Malware Analysis Report

2025-03-15 01:43

Sample ID 230910-kd8mcsfh26
Target 8267fc2d8fc9f777dd58baf77636ac30180420438ddefb879eee5887b6657194
SHA256 8267fc2d8fc9f777dd58baf77636ac30180420438ddefb879eee5887b6657194
Tags
healer redline virad dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

8267fc2d8fc9f777dd58baf77636ac30180420438ddefb879eee5887b6657194

Threat Level: Known bad

The file 8267fc2d8fc9f777dd58baf77636ac30180420438ddefb879eee5887b6657194 was found to be: Known bad.

Malicious Activity Summary

healer redline virad dropper evasion infostealer persistence trojan

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Detects Healer an antivirus disabler dropper

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 08:30

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 08:30

Reported

2023-09-10 08:32

Platform

win10v2004-20230831-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8267fc2d8fc9f777dd58baf77636ac30180420438ddefb879eee5887b6657194.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

RedLine

infostealer redline

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\8267fc2d8fc9f777dd58baf77636ac30180420438ddefb879eee5887b6657194.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2428483.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3588 set thread context of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 468 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\8267fc2d8fc9f777dd58baf77636ac30180420438ddefb879eee5887b6657194.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2428483.exe
PID 468 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\8267fc2d8fc9f777dd58baf77636ac30180420438ddefb879eee5887b6657194.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2428483.exe
PID 468 wrote to memory of 4600 | N/A | C:\Users\Admin\AppData\Local\Temp\8267fc2d8fc9f777dd58baf77636ac30180420438ddefb879eee5887b6657194.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2428483.exe
PID 4600 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2428483.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe
PID 4600 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2428483.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe
PID 4600 wrote to memory of 4464 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2428483.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe
PID 4464 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe
PID 4464 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe
PID 4464 wrote to memory of 3588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe
PID 3588 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3588 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3588 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3588 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3588 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3588 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3588 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3588 wrote to memory of 400 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4464 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8594396.exe
PID 4464 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8594396.exe
PID 4464 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8594396.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8267fc2d8fc9f777dd58baf77636ac30180420438ddefb879eee5887b6657194.exe

"C:\Users\Admin\AppData\Local\Temp\8267fc2d8fc9f777dd58baf77636ac30180420438ddefb879eee5887b6657194.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2428483.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2428483.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3588 -ip 3588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3588 -s 580

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8594396.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8594396.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.153.27.67.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 254.1.248.8.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2428483.exe

MD5 98423f81fe49fd682414f331a071d08e
SHA1 c3a57a094d8df89474a7e42dec47ea6844f5cfc0
SHA256 473abe204b9361b6d34d332cf81f75657fd15dd46cd80de74f5cc5aa450066f3
SHA512 da03a5e4e93104031cb2faaf3502bb9f6253439f1a26c9c0655c1a3d21a73b278c5c6f0705fa77a2788aa6fb4e3bc7ea4012c8c49ca3492ff08a251fa8345567

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2433605.exe

MD5 c72155180d870d7eba9f686a76827d5c
SHA1 2502f638bf893eb348a2e346fda5ff4564e1a820
SHA256 8ce0abeee84a303776f759317b334e73684ee3942e943d7b4b1080b8faa03c89
SHA512 d40148ea7296e440a176fe9612d0c7cbf8585d142331d71df40d4a773008dc0c5a48a3ab8c445e81da321652c2235d8e55f5f49990169963aaa925cd8f9d6468

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g7073662.exe

MD5 6cabba7c391565889c8fe3f0d192dcd4
SHA1 e7762162b9b010b925cf5a93613fc815a7c212c3
SHA256 385801941df676ef3b81a560b12be710d55a8d4995d85bc4c122549bd510ab3b
SHA512 7d7b5db3909ae379f3a77152198a25349466af313c557906d5c0b30f936fe7f26b0ecad5e557e364a9ec41f370bbf5004011ea2e7419a114e3c92d567c8afb92

memory/400-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/400-22-0x0000000073DC0000-0x0000000074570000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8594396.exe

MD5 507eba56626fae7cae5548f9c56943c0
SHA1 9c0cb4975c429fc01103c1bc5231a0f434be9aed
SHA256 6dc2af9af7462c3709968ca90d70351bf9c11f513b665103383b71dc6fa7f224
SHA512 44f040b28cb249f822f8492f902a6a4bfd3cbf50771bc89e7f360868fd2f369ef294d8383946df465a93e1490bdb129f7d7871d49ec3a0f6d7c5479f28fad281

memory/2688-26-0x0000000000580000-0x00000000005B0000-memory.dmp

memory/2688-27-0x0000000073DC0000-0x0000000074570000-memory.dmp

memory/2688-28-0x00000000054F0000-0x0000000005B08000-memory.dmp

memory/2688-29-0x0000000004FE0000-0x00000000050EA000-memory.dmp

memory/2688-30-0x0000000004F10000-0x0000000004F22000-memory.dmp

memory/2688-31-0x0000000004D80000-0x0000000004D90000-memory.dmp

memory/2688-32-0x0000000004F70000-0x0000000004FAC000-memory.dmp

memory/400-33-0x0000000073DC0000-0x0000000074570000-memory.dmp

memory/2688-34-0x0000000073DC0000-0x0000000074570000-memory.dmp

memory/400-36-0x0000000073DC0000-0x0000000074570000-memory.dmp

memory/2688-37-0x0000000004D80000-0x0000000004D90000-memory.dmp