Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-q67hnahe66
Target e51591895c6a143bc3423ae1fedc4ba0c217150061ad9fec3a8985b5a74f5024
SHA256 e51591895c6a143bc3423ae1fedc4ba0c217150061ad9fec3a8985b5a74f5024
Tags
healer redline virad dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e51591895c6a143bc3423ae1fedc4ba0c217150061ad9fec3a8985b5a74f5024

Threat Level: Known bad

The file e51591895c6a143bc3423ae1fedc4ba0c217150061ad9fec3a8985b5a74f5024 was found to be: Known bad.

Malicious Activity Summary

healer redline virad dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 13:53

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 13:53

Reported

2023-09-10 13:56

Platform

win10v2004-20230831-en

Max time kernel

148s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e51591895c6a143bc3423ae1fedc4ba0c217150061ad9fec3a8985b5a74f5024.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

RedLine

infostealer redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5555178.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6763261.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\e51591895c6a143bc3423ae1fedc4ba0c217150061ad9fec3a8985b5a74f5024.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 548 set thread context of 1644 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4243192.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1568 wrote to memory of 4196 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\e51591895c6a143bc3423ae1fedc4ba0c217150061ad9fec3a8985b5a74f5024.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5555178.exe
PID 4196 wrote to memory of 1576 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5555178.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6763261.exe
PID 1576 wrote to memory of 548 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6763261.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4243192.exe
PID 548 wrote to memory of 5052 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4243192.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 548 wrote to memory of 1644 (8 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4243192.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1576 wrote to memory of 4512 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6763261.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8398961.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e51591895c6a143bc3423ae1fedc4ba0c217150061ad9fec3a8985b5a74f5024.exe

"C:\Users\Admin\AppData\Local\Temp\e51591895c6a143bc3423ae1fedc4ba0c217150061ad9fec3a8985b5a74f5024.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5555178.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5555178.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6763261.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6763261.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4243192.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4243192.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 548 -ip 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 588

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8398961.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8398961.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x5555178.exe

MD5 307cb07dee911cadc39f1fe7411820e1
SHA1 1e276da064b137fe99a6b19b88c8d7b545d32084
SHA256 82755dc46d99129495bc44df32701f0c8d9f8a4fe15ddcc68c33f75432dc6faf
SHA512 8daa13f2810445fa07a17318253f9afe36751e4aa739e1f1b9633e87423c846b3843378e8089d49646bb83c6f044007a8f0053d595fba707a9655107f79531be

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x6763261.exe

MD5 a811785338a6aee81f4d7f62c2e9af2f
SHA1 21f357bf814a806e969c367be200f92d794cb558
SHA256 b43779f7cec11ca6d9f544e926b082ad134abe57907f8b6a0ca4374da572e015
SHA512 72fd9ee2791697a61803f8e4363a4586f31254b44ccab54cec2db71b3325007ff9307a85b8990afa2e240f5605a0949b674629c555ca90ed83723f6fe3dae831

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g4243192.exe

MD5 e582869c6e146f10a71b3f6ba484619d
SHA1 7598c5a18f3d7af6871f1d60bf5784aba2a1d403
SHA256 2514954107c29a1307d4076436ab56c64f4c60a37aca0400a540d486f3a77ee0
SHA512 137c21c123316e4048db81fe1dff7c5d0ce1b9206cf1167eadc77f710520d30d043a9fcba56b54f08ca4b113e755ec7913919190d4afa5dc40bbed1739dda516

memory/1644-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/1644-22-0x0000000074970000-0x0000000075120000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i8398961.exe

MD5 34a3c74691ac60d58005207d2148692f
SHA1 2f965538b5ff1797412df2179a6cad433f081f66
SHA256 1b6239ee780b6bbc51b0d86990f29bbc69463b294cf7b0939be8b9345c35247f
SHA512 7ae51752a5ac71acff30a10cd3b729acf81b98a08a4a40980399f301efab6efd9bbce631f4dee7a31e88aec643339235db69b6ee6820d212c563660b23e7ba90

memory/4512-26-0x00000000007D0000-0x0000000000800000-memory.dmp

memory/4512-27-0x0000000074970000-0x0000000075120000-memory.dmp

memory/4512-28-0x0000000005710000-0x0000000005D28000-memory.dmp

memory/4512-29-0x0000000005220000-0x000000000532A000-memory.dmp

memory/4512-31-0x0000000004FE0000-0x0000000004FF0000-memory.dmp

memory/4512-30-0x0000000005160000-0x0000000005172000-memory.dmp

memory/4512-32-0x00000000051C0000-0x00000000051FC000-memory.dmp

memory/1644-33-0x0000000074970000-0x0000000075120000-memory.dmp

memory/1644-35-0x0000000074970000-0x0000000075120000-memory.dmp

memory/4512-36-0x0000000074970000-0x0000000075120000-memory.dmp

memory/4512-37-0x0000000004FE0000-0x0000000004FF0000-memory.dmp