Malware Analysis Report

2025-06-15 23:47

Sample ID 241112-ydpq5sylgz
Target 0ece66e785f8a335553d681563dc2cff6e17126fcd2609bb72a8d5a2cb3f79c1
SHA256 0ece66e785f8a335553d681563dc2cff6e17126fcd2609bb72a8d5a2cb3f79c1
Tags
healer redline fud discovery dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 0ece66e785f8a335553d681563dc2cff6e17126fcd2609bb72a8d5a2cb3f79c1 was found to be: Known bad.

Malicious Activity Summary

Healer family

Redline family

RedLine

Healer

RedLine payload

Detects Healer, an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-11-12 19:40

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 19:40

Reported

2024-11-12 19:42

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ece66e785f8a335553d681563dc2cff6e17126fcd2609bb72a8d5a2cb3f79c1.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0ece66e785f8a335553d681563dc2cff6e17126fcd2609bb72a8d5a2cb3f79c1.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhnj1431bx.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0ece66e785f8a335553d681563dc2cff6e17126fcd2609bb72a8d5a2cb3f79c1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhnj1431bx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf11ja61Jj45.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf11ja61Jj45.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0ece66e785f8a335553d681563dc2cff6e17126fcd2609bb72a8d5a2cb3f79c1.exe

"C:\Users\Admin\AppData\Local\Temp\0ece66e785f8a335553d681563dc2cff6e17126fcd2609bb72a8d5a2cb3f79c1.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhnj1431bx.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhnj1431bx.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf11ja61Jj45.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf11ja61Jj45.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 193.233.20.27:4123 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 193.233.20.27:4123 tcp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
RU 193.233.20.27:4123 tcp
RU 193.233.20.27:4123 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 193.233.20.27:4123 tcp
RU 193.233.20.27:4123 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vhnj1431bx.exe

MD5 ceee9a9dff2a69c787e10c6eba3894a2
SHA1 ff5236df9143aaf4c60583241a0df620a8286f1c
SHA256 c8d6e267ee3e231c567220ee828a649054de1b6a2e9c3caee6049f9fc91ed2c2
SHA512 86963514d6bbf0fe97ddf2849abb87b0ed6550d55023239922d52d9ccd4211ece080043fa70372dba923af780c0b50a7155603ef97d27ea856d82d3d2f74a8c0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf69Bz34Jo45.exe

MD5 82b8f09804fb00c9ee2e0b21ec98db13
SHA1 940ba73feeafb6ee961ed065de17dbd43f9d8177
SHA256 5c18c250f6fb2a1cb9e35ab203a130c2e0b2d72db0150c43698d348558eca81e
SHA512 569fd977b772df2f93b926fd6c04c60ea30e58e06717cb88144ded1ed711952506916a1b7b62a5892b9018b78ab7ed1dc42a308ddba1fd8d2371a5231c1f8fbb

memory/2880-15-0x0000000000D30000-0x0000000000D3A000-memory.dmp

memory/2880-14-0x00007FF8C05E3000-0x00007FF8C05E5000-memory.dmp

memory/2880-16-0x00007FF8C05E3000-0x00007FF8C05E5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tf11ja61Jj45.exe

MD5 6b48a9a5ca542b20633aff65ae0e882a
SHA1 c5e08fe68b82b937492e9686347567a37d606a48
SHA256 763b078fafe64dce994f8843a962741a00784eb2adcd8de0a1865f459e454355
SHA512 05e452f2b6540bc566b8d3b956c1e1ca8b645be991583374a559bd84fcd13c1ec79526a5b7dfb01369b0120793d1ac6aa4b5b956a5311ac504ed79cd0ea9e2e5
