Malware Analysis Report

2025-06-15 23:45

Sample ID 241112-zd6kbs1ckq
Target b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe
SHA256 b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92
Tags
healer redline ramon discovery dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92

Threat Level: Known bad

The file b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe was found to be: Known bad.

Malicious Activity Summary

healer redline ramon discovery dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine payload

Redline family

Healer family

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Windows security modification

Adds Run key to start application

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 20:37

Signatures

Unsigned PE

Description | Indicator | Process | Target
1 match, no details recorded (all fields N/A)

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 20:37

Reported

2024-11-12 20:39

Platform

win10v2004-20241007-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
2 matches, no details recorded (all fields N/A)

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
35 matches, no details recorded (all fields N/A)

Redline family

redline

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe

"C:\Users\Admin\AppData\Local\Temp\b3934e65d078022c40e6054323c252ebe8fa01ca4f176bc9abb5affa333f1c92N.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
RU | 193.233.20.23:4123 | N/A | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
RU | 193.233.20.23:4123 | N/A | tcp
RU | 193.233.20.23:4123 | N/A | tcp
RU | 193.233.20.23:4123 | N/A | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
RU | 193.233.20.23:4123 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\pgT63bu58.exe

MD5 258a6b2df5cad8c864bb75df2e1d3376
SHA1 520d36fbdfd65e2bee1a999bec5d46ee6f7ee6ac
SHA256 4ca7414afb2849216202055c68b7c134069a4ec2ea092abeb3770656f9cd18fe
SHA512 653f66fbab322803658d017881e76d0792e98d4d64255f1983f7517d8b545cbaa6abf79e8a51f4ceb8db0bcd795988fd5144d038ac78ac121937f4d0e6c6ead7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\bpw79rx89.exe

MD5 7720e60b1e2818e47418fa2551f90f07
SHA1 caa232d9a1939650cfd54f7890a74d46c7291356
SHA256 83ba14557a7847fb9fd3b925051db3c3b6a32edadd232c8a7fd0bcc6e35ed98d
SHA512 cfd3f0be18ddde002d0b778b6231d24cc3dcf816fc47cd8a731e41419cdd833d66a11d9551076374dd61bf9dd5c0abf81606879f5ef4bceb7b87a93fcaa4e1bc

memory/1764-14-0x00007FF9179B3000-0x00007FF9179B5000-memory.dmp

memory/1764-15-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

memory/1764-16-0x00007FF9179B3000-0x00007FF9179B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ckN62wa95.exe

MD5 268eb6c29660b671081e908c7edff532
SHA1 e43f244273c197c44bb8bc7ad1ae2583545724bf
SHA256 44dcf8fd0be32702a4246205f7ac38abfed0f072fa42bbe79044476c5f2903d0
SHA512 a141e4bdedfcd313468ac3a967ed9a866efc5db3d060edeaa409f1fb278f02595921480192b0b43d02cc18fd2872ac045af2f01c86660d40b6b2f527074a3689

memory/224-22-0x00000000024F0000-0x0000000002536000-memory.dmp

memory/224-23-0x0000000004CC0000-0x0000000005264000-memory.dmp

memory/224-24-0x00000000026D0000-0x0000000002714000-memory.dmp

memory/224-38-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-36-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-88-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-84-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-82-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-80-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-78-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-76-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-74-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-72-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-68-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-66-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-64-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-62-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-60-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-58-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-56-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-54-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-52-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-50-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-46-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-44-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-42-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-40-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-86-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-70-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-48-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-34-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-32-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-30-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-28-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-26-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-25-0x00000000026D0000-0x000000000270E000-memory.dmp

memory/224-931-0x0000000005270000-0x0000000005888000-memory.dmp

memory/224-932-0x0000000005890000-0x000000000599A000-memory.dmp

memory/224-933-0x00000000059A0000-0x00000000059B2000-memory.dmp

memory/224-934-0x00000000059C0000-0x00000000059FC000-memory.dmp

memory/224-935-0x0000000005B10000-0x0000000005B5C000-memory.dmp