Malware Analysis Report

2025-03-15 01:41

Sample ID 230910-lmv83agb42
Target 954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da
SHA256 954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da
Tags
healer redline virad dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da

Threat Level: Known bad

The file 954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da was found to be: Known bad.

Malicious Activity Summary

healer redline virad dropper evasion infostealer persistence trojan

Detects Healer an antivirus disabler dropper

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Checks processor information in registry

Enumerates system info in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 09:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 09:39

Reported

2023-09-10 09:42

Platform

win10v2004-20230831-en

Max time kernel

151s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
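The five values in the table above are the Group Policy switches for Defender's real-time engine, and a process other than the policy client writing any of them to 1 is the detection, whatever the effect on the host (with Tamper Protection on, Defender ignores the change, but the write still happened). Note the path: the sandbox logged the WOW6432Node view because the 32-bit AppLaunch.exe is redirected there, so a rule keyed only on the native key path misses this sample. The following is an added example, not part of the report: a Python filter over constructed records shaped like Sysmon Event ID 13 (RegistryEvent, value set) built from the report's indicators. The field names, the "DWORD (0x...)" rendering and the expected-writer list are assumptions to tune per environment.

```python
"""Flag writes that switch off Windows Defender real-time protection.

Added example, not part of the sandbox report. Input records are constructed to
look like Sysmon Event ID 13 (RegistryEvent: value set); the field names, the
'DWORD (0x...)' rendering and the expected-writer list are assumptions.
"""
import re
from typing import Optional

# Policy values under ...\Policies\Microsoft\Windows Defender\Real-Time Protection.
# Each one set to 1 disables a real-time protection component.
DEFENDER_RTP_KILL_SWITCHES = {
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
    "DisableRealtimeMonitoring",
    "DisableScanOnRealtimeEnable",
}

# Match both the native 64-bit view and the WOW6432Node view of the key: a 32-bit
# writer (the AppLaunch.exe in the report) is redirected to the latter.
_RTP_VALUE_RE = re.compile(
    r"^(?:\\REGISTRY\\MACHINE|HKLM)\\SOFTWARE\\(?:WOW6432Node\\)?"
    r"Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\([^\\]+)$",
    re.IGNORECASE,
)

# Processes that legitimately push Defender policy (the Group Policy client runs
# inside svchost.exe). Assumption for the example; tune per environment, and keep
# in mind that svchost.exe is also a common injection target.
EXPECTED_POLICY_WRITERS = {r"c:\windows\system32\svchost.exe"}


def parse_details(details: str) -> Optional[int]:
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000001)'; return the integer."""
    m = re.search(r"DWORD \(0x([0-9a-fA-F]{8})\)", details)
    return int(m.group(1), 16) if m else None


def find_defender_tampering(events):
    """Return one hit per Event ID 13 record that sets a kill switch to 1."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = _RTP_VALUE_RE.match(ev["TargetObject"])
        if not m or m.group(1) not in DEFENDER_RTP_KILL_SWITCHES:
            continue
        if parse_details(ev["Details"]) != 1:
            continue
        hits.append({
            "value": m.group(1),
            "image": ev["Image"],
            "pid": ev["ProcessId"],
            "expected_writer": ev["Image"].lower() in EXPECTED_POLICY_WRITERS,
        })
    return hits


def unexpected_writers(hits):
    """Images that changed the policy without being an expected policy writer."""
    return {h["image"] for h in hits if not h["expected_writer"]}


# --- constructed sample records, mirroring the report's indicators ---------------
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
_RTP32 = r"HKLM\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection"
_RTP64 = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"


def _ev(image, pid, target, value=1, event_id=13):
    return {"EventID": event_id, "Image": image, "ProcessId": pid,
            "TargetObject": target, "Details": f"DWORD (0x{value:08x})"}


SAMPLE_EVENTS = [
    # Key created (Event ID 12), as in the report: not a value write, so ignored.
    _ev(APPLAUNCH, 1416, _RTP32, event_id=12),
    # The five writes the sandbox attributed to AppLaunch.exe (PID 1416).
    *[_ev(APPLAUNCH, 1416, _RTP32 + "\\" + name) for name in sorted(DEFENDER_RTP_KILL_SWITCHES)],
    # A Group Policy push of the same value from svchost.exe: flagged, but expected.
    _ev(SVCHOST, 1234, _RTP64 + r"\DisableRealtimeMonitoring"),
    # Re-enabling real-time monitoring (value 0) is not tampering.
    _ev(SVCHOST, 1234, _RTP64 + r"\DisableRealtimeMonitoring", value=0),
]

if __name__ == "__main__":
    for hit in find_defender_tampering(SAMPLE_EVENTS):
        print(hit)
```

The expected-writer split keeps the rule useful on domain-joined hosts where Group Policy legitimately sets these values; what should page someone is the set returned by unexpected_writers, which for the sample records is AppLaunch.exe alone.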

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3062476.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{BE11D652-B5F6-4A5A-AAF3-0AABD6857FF7}.catalogItem C:\Windows\System32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5044 set thread context of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3284 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3062476.exe
PID 3284 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3062476.exe
PID 3284 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3062476.exe
PID 4516 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3062476.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe
PID 4516 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3062476.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe
PID 4516 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3062476.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe
PID 4304 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe
PID 4304 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe
PID 4304 wrote to memory of 5044 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe
PID 5044 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5044 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4304 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6375218.exe
PID 4304 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6375218.exe
PID 4304 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6375218.exe
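Read together with the SetThreadContext row above, the WriteProcessMemory rows give the whole execution chain: the sample (PID 3284) starts x3062476.exe (4516) from IXP000.TMP, which starts x5822521.exe (4304) from IXP001.TMP, which starts both g4382181.exe (5044) and i6375218.exe (5016) from IXP002.TMP. The IXP00n.TMP directories and the wextract_cleanupN RunOnce values (rundll32 advpack.dll,DelNodeRunDLL32 deleting that directory) are the standard footprint of nested Win32 self-extracting cabinets, one per stage, which is why the "Adds Run key" signature fires without the sample having set up persistence of its own. g4382181.exe then writes eight times into a freshly started AppLaunch.exe (1416) and changes its thread context, the shape of process hollowing into a Windows-shipped .NET host; it is also the process that later crashes (WerFault.exe -p 5044). The registry reads and the InstallService catalogItem file attributed to C:\Windows\System32\svchost.exe do not appear in this chain. The following is an added example, not part of the report: Python that rebuilds the chain from the rows above (repeated as often as the report lists them) and picks out the write-plus-SetThreadContext edge; the hollowing heuristic is the example's own.

```python
"""Rebuild the injection chain from the report's WriteProcessMemory and
SetThreadContext rows.

Added example, not part of the sandbox report. The rows are those listed in the
two signature tables above, repeated as often as the report lists them; the
hollowing heuristic (write + thread-context change into a Windows-shipped
binary) is this example's own.
"""
import re
from collections import OrderedDict

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = T + r"\954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da.exe"
X3 = T + r"\IXP000.TMP\x3062476.exe"
X5 = T + r"\IXP001.TMP\x5822521.exe"
G4 = T + r"\IXP002.TMP\g4382181.exe"
I6 = T + r"\IXP002.TMP\i6375218.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

REPORT_ROWS = (
    [f"PID 3284 wrote to memory of 4516 N/A {SAMPLE} {X3}"] * 3
    + [f"PID 4516 wrote to memory of 4304 N/A {X3} {X5}"] * 3
    + [f"PID 4304 wrote to memory of 5044 N/A {X5} {G4}"] * 3
    + [f"PID 5044 wrote to memory of 1416 N/A {G4} {APPLAUNCH}"] * 8
    + [f"PID 4304 wrote to memory of 5016 N/A {X5} {I6}"] * 3
    + [f"PID 5044 set thread context of 1416 N/A {G4} {APPLAUNCH}"]
)

_ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (.+?\.exe) (.+\.exe)$"
)


def parse_row(row):
    """-> (src_pid, 'write'|'ctx', dst_pid, src_image, dst_image), or None."""
    m = _ROW_RE.match(row)
    if not m:
        return None
    src, kind, dst, src_img, dst_img = m.groups()
    return int(src), ("ctx" if kind.startswith("set") else "write"), int(dst), src_img, dst_img


def build_graph(rows):
    """images: pid -> image path; edges: (src, dst) -> {'writes': n, 'ctx': bool}."""
    images, edges = {}, OrderedDict()
    for row in rows:
        parsed = parse_row(row)
        if parsed is None:
            continue
        src, kind, dst, src_img, dst_img = parsed
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        edge = edges.setdefault((src, dst), {"writes": 0, "ctx": False})
        if kind == "write":
            edge["writes"] += 1
        else:
            edge["ctx"] = True
    return images, edges


def chains(edges):
    """Every root-to-leaf PID path; roots are processes nobody wrote into."""
    children, targets = OrderedDict(), set()
    for src, dst in edges:
        children.setdefault(src, []).append(dst)
        targets.add(dst)
    paths = []

    def walk(pid, path):
        kids = [k for k in children.get(pid, []) if k not in path]  # PID-reuse guard
        if not kids:
            paths.append(path)
        for kid in kids:
            walk(kid, path + [kid])

    for root in [pid for pid in children if pid not in targets]:
        walk(root, [root])
    return paths


def hollowing_candidates(images, edges):
    """Edges with memory writes AND a thread-context change into a binary under
    C:\\Windows: the shape of process hollowing into a trusted host process."""
    return [(src, dst, images[dst]) for (src, dst), e in edges.items()
            if e["ctx"] and e["writes"] and images[dst].lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    images, edges = build_graph(REPORT_ROWS)
    for path in chains(edges):
        print(" -> ".join(f"{pid} {images[pid].rsplit(chr(92), 1)[-1]}" for pid in path))
    print("hollowing candidates:", hollowing_candidates(images, edges))
```

The same parse-then-graph step works on the raw sandbox JSON or on Sysmon Event ID 8/10 data once the row regex is swapped for the real field names; the point is that a chain whose last hop is a write-plus-SetThreadContext into a signed Windows binary is where the memory dumps (memory/1416-*) should be pulled from.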

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da.exe

"C:\Users\Admin\AppData\Local\Temp\954808bfbcf36867dbff4967925378e3c6497ab583d22c497520421aa7e612da.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3062476.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3062476.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 140

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6375218.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6375218.exe

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53           146.78.124.51.in-addr.arpa     udp
US       8.8.8.8:53           240.221.184.93.in-addr.arpa    udp
US       8.8.8.8:53           69.31.126.40.in-addr.arpa      udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           9.228.82.20.in-addr.arpa       udp
US       8.8.8.8:53           58.99.105.20.in-addr.arpa      udp
US       8.8.8.8:53           59.128.231.4.in-addr.arpa      udp
US       8.8.8.8:53           41.110.16.96.in-addr.arpa      udp
US       8.8.8.8:53           54.120.234.20.in-addr.arpa     udp
FI       77.91.124.82:19071   -                              tcp
US       8.8.8.8:53           157.123.68.40.in-addr.arpa     udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           8.3.197.209.in-addr.arpa       udp
FI       77.91.124.82:19071   -                              tcp
US       8.8.8.8:53           tse1.mm.bing.net               udp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       204.79.197.200:443   tse1.mm.bing.net               tcp
US       8.8.8.8:53           200.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53           8.3.197.209.in-addr.arpa       udp
US       8.8.8.8:53           140.121.18.2.in-addr.arpa      udp
FI       77.91.124.82:19071   -                              tcp
US       8.8.8.8:53           233.141.123.20.in-addr.arpa    udp
FI       77.91.124.82:19071   -                              tcp
FI       77.91.124.82:19071   -                              tcp
FI       77.91.124.82:19071   -                              tcp
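Of the 29 rows, 17 are reverse (PTR) lookups sent to 8.8.8.8 (decoding 200.197.79.204.in-addr.arpa gives 204.79.197.200, the Bing address the sandbox then connects to), one is a forward lookup of tse1.mm.bing.net and five are HTTPS connections to it. That leaves six TCP connections to 77.91.124.82:19071 with no DNS name: the only endpoint not explained by sandbox or OS background traffic, and the one to feed into blocking and hunting. The following is an added example, not part of the report: a Python triage of the table above that does that separation; the allowlist suffix is an assumption.

```python
"""Triage the sandbox's network table: strip DNS and allowlisted noise, then
aggregate what is left by endpoint.

Added example, not part of the sandbox report. NETWORK_ROWS are the rows of the
Network table above (country, destination, domain, protocol; the domain may be
absent or '-'); the allowlist suffix is an assumption.
"""
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 140.121.18.2.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 233.141.123.20.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
""".splitlines()

# Assumption: Bing thumbnail traffic is Windows background noise on this sandbox image.
ALLOWLIST_SUFFIXES = (".bing.net",)


def parse_row(row):
    """Split one table row; the domain column may be missing or '-'."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        (country, dest, proto), domain = parts, ""
    else:
        return None
    if domain == "-":
        domain = ""
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def ptr_target(domain):
    """'146.78.124.51.in-addr.arpa' -> '51.124.78.146', the address being reverse-resolved."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    return ".".join(reversed(domain[: -len(suffix)].split(".")))


def classify(conn):
    if conn["proto"] == "udp" and conn["port"] == 53:
        return "dns_ptr" if ptr_target(conn["domain"]) else "dns"
    if conn["domain"].endswith(ALLOWLIST_SUFFIXES):
        return "allowlisted"
    return "candidate"


def triage(rows):
    """Count rows per class, aggregate candidates by (ip, port, proto), and
    collect the addresses the PTR lookups were for."""
    classes, candidates, resolved = Counter(), Counter(), set()
    for row in rows:
        conn = parse_row(row)
        if conn is None:
            continue
        cls = classify(conn)
        classes[cls] += 1
        if cls == "dns_ptr":
            resolved.add(ptr_target(conn["domain"]))
        elif cls == "candidate":
            candidates[(conn["ip"], conn["port"], conn["proto"])] += 1
    return {"classes": dict(classes), "candidates": dict(candidates),
            "reverse_lookups": sorted(resolved)}


if __name__ == "__main__":
    result = triage(NETWORK_ROWS)
    print(result["classes"])
    for (ip, port, proto), n in result["candidates"].items():
        print(f"block {proto} {ip}:{port}  ({n} connections)")
```

The classification is deliberately conservative: anything that is neither DNS nor on the allowlist is a candidate, so a second unexplained endpoint would surface rather than be silently dropped. The reverse_lookups list is worth a glance too, since a sandbox that reverse-resolves every address it talks to leaks which Microsoft ranges it touched.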

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x3062476.exe

MD5 7287d750fe4657d9a102df96dd6cf66a
SHA1 eeec4171e10a25fdba24cdd0953bff22e8dddf87
SHA256 dda7f3dc98fc41b2db25cb2712cd476b225ac0b68fde86be7ce300c16dbaa1d1
SHA512 3f5384a2ee02da0ed3e8740ee33ddd2e0c45c0da36a46f5da14e8d38a1f1b3a12bb3a537be38d310c63e975b55f00370d4ad043ebe13f4b6d98b19fd38e81366

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5822521.exe

MD5 f98181810be21e6aa36b70b943fd3cce
SHA1 ccdbc5afb0c138675d547e4882adf1f93e5dea55
SHA256 61bf8f097914ada9a3bfbd6d45cad18e3eba6a34934f35f019f29c623089b9c8
SHA512 ee5e1eada4a51aed2e34da33f8b1aa759112972e07760a4398e3517720b9da58f281ca3004f8903d3b086936a4a9013885a7966fe362800d64a0463598c45b2c

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4382181.exe

MD5 f77e90a9eb0d56b2375619862282722c
SHA1 3579aee84a868e6a881700e54ae72455ab643c10
SHA256 5e0e0159f6d699fc98f8e293b84e36a4841b0ae51f78cb46989c3f93de526a22
SHA512 651387b5de4f04dcab93eb0d2b87b6024134ac972e48fa91005ee8e354502b1885475299e1a13171cbf0c3eb033aff9a0ebf4babe1c3304642d133f20cb2a8be

memory/1416-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1416-22-0x0000000074030000-0x00000000747E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i6375218.exe

MD5 d4e36dff3b0624936979f4ce5f93bc4a
SHA1 1b6f23c9177dcf1b5c19b3107d7b9e862b2461e3
SHA256 2004450a44954b2a9e147333161253e37715b48f0a0419a31dc57d80f3db99ba
SHA512 17569231dd45816ad084f81ddd263525953ede657c039e33f9f75b73a8d130446e959f0e8588c7d6f447d83b1ade59cdfa9c8a1514d51e324e154959f2196ba1

memory/5016-28-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/5016-27-0x0000000000B00000-0x0000000000B30000-memory.dmp

memory/5016-29-0x0000000005B40000-0x0000000006158000-memory.dmp

memory/5016-30-0x0000000005630000-0x000000000573A000-memory.dmp

memory/5016-31-0x0000000005380000-0x0000000005392000-memory.dmp

memory/5016-32-0x0000000005410000-0x0000000005420000-memory.dmp

memory/5016-33-0x0000000005520000-0x000000000555C000-memory.dmp

memory/1416-34-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/1416-42-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/5016-43-0x0000000074030000-0x00000000747E0000-memory.dmp

memory/5016-44-0x0000000005410000-0x0000000005420000-memory.dmp