Malware Analysis Report

2025-03-15 01:43

Sample ID 230910-ljhtkaga51
Target 7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67
SHA256 7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67
Tags healer redline virad dropper evasion infostealer persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67

Threat Level: Known bad

The file 7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67 was found to be: Known bad.

Malicious Activity Summary

healer redline virad dropper evasion infostealer persistence trojan

RedLine

Detects Healer, an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2023-09-10 09:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 09:33

Reported

2023-09-10 09:36

Platform

win10v2004-20230831-en

Max time kernel

137s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 496 set thread context of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe
PID 2120 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe
PID 2120 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe
PID 2972 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe
PID 2972 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe
PID 2972 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe
PID 1984 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe
PID 1984 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe
PID 1984 wrote to memory of 496 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe
PID 496 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 496 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 496 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 496 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 496 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 496 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 496 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 496 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1984 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3499465.exe
PID 1984 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3499465.exe
PID 1984 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3499465.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67.exe

"C:\Users\Admin\AppData\Local\Temp\7b1bf70120dc9fc14cbe1686d874a5e9aff93621e115b49c83426b832d19fc67.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 496 -ip 496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 168

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3499465.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3499465.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 133.121.18.2.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp
FI 77.91.124.82:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x2492182.exe

MD5 e5b7101ef5e87f4bdcd9969a70d4dfba
SHA1 65fda7e9fe6bea2743319bff23c1ed9cf307fcdd
SHA256 e1f6dfaabc115bb11316590e38ec4d112851a848190c39d783b3975821a7792b
SHA512 c14bc3ea5aeb98ff52903ddcbb1e546566321a2cdd507fa4a1d6fe3e10dee638c80ca486818470d851f90517ad5ac21268baffda16ee5f79b2edc120bdb60f86

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x2334444.exe

MD5 c7fcd765d717dd4572cd020a5855a1e7
SHA1 ef48e5087271e08238ca5777bad1517d7fac9abb
SHA256 c0bc9d0feeba34d711db79d20019164fd92efebdf0ddd8e5af7f649d9981d776
SHA512 7a54a40510e97f813a7522a7266754cdb0cbbe42f7d983c5933bb7cd94a02494172cec6be8d1f51e73d4e857917547d26a061118d6aa017a8e4d5d412323d31f

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4767974.exe

MD5 052e3dc1f0c1cdf12f7dd4b80bfb6e2d
SHA1 57fa3d404e39146737443b2a295db7cd3e30ddb9
SHA256 329f724caadae645ee3c70202626a562bd251cf5986b53e1195ff5a615d4011f
SHA512 620f0b23a01ae3c9295de2f4c0e89242c5e862e4f395bb73211c8803c419623ca35065be5bda420dca0aa3c62a2ff54d375a480be3cb0ef8105ffabbc9d5efc8

memory/1532-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1532-22-0x00000000745F0000-0x0000000074DA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3499465.exe

MD5 14d3c7f32c71badb827292181829cf47
SHA1 ff5afc85181a150b7158cdfaaa8679b8e729c872
SHA256 4e0cf6893405937ec20cdcec1efa7d59d8649ace8785f66867badf92fd3e3ba4
SHA512 62d5080c018c24a8571c9dfba239c41f77c52eddac06d9355748e6cacbea6c4faa4c7ffa1452bb598cfbae137eff80a6f14088761273447d24f14d87ede9bf9c

memory/4104-26-0x00000000001F0000-0x0000000000220000-memory.dmp

memory/4104-27-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/4104-28-0x00000000051D0000-0x00000000057E8000-memory.dmp

memory/4104-29-0x0000000004CC0000-0x0000000004DCA000-memory.dmp

memory/4104-31-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

memory/4104-30-0x0000000004B70000-0x0000000004B82000-memory.dmp

memory/4104-32-0x0000000004BF0000-0x0000000004C2C000-memory.dmp

memory/1532-33-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/1532-35-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/4104-36-0x00000000745F0000-0x0000000074DA0000-memory.dmp

memory/4104-37-0x0000000004BA0000-0x0000000004BB0000-memory.dmp