Malware Analysis Report

2025-08-06 01:53

Sample ID 241111-hldqvaylar
Target 8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460
SHA256 8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460
Tags
healer redline rumfa discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460

Threat Level: Known bad

The file 8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460 was found to be: Known bad.

Malicious Activity Summary

healer redline rumfa discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

Redline family

Healer

Detects Healer an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:49

Reported

2024-11-11 06:51

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plic29Eo01.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpg88gB90.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plmi85NI84.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plDD21Ve37.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plmi85NI84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plDD21Ve37.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plic29Eo01.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpg88gB90.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKs38YK50.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKs38YK50.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plmi85NI84.exe
PID 4288 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plmi85NI84.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plDD21Ve37.exe
PID 4340 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plDD21Ve37.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plic29Eo01.exe
PID 1452 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plic29Eo01.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpg88gB90.exe
PID 3852 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpg88gB90.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe
PID 3852 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpg88gB90.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKs38YK50.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe

"C:\Users\Admin\AppData\Local\Temp\8ccb179fcd8faa6adea45558d2ce9f8137d717987b9b8db106d5607df732b460.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plmi85NI84.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plmi85NI84.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plDD21Ve37.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plDD21Ve37.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plic29Eo01.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plic29Eo01.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpg88gB90.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpg88gB90.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKs38YK50.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKs38YK50.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 193.233.20.24:4123 N/A tcp
RU 193.233.20.24:4123 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plmi85NI84.exe

MD5 67ff8ed388f035ca7d8359de289bb08e
SHA1 a10ba1aafaa39e07f54888e9b4fc67d1b77bf766
SHA256 ec1ce2d8d894ec86e8e07ec23a2fb0b9285458349303935adb45446c18acde84
SHA512 1c6d6c5e0e4ba1278bb9f4f52555f954d4c131081119e035bd30318318afe978c73848b2f5e26b5226466f4f7068f87cedc55c2e0ab750ceca30e61456a34e6c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plDD21Ve37.exe

MD5 f7029d8355baff6927ae7e35fdb137ed
SHA1 8a5df90b274146edd1a0ce3c2f730d634303c81f
SHA256 2dabe42c0446f20ed04d5d3307da648416274791a4249558500785d952ebd0cd
SHA512 0b697c6f05006cef82d3f9cca67fd93135867c20ce4fd520d31a7a7e57e5da76e70e7347bd73bf6052fbb712daba0786ebc4f65020958b4101419c17fc6f9970

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plic29Eo01.exe

MD5 ebd5324b501d443d5ce7c65591b93128
SHA1 8e2c31f839eda683e28733f2b6ff97b41a20a115
SHA256 a55c17d85eb18760afe356e7a4b9aa84566a9a40497c038b9a6e59d1d2fe0bb3
SHA512 73a54a461dc17cafc22a04f3f0ccc37213378a0a4feb6818a71b4b7d0ed2f814b0f2ad916a97886e3a879ad61f9ac72e5518e55256fe5826b29711f25c55cc62

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plpg88gB90.exe

MD5 f6fd9dcf2b23b8b0536fb545cc2ff151
SHA1 73683510cf93188a55e78cc20a3a656a8aa0f371
SHA256 dd470a3b209379ad44989b6ceab743756fadcde772e18d2d7ff604f7d6913302
SHA512 294a081f99837f07b3ac4cd4c11f72c3927565ce0587e7332bdbd39e1a90ea403c9a7f19addb4fab42b6cfb87c14db5ec8afd9e4ad6bd634bf4dbbb66fec3250

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\busB72HL15.exe

MD5 05037c45b2be2d93d731f9078b628afc
SHA1 843a256a79fcf892093ba21d72e90d2582449739
SHA256 c094870e242d0e906cd1ea83c1cb5e2d1151b4414cc7a722984a8cfafad85cb7
SHA512 cd043022c84658406b1cfc259d512142c69fde88d78a99206b9ffc7a6e833ccfdf9f8fdd850a1cffbe5a9464d1a2daa33f1ad3a2d85742a0c37d4e149f3a77e4

memory/3992-35-0x0000000000730000-0x000000000073A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caKs38YK50.exe

MD5 1c5a86f75232313703fab93a198cfae7
SHA1 ecf2d10a917811db5f5da1e29c929ab6a2866a0e
SHA256 6c5ec3126e35491fe8716e34691036a2cd0a24c110ad9080ecc4b1130ba92b71
SHA512 fd6d22ad3c16dcfa708a2e04ca73946046867a18c10ddfda030f04bc7f77373284c043d433997c27ba7e186e814573a26e11cd0a939467b7ec7683b919f9eb0f

memory/2580-41-0x0000000002520000-0x0000000002566000-memory.dmp

memory/2580-42-0x0000000004E20000-0x00000000053C4000-memory.dmp

memory/2580-43-0x0000000002610000-0x0000000002654000-memory.dmp

memory/2580-65-0x0000000002610000-0x000000000264E000-memory.dmp

memory/2580-950-0x00000000053D0000-0x00000000059E8000-memory.dmp

memory/2580-951-0x00000000059F0000-0x0000000005AFA000-memory.dmp

memory/2580-952-0x0000000002850000-0x0000000002862000-memory.dmp

memory/2580-953-0x0000000004D10000-0x0000000004D4C000-memory.dmp

memory/2580-954-0x0000000004D50000-0x0000000004D9C000-memory.dmp