71e2c1895ab9b77348256e0a1f01c0936b6
SHA512 40957cd33c4be1dab98ac0c40424c868aa3be6f6265fa28df050e5a4844ac6324acb93770bc6cb7cafedabc93fab9b9179a6e6525f6b3dd6fa9e31b4d5da5bec

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w13Xx67.exe

MD5 13693461251149817425e66f1206913a
SHA1 998dbccbd83323f62a3b2b578a9605c0d933630f
SHA256 8e9c17eef3b9aea25037691c41032485a6bc4b768861ac8da022ae30c76a494a
SHA512 674b8043f203e5ec1e149775fc5ce7caf78e7a614be365e4dd719093a29ce4c37b7b3683262ce3e15f9df4f3854b63fec0176183766d9baa495b1fe7e4555b62