Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-rzx63shg82
Target 0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8
SHA256 0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8
Tags
healer redline virad dropper evasion infostealer persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8

Threat Level: Known bad

The file 0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8 was found to be: Known bad.

Malicious Activity Summary

healer redline virad dropper evasion infostealer persistence trojan

Detects Healer, an antivirus disabler dropper

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 14:38

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 14:38

Reported

2023-09-10 14:41

Platform

win10v2004-20230831-en

Max time kernel

149s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8.exe"

Signatures

Detects Healer, an antivirus disabler dropper

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |

RedLine

infostealer redline

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe | N/A |

Suspicious use of SetThreadContext

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3708 set thread context of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 844 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe |
| PID 844 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe |
| PID 844 wrote to memory of 4928 | N/A | C:\Users\Admin\AppData\Local\Temp\0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe |
| PID 4928 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe |
| PID 4928 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe |
| PID 4928 wrote to memory of 1308 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe |
| PID 1308 wrote to memory of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe |
| PID 1308 wrote to memory of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe |
| PID 1308 wrote to memory of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe |
| PID 3708 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3708 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3708 wrote to memory of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3708 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3708 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3708 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3708 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3708 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3708 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3708 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3708 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1308 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0456451.exe |
| PID 1308 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0456451.exe |
| PID 1308 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0456451.exe |

Processes

| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8.exe | "C:\Users\Admin\AppData\Local\Temp\0a5b579b14047adf00f8f65899edfdbfbfca495e20eab9f119a6e8004a5f25a8.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3708 -ip 3708 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 140 |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0456451.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0456451.exe |

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.82:19071 | | tcp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
| FI | 77.91.124.82:19071 | | tcp |

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x7307703.exe

MD5 91e4e48350f036e1334412d11e6285ef
SHA1 f9730179bc8d5b8335158baf4e08c2ddee7ece0d
SHA256 d7d8da125fdb7c5a7d1109d4362c84eeb4243c6168f9f9022677bcb0eb7fc4f1
SHA512 c3404c9541648a12aaa7636cdac9aede1f35d130c4906dcc015d9b96ce89e08b9a9985c4bf2dbe1136a024c0ea123d2febe9499a2b464bbb0c7273743e5cc0b3

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x1522459.exe

MD5 ac051a7a5a2408817258fef925cad636
SHA1 5b914c5fad182f627005d31c6b6c9d58840014b1
SHA256 c5d8b2f483e27b4c50d706a268079197f7560699492af2fcea85ac6932147770
SHA512 08c35a433c20f8f5943d577684d1329e57ef12230e74cface874561d856cebaabd3c11811d2415db3eba20b9afc3a233ac0edb303728258a26ff9af2435a385e

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g1063765.exe

MD5 fa7780d4c0966d5b201bdd02de37c794
SHA1 d3397b5bffe22c059a23c6865acc9a14123e0ce1
SHA256 e25b3480d4fd85580779bc35f370801adc9249ceff39dce08b70ecaa1238d933
SHA512 7d09c84109728ea9c29382f6acd861a05fd22a2a73ba756dc69566cb0cd82be3de319ac1303ec1de85f7dbe0eff80dd4690ca3b7e75b8949e9b98a672e8f90f1

memory/3764-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3764-22-0x0000000073A40000-0x00000000741F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i0456451.exe

MD5 e261b6acd9cc1e669a183fad0a537725
SHA1 e29048c4b6c0369df6b3a805f4453a59f0b8b505
SHA256 f75fffadd09751b92d3e04098fb50037a439d077358e9358bb2d7b4f8e1a85f1
SHA512 ad2350f2d67f6202a22599882c6e9247c4655339d315ef487ebf3bf6b396d4423cf9339563db58318c2db816441fba47c64198bae2dd251c5125344e4df08c3b

memory/1772-26-0x0000000000EE0000-0x0000000000F10000-memory.dmp

memory/1772-27-0x0000000073A40000-0x00000000741F0000-memory.dmp

memory/1772-28-0x0000000005FC0000-0x00000000065D8000-memory.dmp

memory/1772-29-0x0000000005AB0000-0x0000000005BBA000-memory.dmp

memory/1772-30-0x00000000059C0000-0x00000000059D2000-memory.dmp

memory/3764-31-0x0000000073A40000-0x00000000741F0000-memory.dmp

memory/1772-32-0x0000000003290000-0x00000000032A0000-memory.dmp

memory/1772-33-0x0000000005A20000-0x0000000005A5C000-memory.dmp

memory/1772-34-0x0000000073A40000-0x00000000741F0000-memory.dmp

memory/3764-36-0x0000000073A40000-0x00000000741F0000-memory.dmp

memory/1772-37-0x0000000003290000-0x00000000032A0000-memory.dmp