Malware Analysis Report

2025-06-15 23:47

Sample ID: 241112-yemm6symbs
Target: 0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205
SHA256: 0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205
Tags: healer, redline, rumfa, discovery, dropper, evasion, infostealer, persistence, trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205

Threat Level: Known bad

The file 0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205 was found to be: Known bad.

Malicious Activity Summary

Tags: healer, redline, rumfa, discovery, dropper, evasion, infostealer, persistence, trojan

Modifies Windows Defender Real-time Protection settings

Healer family

Redline family

RedLine payload

Detects Healer an antivirus disabler dropper

RedLine

Healer

Windows security modification

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 19:42

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 19:42

Reported

2024-11-12 19:44

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe"

Signatures

Detects Healer an antivirus disabler dropper


Healer (tags: dropper, healer)

Healer family (tags: healer)

Modifies Windows Defender Real-time Protection settings (tags: evasion, trojan)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe | N/A

RedLine (tags: infostealer, redline)

RedLine payload


Redline family (tags: redline)

Windows security modification (tags: evasion, trojan)

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe | N/A

Adds Run key to start application (tags: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYP23Fr06.exe | N/A

System Location Discovery: System Language Discovery (tags: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caBz77Gi61.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYP23Fr06.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caBz77Gi61.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0f65fa4c174d79cadecf051ba5578642cc281dfd63b4618d4a9eb713fb1f7205.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYP23Fr06.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYP23Fr06.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caBz77Gi61.exe
Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caBz77Gi61.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
RU | 193.233.20.24:4123 | N/A | tcp
RU | 193.233.20.24:4123 | N/A | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
RU | 193.233.20.24:4123 | N/A | tcp
RU | 193.233.20.24:4123 | N/A | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
RU | 193.233.20.24:4123 | N/A | tcp
RU | 193.233.20.24:4123 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\plYP23Fr06.exe

MD5: d4219091803ebac63fb629c639387364
SHA1: 1937b3c3c02d2709009f121e580683af44ed603f
SHA256: 18e8e1bb79ebcd07894aa4bd97eee33207990749b521434bdabf93f615c53d27
SHA512: 73f37ed573bf503b231f1e357f5b6027d35b702ec8fcbc4249c80591e9064c7fbf58c81971e127488708ce0751fb86f7669a82923bc21c3414d6e9a0364ef5c0

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\buvb70cA80.exe

MD5: 6e365e5a4be2edb6974d1f9989b26aed
SHA1: f9eb483bcbc21ec5ae7b72a49176c6db4965325d
SHA256: f9ba45273be1b0d06f7d1b759da86328510a0d551dee57b711aac2c9fc093ba8
SHA512: f3d0ca517ae48294145cc39d843b7b736700c302335171993cf7fa3925f16f9e45649420cc770cfeb062ce9dd3afe601c55fce216c993b619d551677a539cf0c

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\caBz77Gi61.exe

MD5: e8a74f8947be8861da483f9a1b725bea
SHA1: c9485cc022bb2ee5eb15bc98e1aa5330b1b5c09a
SHA256: b27c4b8cc67abed8e257f5b43a656dbfafea50833d2aae5b7fe545ac82d74727
SHA512: 4ac48c039d81d9b6f5dd9cd4700855bc27efec45bb167fbf0268ec56c238138865a9d9b9575b2e71f2ab204f29da0daff1e78f5ac12cb54d0383766b7c82e2e8