Malware Analysis Report

2025-06-15 23:47

Sample ID 241112-ylk3xsynex
Target 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe
SHA256 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1
Tags healer redline maxbi discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

Redline family

Healer family

Detects Healer an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine payload

Windows security modification

Executes dropped EXE

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 19:52

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 19:52

Reported

2024-11-12 19:54

Platform

win10v2004-20241007-en

Max time kernel

116s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe"

Signatures

Detects Healer an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe

"C:\Users\Admin\AppData\Local\Temp\541cecd2fe318b8102042fda4b8322d3308eb9ea417db33d74eb4cc06c85c0c1N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp
RU 185.161.248.73:4164 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\a92405775.exe

MD5 ce27553a2a3454e82a427b2a8a7847b8
SHA1 572ce8d9daf60ba37132dfef202a22bf1db391e0
SHA256 97734c5b3a6cc99d4baaafd1ca3e844e27b35b5c2072b2dd2fc258b3504a5373
SHA512 036a00e8a137b9d746573598d4b4d51fe9c5f835abe72af0992261fc96e7a6d575209f4daafdeb6910fffcf7ef85fc10a42957c3d5c25d76b55c5fb31b1fda37

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\b18432150.exe

MD5 df9334955bb2461c384e61f8f8d7a628
SHA1 8a277eeb18bf974fdd58c5e5825c6779fde6ae51
SHA256 827f9a77b86cb4745363cfeb07be2d2ab04149536a4085324289b9de1011bb5e
SHA512 0055f0fe6417ff86d1d1ccb4cf8af88e1c481b325366922d1829281d1d3b957a54efaafa12f6fd8249ed96e1985d50f44d9aca8600e9fc2bcb5deec40a28019c
