Malware Analysis Report

2025-08-05 11:06

Sample ID 241111-hnkxyavelp
Target a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219
SHA256 a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219
Tags
healer redline rouch discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219

Threat Level: Known bad

The file a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219 was found to be: Known bad.

Malicious Activity Summary

healer redline rouch discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Redline family

RedLine payload

RedLine

Healer family

Modifies Windows Defender Real-time Protection settings

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:52

Reported

2024-11-11 06:55

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 436 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe
PID 436 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe
PID 436 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe
PID 2576 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe
PID 2576 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe
PID 2576 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe
PID 3284 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe
PID 3284 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe
PID 3284 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe
PID 1432 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe
PID 1432 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe
PID 1432 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe
PID 2616 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe
PID 2616 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe
PID 2616 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe
PID 2616 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe
PID 2616 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe

"C:\Users\Admin\AppData\Local\Temp\a32b0d149c969cf5c2851ba4950a0784eba7cccd0300339a0462b94db2551219.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
FR 193.56.146.11:4162 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
FR 193.56.146.11:4162 tcp
FR 193.56.146.11:4162 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plGH94Iw82.exe

MD5 6b26dea5e48f18b0d8961866d33cf0d8
SHA1 ad2200771b613dcd42f9e3e3eceffcc7b7beda69
SHA256 10d8a04ed97dd5bd3fcb08a1919c7e6ed3ca5f7e2a590b7485a59d0a8ee9e1aa
SHA512 101f8e3121c9a89087d71cd2c174970bc2d15708ed339b8fee0d47efb7ffb3ee6a2fea0d0b1a01fd9599275e27dbe5753a8a9f0a796ddcef6807250fa1a92f6b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\plfB14wT30.exe

MD5 1e5603fcee4409660bd62c9d64cb4186
SHA1 03cc43ea6ebc62fcf000dc2a8cccab7f077ba30b
SHA256 3d591d1bd9d7e544d84269fbdd5a8f9add21aa28acf95fba24b04868bdf33f35
SHA512 bcb6fbf01d023021705dc97526d109d245469e1862558e668857abc8bdce0ad471aa28dbadc2f7411a7b32be8a0fee16a8a9fe3758abd7ef877bdffff4b77b77

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\plpu34PR48.exe

MD5 38cbe723900d59aa753cc870e127a11d
SHA1 6add57bcbd7d2fe555855058df7e8c9492fb6378
SHA256 23724ec0e0cd8d384b7a82cd99085c963d7fd6dfee4e39e1789dcd301e7c777c
SHA512 b0a294e2c1ae6328e0223baf41f55f85b33adc7223c73f348744729ed743721ed3078373372086041c21e03f69a18d894fd9126111699c2144a980e5b1bf20c4

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\plub66qY66.exe

MD5 40584ca476ac36edfee3d977d21c01f6
SHA1 eb4455335d7273b65f5438250e12a119d894f601
SHA256 b6ff83cbe5ecc27ba1162cc43a20cb660746faeb6ee722e3c46d6e2557ef8dd5
SHA512 c1bfd1264735e04f0a3f26d657d192f1476831bee9d2fb934ab43c5c436b8e1b18211c2d49d45c6889488591ce94d01deaa5c8cc2ffe6dddb72996d3806ffebc

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\bupD17GK38.exe

MD5 3af0ef8b7ecaaf53cd964b48f3974deb
SHA1 1338a465c121496da656e0af915fdb3315a00a08
SHA256 2060c541405bb9947bd61fb1a4b174fa3b00470c648accab963297fcda1e955b
SHA512 8d81b46fa33238b5b09672e1cc6e0d3c13fa48f5789dd285c7c965c6b69835051dbc27bcf63f459e5d90a6bda2c3dd16901ec919d632120782e5a68b56449439

memory/628-35-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\caIZ03ex15.exe

MD5 a3da8951bb23f305fd251958e8535aa4
SHA1 ef6115e81f6e8a5a7ed3428db8ff7e34619e7e54
SHA256 786dcca370472e838015aaff2797f569f05b3fe168087a60e95294354ced715a
SHA512 be73e7708641e3d8d8f3f7b9136287bdf4de58798dd98ba5b03d1e486ff97aafcba07f428d135c87cb84098595e711a64d72b3ec43100375049d49d88618fe9d