Malware Analysis Report

2025-03-15 01:39

Sample ID 230910-l4ebwagc83
Target 0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241
SHA256 0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241
Tags
healer redline virad dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241

Threat Level: Known bad

The file 0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241 was found to be: Known bad.

Malicious Activity Summary

healer redline virad dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 10:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 10:04

Reported

2023-09-10 10:07

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4287018.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1296 set thread context of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4368 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4287018.exe
PID 4704 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4287018.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe
PID 5072 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe
PID 1296 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5072 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6380824.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241.exe

"C:\Users\Admin\AppData\Local\Temp\0feee5e3c397746639b00780252516f2b04002c184ef461491f76175f14b3241.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4287018.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4287018.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1296 -ip 1296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 564

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6380824.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6380824.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 126.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.3.248.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x4287018.exe

MD5 d987e0531e38a470713833a6c3beea1a
SHA1 5d119955b328c185e789184842c32e921c7bcc7b
SHA256 ad106b63b4e195619b751a3c821c3f8cc58d4d363c1f405d38554d9d5e84179d
SHA512 94e20cf75a301dc27eb3119c193ac41b04b91a0550bf943ff04945aab0a04684e868c2dd56654f6855a8f87d642b5ac2e2fda3edf4fd97c04e0d33ff0ef370ff

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2483002.exe

MD5 cee1dcc4ed8abff974697e51a33c24fe
SHA1 dfe3aa0e18a675fc8565f49af7e7900596028ccc
SHA256 48de1dd8db30ff7db7c40e7eb64deaab988750be3508f9d0de2a2351c07c3af3
SHA512 01bc423050e89b9336751e9f4be8ef910e5e452f7493b1309b58fea20396cd4dced39001ca388ae2140569c63a6ec5941ae82c7c652bef33e61b34da076c648d

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g5083950.exe

MD5 6c5011cd8c67f60785ee26cb8cf93901
SHA1 877ac7de7e199b217c373688e3b09bf5c47f1d01
SHA256 b574ba398c518977ae790e9c0bb7cbc7f9444fea0bf849f1a409218e4936034e
SHA512 ae7f35b47bb9182d0cd4ddff175b72a1931a810c9963e249093408d78fbf598c93ab0734075868f8ecccdd058135d66ffaa9f4028484aea8a78a4243dc272aee

memory/4200-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4200-22-0x00000000748B0000-0x0000000075060000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6380824.exe

MD5 c130d0b039fed3f2606e5a222e6ad67d
SHA1 08971b4c5b2ae83f0d8dad0515236b4d7a280220
SHA256 451e63e619fd1cdc14311086de443842370fc3b01ff31eb55c08eb25cd5d23d2
SHA512 a513b79dcebf68ea7bc2ba42af8577f1e4f370e2e7e30237629671fd4c2310261fc5848908f6071efa959de82aeed3cd14e45d4da9b6c02a8b243510f418018a

memory/1104-26-0x0000000000F30000-0x0000000000F60000-memory.dmp

memory/1104-27-0x00000000748B0000-0x0000000075060000-memory.dmp

memory/1104-28-0x000000000B270000-0x000000000B888000-memory.dmp

memory/1104-29-0x000000000ADA0000-0x000000000AEAA000-memory.dmp

memory/1104-30-0x000000000ACE0000-0x000000000ACF2000-memory.dmp

memory/1104-31-0x00000000057C0000-0x00000000057D0000-memory.dmp

memory/1104-32-0x000000000AD40000-0x000000000AD7C000-memory.dmp

memory/4200-33-0x00000000748B0000-0x0000000075060000-memory.dmp

memory/4200-35-0x00000000748B0000-0x0000000075060000-memory.dmp

memory/1104-36-0x00000000748B0000-0x0000000075060000-memory.dmp

memory/1104-37-0x00000000057C0000-0x00000000057D0000-memory.dmp