Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-rs5mkshg33
Target 3f474298d0d772a6bd6c03d34db65b3f43a8e6879ff94cd3a87a6e4375683f77
SHA256 3f474298d0d772a6bd6c03d34db65b3f43a8e6879ff94cd3a87a6e4375683f77
Tags
healer redline virad dropper evasion infostealer persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

3f474298d0d772a6bd6c03d34db65b3f43a8e6879ff94cd3a87a6e4375683f77

Threat Level: Known bad

The file 3f474298d0d772a6bd6c03d34db65b3f43a8e6879ff94cd3a87a6e4375683f77 was found to be: Known bad.

Malicious Activity Summary

healer redline virad dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:28

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:28

Reported

2023-09-10 14:30

Platform

win10v2004-20230831-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f474298d0d772a6bd6c03d34db65b3f43a8e6879ff94cd3a87a6e4375683f77.exe"

Signatures

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

RedLine

infostealer redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6394118.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5950953.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\3f474298d0d772a6bd6c03d34db65b3f43a8e6879ff94cd3a87a6e4375683f77.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1060 set thread context of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8549363.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A | 2

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 2104 wrote to memory of 3316 | N/A | C:\Users\Admin\AppData\Local\Temp\3f474298d0d772a6bd6c03d34db65b3f43a8e6879ff94cd3a87a6e4375683f77.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6394118.exe | 3
PID 3316 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6394118.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5950953.exe | 3
PID 888 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5950953.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8549363.exe | 3
PID 1060 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8549363.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | 8
PID 888 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5950953.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9930306.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\3f474298d0d772a6bd6c03d34db65b3f43a8e6879ff94cd3a87a6e4375683f77.exe

"C:\Users\Admin\AppData\Local\Temp\3f474298d0d772a6bd6c03d34db65b3f43a8e6879ff94cd3a87a6e4375683f77.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6394118.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6394118.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5950953.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5950953.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8549363.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8549363.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1060 -ip 1060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9930306.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9930306.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
FI | 77.91.124.82:19071 | N/A | tcp
US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp
FI | 77.91.124.82:19071 | N/A | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6394118.exe

MD5 86478e5cbd1d3e1852b97d2420abd0ec
SHA1 4bc4ce5f0879c1384afb013efe7aa083ae22daba
SHA256 35babbd093a930983c27220ad95eb7ed99bad3fdf93bc96fc0f29021af0a6f70
SHA512 912822d78e9e09c638a9983487c64f40a3a55247c11a3409de7506fc8366212df2e71a3644cf16cd12818853d2d1bfa2fb4d7a4e9890d2ac668fcde828f081b8

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x5950953.exe

MD5 8779a7249bc936e372a79d7f4c87a8eb
SHA1 f677ab167f38afd442f22a8f8a7ad4dacd7aaa13
SHA256 175d8550c840bf0bc6f3f140f8e833833bf708d8acc251387ad1bd33437260be
SHA512 5d72461e6fbd134dfe7e47d275d7c30200c204a0a9327e1f12eb147e7203e9268f3f6e4674ab44040c5687f7f07eba3f50f4480ce05135d0f075b47f1d7d8237

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g8549363.exe

MD5 58ac9df970a9286d6639fb3fe4505748
SHA1 c83093b23d3d4d991f6aae9ea6af18179cd8d4c8
SHA256 56742d1fa2162bbfdcc22e95e95f1edf4648c1afd35f3808d0c179a26d828723
SHA512 789c3c91caf011bc0c938f2ffc095600778052174fe7d4d664cf1ad8ee97a7f54a1b3dee6ccfb0867ada8f11c60ca4d945227cc36a7bd425d87b81bbc423059b

memory/2084-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2084-22-0x0000000074800000-0x0000000074FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i9930306.exe

MD5 726bb4c9300c4a673619fd2187d1cb18
SHA1 564f9e688aed4411c486f474677b0c28bec2a17c
SHA256 551044d0c8d509162fd6e61bd9737dd7e44fe3debec0a05ced176e62d408ba64
SHA512 b47f89def123644d1b339abdb8533e7f05220c4c8d48d2fac771b8fd04161f8ca43d441ca53dcc2c2d76093634f98da6947035d7e77c992fc948e82145f0b831

memory/3016-26-0x0000000000640000-0x0000000000670000-memory.dmp

memory/3016-27-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/3016-28-0x0000000005630000-0x0000000005C48000-memory.dmp

memory/3016-29-0x0000000005120000-0x000000000522A000-memory.dmp

memory/3016-30-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

memory/3016-31-0x0000000004F00000-0x0000000004F10000-memory.dmp

memory/3016-32-0x0000000005050000-0x000000000508C000-memory.dmp

memory/2084-33-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/2084-35-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/3016-36-0x0000000074800000-0x0000000074FB0000-memory.dmp

memory/3016-37-0x0000000004F00000-0x0000000004F10000-memory.dmp