Malware Analysis Report

2025-08-10 23:22

Sample ID 241117-kxwf5szrer
Target c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a
SHA256 c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a
Tags healer redline maxbi discovery dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a

Threat Level: Known bad

The file c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a was found to be: Known bad.

Malicious Activity Summary

healer redline maxbi discovery dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Redline family

RedLine payload

RedLine

Healer

Healer family

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Windows security modification

Adds Run key to start application

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-11-17 08:59

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 08:59

Reported

2024-11-17 09:01

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Healer

dropper healer

Healer family

healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe N/A

RedLine

infostealer redline

RedLine payload

Redline family

redline

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30199716.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29593467.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b42430628.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30199716.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29593467.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30199716.exe
PID 2560 wrote to memory of 612 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30199716.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29593467.exe
PID 612 wrote to memory of 4612 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29593467.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe
PID 612 wrote to memory of 372 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29593467.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b42430628.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe

"C:\Users\Admin\AppData\Local\Temp\c211c71c4e05ad54ca8412302494e62cfef12eeef34da04bcf9b3c667514656a.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30199716.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30199716.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29593467.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29593467.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4612 -ip 4612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4612 -s 1096

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b42430628.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b42430628.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.161.248.73:4164 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\i30199716.exe

MD5 7b10849c090d55ebabec6c88681a58a2
SHA1 68a0cc7b6c271889be06fcd5887a079b8de65c35
SHA256 d22fe2f55fbacc45800db3e805d1787b9816ea08ce0cd302903a41f4ba1c6623
SHA512 9fde6fe75a8c2edf0cbd0dadfda027a3b0cd8821d5cc1322caac5e5e6a7cd18489854bc26294ee4447dc1fb9ad2260c2b3cdda7ca599614d3e9f45d57cd8e865

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\i29593467.exe

MD5 2ef99d8b78b22f10f0b0c76e833fb278
SHA1 f84bb3a9889f03640a37232b71ae9ec0b3042c44
SHA256 3f7eed0eb69ec24e1f8623a492088fd566a1fd61e2ae4cfff4f33d7778931586
SHA512 a6a9087c85f420df132bbe3b63f3601d46b77b66874298286aa7871bc55515a69dc14b96b60feda718ec70289e286559b293d4c611f59430cdc51103763a0561

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\a79350827.exe

MD5 f1477fec2edbf82cd829e8c8a3c26265
SHA1 d8cae5e77c025b4c122b970b7c6d04833e7330cf
SHA256 fa314f8240e9d4791a87e35cfb914e28eeb8551d51a005a1c2a0bc757a6d6e25
SHA512 d01dc1ae737f28830c823357fbc8cca104f652a2ce4db1338bcd509c4c6051575f7e8468f9aa08ece45da315c71fcb5b20d713d2a2663fa7856d326ec7f03a1d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\b42430628.exe

MD5 17f75b96ee94b0e55b69fdf7f14d6852
SHA1 4fbbfe42674d6418f70681e55c561f0445f46ac6
SHA256 67a207f23396e4c437fb989150f2a55b5452aa82445799a6dd341a1479245739
SHA512 497f03f4009a85bf32aa5759b95d8e0ac6f70c639d38d8c7aa7c819f22b938a515452e62e018b732ae1f4b269801755914e9aefc7190f8120413cebc81e064ea
