Malware Analysis Report

2025-08-05 11:06

Sample ID 241111-hns9baylfp
Target 6dde8274b53851d494471d41333b92e6388df978de01f6d9a6108eda3e3b09d3
SHA256 6dde8274b53851d494471d41333b92e6388df978de01f6d9a6108eda3e3b09d3
Tags
healer redline rosn discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6dde8274b53851d494471d41333b92e6388df978de01f6d9a6108eda3e3b09d3

Threat Level: Known bad

The file 6dde8274b53851d494471d41333b92e6388df978de01f6d9a6108eda3e3b09d3 was found to be: Known bad.

Malicious Activity Summary

healer redline rosn discovery dropper evasion infostealer persistence trojan

Healer family

Modifies Windows Defender Real-time Protection settings

RedLine payload

Redline family

RedLine

Detects Healer an antivirus disabler dropper

Healer

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 06:53

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 06:53

Reported

2024-11-11 06:55

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6dde8274b53851d494471d41333b92e6388df978de01f6d9a6108eda3e3b09d3.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\6dde8274b53851d494471d41333b92e6388df978de01f6d9a6108eda3e3b09d3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCk2442.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku212241.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6dde8274b53851d494471d41333b92e6388df978de01f6d9a6108eda3e3b09d3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCk2442.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku212241.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6dde8274b53851d494471d41333b92e6388df978de01f6d9a6108eda3e3b09d3.exe

"C:\Users\Admin\AppData\Local\Temp\6dde8274b53851d494471d41333b92e6388df978de01f6d9a6108eda3e3b09d3.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCk2442.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCk2442.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku212241.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku212241.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 176.113.115.145:4125 N/A tcp
RU 176.113.115.145:4125 N/A tcp
US 8.8.8.8:53 78.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziCk2442.exe

MD5 8b6402b004a81694c984e46ca55205dc
SHA1 9b68e885144a1204c2b74e37327ea195b2d6de73
SHA256 54d2652ea803cc2312f30787dcfa3e3b63428836459119fc280fa42f25b7995e
SHA512 3d3815c4ac2e01c6f05cff523078f403865ae1c81cd60ef43173e84aaae698e494a152cb13803f6ad1c7bddd7212e4dfc999e54ccfd895a20dd7eefecc2c9540

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr504774.exe

MD5 58694cfb88af74d7c0a8e6f726abc697
SHA1 a70de4706113f44c6cde4ed95bbc24723b9cf6eb
SHA256 d8e76838f8ddd72bb34af568658f0fe182ecedad651b0e7f83b6d29473bc9cf5
SHA512 61019b6dbd38e3a7653bc319e942c6a2014bb11de4b9606581c74d269422d47fadec187a6caf4d3506ea53db858ea288db6afdac7318686e2683b5cfcbf3ced8

memory/3844-14-0x00007FFF59AD3000-0x00007FFF59AD5000-memory.dmp

memory/3844-15-0x0000000000FA0000-0x0000000000FAA000-memory.dmp

memory/3844-16-0x00007FFF59AD3000-0x00007FFF59AD5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku212241.exe

MD5 f6086d1a3bd02e6839dc21780afa0c87
SHA1 910bdc5d8759cbd3a55e362d675a2c9400e29e2b
SHA256 c2b4a346042e04715f82d01ad7eb6ef8bc95c8cb41a2b46eff71d7ff82c68b8f
SHA512 8767ac9b8277d7509cdf62bd814d46befaa5aa3f5336015358ec1a40c241af9994733e60e8fd07c4ca6cf8eadc6b1bd2fc69fc95acb65c7be65de45ff4c46359

memory/4260-22-0x0000000004A10000-0x0000000004A56000-memory.dmp

memory/4260-23-0x0000000007340000-0x00000000078E4000-memory.dmp

memory/4260-24-0x00000000071C0000-0x0000000007204000-memory.dmp

memory/4260-32-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-48-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-88-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-86-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-84-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-82-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-80-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-78-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-76-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-74-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-72-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-68-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-66-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-64-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-62-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-60-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-58-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-56-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-54-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-52-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-46-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-44-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-42-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-40-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-38-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-36-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-34-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-30-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-70-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-50-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-28-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-26-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-25-0x00000000071C0000-0x00000000071FF000-memory.dmp

memory/4260-931-0x00000000078F0000-0x0000000007F08000-memory.dmp

memory/4260-932-0x0000000007F10000-0x000000000801A000-memory.dmp

memory/4260-933-0x00000000072B0000-0x00000000072C2000-memory.dmp

memory/4260-934-0x00000000072D0000-0x000000000730C000-memory.dmp

memory/4260-935-0x0000000008150000-0x000000000819C000-memory.dmp