Malware Analysis Report

2025-03-15 01:45

Sample ID 230910-tllx1aac93
Target 11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e
SHA256 11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e
Tags
healer redline virad dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e

Threat Level: Known bad

The file 11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e was found to be: Known bad.

Malicious Activity Summary

healer redline virad dropper evasion infostealer persistence trojan

Healer

RedLine

Detects Healer an antivirus disabler dropper

Modifies Windows Defender Real-time Protection settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 16:08

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 16:08

Reported

2023-09-10 16:11

Platform

win10v2004-20230831-en

Max time kernel

148s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e.exe"

Signatures

Detects Healer an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

RedLine

infostealer redline

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4472 set thread context of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1648 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe
PID 1648 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe
PID 1648 wrote to memory of 1848 | N/A | C:\Users\Admin\AppData\Local\Temp\11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe
PID 1848 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe
PID 1848 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe
PID 1848 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe
PID 2456 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe
PID 2456 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe
PID 2456 wrote to memory of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe
PID 4472 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4472 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4472 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4472 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4472 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4472 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4472 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4472 wrote to memory of 716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2456 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3272917.exe
PID 2456 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3272917.exe
PID 2456 wrote to memory of 3052 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3272917.exe

Processes

C:\Users\Admin\AppData\Local\Temp\11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e.exe

"C:\Users\Admin\AppData\Local\Temp\11ecd191e2f21f262b54d2a820dfe068015ad378257c7c3b2a4a356119b0e29e.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4472 -ip 4472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 148

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3272917.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3272917.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
FI | 77.91.124.82:19071 | (none) | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.20.238.8.in-addr.arpa | udp
FI | 77.91.124.82:19071 | (none) | tcp
US | 8.8.8.8:53 | 126.153.27.67.in-addr.arpa | udp
FI | 77.91.124.82:19071 | (none) | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
FI | 77.91.124.82:19071 | (none) | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
FI | 77.91.124.82:19071 | (none) | tcp
US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp
FI | 77.91.124.82:19071 | (none) | tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe

MD5 569d430a97f191a6fdfa8355ed24d34c
SHA1 db3287bfb048ebf73ad5aa28844610f2c7c80d86
SHA256 6017f9d4733eafd2b4cc9b1aab0b3e7f6d6a9ac78e16de35525d56bfa4674153
SHA512 4e93ba3705d00de911994baece24a11b04fede06cd67d449945dc7ce32970163cad992d99cf4fe5b4f5b16728ed7dee02bb0f49036067459381f0da5042caeb7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\x6330032.exe

MD5 569d430a97f191a6fdfa8355ed24d34c
SHA1 db3287bfb048ebf73ad5aa28844610f2c7c80d86
SHA256 6017f9d4733eafd2b4cc9b1aab0b3e7f6d6a9ac78e16de35525d56bfa4674153
SHA512 4e93ba3705d00de911994baece24a11b04fede06cd67d449945dc7ce32970163cad992d99cf4fe5b4f5b16728ed7dee02bb0f49036067459381f0da5042caeb7

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe

MD5 97f7849d60070ce685c718595cd296d8
SHA1 613c33eea34b00d1c37633804da7ad24e1ea23eb
SHA256 40e1c8db9e03752ca60b664152f73439953f71df101fd5f2b0227a02e9b5be6b
SHA512 5ca845d132c8fd0a72430d2137e5b29e1ea88878113246f296bb59b630e0a0b6701821b4d79795110720dcad16b28c1ab5461aedb06b2ce85c1e4d565d8d2b78

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\x7119808.exe

MD5 97f7849d60070ce685c718595cd296d8
SHA1 613c33eea34b00d1c37633804da7ad24e1ea23eb
SHA256 40e1c8db9e03752ca60b664152f73439953f71df101fd5f2b0227a02e9b5be6b
SHA512 5ca845d132c8fd0a72430d2137e5b29e1ea88878113246f296bb59b630e0a0b6701821b4d79795110720dcad16b28c1ab5461aedb06b2ce85c1e4d565d8d2b78

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe

MD5 f7eeb1a801d2c9102c4e0f1ad3eb647e
SHA1 661a1722f7a8ad76e468e3e2c49ca772ac3fe3db
SHA256 16a01e437d325a072479cd6bb8698218c40c65807738ad36c668d25b38c33830
SHA512 067e53cfa3a1736e8b0aa95178727acadd8ec51d4bb7104892d1503861b4884c6966133fa58f51d59be7d9f1823939bb2ecc8b9506e92c160360296b387e37a4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\g0315147.exe

MD5 f7eeb1a801d2c9102c4e0f1ad3eb647e
SHA1 661a1722f7a8ad76e468e3e2c49ca772ac3fe3db
SHA256 16a01e437d325a072479cd6bb8698218c40c65807738ad36c668d25b38c33830
SHA512 067e53cfa3a1736e8b0aa95178727acadd8ec51d4bb7104892d1503861b4884c6966133fa58f51d59be7d9f1823939bb2ecc8b9506e92c160360296b387e37a4

memory/716-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/716-22-0x0000000074640000-0x0000000074DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3272917.exe

MD5 d46a9616cbe54201715d0505707ff931
SHA1 61da42b6bcaef085b456cb01f4035bcab6a889ab
SHA256 3050ea04e76f5ad1d123cb995869dfd7c86d8d85ac9b07d3e51e3f50c8d01a8c
SHA512 21e7b40f8e126e38c68215e7ee5a41cabb5b8ca5ca164a1bd0bc552636d248b331fc570f8362275aa6f4703938b04f2d6350e2752b536acd5f7975ef47c20655

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\i3272917.exe

MD5 d46a9616cbe54201715d0505707ff931
SHA1 61da42b6bcaef085b456cb01f4035bcab6a889ab
SHA256 3050ea04e76f5ad1d123cb995869dfd7c86d8d85ac9b07d3e51e3f50c8d01a8c
SHA512 21e7b40f8e126e38c68215e7ee5a41cabb5b8ca5ca164a1bd0bc552636d248b331fc570f8362275aa6f4703938b04f2d6350e2752b536acd5f7975ef47c20655

memory/3052-26-0x0000000000A90000-0x0000000000AC0000-memory.dmp

memory/3052-27-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/3052-28-0x000000000AED0000-0x000000000B4E8000-memory.dmp

memory/3052-29-0x000000000AA40000-0x000000000AB4A000-memory.dmp

memory/3052-30-0x00000000053E0000-0x00000000053F0000-memory.dmp

memory/3052-31-0x000000000A980000-0x000000000A992000-memory.dmp

memory/3052-32-0x000000000A9E0000-0x000000000AA1C000-memory.dmp

memory/716-33-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/716-35-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/3052-36-0x0000000074640000-0x0000000074DF0000-memory.dmp

memory/3052-37-0x00000000053E0000-0x00000000053F0000-memory.dmp